Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
0 Kudos

Debugging Authentication Errors with CSI Tool

This blog describes the use of CSITool to debug errors that are encountered during user authentication in SAP Mobile Platform Server (SMP).

Specifically it describes how to use the CSITool to debug authentication failures for security profiles that contain LDAP Authentication provider. The use of CSITool allows you to invoke the same authentication framework used in SMP but in a stand alone manner in order to easily identify the root cause of the authentication failures.

Following are the steps to execute CSITool to debug LDAP provider outside SMP server:

  1. Create a test directory on the host where SMP server is installed, for example, C:\test.

  2. Copy the following files to the test directory. The security profile to be used is denoted as <test_config>. Please replace it with the security profile name you wish to use for authentication.

    • and csikeystore.jceks from the <SMP_HOME>\Server\configuration\ directory.

    • <test_config>.xml and <test_config>-role-mapping.xml from the <SMP_HOME>\Server\configuration\\CSI directory.

    • csi-tool.jar from the <SMP_HOME>\Server\tools\csi directory.

    •*.jar from the <SMP_HOME>\Server\plugins directory.

  3. Add the jar files to the CLASSPATH.

  4. (SAP Mobile Platform 3.0 SP08 and later) Copy csi-xml-*.jar from the <SMP_HOME>\Server\lib directory to the test directory, and add it to the CLASSPATH.

  5. Open the <test_config>.xml file, and set the value of RoleMapFile to <test_config>-role-mapping.xml (i.e., remove the path to the SMP, refer to the file in current dir). Save and close the file.

  6. CSI framework uses Java logging API. The following example shows how to configure to obtain FINEST level log messages from the classes in the package while setting the log level for the rest of the framework classes to INFO. Use this configuration to debug authentication failures with LDAP providers. The value of debug.log for the java.util.logging.FileHandler.pattern property should be the path to the log file.Create a file “” in test dir with the following content:





  7. In the test directory, run the following command after replacing the full name of the csi-xml and ldap-osgi jar files from your installation (should include the exact filename with the version string) and replacing the <testuser>/<testuserpassword> with the ldap user credentials. Review the log output to troubleshoot the authentication failure.

java"C:\test\" -cp "csi-tool.jar;csi-xml-*.jar;*.jar;C:\SAP\MobilePlatform3\Server\plugins\*" csi.diag.authenticate --USERNAME "<testuser>" --PASSWORD "<testuserpassword>” --CONFIG_FILE C:\test\<test_config>.xml

Alternatively, one can also use a response file to collect the inputs to the tool and specify the file on the command line like:
java"C:\test\" -cp "csi-tool.jar;csi-xml-*.jar;*.jar;C:\SAP\MobilePlatform3\Server\plugins\*" csi.diag.authenticate

where the file in c:\test dir is a java properties file that has the following content (do not include the values in double quotes)


NOTE: Remember to enable LDAP connection tracing in the configuration properties to capture the communication between the LDAP provider and the LDAP server. This will help you collect the ber traces that shed light on the request/responses.