Troubleshooting

If you are experiencing problems with the IBM Security Verify Access OIDC Provider (ISVAOP), follow these steps to troubleshoot the problem:

Step 1 : Review the Environment

Always start by reviewing the environment:

  1. Examine the log of the ISVAOP container for applicable error messages;
  2. Review the YAML configuration of the ISVAOP container, ensuring that the configuration semantics and logic are correct.

Step 2 : Enable Tracing

Tracing can be enabled by setting the log level in the provider.yml YAML file.

logging:
  level: finest

By default the log level is set to INFO.

Step 3 : Understand the log format

Once tracing is enabled, the log entries have the following format:

{Container name} | {Time stamp} {Function} {Error(E)/Info(I)/Debug(D)} {Correlation ID} {Message/Stack trace}

The following sample shows the log for a failed client credential flow:

      verify-access-oidc-provider_1           | [08/29/2022 22:53:24.174 UTC] (TokenHandler.HandlerFunc) E     [CORR_ID-57d69ea0-47f7-4bbf-a255-c27b2e869427]  "NewAccessRequest failed: invalid_client"
      verify-access-oidc-provider_1         | [08/29/2022 22:53:24.183 UTC] (TokenHandler.HandlerFunc) E [CORR_ID-57d69ea0-47f7-4bbf-a255-c27b2e869427] "Stack trace: [errors.go:38 client_authentication.go:195 client_authentication.go:78 access_request_handler.go:87 token_handler.go:66 server.go:2047 context_middleware.go:59 server.go:2047 mux.go:210 server.go:3337 asm_amd64.s:1581]"
      verify-access-oidc-provider_1         | [08/29/2022 22:53:24.192 UTC] (api.middleware.ContextMiddleware.HandlerFunc) I [CORR_ID-57d69ea0-47f7-4bbf-a255-c27b2e869427] "[HTTP_RESPONSE_LOG] 172.19.0.7:54820 - - POST /oauth2/token HTTP/1.0 401 70 42.747078ms"

When there is an error in the JavaScript mapping rule, the log indicates the line of code which caused the failure. The log is as follows:

      verify-access-oidc-provider_1           | [08/29/2022 23:51:30.193 UTC] (internal.errors.ParseJSError) E [CORR_ID-a5669a06-4ecf-4789-a621-f5d0434a54b2] "Javascript throw TypeError: stsuu.getPrincipalName12 is not a function\n    at mappingrule/isvaop pretoken.js:3:60"
      verify-access-oidc-provider_1           | [08/29/2022 23:51:30.193 UTC] (internal.javascript.worker.workOnTask) I [CORR_ID-0b5a1b6f-b958-4b77-8aa5-c9a337797ae3] "Encounter error execute script: TypeError: stsuu.getPrincipalName12 is not a function."
      verify-access-oidc-provider_1           | [08/29/2022 23:51:30.194 UTC] (internal.provider.mapper.executeJavascript) E [CORR_ID-a5669a06-4ecf-4789-a621-f5d0434a54b2] "Error executing pre_token javascript: TypeError: stsuu.getPrincipalName12 is not a function"
      verify-access-oidc-provider_1           | [08/29/2022 23:51:30.194 UTC] (TokenHandler.HandlerFunc) E [CORR_ID-a5669a06-4ecf-4789-a621-f5d0434a54b2] "EnrichSession failed: CSIAQ0008E: An unknown internal server error occurred."
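
The following script is an added example, not part of the ISVAOP product or its documentation. It parses lines in the format shown above and groups them by correlation ID so that each failed request can be read as one unit. The regular expressions are assumptions derived from the bracket and quote layout of the sample lines on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# {Container name} | [{Time stamp}] ({Function}) {E/I/D} [{Correlation ID}] "{Message}"
# Layout (brackets, parentheses, quotes) is assumed from the samples on this page.
LINE_RE = re.compile(
    r'^\s*(?P<container>\S+)\s*\|\s*\[(?P<timestamp>[^\]]+)\]\s+'
    r'\((?P<function>[^)]+)\)\s+(?P<level>[EID])\s+'
    r'\[(?P<corr_id>[^\]]+)\]\s+"(?P<message>.*)"\s*$'
)
STATUS_RE = re.compile(r'\[HTTP_RESPONSE_LOG\].* HTTP/\d\.\d (\d{3}) ')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_requests(lines):
    """Group entries by correlation ID and keep only groups containing an E entry."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            groups[entry["corr_id"]].append(entry)
    return {c: e for c, e in groups.items() if any(x["level"] == "E" for x in e)}

def http_status(entries):
    """Return the HTTP status from the group's HTTP_RESPONSE_LOG entry, if present."""
    for entry in entries:
        m = STATUS_RE.search(entry["message"])
        if m:
            return int(m.group(1))
    return None

# Sample lines copied from the log excerpts on this page.
P = "verify-access-oidc-provider_1 | "
SAMPLE = [
    P + '[08/29/2022 22:53:24.174 UTC] (TokenHandler.HandlerFunc) E     [CORR_ID-57d69ea0-47f7-4bbf-a255-c27b2e869427]  "NewAccessRequest failed: invalid_client"',
    P + '[08/29/2022 22:53:24.192 UTC] (api.middleware.ContextMiddleware.HandlerFunc) I [CORR_ID-57d69ea0-47f7-4bbf-a255-c27b2e869427] "[HTTP_RESPONSE_LOG] 172.19.0.7:54820 - - POST /oauth2/token HTTP/1.0 401 70 42.747078ms"',
    P + '[08/29/2022 23:51:30.193 UTC] (internal.javascript.worker.workOnTask) I [CORR_ID-0b5a1b6f-b958-4b77-8aa5-c9a337797ae3] "Encounter error execute script: TypeError: stsuu.getPrincipalName12 is not a function."',
    P + '[08/29/2022 23:51:30.194 UTC] (internal.provider.mapper.executeJavascript) E [CORR_ID-a5669a06-4ecf-4789-a621-f5d0434a54b2] "Error executing pre_token javascript: TypeError: stsuu.getPrincipalName12 is not a function"',
    P + '[08/29/2022 23:51:30.194 UTC] (TokenHandler.HandlerFunc) E [CORR_ID-a5669a06-4ecf-4789-a621-f5d0434a54b2] "EnrichSession failed: CSIAQ0008E: An unknown internal server error occurred."',
]

if __name__ == "__main__":
    for corr_id, entries in failed_requests(SAMPLE).items():
        print(corr_id, "status:", http_status(entries))
        for e in entries:
            print("   ", e["timestamp"], e["level"], e["function"], e["message"])
```

In the mapping rule sample above, the internal.javascript.worker.workOnTask line carries a different correlation ID from the request that failed, so it does not appear in that request's group. When investigating a mapping rule error, also check entries with the same time stamp.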

Step 4 : Seek help from the Community

Community support is also available for ISVAOP via the Identity and Access Management (IAM) IBM Security community. This is a vibrant community, with members ranging from beginners to industry experts to development team members.

You can search the community for similar issues/answers, or you can create a new discussion thread to seek input from the community regarding your particular issue.

Step 5 : Raise a ticket with the IBM Support team

If you are a licensed IBM customer, you can request support through the official IBM support channel.

Before raising a support ticket it is critical that you gather the necessary information to enable the support team to understand and troubleshoot your issue. Some of the pieces of information which will be required include:

  • Problem Description:
    • A clear description of the problem;
    • Any steps which can be followed to reproduce the problem;
  • ISVAOP specific information:
    • ISVAOP version number;
    • ISVAOP configuration files;
    • ISVAOP log files;
  • Docker infrastructure information and version (e.g. Kubernetes v1.16 / OpenShift v3.11).

The information can be uploaded to IBM using the instructions contained in the following article: Exchanging information with Technical Support for problem determination.