This document explains the steps to change the expiration date of users defined in the R80.x Check Point Security Management Server using the generic-object API.
Disclaimer
These APIs provide direct access to different objects and fields in the database. As a result, if an object's schema changes, scripts that rely on specific schema fields may break.
Because the generic-object(s) API calls can directly change different objects and fields in the database, they do not always validate that the data written to a field follows the format required for that field. Therefore you have to ensure that the script or 3rd party system you use to integrate with the management server performs appropriate data validation before sending the API call.
When you have the option, always prefer the documented API calls over the generic API calls, because:
- They perform data validation
- They are documented
- They are future compatible
- They are tested
- They are supported by Technical Assistance Center (TAC)
Data flow
The data flow for the generic API calls is the same as when using the documented API:
(Login) > (Show) > (Change) > (Publish) > (Logout)
- Login to session
  POST https://<mgmt-server>:<port>/web_api/login
- Show properties and get UID of object you want to change
  POST https://<mgmt-server>:<port>/web_api/show-generic-objects
- Change Expiration date and verify new values
  POST https://<mgmt-server>:<port>/web_api/set-generic-object
- Publish changes
  POST https://<mgmt-server>:<port>/web_api/publish
- Logout
  POST https://<mgmt-server>:<port>/web_api/logout
Format of the API calls
Please refer to the Security Management API reference guide if you need information about the login, publish and logout API calls. https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1
The following text describes the format of the generic-objects API calls used to change the user expiration date.
Request - 2 Show properties and get UID of object you want to change
mgmt_cli tool:
# mgmt_cli -r true -d "SMC User" -f json show generic-objects name "vpnuser" details-level "full"
Web Services:
HTTP POST | https://<mgmt-server>:<port>/web_api/show-generic-objects |
Headers | Content-Type: application/json |
 | X-chkp-sid: <The SID retrieved from the Login command> |
Body | { "name" : "vpnuser", "details-level" : "full" } |
Response - In the response you might see multiple objects with the same name. You need to retrieve the UID of the object with "_original_type": "CpmiUser" and check the value of "expirationDate".
Response Body | {…. "adminExpirationBaseData": { "objId": "f871998d-8e2f-4108-b4af-35a144642897", "checkPointObjId": null, "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde", "expirationDateVisualNotif": true, "expirationDate": "25-Apr-2018", "expirationDateMethod": "EXPIRE_AT", "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "text": null, "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "is_owned": false, "ownedName": "vpnuser" }, "days": 127, "email": "vpnuser@test.local", "authMethod": "INTERNAL_PASSWORD", "tohour": "23:59", "administrator": false, "uid": "9f55210f-64a5-4cc7-9725-4882c7571c5f ", …… "_original_type": "CpmiUser" …….} |
Request - 3 Change Expiration date
mgmt_cli tool:
In order to change the user's expiration date you need to provide the CpmiUser object UID. The expiration date needs to be written in the date format "dd-mmm-yyyy", for example 10-Apr-2018.
# mgmt_cli -r true -d "SMC User" -f json set generic-object uid "9f55210f-64a5-4cc7-9725-4882c7571c5f" .adminExpirationBaseData.expirationDate "10-Apr-2018"
Using the CLI you can assign the object UID to a variable and reference that variable in the next command. In the CLI you can also use the "date" command, for example "date --date 2018-04-10 +%d-%b-%Y", to ensure that the correct date format is used. The following commands create the variables "$varUid" and "$varDate" and change the expiration date of the user using these variables:
# varUid=$(mgmt_cli -r true -d "SMC User" -f json show generic-objects name "vpnuser" details-level "full" | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.["_original_type"] | contains ("CpmiUser")) | .uid')
# varDate=$(date --date 2018-04-10 +%d-%b-%Y)
# mgmt_cli -r true -d "SMC User" -f json set generic-object uid "$varUid" .adminExpirationBaseData.expirationDate "$varDate"
Web Services:
HTTP POST | https://<mgmt-server>:<port>/web_api/set-generic-object |
Headers | Content-Type: application/json |
 | X-chkp-sid: <The SID retrieved from the Login command> |
Body | { "uid":"9f55210f-64a5-4cc7-9725-4882c7571c5f", "adminExpirationBaseData":{ "expirationDate":"10-Apr-2018" } } |
Response – will show you the object properties with the new expiration date
Response Body | {…. "adminExpirationBaseData": { "objId": "f871998d-8e2f-4108-b4af-35a144642897", "checkPointObjId": null, "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde", "expirationDateVisualNotif": true, "expirationDate": "10-Apr-2018", "expirationDateMethod": "EXPIRE_AT", "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "text": null, "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315", "is_owned": false, "ownedName": "vpnuser" },……… |
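Because set-generic-object does not validate the fields it writes, the client has to check them itself. The following is an added example, not code from Check Point or from the original document: it picks the one CpmiUser UID out of a show-generic-objects reply, strictly validates the "dd-mmm-yyyy" date, and builds the request body. It assumes the reply carries a top-level "objects" array (as the jq filter above implies); the sample reply and the type name "ExampleOtherType" are constructed for illustration.

```python
import re
import uuid
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
DATE_RE = re.compile(r"(\d{2})-([A-Z][a-z]{2})-(\d{4})")

def parse_expiration(text):
    """Strictly parse dd-mmm-yyyy (English month); raise ValueError otherwise."""
    m = DATE_RE.fullmatch(text)
    if not m or m.group(2) not in MONTHS:
        raise ValueError(f"not dd-mmm-yyyy: {text!r}")
    # date() rejects impossible days such as 31-Feb-2018
    return date(int(m.group(3)), MONTHS.index(m.group(2)) + 1, int(m.group(1)))

def format_expiration(d):
    """Render dd-mmm-yyyy without relying on the process locale."""
    return f"{d.day:02d}-{MONTHS[d.month - 1]}-{d.year:04d}"

def cpmi_user_uid(show_response):
    """Return the UID of the single CpmiUser in a show-generic-objects reply."""
    users = [o for o in show_response.get("objects", [])
             if o.get("_original_type") == "CpmiUser"]
    if len(users) != 1:
        raise LookupError(f"expected exactly one CpmiUser, found {len(users)}")
    # uuid.UUID rejects malformed values; strip() tolerates stray whitespace
    return str(uuid.UUID(users[0]["uid"].strip()))

def build_set_body(show_response, new_date_text):
    """Validate both fields, then build the set-generic-object request body."""
    new_date = parse_expiration(new_date_text)
    return {"uid": cpmi_user_uid(show_response),
            "adminExpirationBaseData": {
                "expirationDate": format_expiration(new_date)}}

# Constructed sample reply: two objects share a name, only one is a CpmiUser.
SAMPLE = {"objects": [
    {"uid": "11111111-2222-3333-4444-555555555555", "name": "vpnuser",
     "_original_type": "ExampleOtherType"},   # hypothetical type name
    {"uid": "9f55210f-64a5-4cc7-9725-4882c7571c5f", "name": "vpnuser",
     "_original_type": "CpmiUser"},
]}

if __name__ == "__main__":
    print(build_set_body(SAMPLE, "10-Apr-2018"))
```

Serialize the returned dictionary as JSON and send it as the body of the set-generic-object call; any exception means the request should not be sent.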