Enable debugging for user authentication issues
Enable debugging for platform-auth-service Liberty to get trace logs for debugging user authentication issues.
Enable debug logs by using oc commands
Complete these steps to enable debug logging of auth-idp container pods by using the command-line interface:
-
Update the
platform-auth-idpconfigmap. Then, save it.oc edit cm platform-auth-idp -n <your-common-services-namespace>LIBERTY_DEBUG_ENABLED: "false" << true LOG_LEVEL_AUTHSVC: info << debug LOG_LEVEL_IDMGMT: info << debug LOG_LEVEL_IDPROVIDER: info << debug -
Restart the
auth-idppod by deleting the pod.oc delete pod -l k8s-app=auth-idp -n <your-common-services-namespace> -
Wait for all 4 container pods to start.
oc get pods -l k8s-app=auth-idp -n <your-common-services-namespace>
Enable debug logs by using the the OpenShift Container Platform console
Complete these steps to enable debug logging of auth-idp container pods by using the OpenShift Container Platform console:
-
Log in to the OpenShift Container Platform console as a user with cluster administrator access.
-
From the navigation menu, click Configuration > ConfigMaps.
-
Search for
platform-auth-idp. -
Click ... > Edit.
-
Change the
LOG_LEVEL_IDPROVIDER,LOG_LEVEL_AUTHSVC,LOG_LEVEL_IDMGMTparameter values todebug.LIBERTY_DEBUG_ENABLED: "false" << true LOG_LEVEL_AUTHSVC: info << debug LOG_LEVEL_IDMGMT: info << debug LOG_LEVEL_IDPROVIDER: info << debug -
Click Submit.
-
From the navigation menu, click Workloads > Pods.
-
Locate
auth-idpand delete it. -
Click ... > Actions > Delete pod.
-
Wait for some time. Then, check the status of the
auth-idppods on the Pods pane. The status of all the pods must show as4/4under the Ready field name.
Collect auth-idp pod logs and liberty container logs
After you enable debugging, re-create the issue and collect debug logs. Then, share all the auth-idp pod logs with the support team.
The following cat MG-IDP-log.sh script helps to collect the container and liberty logs of multiple auth-idp pods.
Note: Before you run the script, define the NAMESPACE environment variable with the namespace where you deployed foundational services.
#!/bin/bash
export NAMESPACE=ibm-common-services
export AUTHMGDIR=AuthidpLogs-$(date '+%y%b%dT%H-%M-%S')
mkdir -p $AUTHMGDIR
for pod in $(oc -n $NAMESPACE get pods -l component=auth-idp --no-headers -o custom-columns=name:.metadata.name); do
echo "===== $pod ====="
LIBDIR="$AUTHMGDIR/$pod/liberty"
sudo mkdir -p $LIBDIR
# Collect the liberty logs
echo "===== $pod collect liberty logs ====="
oc -n $NAMESPACE cp $pod:/logs -c platform-auth-service $LIBDIR/logs
echo "===== $pod collect liberty configuration ====="
oc -n $NAMESPACE cp $pod:/opt/ibm/wlp/usr/servers/defaultServer/ -c platform-auth-service $LIBDIR/defaultserver
#collect the idp container logs
echo "===== $pod collect container logs ====="
oc get pods -l component=auth-idp -n $NAMESPACE -o go-template='{{range $i := .items}}{{range $c := $i.spec.containers}}{{println $i.metadata.name $c.name}}{{end}}{{end}}' > $AUTHMGDIR/$pod/container-list.txt
awk '{print "oc -n $NAMESPACE logs "$1" -c "$2" -p > $AUTHMGDIR/$pod/"$1"_"$2"_previous.log && echo gathered previous logs of "$1"_"$2}' $AUTHMGDIR/$pod/container-list.txt | bash
awk '{print "oc -n $NAMESPACE logs "$1" -c "$2" > $AUTHMGDIR/$pod/"$1"_"$2".log && echo gathered logs of "$1"_"$2}' $AUTHMGDIR/$pod/container-list.txt | bash
done
echo;echo
echo "===== tar czf $AUTHMGDIR.tgz $AUTHMGDIR and send the file for analysis ----"
echo;echo
Send the logs to the support team
Complete these tasks after you collect the logs:
- Compress the logs and send them to support for analysis.
tar czf $AUTHMGDIR.tgz $AUTHMGDIR
Note: When debug logging is enabled, excess logs are generated, which might affect the container resources. After you collect the debug logs, revert the log level values by editing the settings in the platform-auth-idp configmap. For the previous log level values, see parameter values.