Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Ivory

Is there a way to make API calls using other methods for authentication?

We are exploring the vast wonders of the R80.30 API commands and would like to expand further but have some security concerns.  What we need is a way to make API calls (that does more than read) and not have to hard code the credentials into the call itself.

Is there some type of API key that can be used for this type of work or some other method we can use to encrypt this?  A fear is that if the box is compromised, then a bad actor could just crack open the content and have some real fun, or possibly even sniff the credentials while we are making a call.

Thanks,
Patrick

0 Kudos
4 Replies
Highlighted
Employee+
Employee+

Re: Is there a way to make API calls using other methods for authentication?

What we need is a way to make API calls (that does more than read) and not have to hard code the credentials into the call itself.

Are you using the username and password for each command run? If so, then I would recommend starting each session by with login command and then referencing the sid that is created on a successful login. This would prevent each call requiring a username/password scenario.

Support for using an API key is available in the newly released R80.40

- https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-api-key~v1.6

It might be possible to use certificate authentication for your API calls if you're using the mgmt_cli command.  There is an option to use a client certificate (-c ), however I don't know how this would work when using a POST from curl, python, etc. Unfortunately, it would still require knowing the certificate password and supplying it as a part of the script. 

 

 

0 Kudos
Highlighted
Ivory

Re: Is there a way to make API calls using other methods for authentication?

Thanks for the response! It exciting to hear that it is going to be available in R80.40. On the topic of API Keys, the documentation you supplied details how to create it, but is there any way we can lock it down? Since we would have to pass the API Key as well, could we say only allow this API Key if it comes from server xyz or even limit the commands it could run? (probably not possible but I can dream 🙂 )
0 Kudos
Employee+
Employee+

Re: Is there a way to make API calls using other methods for authentication?

I'm not aware of an option to lock-down users to specific hosts. There are some restrictions in the Management API settings that might help, but they are probably not as granular as you would like to see.

 

image.png

0 Kudos
Highlighted
Admin
Admin

Re: Is there a way to make API calls using other methods for authentication?

R80.40 has the concept of API keys.
You can assign permission profiles to them to restrict what they can do just like other administrator accounts.
However, you cannot lock down where those API keys can be used from.
Thad be an RFE.
0 Kudos