Add new user and assign to an existing group using...

Jim_Oqvist · ‎2018-04-09

This document explains the steps to create a user in the R80.x Check Point Security Management Server and assign that user to an existing group using the generic-object API.

Disclaimer

These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.

As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not provide any data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.

When you have the option, always prefer to use the documented API calls and not the generic API calls as they are

They are doing data validation
They are documented
They are future compatible
They are tested
They are supported by Technical Assistance Center (TAC)

Data flow

The data flow for the generic API calls are the same as when using the documented API
(Login) > (Add) > (Assign) > (Publish) > (Logout)

Login to session
POST https://<mgmt-server>:<port>/web_api/login
Add new user
POST https://<mgmt-server>:<port>/web_api/add-generic-object
Assign newly created user to existing group
POST https://<mgmt-server>:<port>/web_api/set-generic-object
Publish changes
POST https://<mgmt-server>:<port>/web_api/publish
Logout
POST https://<mgmt-server>:<port>/web_api/logout

Format of the API calls

Please refer to the Security Management API reference guide if you need more information about the login, publish and logout API calls. https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1

Below is describing the formatting of the generic-objects API calls used to create a new user and add that user to an existing user group

Request - 2 Add new user

Note: When adding a new user the following fields are the minimal required fields, all other fields that are omitted will be created with default values.mgmt_cli:
mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

Web Services:
{ 
     "create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
     "name":"myvpnuser",
     "userc" : {
          "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
          "owned-object" : {
                  "ike" : {
                    "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
               }
          }
     }
}
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Example 1 - Adding a new user with “Check point Password” as authentication method.

The password hash in the internalPassword object must be defined using a two character long salt string and a 4-8 character long key that needs to be encrypted with DES. The key is they user password in clear text and cannot contain spaces.

You can for example use the following command in order to generate a password hash for the password Mypaswd!
# cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!'‍‍‍

mgmt._cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword "59WtGQ3UiC5lo" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"‍‍‍

Web Services:

HTTP POST

POST https://<mgmt-server>:<port>/web_api/-add-generic-object

Headers

Content-Type: application/json

X-chkp-sid: <The SID retrieved from the Login command>

Body

{

"create" : "com.checkpoint.objects.classes.dummy.CpmiUser",

"name":"myvpnuser",

"email":"myvpn@user.local",

"phoneNumber":"00468118118",

"color" : "BLUE_1",

"authMethod" : "INTERNAL_PASSWORD",

"internalPassword":"59WtGQ3UiC5lo",

"adminExpirationBaseData" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData",

"owned-object" : {

"expirationDate" : "10-Apr-2018"

}

},

"userc" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",

"owned-object" : {

"useGlobalEncryptionValues" : "true",

"ike" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

}

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group

Response Body

{….

"adminExpirationBaseData": {

"objId": "f871998d-8e2f-4108-b4af-35a144642897",

"checkPointObjId": null,

"domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",

"expirationDateVisualNotif": true,

"expirationDate": "25-Apr-2018",

"expirationDateMethod": "EXPIRE_AT",

"folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",

"text": null,

"folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",

"is_owned": false,

"ownedName": "myvpnuser"

},

"days": 127,

"email": "myvpnuser@test.local",

"authMethod": "INTERNAL_PASSWORD",

"tohour": "23:59",

"administrator": false,

"uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30",

……

"_original_type": "CpmiUser"

…….}

Example 2 - Adding a new user with “Radius” as authentication method towards any Radius server defined in the management server

mgmt._cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"‍‍‍

Web Services:

HTTP POST

POST https://<mgmt-server>:<port>/web_api/-add-generic-object

Headers

Content-Type: application/json

X-chkp-sid: <The SID retrieved from the Login command>

Body

{

"create" : "com.checkpoint.objects.classes.dummy.CpmiUser",

"name":"myvpnuser",

"email":"myvpn@user.local",

"phoneNumber":"00468118118",

"color" : "BLUE_1",

"authMethod" : "RADIUS ",

"adminExpirationBaseData" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData",

"owned-object" : {

"expirationDate" : "10-Apr-2018"

}

},

"userc" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",

"owned-object" : {

"useGlobalEncryptionValues" : "true",

"ike" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

}

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group

Response Body

{….

"adminExpirationBaseData": {

"objId": "f871998d-8e2f-4108-b4af-35a144642897",

"checkPointObjId": null,

"domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",

"expirationDateVisualNotif": true,

"expirationDate": "25-Apr-2018",

"expirationDateMethod": "EXPIRE_AT",

"folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",

"text": null,

"folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",

"is_owned": false,

"ownedName": "myvpnuser"

},

"days": 127,

"email": "myvpnuser@test.local",

"authMethod": "RADIUS",

"tohour": "23:59",

"administrator": false,

"uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30",

……

"_original_type": "CpmiUser"

…….}

Example 3 - Adding a new user with “Radius” as authentication method towards a specific radius server or radius group of servers.

To specify the Radius server or group of server the object “radiusServer” shpuld contain the uid of the Radius server or group of server you want to assign to this user.

mgmt_cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" radiusServer "0972a020-2915-4a78-8868-135d13b3f7bb" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"‍‍‍

Web Services:

HTTP POST

POST https://<mgmt-server>:<port>/web_api/-add-generic-object

Headers

Content-Type: application/json

X-chkp-sid: <The SID retrieved from the Login command>

Body

{

"create" : "com.checkpoint.objects.classes.dummy.CpmiUser",

"name":"myvpnuser",

"email":"myvpn@user.local",

"phoneNumber":"00468118118",

"color" : "BLUE_1",

"authMethod" : "RADIUS ",

"radiusServer" : "0972a020-2915-4a78-8868-135d13b3f7bb",

"adminExpirationBaseData" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData",

"owned-object" : {

"expirationDate" : "10-Apr-2018"

}

},

"userc" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",

"owned-object" : {

"useGlobalEncryptionValues" : "true",

"ike" : {

"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

}

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group

Response Body

{….

"adminExpirationBaseData": {

"objId": "f871998d-8e2f-4108-b4af-35a144642897",

"checkPointObjId": null,

"domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",

"expirationDateVisualNotif": true,

"expirationDate": "25-Apr-2018",

"expirationDateMethod": "EXPIRE_AT",

"folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",

"text": null,

"folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",

"is_owned": false,

"ownedName": "myvpnuser"

},

"days": 127,

"email": "myvpnuser@test.local",

"authMethod": "RADIUS",

"tohour": "23:59",

"administrator": false,

"uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30",

……

"_original_type": "CpmiUser"

…….}

Request - 3 Assign newly created user to existing group.

To assign a user to a group you need to provide the UID of the group you want to change and you need to add the user UID to that group.

To get the UID of an object you can use# mgmt_cli –s id.txt true -f json show generic-objects name "name of object" details-level "full"

Or in Web Services
HTTP POST https://<mgmt-server>:<port>/web_api/show-generic-objects
Headers   Content-Type: application/json
          X-chkp-sid: <The SID retrieved from the Login command>
Body               {
                        "name" : " Clientless-vpn-user",
                        "details-level" : "full"
                   }‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

mgmt_cli

mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "d5654c00-a153-5148-b451-a5c5d9909895" emptyFieldName.add.1 "ac7fba44-6875-45d2-ad04-6c79508b2f30"‍‍‍

Web Services:

HTTP POST

https://<mgmt-server>:<port>/web_api/set-generic-object

Headers

Content-Type: application/json

X-chkp-sid: <The SID retrieved from the Login command>

Body

{

"uid" : "d5654c00-a153-5148-b451-a5c5d9909895",

"emptyFieldName": { "add": " ac7fba44-6875-45d2-ad04-6c79508b2f30" }

}

Response – will show you the object properties with the new expiration date

Response Body

{….

"email" : "",

"emptyFieldName" : [ "ea511503-86f1-4616-bd04-4c2a4141b059", "ea2fb4e7-8b1e-44c3-b0e6-91178132f529", "fc182f23-40ec-49ab-a11b-86ac8e12259f", "1d1046c8-3863-4cd6-87de-7d723a63a80f", "a0abbf0f-979a-4757-a7f7-3b0023e9c6ab" ],

"type" : "usrgroup",

"groups" : [ ],

},………

Full Example:

The following CLI example will create a user with username “myvpnuser” password “Mypaswd!” and assign that user to group “Clientless-vpn-user”

# Create user myvpnuser and retrieve UID of newly created user
mgmt_cli -r true -d "SMC User" -f json login > id.txt
varUidUsr=$(mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword $(cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!') adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" | jq -r '.uid')

# Get UID of existing group Clientless-vpn-user
varUidGrp=$(mgmt_cli -s id.txt -d "SMC User" -f json show generic-objects name "Clientless-vpn-user" |  jq -r '.objects[] | select (.["type"] | contains ("CpmiUserGroup")) | .uid')

# Add user myvpnuser to existing group Clientless-vpn-user
mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "$varUidGrp" emptyFieldName.add.1 "$varUidUsr"

mgmt_cli -s id.txt -d "SMC User" -f json publish
mgmt_cli -s id.txt -d "SMC User" -f json logout

Laurent_Vanhees · ‎2018-05-20

Hello,

Thank you for your information.

It's really useful!

I would like to create users to be authenticated with a 3rd party certicate. Do you know the property to enable the "public key" option on the user object?

Thanks,

Regards,
Laurent

Robert_Decker · ‎2018-05-24

field name - "userc.ike.isakmpAuthmethods"

value - "SIGNATURES"

pay attention that this is a container field.

robert.

Tobias_Moritz · ‎2018-06-20

Can you please help me out with the correct syntax for adding something to a container field?

During object creation, I get either an error message or the container field stays empty:

add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" comments "My VPN User" color "BLUE" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "31-Jan-2030" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" userc.owned-object.ike.owned-object.isakmpAuthmethods.add.1 "SIGNATURES"

code: "generic_server_error"
message: "Management server failed to execute command"

add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" comments "My VPN User" color "BLUE" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "31-Jan-2030" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" userc.ike.owned-object.isakmpAuthmethods.add.1 "SIGNATURES"

> show generic-objects name myvpnuser details-level full

objects:
...

userc:
objId: "20088ef8-1124-4389-a49b-163cb837d34c"

...

    ike:
      objId: "c8ab8e39-3fcc-43b0-8175-2e2a3e0d2e06"
      checkPointObjId: null
      domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      isakmpEncryption: "D3DES"
      isakmpHashmethods: []
      isakmpAuthmethods: []
      isakmpSharedSecret: ""
      isakmpDataIntegrity: "SHA1"
      isakmpTransform: "ESP"
      isakmpEncmethods: []
      folderPath: "0b48c71a-1820-439e-b744-d0bb17b8f68d"
      text: null
      folder: "0b48c71a-1820-439e-b744-d0bb17b8f68d"
      is_owned: false
      ownedName: ""
...

uid: "53a0e295-1b70-4edf-b55b-d63f27cdc4b9"

When I try to manuipulate that container field later, I am not successfull at all:

> set generic-object uid "53a0e295-1b70-4edf-b55b-d63f27cdc4b9" userc.ike.isakmpAuthmethods.add.1 "SIGNATURES"

code: "generic_server_error"
message: "Management server failed to execute command"

> set generic-object uid "53a0e295-1b70-4edf-b55b-d63f27cdc4b9" userc.ike.isakmpAuthmethods.add "SIGNATURES"

code: "generic_server_error"
message: "Management server failed to execute command"

> set generic-object uid "53a0e295-1b70-4edf-b55b-d63f27cdc4b9" .userc.ike.isakmpAuthmethods.add.0 "SIGNATURES"

code: "generic_server_error"
message: "Management server failed to execute command"

Thank you in advance for your help.

Best regards,
Tobias Moritz

Robert_Decker · ‎2018-06-20

Hi Tobias,

Your syntax to change a container field via API is correct -

userc.ike.isakmpAuthmethods.add "SIGNATURES"

The problem in this specific case is that user object is a legacy R77 object that doesn't have its own API yet, therefore jim oqvist‌ used a generic-objects approach.

It seems that sometimes this approach does't work well, because it has to deal with old database schema serializations, and this is exactly what happened for the field above - the serialization didn't work.

Robert.

Tobias_Moritz · ‎2018-06-20

Okay, so I guess there is nothing I can do now.

Nevertheless, thank you for that fast answer!

Jeremy_Parker · ‎2019-02-10

Guessing there has been no change in the IKE Public key issue since the last comments?

I'm in the same boat as Tobias.

Nicklas_Bargell · ‎2020-01-22

Thanks Jim for a great guide!

Would it be possible to share how to create a user group using the same method?

Thanks!!

/Nicklas Bargell.

GHaider · ‎2022-03-23

thx to you documentation i was able to create a lot of legacy vpn users with checkpoint password... thanks for that...

but now i found out that starting with R81 checkpoint internal users can have passwords with more than 8 characters (tested this already with secureRemote) (see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...), so i want to create users with longer passwords, but when i call:

 mgmt_cli --port 443 --root true -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name testlong authMethod "INTERNAL_PASSWORD" color "GREEN" internalPassword $(cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) "longPass1234") userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

i get this warning:

Warning: truncating password to 8 characters

...and really the password is truncated, if i set the password via GUI i can set more than 8 chars and it works...

do you know how to set long passwords via script??

PhoneBoy · ‎2022-03-23

Do you see the same behavior with the formally supported APIs for this, which were added in R81?
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-user~v1.7%20

GHaider · ‎2022-03-23

just tried the new API:

mgmt_cli --root true add user name "testlong" authentication-method "check point password" password "longPass1234" color "GREEN" expiration-date "2030-05-30" groups.1 VPN-User ignore-warnings true --format json

big thanks, the new api works!!

but beware, you need the "ignore-warnings true" otherwise the command fails...

PhoneBoy · ‎2022-03-24

Correct, you need ignore-warnings true in this case.
This is because a password longer than 8 characters will fail on gateway versions prior to R81.