Debugging Authentication Errors with CSI Tool

Use the CSI tool to debug security profile errors that are encountered during user authentication.

Use the CSI tool to debug authentication failures and validate your security configuration outside the SAP Mobile Platform environment.

  1. Copy these files to a separate, temporary directory:
    • csi-core.jar, found in SMP_HOME\Server\tools\csi.
    • The security profile XML file, along with the corresponding role mapping file, found in SMP_HOME\Server\configuration\com.sap.mobile.platform.server.security\CSI.
  2. Execute the CSI tool command from the separate temporary directory, specifying the following options:
    • com.sap.security.BootstrapConfigurationFile - required when the configuration file contains encrypted properties. The directory that contains the csibootstrap.properties file must also contain the keystore referenced in the bootstrap file, because a relative path is used to resolve the reference to it.
    • classpath - should include csi-tool.jar in the temporary directory as well as the contents of the SMP_HOME/Server/plugins directory.
    Example (entered as a single line):
    java -Dcom.sap.security.BootstrapConfigurationFile="C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\csibootstrap.properties" -cp csi-tool.jar;C:\SAP\MobilePlatform3\Server\plugins\* -Djava.util.logging.config.file=logging.properties com.sap.security.tools.CSILauncher csi.diag.authenticate --USERNAME "smpAdmin" --PASSWORD "s3pAdmin" --CONFIG_FILE C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI\admin.xml
  3. Review the log output to troubleshoot the authentication failure.

CSI uses the Java logging API. The following example shows how to configure logging.properties to obtain FINEST level log messages from the classes in the com.sap.security.ldap package while setting the log level for the rest of the CSI classes to INFO. Use this configuration to debug authentication failures with LDAP providers, or to debug errors encountered when looking up user roles from the LDAP repository. The value of the java.util.logging.FileHandler.pattern property (debug.log in this example) should be the path to the log file.

java -Djava.util.logging.config.file=logging.properties -jar csi-tool.jar csi.diag.authenticate --USERNAME "test_username" --PASSWORD "test_password" --CONFIG_FILE "absolute_path_of_the_configuration_xml_file"

where logging.properties contains:

handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
.level=INFO
com.sap.security.ldap.level=FINEST
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
java.util.logging.FileHandler.level=FINEST
java.util.logging.FileHandler.pattern=debug.log
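
The following added example (not from SAP's documentation or the JDK) models how java.util.logging filters a record, first by logger level and then by each handler's level, to show which handler receives a given message under the settings above. It models only the two handlers used on this page; the function names are this example's own.

```python
# Added example (not SAP or JDK code): models how java.util.logging filters a
# record, first by logger level, then by each handler's level.
LEVELS = {"OFF": 2**31 - 1, "SEVERE": 1000, "WARNING": 900, "INFO": 800,
          "CONFIG": 700, "FINE": 500, "FINER": 400, "FINEST": 300, "ALL": -2**31}
# JDK defaults when <handler>.level is not set; only these two are modelled.
HANDLER_DEFAULT = {"java.util.logging.ConsoleHandler": "INFO",
                   "java.util.logging.FileHandler": "ALL"}

# The settings from this page, one property per line.
PAGE_CONFIG = """\
handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
.level=INFO
com.sap.security.ldap.level=FINEST
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
java.util.logging.FileHandler.level=FINEST
java.util.logging.FileHandler.pattern=debug.log
"""

def parse(text):
    """Read key=value lines (no escapes or line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def handlers(props):
    """The handlers property is a comma- or whitespace-separated class list."""
    return props.get("handlers", "").replace(",", " ").split()

def logger_level(props, logger):
    """A logger without its own level inherits the nearest ancestor's."""
    while logger:
        if logger + ".level" in props:
            return props[logger + ".level"]
        logger = logger.rpartition(".")[0]
    return props.get(".level", "INFO")

def destinations(props, logger, level):
    """Modelled handlers that would publish a `level` record from `logger`."""
    if LEVELS[level] < LEVELS[logger_level(props, logger)]:
        return []
    return [h for h in handlers(props) if h in HANDLER_DEFAULT and
            LEVELS[level] >= LEVELS[props.get(h + ".level", HANDLER_DEFAULT[h])]]

def unknown_handlers(props):
    """Entries that are not a modelled handler class, e.g. two lines run together."""
    return [h for h in handlers(props) if h not in HANDLER_DEFAULT]
```

With these settings, FINEST records from com.sap.security.ldap reach only the FileHandler, because ConsoleHandler defaults to INFO; the LDAP detail is therefore in debug.log, not on the console. A non-empty result from unknown_handlers points to a malformed handlers line, in which case the file handler is never created.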