Hi
I am facing a problem with the API on an R81.10 installed cluster that won't allow me to log into a domain on the MDS server.
We have a script that we use to deploy new CMA + VS in a new domain, when we need it. It works flawlessly on the other 3 R81.10 clusters we have running, just not on the one I need to deploy on now.
The command I use:
curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d '{ "user": "'$cp_user'","password": "'$password'", "domain": "'$CP_Domain'"}'
Result:
{
"code" : "err_login_failed",
"message" : "Authentication to server failed."
}
If I change the variables $cp_api_url, $cp_user, $password and $CP_Domain to match a domain on another cluster, I get this output:
{
"uid" : "<censor>",
"sid" : "QbZF6nQ1ZK2erXqKEOp90zKXscZXGidHWmG8u_vJ1MQ",
"url" : "https://mds-server:443/web_api",
"session-timeout" : 600,
"api-server-version" : "1.8",
"user-name" : "<user>",
"user-uid" : "<censor>"
}
The MDS servers are both R81.10.
I can't find any differences in the settings and I have tried restarting the API, but it did not help.
Nothing is shown in the Audit log either. 😞
This is really frustrating!
I found a work-around:
Instead of logging in to MDS, creating domain and CMA, logging out of MDS, then logging into domain and then creating the VS, which is what works everywhere else, I had to do:
Log into MDS (and get a SID) - POST https://<mgmt-server>:<port>/web_api/login
Log into Domain (using SID from MDS login and get a new SID) - POST https://<mgmt-server>:<port>/web_api/login-to-domain
Then I could create the VS (after having made various hack-changes, because there are now 2 SIDs to handle, rather than just one).
I still think something is broken in the API for this particular MDS-server.
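
The two-step login from the workaround above, as an added example (not the poster's script): it logs into the MDS, exchanges that session for a domain session with `login-to-domain`, and keeps the two SIDs apart. The variable names `CP_API_URL`, `CP_USER`, `CP_PASSWORD`, `CP_DOMAIN` and `CP_CA_FILE` are assumptions, and it verifies the server certificate with `--cacert` instead of `-k` and sends the password on stdin rather than in the argument list.

```bash
#!/bin/sh
# Added example. CP_API_URL, CP_USER, CP_PASSWORD, CP_DOMAIN, CP_CA_FILE are assumed names.

# Escape backslashes and double quotes so a value is safe inside a JSON string
# (control characters are not handled; assumed absent from these values).
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Pull the "sid" value out of a login / login-to-domain response; empty on error.
extract_sid() {
  printf '%s\n' "$1" |
    sed -n 's/.*"sid"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

login_body()  { printf '{"user":"%s","password":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"; }
domain_body() { printf '{"domain":"%s"}' "$(json_escape "$1")"; }

# POST the JSON body read from stdin. $1 = API command, $2 = SID (empty for login).
api_post() {
  if [ -n "$2" ]; then
    curl -s --cacert "$CP_CA_FILE" -H "Content-Type: application/json" \
         -H "X-chkp-sid: $2" -X POST "$CP_API_URL/$1" -d @-
  else
    curl -s --cacert "$CP_CA_FILE" -H "Content-Type: application/json" \
         -X POST "$CP_API_URL/$1" -d @-
  fi
}

main() {
  # Step 1: MDS-level session.
  mds_sid=$(extract_sid "$(login_body "$CP_USER" "$CP_PASSWORD" | api_post login "")")
  [ -n "$mds_sid" ] || { echo "MDS login failed" >&2; return 1; }

  # Step 2: trade the MDS session for a domain session (a second, separate SID).
  dom_sid=$(extract_sid "$(domain_body "$CP_DOMAIN" | api_post login-to-domain "$mds_sid")")
  if [ -z "$dom_sid" ]; then
    echo "login-to-domain failed" >&2
    printf '{}' | api_post logout "$mds_sid" >/dev/null
    return 1
  fi

  # Domain-level calls (such as creating the VS) go here and use "$dom_sid".

  # Close both sessions so neither SID stays valid until the timeout.
  printf '{}' | api_post logout "$dom_sid" >/dev/null
  printf '{}' | api_post logout "$mds_sid" >/dev/null
}

# Only contact the server when explicitly asked to.
if [ "${RUN_EXAMPLE:-}" = "1" ]; then main; fi
```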