Monday, June 28, 2021

ORA-12696: Double Encryption Turned On Even When IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE is Set

The error "ORA-12696: Double Encryption Turned On, login disallowed" is expected when both SSL and native encryption (ANO) are enabled. By default Oracle doesn't allow both encryption types on the same connection and returns the above error.

However, there is a parameter that could be set so that ANO is ignored for TCPS connections. The parameter is called IGNORE_ANO_ENCRYPTION_FOR_TCPS and setting this to TRUE would allow both TCP with ANO and TCPS connections to be used concurrently.
While setting up this configuration, the TCPS connections were failing with ORA-12696. The parameter IGNORE_ANO_ENCRYPTION_FOR_TCPS can be set either in sqlnet.ora or in the TNS alias. No matter where it was set, the TCPS connections kept getting the above error. It was puzzling, as the documentation was followed to the letter.



Apparently the issue is with the documentation. The parameter is actually called "SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS" (visible in step 4 below). However, the documentation that shows how to set it, along with its helpful copy buttons, omits the "SQLNET." part. See below for the current documentation at the time of this blog post.

MOS Doc 2614143.1, which also addresses the same issue, shows it being set as IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE (though the sqlnet.ora content shown in the same MOS note has it set correctly).
An SR was raised to correct the documentation so that the parameter is shown with the SQLNET. prefix, like other parameters such as SQLNET.ENCRYPTION_CLIENT and SQLNET.ENCRYPTION_TYPES_CLIENT, which have all been documented with the SQLNET. prefix.
The only place this is correctly reflected (at the time of this blog post) is the Net Services Reference guide, which helped to identify the root cause of the issue.
When setting this in the TNS alias, the parameter can be given with or without the sqlnet. prefix (the documentation is correct for this setting).
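
The sqlnet.ora pitfall described above can be caught before a connection ever fails. The following check is an added example, not part of the original post or of any Oracle tooling; the function names, status strings and sample file contents are constructed for illustration, and it assumes each parameter sits on a single line.

```python
import re

PARAM = "IGNORE_ANO_ENCRYPTION_FOR_TCPS"
LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(\S.*)$")


def parse_sqlnet_ora(text):
    """Return {UPPERCASE_NAME: value} for top-level NAME = value lines.

    Assumption: parameters of interest are single-line; indented
    continuation lines of multi-line values are skipped.
    """
    params = {}
    for raw in text.splitlines():
        if raw[:1].isspace():
            continue                             # continuation of a previous value
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        match = LINE_RE.match(line)
        if match:
            params[match.group(1).upper()] = match.group(2).strip()
    return params


def check_sqlnet_ora(text):
    """Classify the setting as 'ok', 'unprefixed', 'disabled' or 'absent'."""
    params = parse_sqlnet_ora(text)
    prefixed = params.get("SQLNET." + PARAM, "").upper()
    if prefixed == "TRUE":
        return "ok"
    if PARAM in params:
        # Per the post: without the SQLNET. prefix the setting has no effect
        # in sqlnet.ora, so TCPS logins still fail with ORA-12696.
        return "unprefixed"
    return "disabled" if prefixed else "absent"


# Constructed sample files: the form copied from the documentation, and the fix.
BROKEN = """\
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
IGNORE_ANO_ENCRYPTION_FOR_TCPS = TRUE
"""
FIXED = BROKEN.replace(PARAM, "SQLNET." + PARAM)

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", check_sqlnet_ora(text))
```

The check applies to sqlnet.ora only; in a TNS alias either spelling is accepted, as noted above.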