Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CSI tool helps you in debugging Authentication Errors

Jitendra_Kansal
Product and Topic Expert
Product and Topic Expert
‎04-23-2015 10:38 AM


You might have faced authentication errors many times while accessing an application id through SAP Mobile Platform and just wondered if there is some tool to troubleshoot the error apart from checking the security log. Yes, there is a way you can debug authentication errors against an authentication provider. Here, i will be using a tool called CSI (Common security infrastructure) tool.

Note: This guide is mainly for System Administrators and can be tested on same machine where SMP server is installed. I have tested it on Windows.

(I followed this guide but unfortunately it didn't work as per steps mentioned)

You can find 3 different security profiles (admin, default and Notification) present under SETTINGS > SECURITY PROFILES in Admin cockpit and for all these profiles you can see two different .xml file.

e.g. For Admin, admin.xml and admin-role-mapping.xml

      For default, default.xml and role-mapping.xml

      For Notification, Notification-role-mapping.xml, Notification-role-mapping.xml

 

If you are using this CSITool with SMP3 SP08 runtime or later, then one has to also copy the csi-xml*.jar from Server\lib dir into the test dir and add it to the classpath.

Example 1: (System Login (Admin only))


Lets go with Admin profile first, we got a default username as smpAdmin & password as s3pAdmin (might be different in your case). Lets assume you are facing authentication error while accessing an application through the Admin profile. This CSI tool will help you in debugging the error:

Steps to be followed:

1. Create a temporary folder somewhere on server machine

2. copy below files into same folder

  • csibootstrap.properties and csikeystore.jceks files from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security

  • admin.xml and admin-role-mapping.xml from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI

  • csi-tool.jar file from F:\SAP\MobilePlatform3\Server\tools\csi

  • csi-xml-xxxx.jar from F:\SAP\MobilePlatform3\Server\lib


It should like this:

 



4. Open admin.xml file, modified value for RoleMapFile as mentioned below



5. Open a command prompt > Navigate to temporary folder and run this
java -Dcom.sybase.security.BootstrapConfigurationFile="C:\Users\jk1\Desktop\csitemp\csibootstrap.properties" -cp csi-tool.jar;csi-xml-5.4.0.M6.jar;F:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "smpAdmin" --PASSWORD "s3pAdmin" --CONFIG_FILE C:\Users\jk1\Desktop\csitemp\admin.xml

You can a success message about true authentication.



 

Let me try passing wrong password



You can try the same for other security profile(s) as well following steps 1-5

Example 2: (HTTP/HTTPS Authentication provider)


The CSI HTTP/HTTPS Authentication provider has been updated to use httpclient 4.3.6 and httpcore 4.4. The version of these libraries in the plugins dir is different.

I have created a new security profile named as SAP_SSO2. You can see that there are 2 different xml files created for same profile: ie. SAP_SSO2.xml and SAP_SSO2-role-mapping.xml under F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI


Steps to be followed:


1. Create a temporary folder somewhere on server machine


2. copy below files into same folder




  • csibootstrap.properties and csikeystore.jceks files from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security

  • SAP_SSO2.xml and SAP_SSO2-role-mapping.xml from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI

  • csi-tool.jar file from F:\SAP\MobilePlatform3\Server\tools\csi

  • csi-xml-xxxx.jar from F:\SAP\MobilePlatform3\Server\lib

  • com.sap.security.csi.http-osgi_***.jar from F:\SAP\MobilePlatform3\Server\plugins


3. Extract com.sap.security.csi.http-osgi_***.jar file (right click>Extract Here) (below highlighted files/folders are created after extraction)


         

4. Edit SAP_SSO2.xml file



5. Run this command
java -Dcom.sybase.security.BootstrapConfigurationFile="C:\Users\jk1\Desktop\CSItest\csibootstrap.properties" -cp csi-tool.jar;csi-xml-5.4.0.M6.jar;httpcore-osgi-4.4.jar;httpclient-osgi-4.3.6.jar;F:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "p1176845" --PASSWORD "******" --CONFIG_FILE C:\Users\jk1\Desktop\CSItest\SAP_SSO2.xml

(I have entered wrong password)



It is throwing '401 unauthorized' error as expected.

Note: This method is also quite valid for a security profile having more than one authentication providers.

Enable security logs for more troubleshooting. Set log level to DEBUG (Admin cockpit > Logs > Settings >Security)

Regards,

JK

16 Comments
Labels in this area
Popular Blog Posts