- Products
- Learn
- Local User Groups
- Partners
- More
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
Join our TechTalk: Malware 2021 to Present Day
Building a Preventative Cyber Program
Be a CloudMate!
Check out our cloud security exclusive space!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
This document explains the steps to create a user in the R80.x Check Point Security Management Server and assign that user to an existing group using the generic-object API.
Disclaimer
These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.
As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not provide any data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.
When you have the option, always prefer to use the documented API calls and not the generic API calls as they are
The data flow for the generic API calls are the same as when using the documented API
(Login) > (Add) > (Assign) > (Publish) > (Logout)
Format of the API calls
Please refer to the Security Management API reference guide if you need more information about the login, publish and logout API calls. https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1
Below is describing the formatting of the generic-objects API calls used to create a new user and add that user to an existing user group
Note: When adding a new user the following fields are the minimal required fields, all other fields that are omitted will be created with default values.mgmt_cli:
mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
Web Services:
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
"name":"myvpnuser",
"userc" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
"owned-object" : {
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
}
}
}
}
The password hash in the internalPassword object must be defined using a two character long salt string and a 4-8 character long key that needs to be encrypted with DES. The key is they user password in clear text and cannot contain spaces.
You can for example use the following command in order to generate a password hash for the password Mypaswd!
# cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!'
# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword "59WtGQ3UiC5lo" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
HTTP POST |
POST https://<mgmt-server>:<port>/web_api/-add-generic-object |
Headers |
Content-Type: application/json X-chkp-sid: <The SID retrieved from the Login command> |
Body |
{ "create" : "com.checkpoint.objects.classes.dummy.CpmiUser", "name":"myvpnuser", "email":"myvpn@user.local", "phoneNumber":"00468118118", "color" : "BLUE_1", "authMethod" : "INTERNAL_PASSWORD", "internalPassword":"59WtGQ3UiC5lo", "adminExpirationBaseData" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData", "owned-object" : { "expirationDate" : "10-Apr-2018" } }, "userc" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc", "owned-object" : { "useGlobalEncryptionValues" : "true", "ike" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" } } } } |
Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group
Response Body |
{…. "adminExpirationBaseData": { "objId": "f871998d-8e2f-4108-b4af-35a144642897", "checkPointObjId": null, "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde", "expirationDateVisualNotif": true, "expirationDate": "25-Apr-2018", "expirationDateMethod": "EXPIRE_AT", "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "text": null, "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "is_owned": false, "ownedName": "myvpnuser" }, "days": 127, "email": "myvpnuser@test.local", "authMethod": "INTERNAL_PASSWORD", "tohour": "23:59", "administrator": false, "uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30", …… "_original_type": "CpmiUser" …….} |
Example 2 - Adding a new user with “Radius” as authentication method towards any Radius server defined in the management server
# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
HTTP POST |
POST https://<mgmt-server>:<port>/web_api/-add-generic-object |
Headers |
Content-Type: application/json X-chkp-sid: <The SID retrieved from the Login command> |
Body |
{ "create" : "com.checkpoint.objects.classes.dummy.CpmiUser", "name":"myvpnuser", "email":"myvpn@user.local", "phoneNumber":"00468118118", "color" : "BLUE_1", "authMethod" : "RADIUS ", "adminExpirationBaseData" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData", "owned-object" : { "expirationDate" : "10-Apr-2018" } }, "userc" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc", "owned-object" : { "useGlobalEncryptionValues" : "true", "ike" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" } } } } |
Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group
Response Body |
{…. "adminExpirationBaseData": { "objId": "f871998d-8e2f-4108-b4af-35a144642897", "checkPointObjId": null, "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde", "expirationDateVisualNotif": true, "expirationDate": "25-Apr-2018", "expirationDateMethod": "EXPIRE_AT", "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "text": null, "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "is_owned": false, "ownedName": "myvpnuser" }, "days": 127, "email": "myvpnuser@test.local", "authMethod": "RADIUS", "tohour": "23:59", "administrator": false, "uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30", …… "_original_type": "CpmiUser" …….} |
To specify the Radius server or group of server the object “radiusServer” shpuld contain the uid of the Radius server or group of server you want to assign to this user.
# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" radiusServer "0972a020-2915-4a78-8868-135d13b3f7bb" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
HTTP POST |
POST https://<mgmt-server>:<port>/web_api/-add-generic-object |
Headers |
Content-Type: application/json X-chkp-sid: <The SID retrieved from the Login command> |
Body |
{ "create" : "com.checkpoint.objects.classes.dummy.CpmiUser", "name":"myvpnuser", "email":"myvpn@user.local", "phoneNumber":"00468118118", "color" : "BLUE_1", "authMethod" : "RADIUS ", "radiusServer" : "0972a020-2915-4a78-8868-135d13b3f7bb", "adminExpirationBaseData" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData", "owned-object" : { "expirationDate" : "10-Apr-2018" } }, "userc" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc", "owned-object" : { "useGlobalEncryptionValues" : "true", "ike" : { "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" } } } } |
Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group
Response Body |
{…. "adminExpirationBaseData": { "objId": "f871998d-8e2f-4108-b4af-35a144642897", "checkPointObjId": null, "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde", "expirationDateVisualNotif": true, "expirationDate": "25-Apr-2018", "expirationDateMethod": "EXPIRE_AT", "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "text": null, "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "is_owned": false, "ownedName": "myvpnuser" }, "days": 127, "email": "myvpnuser@test.local", "authMethod": "RADIUS", "tohour": "23:59", "administrator": false, "uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30", …… "_original_type": "CpmiUser" …….} |
To assign a user to a group you need to provide the UID of the group you want to change and you need to add the user UID to that group.
To get the UID of an object you can use# mgmt_cli –s id.txt true -f json show generic-objects name "name of object" details-level "full"
Or in Web Services
HTTP POST https://<mgmt-server>:<port>/web_api/show-generic-objects
Headers Content-Type: application/json
X-chkp-sid: <The SID retrieved from the Login command>
Body {
"name" : " Clientless-vpn-user",
"details-level" : "full"
}
mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "d5654c00-a153-5148-b451-a5c5d9909895" emptyFieldName.add.1 "ac7fba44-6875-45d2-ad04-6c79508b2f30"
HTTP POST |
https://<mgmt-server>:<port>/web_api/set-generic-object |
Headers |
Content-Type: application/json X-chkp-sid: <The SID retrieved from the Login command> |
Body |
{ "uid" : "d5654c00-a153-5148-b451-a5c5d9909895", "emptyFieldName": { "add": " ac7fba44-6875-45d2-ad04-6c79508b2f30" } } |
Response – will show you the object properties with the new expiration date
Response Body |
{…. "email" : "", "emptyFieldName" : [ "ea511503-86f1-4616-bd04-4c2a4141b059", "ea2fb4e7-8b1e-44c3-b0e6-91178132f529", "fc182f23-40ec-49ab-a11b-86ac8e12259f", "1d1046c8-3863-4cd6-87de-7d723a63a80f", "a0abbf0f-979a-4757-a7f7-3b0023e9c6ab" ], "type" : "usrgroup", "groups" : [ ], },……… |
The following CLI example will create a user with username “myvpnuser” password “Mypaswd!” and assign that user to group “Clientless-vpn-user”
# Create user myvpnuser and retrieve UID of newly created user
mgmt_cli -r true -d "SMC User" -f json login > id.txt
varUidUsr=$(mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword $(cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!') adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" | jq -r '.uid')
# Get UID of existing group Clientless-vpn-user
varUidGrp=$(mgmt_cli -s id.txt -d "SMC User" -f json show generic-objects name "Clientless-vpn-user" | jq -r '.objects[] | select (.["type"] | contains ("CpmiUserGroup")) | .uid')
# Add user myvpnuser to existing group Clientless-vpn-user
mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "$varUidGrp" emptyFieldName.add.1 "$varUidUsr"
mgmt_cli -s id.txt -d "SMC User" -f json publish
mgmt_cli -s id.txt -d "SMC User" -f json logout
Hello,
Thank you for your information.
It's really useful!
I would like to create users to be authenticated with a 3rd party certicate. Do you know the property to enable the "public key" option on the user object?
Thanks,
Regards,
Laurent
field name - "userc.ike.isakmpAuthmethods"
value - "SIGNATURES"
pay attention that this is a container field.
robert.
Can you please help me out with the correct syntax for adding something to a container field?
During object creation, I get either an error message or the container field stays empty:
add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" comments "My VPN User" color "BLUE" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "31-Jan-2030" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" userc.owned-object.ike.owned-object.isakmpAuthmethods.add.1 "SIGNATURES"
code: "generic_server_error"
message: "Management server failed to execute command"
add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" comments "My VPN User" color "BLUE" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "31-Jan-2030" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" userc.ike.owned-object.isakmpAuthmethods.add.1 "SIGNATURES"
> show generic-objects name myvpnuser details-level full
objects:
...
userc:
objId: "20088ef8-1124-4389-a49b-163cb837d34c"
...
ike:
objId: "c8ab8e39-3fcc-43b0-8175-2e2a3e0d2e06"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
isakmpEncryption: "D3DES"
isakmpHashmethods: []
isakmpAuthmethods: []
isakmpSharedSecret: ""
isakmpDataIntegrity: "SHA1"
isakmpTransform: "ESP"
isakmpEncmethods: []
folderPath: "0b48c71a-1820-439e-b744-d0bb17b8f68d"
text: null
folder: "0b48c71a-1820-439e-b744-d0bb17b8f68d"
is_owned: false
ownedName: ""
...
uid: "53a0e295-1b70-4edf-b55b-d63f27cdc4b9"
When I try to manuipulate that container field later, I am not successfull at all:
> set generic-object uid "53a0e295-1b70-4edf-b55b-d63f27cdc4b9" userc.ike.isakmpAuthmethods.add.1 "SIGNATURES"
code: "generic_server_error"
message: "Management server failed to execute command"
> set generic-object uid "53a0e295-1b70-4edf-b55b-d63f27cdc4b9" userc.ike.isakmpAuthmethods.add "SIGNATURES"
code: "generic_server_error"
message: "Management server failed to execute command"
> set generic-object uid "53a0e295-1b70-4edf-b55b-d63f27cdc4b9" .userc.ike.isakmpAuthmethods.add.0 "SIGNATURES"
code: "generic_server_error"
message: "Management server failed to execute command"
Thank you in advance for your help.
Best regards,
Tobias Moritz
Hi Tobias,
Your syntax to change a container field via API is correct -
userc.ike.isakmpAuthmethods.add "SIGNATURES"
The problem in this specific case is that user object is a legacy R77 object that doesn't have its own API yet, therefore jim oqvist used a generic-objects approach.
It seems that sometimes this approach does't work well, because it has to deal with old database schema serializations, and this is exactly what happened for the field above - the serialization didn't work.
Robert.
Okay, so I guess there is nothing I can do now.
Nevertheless, thank you for that fast answer!
Guessing there has been no change in the IKE Public key issue since the last comments?
I'm in the same boat as Tobias.
Thanks Jim for a great guide!
Would it be possible to share how to create a user group using the same method?
Thanks!!
/Nicklas Bargell.
thx to you documentation i was able to create a lot of legacy vpn users with checkpoint password... thanks for that...
but now i found out that starting with R81 checkpoint internal users can have passwords with more than 8 characters (tested this already with secureRemote) (see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...), so i want to create users with longer passwords, but when i call:
mgmt_cli --port 443 --root true -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name testlong authMethod "INTERNAL_PASSWORD" color "GREEN" internalPassword $(cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) "longPass1234") userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
i get this warning:
Warning: truncating password to 8 characters
...and really the password is truncated, if i set the password via GUI i can set more than 8 chars and it works...
do you know how to set long passwords via script??
Do you see the same behavior with the formally supported APIs for this, which were added in R81?
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-user~v1.7%20
just tried the new API:
mgmt_cli --root true add user name "testlong" authentication-method "check point password" password "longPass1234" color "GREEN" expiration-date "2030-05-30" groups.1 VPN-User ignore-warnings true --format json
big thanks, the new api works!!
but beware, you need the "ignore-warnings true" otherwise the command fails...
Correct, you need ignore-warnings true in this case.
This is because a password longer than 8 characters will fail on gateway versions prior to R81.
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY