You might have faced authentication errors many times while accessing an application id through SAP Mobile Platform and just wondered if there is some tool to troubleshoot the error apart from checking the security log. Yes, there is a way you can debug authentication errors against an authentication provider. Here, i will be using a tool called CSI (Common security infrastructure) tool.
Note: This guide is mainly for System Administrators and can be tested on same machine where SMP server is installed. I have tested it on Windows.
(I followed this guide but unfortunately it didn't work as per steps mentioned)
You can find 3 different security profiles (admin, default and Notification) present under
SETTINGS > SECURITY PROFILES in Admin cockpit and for all these profiles you can see two different .xml file.
e.g.
For Admin, admin.xml and admin-role-mapping.xml
For default, default.xml and role-mapping.xml
For Notification, Notification-role-mapping.xml, Notification-role-mapping.xml
If you are using this CSITool with SMP3 SP08 runtime or later, then one has to also copy the csi-xml*.jar from Server\lib dir into the test dir and add it to the classpath.
Example 1: (System Login (Admin only))
Lets go with Admin profile first, we got a default username as
smpAdmin & password as
s3pAdmin (might be different in your case). Lets assume you are facing authentication error while accessing an application through the Admin profile. This CSI tool will help you in debugging the error:
Steps to be followed:
1. Create a temporary folder somewhere on server machine
2. copy below files into same folder
- csibootstrap.properties and csikeystore.jceks files from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security
- admin.xml and admin-role-mapping.xml from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
- csi-tool.jar file from F:\SAP\MobilePlatform3\Server\tools\csi
- csi-xml-xxxx.jar from F:\SAP\MobilePlatform3\Server\lib
It should like this:
4. Open
admin.xml file, modified value for
RoleMapFile as mentioned below
5. Open a command prompt > Navigate to temporary folder and run this
java -Dcom.sybase.security.BootstrapConfigurationFile="C:\Users\jk1\Desktop\csitemp\csibootstrap.properties" -cp csi-tool.jar;csi-xml-5.4.0.M6.jar;F:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "smpAdmin" --PASSWORD "s3pAdmin" --CONFIG_FILE C:\Users\jk1\Desktop\csitemp\admin.xml
You can a success message about true authentication.
Let me try passing wrong password
You can try the same for other security profile(s) as well following steps 1-5
Example 2: (HTTP/HTTPS Authentication provider)
The CSI HTTP/HTTPS Authentication provider has been updated to use httpclient 4.3.6 and httpcore 4.4. The version of these libraries in the plugins dir is different.
I have created a new security profile named as SAP_SSO2. You can see that there are 2 different xml files created for same profile: ie. SAP_SSO2.xml and SAP_SSO2-role-mapping.xml under F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
Steps to be followed:
1. Create a temporary folder somewhere on server machine
2. copy below files into same folder
- csibootstrap.properties and csikeystore.jceks files from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security
- SAP_SSO2.xml and SAP_SSO2-role-mapping.xml from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
- csi-tool.jar file from F:\SAP\MobilePlatform3\Server\tools\csi
- csi-xml-xxxx.jar from F:\SAP\MobilePlatform3\Server\lib
- com.sap.security.csi.http-osgi_***.jar from F:\SAP\MobilePlatform3\Server\plugins
3. Extract com.sap.security.csi.http-osgi_***.jar file (right click>Extract Here) (below highlighted files/folders are created after extraction)
4. Edit SAP_SSO2.xml file
5. Run this command
java -Dcom.sybase.security.BootstrapConfigurationFile="C:\Users\jk1\Desktop\CSItest\csibootstrap.properties" -cp csi-tool.jar;csi-xml-5.4.0.M6.jar;httpcore-osgi-4.4.jar;httpclient-osgi-4.3.6.jar;F:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "p1176845" --PASSWORD "******" --CONFIG_FILE C:\Users\jk1\Desktop\CSItest\SAP_SSO2.xml
(I have entered wrong password)
It is throwing '401 unauthorized' error as expected.
Note: This method is also quite valid for a security profile having more than one authentication providers.
Enable security logs for more troubleshooting. Set log level to DEBUG (Admin cockpit > Logs > Settings >Security)
Regards,
JK