Enabling debugging for user authentication issues

Enable debugging for platform-auth-service Liberty to get trace logs for debugging user authentication issues.

Enable debug logs by using oc commands

Complete these steps to enable debug logging of platform-auth-service container pods by using the command-line interface:

  1. Update the platform-auth-idp configmap. Then, save it.

    Substitute your IBM Cloud Pak® foundational services namespace and run the following patch commands:

    oc project <your-foundational-services-namespace>  
    oc patch cm platform-auth-idp --type merge -p '{"data":{"LIBERTY_DEBUG_ENABLED":"true"}}'
    oc patch cm platform-auth-idp --type merge -p '{"data":{"LOG_LEVEL_AUTHSVC":"debug"}}'
    oc patch cm platform-auth-idp --type merge -p '{"data":{"LOG_LEVEL_IDMGMT":"debug"}}'
    oc patch cm platform-auth-idp --type merge -p '{"data":{"LOG_LEVEL_IDPROVIDER":"debug"}}'
    

    Or edit with the following command:

    oc edit cm platform-auth-idp -n <your-foundational-services-namespace>
    
    LIBERTY_DEBUG_ENABLED: "false"   << true
    LOG_LEVEL_AUTHSVC: info    << debug
    LOG_LEVEL_IDMGMT: info     << debug
    LOG_LEVEL_IDPROVIDER: info  << debug
    

    See the following notes:

    • <your-foundational-services-namespace> is the namespace where the platform-auth-service pods are deployed.
    • LIBERTY_DEBUG_ENABLED, when set to "true", sets the Liberty container trace specification to traceSpecification="com.ibm.ws.webcontainer*=all:com.ibm.wsspi.webcontainer*=all:HTTPChannel=all:GenericBNF=all:HTTPDispatcher=all".
    • The LOG_LEVEL value for each pod can be changed from "info" to "debug":
      • LOG_LEVEL_AUTHSVC is for the platform-auth-service pod
      • LOG_LEVEL_IDMGMT is for the platform-identity-management pod
      • LOG_LEVEL_IDPROVIDER is for the platform-identity-provider pod
  2. Restart the platform-auth-service, platform-identity-management, and platform-identity-provider pods one at a time by deleting each pod. Wait for the pod to restart before you delete the next pod.

    1. Delete the pod.
      oc delete pod -l app=platform-identity-management
      oc delete pod -l app=platform-auth-service
      oc delete pod -l app=platform-identity-provider
      
    2. Check the pod status.
      oc get pods -A | grep platform
      
  3. Wait for all containers and pods to start.

    watch "oc get pods -n <your-foundational-services-namespace> | grep platform"
    

Enable debug mode in user management pods

If the IBM Cloud Pak® uses Zen or the CPD console, enable debugging for the usermgmt pods.

Run the following command to enable debug mode:

    oc set env deployment/usermgmt LOG_LEVEL=debug

For more information, see Enable debug mode in user management pods.

Enable debug logs by using the Red Hat® OpenShift® Container Platform console

Complete these steps to enable debug logging of identity management pods by using the Red Hat® OpenShift® Container Platform console:

  1. Log in to the Red Hat® OpenShift® Container Platform console as a user with cluster administrator access.

  2. From the navigation menu, click Configuration > ConfigMaps.

  3. Search for platform-auth-idp, and select the configmap.

  4. Click the YAML edit tab to open the configmap for editing.

  5. Search for LIBERTY_DEBUG and update LIBERTY_DEBUG_ENABLED: "false" to LIBERTY_DEBUG_ENABLED: "true".

  6. Change the log levels of LOG_LEVEL_IDPROVIDER, LOG_LEVEL_AUTHSVC, and LOG_LEVEL_IDMGMT from "info" to "debug".

    LIBERTY_DEBUG_ENABLED: "false"     << true
    LOG_LEVEL_AUTHSVC: info            << debug
    LOG_LEVEL_IDMGMT: info             << debug
    LOG_LEVEL_IDPROVIDER: info         << debug
    
  7. Click Save.

  8. From the navigation menu, click Workloads > Pods.

  9. Delete the platform-auth-service, platform-identity-management, and platform-identity-provider pods to restart them. Delete the pods by clicking ... > Actions > Delete pod.

  10. Wait for some time. Then, check the status of the pods on the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Collect identity management pod and Liberty container logs, and foundational services configuration information

After you enable debugging, re-create the issue and collect debug logs.

  1. Use the following cs_im_mustgather.sh script to generate the logs archive with the container logs, Liberty logs, and foundational services configuration information. The script generates a .tgz file.

    wget https://raw.githubusercontent.com/IBM/ibm-common-service-operator/scripts/must-gather/cs_im_mustgather.sh
    chmod +x cs_im_mustgather.sh
    ./cs_im_mustgather.sh

    • If you are unable to use the wget command to download the file, copy the script from cs_im_mustgather.sh.
  2. Share the .tgz file with support for analysis.

Note: When debug logging is enabled, excess logs are generated, which might affect the container resources. After you collect the debug logs, revert the log level values by editing the settings in the platform-auth-idp configmap. For the previous log level values, see parameter values.
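
The CLI procedure and the revert note above, combined into one script as an added example (not IBM's code and not part of cs_im_mustgather.sh): it prints the current values, applies a single merge patch, and restarts the three pods one at a time, waiting for each replacement to become Ready. It assumes oc is already logged in with the foundational services namespace as the current project and that info and "false" are the values to restore; the OC variable is a hypothetical dry-run hook.

```shell
#!/bin/sh
# Added example, not IBM's script. Assumes oc is logged in and the current
# project is the foundational services namespace (oc project <namespace>).
OC="${OC:-oc}"   # hypothetical override hook so the flow can be dry-run
CM=platform-auth-idp
# Restart order taken from the page's delete commands.
APPS="platform-identity-management platform-auth-service platform-identity-provider"

# Emit one merge patch for all four keys. $1 is the log level: debug or info.
build_patch() {
  case "$1" in
    debug) liberty=true ;;
    info)  liberty=false ;;
    *) echo "level must be debug or info" >&2; return 1 ;;
  esac
  printf '{"data":{"LIBERTY_DEBUG_ENABLED":"%s","LOG_LEVEL_AUTHSVC":"%s",' "$liberty" "$1"
  printf '"LOG_LEVEL_IDMGMT":"%s","LOG_LEVEL_IDPROVIDER":"%s"}}' "$1" "$1"
}

# Print the four current values so the pre-change state is on record.
show_levels() {
  for key in LIBERTY_DEBUG_ENABLED LOG_LEVEL_AUTHSVC LOG_LEVEL_IDMGMT LOG_LEVEL_IDPROVIDER; do
    printf '%s=%s\n' "$key" "$($OC get cm "$CM" -o "jsonpath={.data.$key}")"
  done
}

# Delete one app's pod, then block until its replacement is Ready before moving on.
restart_pods() {
  for app in $APPS; do
    $OC delete pod -l "app=$app" || return 1
    $OC wait --for=condition=Ready pod -l "app=$app" --timeout=600s || return 1
  done
}

# Apply the level and restart; refuses anything other than debug or info.
set_level() {
  patch=$(build_patch "$1") || return 1
  show_levels
  $OC patch cm "$CM" --type merge -p "$patch" || return 1
  restart_pods
}

case "${1:-}" in
  enable) set_level debug ;;
  revert) set_level info ;;   # assumed pre-change values: info and "false", as shown on this page
esac
```

Run it with `enable` before re-creating the issue and with `revert` after the logs are collected; if your configmap held other values beforehand, restore those from the printed record instead.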