Skip to Content

Debugging Authentication Errors with CSI Tool

This blog describes the use of CSITool to debug errors that are encountered during user authentication in SAP Mobile Platform Server (SMP).

Specifically it describes how to use the CSITool to debug authentication failures for security profiles that contain LDAP Authentication provider. The use of CSITool allows you to invoke the same authentication framework used in SMP but in a stand alone manner in order to easily identify the root cause of the authentication failures.

Following are the steps to execute CSITool to debug LDAP provider outside SMP server:

  1. Create a test directory on the host where SMP server is installed, for example, C:\test.
  2. Copy the following files to the test directory. The security profile to be used is denoted as <test_config>. Please replace it with the security profile name you wish to use for authentication.
    • csibootstrap.properties and csikeystore.jceks from the <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security directory.
    • <test_config>.xml and <test_config>-role-mapping.xml from the <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI directory.
    • csi-tool.jar from the <SMP_HOME>\Server\tools\csi directory.
    • com.sybase.security.csi.ldap-osgi*.jar from the <SMP_HOME>\Server\plugins directory.
  3. Add the jar files to the CLASSPATH.
  4. (SAP Mobile Platform 3.0 SP08 and later) Copy csi-xml-*.jar from the <SMP_HOME>\Server\lib directory to the test directory, and add it to the CLASSPATH.
  5. Open the <test_config>.xml file, and set the value of RoleMapFile to <test_config>-role-mapping.xml (i.e., remove the path to the SMP, refer to the file in current dir). Save and close the file.
  6. CSI framework uses Java logging API. The following example shows how to configure logging.properties to obtain FINEST level log messages from the classes in the com.sybase.security.ldap package while setting the log level for the rest of the framework classes to INFO. Use this configuration to debug authentication failures with LDAP providers. The value of debug.log for the java.util.logging.FileHandler.pattern property should be the path to the log file.Create a file “logging.properties” in test dir with the following content:
    handlers=java.util.logging.FileHandler
    
    com.sybase.security.ldap.level=ALL
    
    java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
    
    java.util.logging.FileHandler.level=ALL
    
    java.util.logging.FileHandler.pattern=debug.log
    
    .level=INFO
    
    
  7. In the test directory, run the following command after replacing the full name of the csi-xml and ldap-osgi jar files from your installation (should include the exact filename with the version string) and replacing the <testuser>/<testuserpassword> with the ldap user credentials. Review the log output to troubleshoot the authentication failure.
java -Djava.util.logging.config.file=logging.properties -Dcom.sybase.security.BootstrapConfigurationFile="C:\test\csibootstrap.properties" -cp "csi-tool.jar;csi-xml-*.jar;com.sap.security.csi.ldap-osgi-*.jar;C:\SAP\MobilePlatform3\Server\plugins\*" com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "<testuser>" --PASSWORD "<testuserpassword>” --CONFIG_FILE C:\test\<test_config>.xml




Alternatively, one can also use a response file to collect the inputs to the tool and specify the file on the command line like:

java -Djava.util.logging.config.file=logging.properties -Dcom.sybase.security.BootstrapConfigurationFile="C:\test\csibootstrap.properties" -cp "csi-tool.jar;csi-xml-*.jar;com.sap.security.csi.ldap-osgi_*.jar;C:\SAP\MobilePlatform3\Server\plugins\*" com.sybase.security.tools.CSILauncher csi.diag.authenticate @args.properties

where the file args.properties in c:\test dir is a java properties file that has the following content (do not include the values in double quotes)

 

USERNAME=<testuser>
PASSWORD=<testuserpassword>
CONFIG_FILE=<test_config>.xml
NOTE: Remember to enable LDAP connection tracing in the configuration properties to capture the communication between the LDAP provider and the LDAP server. This will help you collect the ber traces that shed light on the request/responses.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply