This document explains the steps to change expiration date of users defined in the R80.x Check Point Security Management Server using the generic-object API.

Disclaimer
These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.
 
As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not always provide data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.
 
When you have the option, always prefer to use the documented API calls and not the generic API calls as
They are doing data validation
They are documented
They are future compatible
They are tested
They are supported by Technical Assistance Center (TAC)

Data flow

The data flow for the generic API calls are the same as when using the documented API
(Login) > (Show) > (Change)  > (Publish) > (Logout)

1. Login to session
   POST https://<mgmt-server>:<port>/web_api/login
2. Show properties and get UID of object you want to change
   POST https://<mgmt-server>:<port>/web_api/show-generic-objects
3. Change Expiration date and verify new values
   POST https://<mgmt-server>:<port>/web_api/set-generic-object
4. Publish changes
   POST https://<mgmt-server>:<port>/web_api/publish
5. Logout
   POST https://<mgmt-server>:<port>/web_api/logout

Format of the API calls

Please refer to the Security Management API reference guide if you need information about the login, publish and logout API calls. https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1

The following text is describing the formatting of the generic-objects API calls used to change user expiration date

Request - 2        Show properties and get UID of object you want to change

mgmt_cli tool:

# mgmt_cli -r true -d "SMC User" -f json show generic-objects name "vpnuser" details-level "full"‍‍‍

Web Sevices:

Response - In the response you might see multiple objects with the same name. You need to retrieve the UID of the object with "_original_type": "CpmiUser" and check the value of “expirationDate”

Request - 3        Change Expiration date

mgmt_cli tool:

In order to change the users expiration date you will need to provide the CpmiUser object uid. Expiration date needs to be written in date format "dd-mmm-yyyy" for example 10-Apr-2018.

# mgmt_cli -r true -d "SMC User" -f json set generic-object uid "9f55210f-64a5-4cc7-9725-4882c7571c5f" .adminExpirationBaseData.expirationDate "10-Apr-2018"‍‍‍

Using the CLI you can assign the object to a variable and in the next command call that variable. In the CLI you are also able to use the command "date" for example "date --date 2018-04-10 +%d-%b-%Y" to ensure that correct date format is used. The following commands will create the the variables "$varUid" "$varDate" and change the exparation date of the user using these variables 

# varUid=$(mgmt_cli -r true -d "SMC User" -f json show generic-objects name "vpnuser" details-level "full" | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.["_original_type"] | contains ("CpmiUser")) | .uid')
# varDate=$(date --date 2018-04-10 +%d-%b-%Y)
# mgmt_cli -r true -d "SMC User" -f json set generic-object uid "$varUid" .adminExpirationBaseData.expirationDate "$varDate"‍‍‍‍‍‍‍‍‍

Web Sevices:

Response – will show you the object properties with the new expiration date