Administrator

Debugging Authentication Errors with CSI Tool

Use the common security infrastructure (CSI) tool to debug errors that are encountered during user authentication.

Context

This topic describes how to use the CSI tool to debug authentication failures for security profiles that contain an HTTP/HTTPS Authentication provider.

Procedure

  1. Create a test directory on the server machine, for example, C:\test.
  2. Copy these files to the test directory:
    • csibootstrap.properties and csikeystore.jceks from the <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security directory.
    • test.xml and test-role-mapping.xml from the <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI directory.
    • csi-tool.jar from the <SMP_HOME>\Server\tools\csi directory.
    • com.sap.security.csi.http-osgi_*.jar from the <SMP_HOME>\Server\plugins directory.
  3. Extract the contents of com.sap.security.csi.http-osgi_*.jar into the current directory.
  4. Add httpclient-osgi-4.3.6.jar and httpcore-osgi-4.4.jar to the CLASSPATH.
  5. (SAP Mobile Platform 3.0 SP08 and later) Copy csi-xml-*.jar from the <SMP_HOME>\Server\lib directory to the test directory, and add it to the CLASSPATH.
  6. Open the test.xml file, and set the value of RoleMapFile to test-role-mapping.xml. Save and close the file.
  7. In the test directory, run:
    java -Dcom.sybase.security.BootstrapConfigurationFile="C:\test\csitool\csibootstrap.properties" -cp "csi-tool.jar;csi-xml-*.jar;httpcore-osgi-4.4.jar;httpclient-osgi-4.3.6.jar;C:\SAP\MobilePlatform3\Server\plugins\*" com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "supuser" --PASSWORD "mobile123" --CONFIG_FILE C:\test\csitool\test.xml
  8. Review the log output to troubleshoot the authentication failure.

Example

CSI uses the Java logging API. The following example shows how to configure logging.properties to obtain FINEST level log messages from the classes in the com.sap.security.ldap package while setting the log level for the rest of the CSI classes to INFO. Use this configuration to debug authentication failures with LDAP providers, or to debug errors encountered when looking up user roles from the LDAP repository. Replace the value debug.log of the java.util.logging.FileHandler.pattern property with the path to the log file.

java -Djava.util.logging.config.file=logging.properties -jar csi-tool.jar csi.diag.authenticate --USERNAME "test_username" --PASSWORD "test_password" --CONFIG_FILE "<absolute_path_of_the_configuration_xml_file>"

where logging.properties contains:

handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
.level=INFO
com.sap.security.ldap.level=FINEST
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
java.util.logging.FileHandler.level=FINEST
java.util.logging.FileHandler.pattern=debug.log
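
To confirm what this configuration does before running the CSI tool with it, the following added example (not part of the SAP documentation or the CSI tool) loads the same properties with java.util.logging and prints the effective level of each logger and handler. The two logger names are hypothetical, and the log file pattern is changed to %t/csi-check.log (the system temporary directory) as an assumption so that the check does not write debug.log.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.Logger;

public class CsiLogLevelCheck {
    // Constructed copy of the logging.properties shown above; only the
    // FileHandler pattern differs (assumption: write to the temp directory).
    static final String CONFIG = String.join("\n",
        "handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler",
        ".level=INFO",
        "com.sap.security.ldap.level=FINEST",
        "java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter",
        "java.util.logging.FileHandler.level=FINEST",
        "java.util.logging.FileHandler.pattern=%t/csi-check.log");

    // A logger without its own level inherits from the nearest ancestor that has one.
    static Level effectiveLevel(Logger logger) {
        while (logger != null && logger.getLevel() == null) {
            logger = logger.getParent();
        }
        return logger == null ? null : logger.getLevel();
    }

    public static void main(String[] args) throws Exception {
        byte[] cfg = CONFIG.getBytes(StandardCharsets.ISO_8859_1);
        LogManager.getLogManager().readConfiguration(new ByteArrayInputStream(cfg));

        // Hypothetical class names, used only to show inheritance by package.
        Logger ldap = Logger.getLogger("com.sap.security.ldap.ExampleClient");
        Logger other = Logger.getLogger("com.sap.security.csi.ExampleOther");
        for (Logger l : new Logger[] {ldap, other}) {
            System.out.printf("%-40s effective=%-7s logs FINEST: %b%n",
                l.getName(), effectiveLevel(l), l.isLoggable(Level.FINEST));
        }

        // Handlers filter again: a record must pass the logger level and the
        // handler level. ConsoleHandler has no level configured here, so it
        // keeps its default, while FileHandler is set to FINEST.
        for (Handler h : Logger.getLogger("").getHandlers()) {
            System.out.printf("%-40s level=%s%n", h.getClass().getName(), h.getLevel());
        }
    }
}
```

The handler levels printed at the end show where FINEST records from com.sap.security.ldap can end up: a handler only publishes records at or above its own level.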