Checkpoint_UC_V
Explorer

Creating and linking CPMI profile to OPSEC object using WEB API (is a frustrating experience)

Hi all

I'm trying to automate a process to onboard devices to Tufin SecureTrack. That requires creating an OPSEC object with CPMI and LEA. 

For the love of everything, there is no safe way of creating a usable CPMI profile using WEB API. What I tried:

Create generic object (yes, I know, it's unsupported but it's the only real way to at least get something done)
'create': 'com.checkpoint.objects.classes.dummy.CpmiAdministratorProfile',
'name': 'cpmi_read_only',
'permissions': 'READ_ONLY_ALL',
'type': 'administrator_profile',

I even tried adding more fields according to how the object looks when displayed with show generic object. The problem is they get reset to read only after the profile creation and they don't look the same as when the profile is created via GUI.

Anyway, the profile gets created, after that I do publish and install database on both management station and logging station (all done via API).

Then I try to create the OPSEC object with the CPMI enabled and the newly created profile linked. The API returns an error:
One of the objects that you selected could not be linked.

When I try to do the same thing in SmartConsole, it works just fine.

When I remove the CPMI part from the API call, it also works just fine (it only creates the OPSEC with LEA and doesn't return any error) so the error is certainly linked to the CPMI profile.

So, if there is no (even undocumented) way to get this working, am I really left with only one option, and that is no possibility of a fully automated process? Do I really need to make users go to SmartConsole to configure the CPMI part manually and publish? It literally takes like 10x longer than the whole automated part.

I've been at this for a whole week and honestly, it feels like an absolute oversight.

Oh, and the behavior is the same for R81 and R82 so pretty much version independent.

/Milan from DXC

0 Kudos
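
The workflow described in the post above, as an added example that is not part of the original post or of Check Point's code: it runs the same steps and, when the link error comes back, creates the OPSEC object with LEA only and reports the CPMI step as manual work. The `call` transport, the object names and the fake server are hypothetical; the `cpmi`/`lea` field names and the `code`/`message` error keys are assumptions, and the transport is assumed to wait for publish and install-database tasks to finish.

```python
# Added example. `call(command, body) -> dict` is a hypothetical transport for
# the Management Web API; object names and the fake server are constructed.
LINK_ERROR = "could not be linked"  # fragment of the error quoted in the post

def profile_body(name):
    # Generic-object fields exactly as posted (unsupported API path).
    return {"create": "com.checkpoint.objects.classes.dummy.CpmiAdministratorProfile",
            "name": name, "permissions": "READ_ONLY_ALL",
            "type": "administrator_profile"}

def opsec_body(name, host, profile=None):
    # Field names assumed from the add-opsec-application reference linked in
    # the thread; the cpmi section is sent only when a profile is given.
    body = {"name": name, "host": host, "lea": {"enabled": True}}
    if profile:
        body["cpmi"] = {"enabled": True, "administrator-profile": profile}
    return body

def checked(resp):
    # Assumption: an error reply carries "code" and "message" keys.
    if "code" in resp:
        raise RuntimeError(resp.get("message", resp["code"]))
    return resp

def onboard(call, name, host, profile, targets):
    """Run the posted steps; on the link error create LEA only and report
    the CPMI step as manual work. Returns (status, manual_steps)."""
    checked(call("add-generic-object", profile_body(profile)))
    checked(call("publish", {}))
    checked(call("install-database", {"targets": targets}))
    resp = call("add-opsec-application", opsec_body(name, host, profile))
    if "code" in resp and LINK_ERROR not in resp.get("message", ""):
        checked(resp)                      # unrelated failure: stop here
    status, manual = "full", []
    if "code" in resp:                     # the link error from the post
        checked(call("add-opsec-application", opsec_body(name, host)))
        status = "lea-only"
        manual = [f"SmartConsole: enable CPMI on {name}, link {profile}, publish"]
    checked(call("publish", {}))
    return status, manual

def fake_call(command, body):
    # Constructed stand-in reproducing the behaviour described in the post.
    if command == "add-opsec-application" and "cpmi" in body:
        return {"code": "generic_error", "message":
                "One of the objects that you selected could not be linked."}
    return {"name": body.get("name", command)}

if __name__ == "__main__":
    print(onboard(fake_call, "tufin_opsec", "tufin_host", "cpmi_read_only",
                  ["mgmt", "logserver"]))
```
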
5 Replies
PhoneBoy
Admin

What is missing from this API, which has been supported since R80.10?
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-opsec-application~v2.1%20 

0 Kudos
Checkpoint_UC_V
Explorer

My problem is not OPSEC object creation but CPMI profile creation. Or rather, I am able to create the CPMI profile using the add generic object call but when I try to attach it to OPSEC object I get the above error.
When I try to attach the same profile to the same OPSEC object via SmartConsole, it works.

0 Kudos
PhoneBoy
Admin

I think this translates to Permissions Profiles, which doesn't have a formal API endpoint. 
@Omer_Kleinstern any ideas here?

0 Kudos
Amir_Senn
MVP Silver CHKP

Maybe it's something that log exporter can replace?

Kind regards, Amir Senn
0 Kudos
Checkpoint_UC_V
Explorer

Hi
Not really. Tufin loads and analyzes the rulebase, not just the logs. That's why it needs CPMI.

0 Kudos
