This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ias_gc-dk
Contributor
‎2022-04-07 01:57 AM

Can't login to MDS domain

Hi

 

I am facing a problem with API on a R81.10 installed cluster, that won't allow me to log into a domain on the MDS-server.

We have a script that we use to deploy new CMA + VS in a new domain, when we need it. It works flawlessly on the other 3 R81.10 clusters we have running, just not on the one I need to deploy on now.

 

The command I use:

curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d '{ "user": "'$cp_user'","password": "'$password'", "domain": "'$CP_Domain'"}'

Result:

{
"code" : "err_login_failed",
"message" : "Authentication to server failed."
}

If I change the variables $cp_api_url, $cp_user, $password and $CP_Domain to match a domain on another cluster, I get this output:

{
"uid" : "<censor>",
"sid" : "QbZF6nQ1ZK2erXqKEOp90zKXscZXGidHWmG8u_vJ1MQ",
"url" : "https://mds-server:443/web_api",
"session-timeout" : 600,
"api-server-version" : "1.8",
"user-name" : "<user>",
"user-uid" : "<censor>"
}

The MDS servers are both R81.10.

I can't find any differences in the settings and I have tried restarting the API, but it did not help.

Nothing is shown in the Audit log either. 😞

This is really frustrating!

0 Kudos
1 Reply
ias_gc-dk
Contributor
‎2022-04-07 06:04 AM

I found a work-around:

Instead of logging in to MDS, creating domain and CMA, logging out of MDS, then logging into domain and then creating the VS, which is what works everywhere else, I had to do:

Log into MDS (and get a SID) - POST https://<mgmt-server>:<port>/web_api/login

Log into Domain (using SID from MDS login and get a new SID) - POST https://<mgmt-server>:<port>/web_api/login-to-domain

Then I could create the VS (after having made various hack-changes, because there now are 2 SID's to handle, rather than just one).

I still think something is broken in the API for this particular MDS-server.

 

 

 

0 Kudos