topic Re: Management API Login with certificates in API / CLI Discussion

Management API Login with certificates

RAJESH_TRIPATHI — Fri, 02 Feb 2018 12:28:57 GMT

Hi,

I am new to Mgmt_cli and APIs. I want to login into mgmt server with cli tool and add new IP host objects into existing group to blacklist public IP which is threat source. I can do this very well with below commands

ex:

C:\CP>mgmt_cli add host name 120.20.20.20 ip-address 120.20.20.20 -u admin -p Cp@123 -m 10.x.y.z

C:\CP>mgmt_cli set group name "blacklist" members.add "120.20.20.20" -u admin -p Cp@123 -m 10.x.y.z

But I dont want to store the info of userame and password in the script and instead want to have a user created who can login with personal certificate and i can store that certificate in a volume which cant be read by anyone else...is this possible?

Re: Management API Login with certificates

RAJESH_TRIPATHI — Fri, 02 Feb 2018 14:32:41 GMT

Further I tried this but getting error as below

C:\CP>mgmt_cli login -c C:\CP\resourceadmin.p12 -p secret
Peer certificate host: 127.0.0.1, port: 19009 cannot be authenticated
C:\CP>mgmt_cli login -c C:\CP\resourceadmin.p12 -p secret -m 10.1.1.1
First connection to the server 10.1.1.1 port 19009

To verify server identity, compare the following fingerprint with the one displayed by the server configuration tool (cpconfig).

SHA1 Fingerprint=D9:73:57:B9:3C:23:4D:ED:88:19:1B:56:A2:1D:4E:AE:45:24:72:6D
English Fingerprint=SENT HOOT TORN DUMB POT WALL GAGE ONLY SAID WAR RUSS BETH

Do you accept the fingerprint? (y/n) [y] ? y
Error: Unable to login with client certificate. mgmt_cli_login tool was not found on this system.

C:\CP>

Re: Management API Login with certificates

Robert_Decker — Fri, 02 Feb 2018 15:43:03 GMT

Hi,

Please refer to the following link and look at the login command examples using certificates -

https://sc1.checkpoint.com/documents/latest/APIs/index.html#mgmt_cli~v1.1

Robert.

Re: Management API Login with certificates

RAJESH_TRIPATHI — Fri, 02 Feb 2018 16:12:42 GMT

This hasnt helped

I tried the diff combinations but no joy... I can login with userid and passwd but not certificate only

C:\CP>mgmt_cli login -u resourcemgr -p iLoveCp123 -m 10.x.y.z
uid: "5064e6fc-530c-4df9-9152-3b28fedb938e"
sid: "vFSeU29BfSqc10-GImSKTwxXm5VypNSJO7CNNa6ECDM"
url: "https://10.x.y.z:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1517587802133
iso-8601: "2018-02-02T16:10+0000"
api-server-version: "1.1"

C:\CP>mgmt_cli login -c C:\CP\resourcemgr.p12 -p 1234 -m 10.x.y.z
Error: Unable to login with client certificate. mgmt_cli_login tool was not found on this system.

C:\CP>

Can you share a working example?

Re: Management API Login with certificates

Robert_Decker — Fri, 02 Feb 2018 19:01:07 GMT

Hi,

The error is about a missing "mgmt_cli_login" utility.

This utility is required in order to login with a certificate.

Please verify that it is in your working directory.

Are you running on Windows machine?

Robert.

Re: Management API Login with certificates

RAJESH_TRIPATHI — Mon, 05 Feb 2018 12:44:47 GMT

Hi,

Yes I am running from windows machine where I have copied the mgmt_cli tool.

where can I find mgmt_cli_login tool? Documentation is not very clear on this tool, infact there is no mention of this.

I want to run this tool from remote machine as part of automation

Regards

Rajesh

Re: Management API Login with certificates

Robert_Decker — Tue, 06 Feb 2018 08:57:14 GMT

Hi Rajesh,

It is not possible to run "login" API command with a certificate on Windows machine.

The "mgmt_cli_login" utility is available only on R80 Management Server machine.

We will update the documentation to note this fact.

Robert.

Re: Management API Login with certificates

RAJESH_TRIPATHI — Tue, 06 Feb 2018 09:59:15 GMT

Thanks Robert for confirmation. Will there be a update in mgmt_cli tool to include this functionality of login with certificates? Its important to have this functionality as it prevents putting password in scripts. is there any other solution of remotely updating network objects without having login credentials in clear text in any scripts or batch files?

Re: Management API Login with certificates

Robert_Decker — Tue, 06 Feb 2018 10:16:33 GMT

You can use environment variables to store the credentials:

Parameter name	Short name	Environment variable
User name	-u	MGMT_CLI_USER
Password	-p	MGMT_CLI_PASSWORD
Domain	-d	MGMT_CLI_DOMAIN
Management server address	-m	MGMT_CLI_MANAGEMENT

First, add the environment variables. On linux machine use -

export MGMT_CLI_USER=me
export MGMT_CLI_PASSWORD=secret
export MGMT_CLI_MANAGEMENT=1.1.1.1

and call the command -

mgmt_cli login

Robert.

Re: Management API Login with certificates

RAJESH_TRIPATHI — Tue, 06 Feb 2018 10:28:20 GMT

Am afraid but this is not good as the password is still in clear text in env variable and can be visible to anyone, this wont meet security policies of the company

Re: Management API Login with certificates

Robert_Decker — Tue, 06 Feb 2018 10:31:47 GMT

if you are writing a script to automate your tasks, you can save the password obscured, and then un-obscure in script just before calling the login command.

Robert.