This blog post is part of a series of blogs I published about @sap/datasphere-cli. Find all blog posts related to this topic in my overview blog post here.

The Node.js-based Command-Line Interface (CLI) for SAP Datasphere, @sap/datasphere-cli hosted on npmjs.com, allows you to interact with your SAP Datasphere tenant from the terminal or command line. 

Introduction

Using the Command-line Interface (CLI) for SAP Datasphere is much fun and certainly increases productivity! 🥳 But there’s always another dark side, too – when things don’t work as expected and you don’t know how to solve it. This blog aims at gathering all the well-known issues around using the CLI, and is your go-to blog to ask questions about using the CLI and troubleshooting problems you face along the way.

Troubleshooting

If something goes wrong and a command fails, you typically get a single error message “Failed to …”, for example, “Failed to initialize the local CLI cache”. To get more information, you can always append the –verbose option to any command. Adding the –verbose option tells the CLI to output more information such as the request sent to the server, the response status code and message, and a correlation ID if available in the response.

The blog provides help with the following problems when using @sap/datasphere-cli:

• Error message “Your connection isn’t private” (NET::ERR_CERT_COMMON_NAME_INVALID) in the browser when logging in
• Error message “self-signed certificate in certificate chain”
• Error message “Failed to initialize the local CLI cache”
• “401 Unauthorized” when running commands
• datasphere login command does no action

Error message “Your connection isn’t private” (NET::ERR_CERT_COMMON_NAME_INVALID) in the browser when logging in

The following error message is shown in your browser when logging in using the datasphere login command and OAuth authentication. You did not specify the authorization URL and token URL explicitly.

Picture 1 – Your connection isn’t private

The CLI derives the authorization URL and token URL by default automatically based on the specified host. In certain cases, the automatically derived URLs are not correct. You can still specify the correct authorization URL and token URL explicitly using the options –authorization-url and –token-url when running the login command.

$ datasphere login --authorization-url <authorization url> --token-url <token url>

Code Sample 1 – Specify the authorization URL and token URL explicitly

See SAP Help for more information on where to find the authorization URL and token URL for OAuth clients in your SAP Datasphere tenant.

Also, make sure that you remove any existing login for the tenant in question. Before running the datasphere login command again specifying the authorization URL and token URL, run the datasphere logout –logout-id <id> command, specifying the login ID in question. If you are unsure about the login ID, simply run the datasphere logout command and omit the login ID.

Error message “self-signed certificate in certificate chain”

$ datasphere login --secrets-file /path/to/secrets/file.json --verbose
POST https://your-datasphere-tenant.authentication.eu10.hana.ondemand.com/oauth/token
Request failed with message "self-signed certificate in certificate chain"
Failed to log in to your account using interactive OAuth authentication

Code Sample 2 – Failed command due to self-signed certificates

This error can occur if you are behind a proxy using self-signed certificates. You can try the following solutions to overcome this issue.

1. Switching to HTTP

Entering all URLs using the HTTP instead of HTTPS protocol can help to overcome this issue. Run the command again and replace https:// with http:// in any URL you are using.

2. NODE_TLS_REJECT_UNAUTHORIZED=0

Set environment variable NODE_TLS_REJECT_UNAUTHORIZED=0. This tells the Node.js runtime to not verify self-signed certificates. You want to use this option with care, as it might introduce security leaks in your application.

See also levelup.gitconnected.com/how-to-resolve-certificate-errors-in-nodejs-app-involving-ssl-calls for more information.

3. Including custom certificates in the certificate chain

The following sources provide insights into how you can include custom-generated or self-signed certificates into your machine’s certificate chain. Check out for example stackoverflow.com/how-to-add-custom-certificate-authority-ca-to-nodejs for more information.

Error message “Failed to initialize the local CLI cache”

$ datasphere config cache init --verbose
GET https://your-datasphere-tenant.eu10.hcs.cloud.sap/dwaas-core/api/v1/discovery
Failed to initialize the local CLI cache

Code Sample 3 – The CLI failed to initialize the local CLI cache

This error can occur when the CLI can successfully retrieve the document from the server but fails to store it locally on the machine’s hard drive. This issue is typically caused by the executing user missing write privileges to the .cache folder of the CLI installation. Current versions of the CLI store the document in the executing user’s home directory at ~/.@sap/datasphere-cli/.cache.

This error happened typically in earlier versions of the CLI, where the document wasn’t stored in the user’s home directory, but in the CLI installation directory, typically located outside the user’s home directory.

To solve this issue, make sure that the executing user/process has write access to the .cache folder. Either grant the user the required privileges or run the command in admin mode, for example using sudo on Mac.

$ sudo datasphere config cache init
Password: ************

Code Sample 4 – Using sudo to run the command

“401 Unauthorized” when running commands

Are you using the datasphere host set command, logging in using OAuth clients, and dealing with multiple tenants as well? This combination of different factors can cause 401 Unauthorized responses in case the configured host does not match the target server of the OAuth client.

You can tell whether the command fails by adding the –verbose option to the command.

$ datasphere config cache init --verbose
GET https://some.tenant.eu10.hcs.cloud.sap/dwaas-core/api/v1/discovery
Request failed with 401 Unauthorized
Correlation ID 6ae2b9b1-664d-4c56-4779-55aa8cf44018
POST https://some.different.tenant.authentication.eu10.hana.ondemand.com/oauth/token
200 OK
Correlation ID dbe84b0f-6675-4e51-56ba-88f147c94802
GET https://some.tenant.eu10.hcs.cloud.sap/dwaas-core/api/v1/discovery
Request failed with 401 Unauthorized
Correlation ID f83062ce-5595-4857-4943-0c59b5976b6f
Failed to initialize the local CLI cache

Code Sample 5 – Requests sent to two different hosts

In Code Sample 4 you can see that the initial request is sent to tenant some.tenant, but because the login information point to a different tenant some.different.tenant than the tenant some.tenant configured globally, the returned access token is rejected by some.tenant.

To solve this issue, check the maintained host and stored secrets to authenticate and compare the URLs. They both should point to the same SAP Datasphere tenant.

$ datasphere config host show
https://your-datasphere-tenant.eu10.hcs.cloud.sap/

Code Sample 6 – Configured host

$ datasphere config secrets show
{
  "client_id": "sb-...",
  "client_secret": "9d27f40a-...",
  "authorization_url": "https://your-datasphere-tenant.authentication.eu10.hana.ondemand.com/oauth/authorize",
  "token_url": "https://your-datasphere-tenant.authentication.eu10.hana.ondemand.com/oauth/token",
  "access_token": "ey...",
  "token_type": "bearer",
  "id_token": "ey...",
  "refresh_token": "ba...",
  "expires_in": 3599,
  "scope": "open...",
  "jti": "4d...",
  "expires_after": 1688147408
}

Code Sample 7 – Locally stored login information

Make sure that the locally configured host URL matches the authorization and token URL. Otherwise, you receive a 401 Unauthorized response because the access token generated for tenant A cannot be used for tenant B.

datasphere login command does no action

When you run datasphere login, the CLi completes the command immediately and does not ask for client ID or client secret. When you provide a secrets file using the –secrets-file option, the CLI does not open the browser window.

$ datasphere login

Code Sample 8- The datasphere login command does no action

You are already logged in. Run the datasphere logout command first, then run the datasphere login command again.

$ datasphere logout
$ datasphere login
✔ Please enter your client ID: … abc...
✔ Please enter your client secret: … ********************************************
✔ Please enter your authorization URL: … https://...
✔ Please enter your token URL: … https://...

Code Sample 9 – Log out first, then log in

Conclusion

Facing any troubles or issues when using @sap/datasphere-cli? Let me know in the comments and we can figure it out together! Any questions you have around @sap/datasphere-cli which are not yet covered by the official documentation on help.sap.com or in the package README? Let me know in the comments, too! 

I’d be happy to hear your thoughts, ideas, and comments on this tool and what you think would be a nice-to-have enhancement to the CLI, making your life and work with SAP Datasphere easier. Let me know in the comments!

Further Reading

Command-Line Interface for SAP Datasphere on npmjs.com

Command-Line Interface for SAP Datasphere on SAP Help