This document explains the steps to create a user in the R80.x Check Point Security Management Server and assign that user to an existing group using the generic-object API.

Disclaimer

These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.

As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not provide any data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.

When you have the option, always prefer to use the documented API calls and not the generic API calls as they are

• They are doing data validation
• They are documented
• They are future compatible
• They are tested
• They are supported by Technical Assistance Center (TAC)

Data flow

The data flow for the generic API calls are the same as when using the documented API
(Login) > (Add) > (Assign)  > (Publish) > (Logout)

1. Login to session
   POST https://<mgmt-server>:<port>/web_api/login
2. Add new user
   POST https://<mgmt-server>:<port>/web_api/add-generic-object
3. Assign newly created user to existing group
   POST https://<mgmt-server>:<port>/web_api/set-generic-object
4. Publish changes
   POST https://<mgmt-server>:<port>/web_api/publish
5. Logout
   POST https://<mgmt-server>:<port>/web_api/logout

Format of the API calls

Please refer to the Security Management API reference guide if you need more information about the login, publish and logout API calls. https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1

Below is describing the formatting of the generic-objects API calls used to create a new user and add that user to an existing user group

Request - 2         Add new user

Note: When adding a new user the following fields are the minimal required fields, all other fields that are omitted will be created with default values.mgmt_cli:
mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

Web Services:
{ 
     "create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
     "name":"myvpnuser",
     "userc" : {
          "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
          "owned-object" : {
                  "ike" : {
                    "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
               }
          }
     }
}
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Example 1 - Adding a new user with “Check point Password” as authentication method.

The password hash in the internalPassword object must be defined using a two character long salt string and a 4-8 character long key that needs to be encrypted with DES. The key is they user password in clear text and cannot contain spaces.

You can for example use the following command in order to generate a password hash for the password Mypaswd!
# cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!'‍‍‍

mgmt._cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword "59WtGQ3UiC5lo" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"‍‍‍

 Web Services:

 Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group

 Example 2 - Adding a new user with “Radius” as authentication method towards any Radius server defined in the management server

mgmt._cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"‍‍‍

Web Services:

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group

Example 3 - Adding a new user with “Radius” as authentication method towards a specific radius server or radius group of servers.

To specify the Radius server or group of server the object “radiusServer” shpuld contain the uid of the Radius server or group of server you want to assign to this user.

mgmt_cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" radiusServer "0972a020-2915-4a78-8868-135d13b3f7bb" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"‍‍‍

Web Services:

 Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group

Request - 3   Assign newly created user to existing group.

To assign a user to a group you need to provide the UID of the group you want to change and you need to add the user UID to that group.

To get the UID of an object you can use# mgmt_cli –s id.txt true -f json show generic-objects name "name of object" details-level "full"

Or in Web Services
HTTP POST https://<mgmt-server>:<port>/web_api/show-generic-objects
Headers   Content-Type: application/json
          X-chkp-sid: <The SID retrieved from the Login command>
Body               {
                        "name" : " Clientless-vpn-user",
                        "details-level" : "full"
                   }‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

mgmt_cli

mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "d5654c00-a153-5148-b451-a5c5d9909895" emptyFieldName.add.1 "ac7fba44-6875-45d2-ad04-6c79508b2f30"‍‍‍

Web Services:

Response – will show you the object properties with the new expiration date

Full Example:

The following CLI example will create a user with username “myvpnuser” password “Mypaswd!” and assign that user to group “Clientless-vpn-user”

# Create user myvpnuser and retrieve UID of newly created user
mgmt_cli -r true -d "SMC User" -f json login > id.txt
varUidUsr=$(mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword $(cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!') adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" | jq -r '.uid')

# Get UID of existing group Clientless-vpn-user
varUidGrp=$(mgmt_cli -s id.txt -d "SMC User" -f json show generic-objects name "Clientless-vpn-user" |  jq -r '.objects[] | select (.["type"] | contains ("CpmiUserGroup")) | .uid')

# Add user myvpnuser to existing group Clientless-vpn-user
mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "$varUidGrp" emptyFieldName.add.1 "$varUidUsr"

mgmt_cli -s id.txt -d "SMC User" -f json publish
mgmt_cli -s id.txt -d "SMC User" -f json logout