Jim_Oqvist
Employee

Change expiration date of users using generic-object API calls

This document explains the steps to change expiration date of users defined in the R80.x Check Point Security Management Server using the generic-object API.

Disclaimer

These APIs provide direct access to different objects and fields in the database. As a result, if an object's schema changes, scripts that relied on specific schema fields may break.

 

As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not always provide data validation to ensure that the data added to a field follows the required format for that field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server does appropriate data validation before sending the API call.

 

When you have the option, always prefer to use the documented API calls and not the generic API calls, as:

  • They are doing data validation
  • They are documented
  • They are future compatible
  • They are tested
  • They are supported by Technical Assistance Center (TAC)

Data flow

The data flow for the generic API calls is the same as when using the documented API:
(Login) > (Show) > (Change)  > (Publish) > (Logout)

  1. Login to session
    POST https://<mgmt-server>:<port>/web_api/login
  2. Show properties and get UID of object you want to change
    POST https://<mgmt-server>:<port>/web_api/show-generic-objects
  3. Change Expiration date and verify new values
    POST https://<mgmt-server>:<port>/web_api/set-generic-object
  4. Publish changes
    POST https://<mgmt-server>:<port>/web_api/publish
  5. Logout
    POST https://<mgmt-server>:<port>/web_api/logout

Format of the API calls

Please refer to the Security Management API reference guide if you need information about the login, publish and logout API calls. https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1

The following text describes the formatting of the generic-objects API calls used to change the user expiration date.

 

Request - 2        Show properties and get UID of object you want to change

mgmt_cli tool:

# mgmt_cli -r true -d "SMC User" -f json show generic-objects name "vpnuser" details-level "full"

Web Services:

HTTP POST

https://<mgmt-server>:<port>/web_api/show-generic-objects

Headers

Content-Type: application/json

X-chkp-sid: <The SID retrieved from the Login command>

Body

{
  "name" : "vpnuser",
  "details-level" : "full"
}

Response - In the response you might see multiple objects with the same name. You need to retrieve the UID of the object with "_original_type": "CpmiUser" and check the value of "expirationDate".

Response Body

{….
    "adminExpirationBaseData": {
        "objId": "f871998d-8e2f-4108-b4af-35a144642897",
        "checkPointObjId": null,
        "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "expirationDateVisualNotif": true,
        "expirationDate": "25-Apr-2018",
        "expirationDateMethod": "EXPIRE_AT",
        "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
        "text": null,
        "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
        "is_owned": false,
        "ownedName": "vpnuser"
    },
    "days": 127,
    "email": "vpnuser@test.local",
    "authMethod": "INTERNAL_PASSWORD",
    "tohour": "23:59",
    "administrator": false,
    "uid": "9f55210f-64a5-4cc7-9725-4882c7571c5f",
……
     "_original_type": "CpmiUser"
…….}

 

Request - 3        Change Expiration date

mgmt_cli tool:

In order to change the user's expiration date you will need to provide the CpmiUser object uid. The expiration date needs to be written in the date format "dd-mmm-yyyy", for example 10-Apr-2018.

# mgmt_cli -r true -d "SMC User" -f json set generic-object uid "9f55210f-64a5-4cc7-9725-4882c7571c5f" .adminExpirationBaseData.expirationDate "10-Apr-2018"

Using the CLI you can assign the object to a variable and in the next command call that variable. In the CLI you are also able to use the command "date", for example "date --date 2018-04-10 +%d-%b-%Y", to ensure that the correct date format is used. The following commands will create the variables "$varUid" and "$varDate" and change the expiration date of the user using these variables.

# varUid=$(mgmt_cli -r true -d "SMC User" -f json show generic-objects name "vpnuser" details-level "full" | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.["_original_type"] | contains ("CpmiUser")) | .uid')
# varDate=$(date --date 2018-04-10 +%d-%b-%Y)
# mgmt_cli -r true -d "SMC User" -f json set generic-object uid "$varUid" .adminExpirationBaseData.expirationDate "$varDate"

Web Services:

HTTP POST

https://<mgmt-server>:<port>/web_api/set-generic-object

Headers

Content-Type: application/json

X-chkp-sid: <The SID retrieved from the Login command>

Body

{
  "uid" : "9f55210f-64a5-4cc7-9725-4882c7571c5f",
  "adminExpirationBaseData" : {
    "expirationDate" : "10-Apr-2018"
  }
}

 

Response – will show you the object properties with the new expiration date

Response Body

{….
    "adminExpirationBaseData": {
        "objId": "f871998d-8e2f-4108-b4af-35a144642897",
        "checkPointObjId": null,
        "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "expirationDateVisualNotif": true,
        "expirationDate": "10-Apr-2018",
        "expirationDateMethod": "EXPIRE_AT",
        "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
        "text": null,
        "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
        "is_owned": false,
        "ownedName": "vpnuser"
    },………
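
Added example, not part of the original post and not Check Point code: because the generic-object calls leave data validation to the caller, this Python code selects the single CpmiUser UID from a show-generic-objects response and builds the set-generic-object body with a locale-independent dd-mmm-yyyy date. The sample response is constructed, the second object's type name is a placeholder, and the function names are hypothetical.

```python
import datetime
import json
import re

# English abbreviations fixed here so the result never depends on the locale.
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
UID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample shaped like the show-generic-objects response above;
# the first object's type name is a placeholder for a same-named non-user object.
SAMPLE_RESPONSE = {"objects": [
    {"uid": "00000000-0000-0000-0000-000000000001",
     "_original_type": "ExamplePlaceholderType"},
    {"uid": "9f55210f-64a5-4cc7-9725-4882c7571c5f",
     "_original_type": "CpmiUser",
     "adminExpirationBaseData": {"expirationDate": "25-Apr-2018"}},
]}


def format_expiration(iso_date):
    """Convert yyyy-mm-dd to dd-mmm-yyyy; ValueError on an impossible date."""
    day = datetime.date.fromisoformat(iso_date)
    return f"{day.day:02d}-{MONTHS[day.month - 1]}-{day.year:04d}"


def find_user_uid(show_response):
    """Return the UID of the single CpmiUser object, or raise ValueError."""
    uids = [obj.get("uid", "").strip()
            for obj in show_response.get("objects", [])
            if obj.get("_original_type") == "CpmiUser"]
    if len(uids) != 1:
        raise ValueError(f"expected exactly one CpmiUser object, found {len(uids)}")
    if not UID_RE.fullmatch(uids[0]):
        raise ValueError(f"unexpected UID format: {uids[0]!r}")
    return uids[0]


def build_set_request(show_response, iso_date):
    """Build the validated request body for set-generic-object."""
    return {"uid": find_user_uid(show_response),
            "adminExpirationBaseData": {
                "expirationDate": format_expiration(iso_date)}}


if __name__ == "__main__":
    print(json.dumps(build_set_request(SAMPLE_RESPONSE, "2018-04-10"), indent=2))
```

The returned dictionary is the JSON body for the set-generic-object request shown above; a rejected date or an ambiguous object match raises before anything is sent to the management server.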

3 Replies
Robert_Decker
Advisor

Excellent work, Jim!

Robert.

0 Kudos
Tomer_Sole
Mentor

best

0 Kudos
Kim_Moberg
Advisor

Good work Jim.

Best Regards
Kim
