You might have faced authentication errors many times while accessing an application id through SAP Mobile Platform and just wondered if there is some tool to troubleshoot the error apart from checking the security log. Yes, there is a way you can debug authentication errors against an authentication provider. Here, i will be using a tool called CSI (Common security infrastructure) tool.

Note: This guide is mainly for System Administrators and can be tested on same machine where SMP server is installed. I have tested it on Windows.

(I followed this guide but unfortunately it didn’t work as per steps mentioned)

You can find 3 different security profiles (admin, default and Notification) present under SETTINGS > SECURITY PROFILES in Admin cockpit and for all these profiles you can see two different .xml file.

e.g. For Admin, admin.xml and admin-role-mapping.xml

      For default, default.xml and role-mapping.xml

      For Notification, Notification-role-mapping.xml, Notification-role-mapping.xml


If you are using this CSITool with SMP3 SP08 runtime or later, then one has to also copy the csi-xml*.jar from Server\lib dir into the test dir and add it to the classpath.

Example 1: (System Login (Admin only))

Lets go with Admin profile first, we got a default username as smpAdmin & password as s3pAdmin (might be different in your case). Lets assume you are facing authentication error while accessing an application through the Admin profile. This CSI tool will help you in debugging the error:

Steps to be followed:

1. Create a temporary folder somewhere on server machine

2. copy below files into same folder

  • csibootstrap.properties and csikeystore.jceks files from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security
  • admin.xml and admin-role-mapping.xml from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
  • csi-tool.jar file from F:\SAP\MobilePlatform3\Server\tools\csi
  • csi-xml-xxxx.jar from F:\SAP\MobilePlatform3\Server\lib

It should like this:

    

          1.PNG

4. Open admin.xml file, modified value for RoleMapFile as mentioned below

     2.PNG

5. Open a command prompt > Navigate to temporary folder and run this

java -Dcom.sybase.security.BootstrapConfigurationFile=”C:\Users\jk1\Desktop\csitemp\csibootstrap.properties” -cp csi-tool.jar;csi-xml-5.4.0.M6.jar;F:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate –USERNAME “smpAdmin” –PASSWORD “s3pAdmin” –CONFIG_FILE C:\Users\jk1\Desktop\csitemp\admin.xml

You can a success message about true authentication.

     /wp-content/uploads/2015/04/2_690519.png

    

Let me try passing wrong password

     3.PNG

You can try the same for other security profile(s) as well following steps 1-5

Example 2: (HTTP/HTTPS Authentication provider)

The CSI HTTP/HTTPS Authentication provider has been updated to use httpclient 4.3.6 and httpcore 4.4. The version of these libraries in the plugins dir is different.

I have created a new security profile named as SAP_SSO2. You can see that there are 2 different xml files created for same profile: ie. SAP_SSO2.xml and SAP_SSO2-role-mapping.xml under F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI

     ldap1.PNG

Steps to be followed:

1. Create a temporary folder somewhere on server machine

2. copy below files into same folder

  • csibootstrap.properties and csikeystore.jceks files from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security
  • SAP_SSO2.xml and SAP_SSO2-role-mapping.xml from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
  • csi-tool.jar file from F:\SAP\MobilePlatform3\Server\tools\csi
  • csi-xml-xxxx.jar from F:\SAP\MobilePlatform3\Server\lib
  • com.sap.security.csi.http-osgi_***.jar from F:\SAP\MobilePlatform3\Server\plugins

3. Extract com.sap.security.csi.http-osgi_***.jar file (right click>Extract Here) (below highlighted files/folders are created after extraction)

          4.PNG

4. Edit SAP_SSO2.xml file

5.PNG

5. Run this command

java -Dcom.sybase.security.BootstrapConfigurationFile=”C:\Users\jk1\Desktop\CSItest\csibootstrap.properties” -cp csi-tool.jar;csi-xml-5.4.0.M6.jar;httpcore-osgi-4.4.jar;httpclient-osgi-4.3.6.jar;F:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate –USERNAME “p1176845” –PASSWORD “******” –CONFIG_FILE C:\Users\jk1\Desktop\CSItest\SAP_SSO2.xml

(I have entered wrong password)

          5.PNG

It is throwing ‘401 unauthorized’ error as expected.

Note: This method is also quite valid for a security profile having more than one authentication providers.

Enable security logs for more troubleshooting. Set log level to DEBUG (Admin cockpit > Logs > Settings >Security)

Regards,

JK

To report this post you need to login first.

16 Comments

You must be Logged on to comment or reply to a post.

  1. Seenu Katha

    Hi JK,

    I am getting this error message when I try command..

    C:\Users\seenu\Desktop\CSI>java -Dcom.sybase.security.BootstrapConfigurationFile

    =”C:\Users\Jitendra\Desktop\CSItest\csibootstrap.properties” -cp csi-tool.jar;C:

    \SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.pr

    operties com.sybase.security.tools.CSILauncher csi.diag.authenticate –USERNAME

    “smpAdmin” –PASSWORD “s3pAdmin” –CONFIG_FILE C:\Users\Jitendra\Desktop\CSItest

    \admin.xml

    Exception in thread “main” java.lang.UnsupportedClassVersionError: com/sybase/se

    curity/tools/CSILauncher : Unsupported major.minor version 51.0

            at java.lang.ClassLoader.defineClass1(Native Method)

            at java.lang.ClassLoader.defineClassCond(ClassLoader.java:631)

            at java.lang.ClassLoader.defineClass(ClassLoader.java:615)

            at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:14

    1)

            at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)

            at java.net.URLClassLoader.access$000(URLClassLoader.java:58)

            at java.net.URLClassLoader$1.run(URLClassLoader.java:197)

            at java.security.AccessController.doPrivileged(Native Method)

            at java.net.URLClassLoader.findClass(URLClassLoader.java:190)

            at java.lang.ClassLoader.loadClass(ClassLoader.java:306)

            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)

            at java.lang.ClassLoader.loadClass(ClassLoader.java:247)

    Could not find the main class: com.sybase.security.tools.CSILauncher.  Program w

    ill exit.

    Do you have any idea?

    Thanks

    seenu

    (0) 
    1. jitendra kansal Post author

      C:\Users\seenu\Desktop\CSI>java -Dcom.sybase.security.BootstrapConfigurationFile

      =”C:\Users\Jitendra\Desktop\CSItest\csibootstrap.properties” -cp csi-tool.jar;C:

      \SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.pr

      operties com.sybase.security.tools.CSILauncher csi.diag.authenticate –USERNAME

      “smpAdmin” –PASSWORD “s3pAdmin” –CONFIG_FILE C:\Users\Jitendra\Desktop\CSItest

      \admin.xml

      I assume you have modified above highlighted syntex as per yours.

      Can you share a screenshot of the same?

      Regards,

      JK

      (0) 
        1. Hemal Pandya

          Hi Seenu,

          UnsupportedClassVersionException is thrown when the JVM determines that the version of compiled code is not supported. Version 51.0 that you are getting error for is used by Java 7, which is indeed the java version used to build SMP 3.0.7.

          Please check the version of jvm you are using with the command `java -version`. It will almost certainly report a version before Java 7. Then either adjust your PATH so that Java 7 or later is found first or use complete path to the correct JVM.

          Hope this helps

          Hemal

          (0) 
          1. Seenu Katha

            Hi Hemal,

            Pls see my Java -version. It says 1.7. So I installed 1.8 and tested the same. Now I see the line with Running task csi.diag.authenticate. Then it gives an error “java.lang.NoClassDefFoundError: org/apache/http/confi

            g/Lookup”.

            Capture6.PNG

            Capture7.PNG

            Basically I am struggling to test SSO scenario with SAP GW + SMP.

            Thanks

            seenu

            (0) 
  2. bill zhang

    Hi Kansal,

    Is it possible to run the command on linux?

    Our SMP is on redhat, not windows.

    I meet an urgent LDAP config issue so want to track the error information details by your method.

    Thanks a lot in advance!

    Bill

    (0) 
    1. Hemal Pandya

      I am afraid I have not tried this myself, my earlier post was based entirely on the error message.

      Did you try it on redhat and got an error? CSI in SMP does not use any platform specific modules (such as a DLL) so I would expect it to work.

      (0) 
      1. bill zhang

        Hi Pandra,

        Thanks for your quick response.

        I try the same steps on linux, but the command doesn’t work.

        My command as below:

        java -Dcom.sybase.security.BootstrapConfigurationFile=”/opt/SAP/MobilePlatform3/Server/configuration/com.sap.mobile.platform.server.security/csibootstrap.properties” -cp csi-tool.jar;/opt/SAP/MobilePlatform3/Server/plugins/* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate –USERNAME “username” –PASSWORD “password” –CONFIG_FILE CRV_LDAP.xml

        Can you help to figure out where is wrong?

        thanks!

        (0) 
  3. Jyothi Krothapalli

    The CSI HTTP provider has been updated to use httpclient 4.3.6 and httpcore 4.4. The version of these libraries in the plugins dir is different. One has to extract these jars bundled in the plugins\com.sap.security.csi.http-osgi*.jar into the test dir and add them to the classpath before the plugins dir when testing with the configuration file that includes HTTP provider. Also, if using the CSITool with SP08 or later, then one has to also copy the csi-xml*.jar from Server\lib dir into the test dir and add it to the classpath. For ex:

    java -Dcom.sybase.security.BootstrapConfigurationFile=”C:\Users\Jitendra\Desktop\CSItest\csibootstrap.properties” -cp csi-tool.jar;csi-xml.jar;httpcore-osgi-4.4.jar;httpclient-osgi-4.3.6.jar;C:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate –USERNAME “p1176845” –PASSWORD “******” –CONFIG_FILE C:\Users\Jitendra\Desktop\CSItest\SAP_SSO2.xml

    @Jitendra – can you please update the blog with these details.

    (0) 

Leave a Reply