Enable debugging for user authentication issues
Enable debugging for platform-auth-service Liberty to get trace logs for debugging user authentication issues.
Enable debug logs by using oc commands
Complete these steps to enable debug logging of platform-auth-service container pods by using the command-line interface:
- Update the platform-auth-idp configmap. Then, save it.

    oc edit cm platform-auth-idp -n <your-foundational-services-namespace>

    LIBERTY_DEBUG_ENABLED: "false" << true
    LOG_LEVEL_AUTHSVC: info << debug
    LOG_LEVEL_IDMGMT: info << debug
    LOG_LEVEL_IDPROVIDER: info << debug

  See the following notes:
  - <your-foundational-services-namespace> is the namespace where the platform-auth-service pods are deployed.
  - LIBERTY_DEBUG_ENABLED, when set to "true", sets the Liberty container trace string to traceSpecification="com.ibm.ws.webcontainer=all:com.ibm.wsspi.webcontainer=all:HTTPChannel=all:GenericBNF=all:HTTPDispatcher=all".
  - LOG_LEVEL for the pods can be changed from "info" to "debug":
    - LOG_LEVEL_AUTHSVC is for the platform-auth-service pod
    - LOG_LEVEL_IDMGMT is for the platform-identity-management pod
    - LOG_LEVEL_IDPROVIDER is for the platform-identity-provider pod
- Restart the platform-auth-service, platform-identity-management, and platform-identity-provider pod one at a time by deleting the pod. Wait for the pod to restart before you delete the next pod.
  - Delete the pod.

      oc delete pod -l component=<pod-name> -n <your-foundational-services-namespace>

  - Check the pod status.

      oc get pods -A | grep platform

- Wait for all containers and pods to start.

    watch "oc get pods -n <your-foundational-services-namespace> | grep platform"
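The CLI procedure above, scripted end to end so that the same tool can also revert the settings and confirm that no key is left at a debug value. This is an added example, not part of IBM's documentation or tooling. It assumes that the component=<name> label selects each of the three pods, that the previous values were "false" and info as shown above, and that NAMESPACE is exported; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not IBM's script): toggle the four debug settings in the
# platform-auth-idp configmap and restart the three pods one at a time.
# Assumption: NAMESPACE is exported; the default matches the collection script.
NS="${NAMESPACE:-ibm-common-services}"
COMPONENTS="platform-auth-service platform-identity-management platform-identity-provider"
KEYS="LIBERTY_DEBUG_ENABLED LOG_LEVEL_AUTHSVC LOG_LEVEL_IDMGMT LOG_LEVEL_IDPROVIDER"

# Print the merge patch for the requested mode: "debug" or "info".
build_patch() {
  case "$1" in
    debug) liberty=true;  level=debug ;;
    info)  liberty=false; level=info ;;
    *) echo "usage: build_patch debug|info" >&2; return 2 ;;
  esac
  printf '{"data":{"LIBERTY_DEBUG_ENABLED":"%s","LOG_LEVEL_AUTHSVC":"%s",' "$liberty" "$level"
  printf '"LOG_LEVEL_IDMGMT":"%s","LOG_LEVEL_IDPROVIDER":"%s"}}' "$level" "$level"
}

# Delete each component's pod in turn and wait for its replacement to be Ready.
restart_one_at_a_time() {
  for c in $COMPONENTS; do
    oc delete pod -l "component=$c" -n "$NS" || return 1
    tries=0  # the new pod may not exist yet right after the delete, so retry
    until oc wait pod -l "component=$c" -n "$NS" --for=condition=Ready --timeout=120s; do
      tries=$((tries + 1))
      if [ "$tries" -ge 5 ]; then echo "$c did not become Ready" >&2; return 1; fi
      sleep 10
    done
  done
}

# Apply the patch, then roll the pods. $1 = debug | info
set_debug() {
  patch=$(build_patch "$1") || return 2
  oc patch cm platform-auth-idp -n "$NS" --type merge -p "$patch" && restart_one_at_a_time
}

# Print each key still at a debug value; no output means fully reverted.
debug_keys_still_on() {
  for key in $KEYS; do
    value=$(oc get cm platform-auth-idp -n "$NS" -o "jsonpath={.data.$key}")
    case "$value" in true|debug) echo "$key=$value" ;; esac
  done
}

# Run only when given a mode, e.g. ./auth-debug.sh debug  or  ./auth-debug.sh info
if [ $# -gt 0 ]; then set_debug "$1"; fi
```

Run it with debug before you re-create the issue and with info after the logs are collected; debug_keys_still_on can then be called to confirm that nothing was left enabled.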
Enable debug logs by using the OpenShift Container Platform console
Complete these steps to enable debug logging of identity management pods by using the OpenShift Container Platform console:
- Log in to the OpenShift Container Platform console as a user with cluster administrator access.
- From the navigation menu, click Configuration > ConfigMaps.
- Search for platform-auth-idp, and select the configmap.
- Click the YAML edit tab to open the configmap for editing.
- Search for LIBERTY_DEBUG and update LIBERTY_DEBUG_ENABLED: "false" to LIBERTY_DEBUG_ENABLED: "true".
- Change the log levels of LOG_LEVEL_IDPROVIDER, LOG_LEVEL_AUTHSVC, and LOG_LEVEL_IDMGMT from "info" to "debug".

    LIBERTY_DEBUG_ENABLED: "false" << true
    LOG_LEVEL_AUTHSVC: info << debug
    LOG_LEVEL_IDMGMT: info << debug
    LOG_LEVEL_IDPROVIDER: info << debug

- Click Save.
- From the navigation menu, click Workloads > Pods.
- Delete the platform-auth-service, platform-identity-management, and platform-identity-provider pods to restart them. Delete the pods by clicking ... > Actions > Delete pod.
- Wait for some time. Then, check the status of the pods on the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.
Collect identity management pod and liberty container logs, and foundational services configuration information
After you enable debugging, re-create the issue and collect debug logs. Then, share all the platform-auth-service pod logs with the support team.
The following MG-IAM-CSv4.sh script helps to collect the container and Liberty logs, and foundational services configuration information.
Note: Before you run the script, define the NAMESPACE environment variable with the namespace where you deployed foundational services.
#!/bin/bash
######################################################################################
# Replace the NAMESPACE where platform-auth-service pods are running
# Collects description and container logs for all pods under the namespace
# Collects the Liberty FFDC, logs, and default LDAP configuration from the platform-auth-service container
# For the latest script Source https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.2?topic=ldap-enable-debugging-user-authentication-issues
######################################################################################
# export LOGLIMIT="--tail=10000" # uncomment if you experience problems collecting large files
# Use NAMESPACE from the environment when it is defined; otherwise use the default.
export NAMESPACE="${NAMESPACE:-ibm-common-services}"
export AUTHMGDIR="AuthidpLogs-$(date '+%y%b%dT%H-%M-%S')"
mkdir -p "$AUTHMGDIR/$NAMESPACE"
# Copy the Liberty logs and server configuration out of every platform-auth-service pod.
for pod in $(oc -n "$NAMESPACE" get pods -l component=platform-auth-service --no-headers -o custom-columns=name:.metadata.name); do
  echo "===== $pod ====="
  LIBDIR="$AUTHMGDIR/$NAMESPACE/$pod-liberty"
  # Create the directory as the current user (no sudo) so that oc cp can write into it.
  mkdir -p "$LIBDIR"
  echo "$pod collect liberty logs "
  oc -n "$NAMESPACE" cp "$pod:/logs" -c platform-auth-service "$LIBDIR/logs"
  echo "$pod collect liberty configuration ====="
  oc -n "$NAMESPACE" cp "$pod:/opt/ibm/wlp/usr/servers/defaultServer/" -c platform-auth-service "$LIBDIR/defaultserver"
done
echo "gathering info from namespace $NAMESPACE"
# List the resources in the namespace.
oc get all,secrets,cm,events -n "$NAMESPACE" -o wide &> "$AUTHMGDIR/$NAMESPACE/all-list.txt"
# Describe every pod. awk generates one command per pod; the child bash expands the exported variables.
oc get pods -n "$NAMESPACE" | awk 'NR>1{print "oc -n $NAMESPACE describe pod "$1" > $AUTHMGDIR/$NAMESPACE/"$1"-describe.txt && echo described "$1}' | bash
# Build a "pod container" list, then collect the previous and current logs of every container.
oc get pods -n "$NAMESPACE" -o go-template='{{range $i := .items}}{{range $c := $i.spec.containers}}{{println $i.metadata.name $c.name}}{{end}}{{end}}' > "$AUTHMGDIR/$NAMESPACE/container-list.txt"
awk '{print "oc -n $NAMESPACE logs "$1" -c "$2" $LOGLIMIT -p > $AUTHMGDIR/$NAMESPACE/"$1"_"$2"_previous.log && echo gathered previous logs of "$1"_"$2}' "$AUTHMGDIR/$NAMESPACE/container-list.txt" | bash
awk '{print "oc -n $NAMESPACE logs "$1" -c "$2" $LOGLIMIT > $AUTHMGDIR/$NAMESPACE/"$1"_"$2".log && echo gathered logs of "$1"_"$2}' "$AUTHMGDIR/$NAMESPACE/container-list.txt" | bash
echo;echo
echo Replace case number TS123456
tar czf "CaseTS123456-$AUTHMGDIR.tgz" "$AUTHMGDIR/"
Send the logs to the support team
Complete these tasks after you collect the logs:
- Compress the logs and send them to support for analysis.

    tar czf $AUTHMGDIR.tgz $AUTHMGDIR

Note: When debug logging is enabled, excess logs are generated, which might affect the container resources. After you collect the debug logs, revert the log level values by editing the settings in the platform-auth-idp configmap. For the previous log level values, see parameter values.