Debug Authentication Errors with CSI Tool

Use the CSI tool to debug authentication failures and validate your security configuration outside the SAP Mobile Platform environment.

To debug authentication failures:

1. Copy these files from the SAP Mobile Platform installation directory, SMP_HOME\Servers\UnwiredServer\lib\ext, to a separate, temporary directory:

   • csi-core.jar
   • csi-tool.jar
   • csi-provider_referenced_in_the_configuration_file.jar, such as csi-ldap.jar, or csi-http.jar
2. Perform additional configuration tasks, in preparation for testing, using these guidelines:

   1. The csibootstrap.properties file from Repository/conf must be referenced from the command line, when a configuration file contains encrypted properties. The same directory that contains the csibootstrap.properties file, must contain the keystore referenced in the bootstrap file, if a relative path is used to reference it in the bootstrap file. Therefore, you must also copy these files from SMP_HOME\Servers\UnwiredServer\Repository\CSI to the temporary directory:

      • csibootstrap.properties
      • csikeystore.jceks

   2. Delete any references to SUP-specific providers, including SUPAuthorizer, SUPAttributer, and SUPHttpPropertiesRetrieverLoginModule, from the copied configuration files.

   3. Add dependencies for a specific provider to the CLASSPATH. For example, for HttpAuthLoginModule the dependencies are httpClient, commons codec (wrapped in sup-server.jar) and commons logging (httpclient dependency):

      java -Dcom.sybase.security.BootstrapConfigurationFile="absolute_path_to_the_csibootstrap.properties" -cp csi-tool.jar;csi-core.jar;csi-http.jar;sup-server.jar;commons-logging-1.1.1.jar
      -Djava.util.logging.config.file=logging.properties com.sybase.security.tools.CSILauncher csi.diag.authenticate --USERNAME "test_user" --PASSWORD "test_password" --CONFIG_FILE "absolute_path_of_the_configuration_xml_file"
      

   4. The csi.diag.authenticate task initializes the PasswordCallback to allow the password to be retrieved only once. The configuration file being tested can only contain one login module; if more than one provider is stacked, the rest of the providers cannot get the password. Therefore, include only the login module that is causing the authentication failure in the configuration to troubleshoot the root cause.

3. Execute the CSI tool command from the separate directory.
4. When the authentication fails, review the log output to troubleshoot the authentication failure.

CSI uses Java logging API. The following example shows how to configure logging.properties to obtain FINEST level log messages from the classes in the com.sybase.security.ldap package while setting the log level for rest of the CSI classes to INFO. Use this configuration to debug authentication failures with LDAP providers. You can also use this configuration to debug errors encountered when looking up user roles from the LDAP repository. The value debug.log for the property java.util.logging.FileHandler.pattern should be the path to the log file.

java -Djava.util.logging.config.file=logging.properties -jar csi-tool.jar csi.diag.authenticate --USERNAME "test_username" --PASSWORD "test_password" 
--CONFIG_FILE "absolute_path_of_the_configuration_xml_file"

Where logging.properties contains the following:

handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
.level=INFO
com.sybase.security.ldap.level=FINEST 
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
java.util.logging.FileHandler.level=FINEST
java.util.logging.FileHandler.pattern=debug.log 

CSI uses the Java logging API. For more information refer to Java logging configuration information at http://docs.oracle.com/javase/6/docs/technotes/guides/logging/index.html.