Enable debugging for user authentication issues

Enable debugging for platform-auth-service Liberty to get trace logs for debugging user authentication issues.

Enable debug logs by using oc commands

Complete these steps to enable debug logging of platform-auth-service container pods by using the command-line interface:

  1. Update the platform-auth-idp configmap. Then, save it.

    oc edit cm platform-auth-idp -n <your-foundational-services-namespace>
    
    LIBERTY_DEBUG_ENABLED: "false"   << true
    LOG_LEVEL_AUTHSVC: info    << debug
    LOG_LEVEL_IDMGMT: info     << debug
    LOG_LEVEL_IDPROVIDER: info  << debug
    

    See the following notes:

    • <your-foundational-service-namespace> is the namespace where the platform-auth-service pods are deployed.
    • LIBERTY_DEBUG_ENABLED when set to "true", enables the liberty container trace string to traceSpecification="com.ibm.ws.webcontainer=all:com.ibm.wsspi.webcontainer=all:HTTPChannel=all:GenericBNF=all:HTTPDispatcher=all".
    • LOG_LEVEL for the pods can be changed from "info" to "debug"
      • LOG_LEVEL_AUTHSVC is for the platform-auth-service pod
      • LOG_LEVEL_IDMGMT is for the platform-identity-management pod
      • LOG_LEVEL_IDPROVIDER is for the platform-identity-provider pod
  2. Restart the platform-auth-service, platform-identity-management, and platform-identity-provider pod one at a time by deleting the pod. Wait for the pod to restart before you delete the next pod.

    1. Delete the pod.
      oc delete pod -l component=<pod-name> -n <your-foundational-services-namespace>
      
    2. Check the pod status.
      oc get pods -A | grep platform
      
  3. Wait for all containers and pods to start.

    watch "oc get pods -n <your-foundational-services-namespace> | grep platform"
    

Enable debug logs by using the OpenShift Container Platform console

Complete these steps to enable debug logging of identity management pods by using the OpenShift Container Platform console:

  1. Log in to the OpenShift Container Platform console as a user with cluster administrator access.

  2. From the navigation menu, click Configuration > ConfigMaps.

  3. Search for platform-auth-idp, and select the configmap.

  4. Click the YAML edit tab to open the configmap for editing.

  5. Search for LIBERTY_DEBUG and update LIBERTY_DEBUG_ENABLED: "false" to LIBERTY_DEBUG_ENABLED: "true".

  6. Change the log levels of LOG_LEVEL_IDPROVIDER,LOG_LEVEL_AUTHSVC,LOG_LEVEL_IDMGMTfrom"info"to"debug"`.

    LIBERTY_DEBUG_ENABLED: "false"     << true
    LOG_LEVEL_AUTHSVC: info            << debug
    LOG_LEVEL_IDMGMT: info             << debug
    LOG_LEVEL_IDPROVIDER: info         << debug
    
  7. Click Save.

  8. From the navigation menu, click Workloads > Pods.

  9. Delete the platform-auth-service, platform-identity-management, and platform-identity-provider pods to restart them. Delete the pods by clicking ... > Actions > Delete pod.

  10. Wait for some time. Then, check the status of the pods on the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Collect identity management pod and liberty container logs, and foundational services configuration information

After you enable debugging, re-create the issue and collect debug logs. Then, share all the platform-auth-service pod logs with the support team.

The following MG-IAM-CSv4.sh script helps to collect the container and liberty logs, and foundational services configuration information.

Note: Before you run the script, define the NAMESPACE environment variable with the namespace where you deployed foundational services.

#!/bin/bash
######################################################################################
#Replace the NAMESPACE where platform-auth-service pods are running
#Collects description and container logs for all pods under the namespace
#Collect the liberty FFDC, logs, and default LDAP configuration from platform-auth-service container
#For the latest script Source  https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.2?topic=ldap-enable-debugging-user-authentication-issues
###############################################################################################
# export LOGLIMIT="--tail=10000" # uncomment if you experience problems collecting large files
export NAMESPACE=ibm-common-services
export AUTHMGDIR=AuthidpLogs-$(date '+%y%b%dT%H-%M-%S')
mkdir -p $AUTHMGDIR/$NAMESPACE

for pod in $(oc -n $NAMESPACE get pods -l component=platform-auth-service --no-headers -o custom-columns=name:.metadata.name); do
  echo "===== $pod ====="
  LIBDIR="$AUTHMGDIR/$NAMESPACE/$pod-liberty"
  sudo mkdir -p $LIBDIR
  echo "$pod collect liberty logs "
  oc -n $NAMESPACE cp $pod:/logs -c platform-auth-service $LIBDIR/logs
  echo "$pod collect liberty configuration  ====="
  oc -n $NAMESPACE cp $pod:/opt/ibm/wlp/usr/servers/defaultServer/ -c platform-auth-service $LIBDIR/defaultserver
done

echo gathering info from namespace $NAMESPACE
oc get all,secrets,cm,events -n $NAMESPACE -o wide &> $AUTHMGDIR/$NAMESPACE/all-list.txt
oc get pods -n $NAMESPACE | awk 'NR>1{print "oc -n $NAMESPACE describe pod "$1" > $AUTHMGDIR/$NAMESPACE/"$1"-describe.txt && echo described "$1}' | bash
oc get pods -n $NAMESPACE -o go-template='{{range $i := .items}}{{range $c := $i.spec.containers}}{{println $i.metadata.name $c.name}}{{end}}{{end}}' > $AUTHMGDIR/$NAMESPACE/container-list.txt
awk '{print "oc -n $NAMESPACE logs "$1" -c "$2" $LOGLIMIT -p > $AUTHMGDIR/$NAMESPACE/"$1"_"$2"_previous.log && echo gathered previous logs of "$1"_"$2}' $AUTHMGDIR/$NAMESPACE/container-list.txt | bash
awk '{print "oc -n $NAMESPACE logs "$1" -c "$2" $LOGLIMIT > $AUTHMGDIR/$NAMESPACE/"$1"_"$2".log && echo gathered logs of "$1"_"$2}' $AUTHMGDIR/$NAMESPACE/container-list.txt | bash
echo;echo
echo Replace case number TS123456
tar czf CaseTS123456-$AUTHMGDIR.tgz $AUTHMGDIR/

Send the logs to the support team

Complete these tasks after you collect the logs:

Note: When debug logging is enabled, excess logs are generated, which might affect the container resources. After you collect the debug logs, revert the log level values by editing the settings in the platform-auth-idp configmap. For the previous log level values, see parameter values.