Understanding Password Case Sensitivity and Upgrades
By default, Oracle Database 12c Release 2 (12.2) and later releases use Exclusive Mode authentication protocols. Exclusive Modes do not support case-insensitive password-based authentication.
Accounts that have only the 10G password version become inaccessible when the server runs in an Exclusive Mode.
Note:
Starting with Oracle Database 21c, the SEC_CASE_SENSITIVE_LOGON parameter is desupported. You must use a case-sensitive password version. If a user with only a 10G password version is upgraded to Oracle Database 21c, then that user account is locked until an administrator resets the password.
In previous Oracle Database releases, you could configure the authentication protocol so that it allows case-insensitive password-based authentication by setting SEC_CASE_SENSITIVE_LOGON=FALSE. Starting with Oracle Database 12c release 2 (12.2), the default password-based authentication protocol configuration excluded the use of the case-insensitive 10G password version. By default, the SQLNET.ORA parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12, which is an Exclusive Mode. When the database is configured in Exclusive Mode, the password-based authentication protocol requires that one of the case-sensitive password versions (11G or 12C) is present for the account being authenticated. This mode excludes the use of the 10G password version used in earlier releases.
After upgrading to Oracle Database 12c release 2 and later releases, accounts that have only the case-insensitive 10G password version become inaccessible. This change occurs because the server runs in an Exclusive Mode by default. When Oracle Database is configured in Exclusive Mode, it cannot use the old 10G password version to authenticate the client. The server is left with no password version with which to authenticate the client.
Before upgrading, Oracle recommends that you determine if this change to the default password-based authentication protocol configuration affects you. Perform the following checks:
- Identify if you have accounts that use only 10G case-insensitive password authentication versions.
- Identify if you have Oracle Database 11g release 2 (11.2.0.3) database or earlier clients that have not applied critical patch update CPUOct2012, or a later patch update, and have any account that does not have the case-insensitive 10G password version.
Update Accounts Using Case-Insensitive Versions
If you have user accounts that have only the case-insensitive 10G password version, then before upgrade, update the password versions for each account that has only the 10G password version. You can update the password versions by expiring user passwords using the 10G password version, and requesting that these users log in to their account. When they attempt to log in, the server automatically updates the list of password versions, which includes the case-sensitive password versions.
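One way to carry out the first check and the expiry step, as an added example that is not taken from the Oracle documentation. It assumes the DBA_USERS data dictionary view with its PASSWORD_VERSIONS and ACCOUNT_STATUS columns, and a session with privileges to query it.

```sql
-- Added example (assumption: run on the source database before the upgrade,
-- as a user who can query DBA_USERS).

-- 1. List every account that still holds the 10G password version and
--    show whether it would be left without a usable version in Exclusive Mode.
--    INSTR is used instead of equality because PASSWORD_VERSIONS is a
--    space-separated list such as '10G 11G 12C'.
SELECT username,
       account_status,
       password_versions,
       CASE
         WHEN INSTR(password_versions, '11G') = 0
          AND INSTR(password_versions, '12C') = 0
         THEN '10G ONLY - inaccessible in Exclusive Mode'
         ELSE 'has a case-sensitive version'
       END AS exclusive_mode_impact
FROM   dba_users
WHERE  INSTR(password_versions, '10G') > 0
ORDER  BY exclusive_mode_impact, username;

-- 2. Generate (do not execute blindly) one PASSWORD EXPIRE statement per
--    10G-only account. Review the list, then run the generated statements
--    and ask each user to log in so the server regenerates the versions.
--    Usernames are double-quoted to preserve mixed-case names.
SELECT 'ALTER USER "' || username || '" PASSWORD EXPIRE;' AS expire_stmt
FROM   dba_users
WHERE  INSTR(password_versions, '10G') > 0
AND    INSTR(password_versions, '11G') = 0
AND    INSTR(password_versions, '12C') = 0
ORDER  BY username;

-- 3. After the users have logged in, this count should be zero
--    before the upgrade proceeds.
SELECT COUNT(*) AS remaining_10g_only
FROM   dba_users
WHERE  INSTR(password_versions, '10G') > 0
AND    INSTR(password_versions, '11G') = 0
AND    INSTR(password_versions, '12C') = 0;
```

Accounts authenticated externally or globally have no password versions, so the INSTR filters skip them.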