This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Patrick_B
Explorer
‎2020-02-14 07:54 AM

Is there a way to make API calls using other methods for authentication?

We are exploring the vast wonders of the R80.30 API commands and would like to expand further but have some security concerns.  What we need is a way to make API calls (that does more than read) and not have to hard code the credentials into the call itself.

Is there some type of API key that can be used for this type of work or some other method we can use to encrypt this?  A fear is that if the box is compromised, then a bad actor could just crack open the content and have some real fun, or possibly even sniff the credentials while we are making a call.

Thanks,
Patrick

0 Kudos
4 Replies
masher
Employee
Employee
‎2020-02-14 08:16 AM

What we need is a way to make API calls (that does more than read) and not have to hard code the credentials into the call itself.

Are you using the username and password for each command run? If so, then I would recommend starting each session by with login command and then referencing the sid that is created on a successful login. This would prevent each call requiring a username/password scenario.

Support for using an API key is available in the newly released R80.40

- https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-api-key~v1.6

It might be possible to use certificate authentication for your API calls if you're using the mgmt_cli command.  There is an option to use a client certificate (-c ), however I don't know how this would work when using a POST from curl, python, etc. Unfortunately, it would still require knowing the certificate password and supplying it as a part of the script. 

 

 

0 Kudos
Patrick_B
Explorer
‎2020-02-14 08:30 AM
In response to masher

Thanks for the response! It exciting to hear that it is going to be available in R80.40. On the topic of API Keys, the documentation you supplied details how to create it, but is there any way we can lock it down? Since we would have to pass the API Key as well, could we say only allow this API Key if it comes from server xyz or even limit the commands it could run? (probably not possible but I can dream 🙂 )
0 Kudos
masher
Employee
Employee
‎2020-02-14 08:59 AM
In response to Patrick_B

I'm not aware of an option to lock-down users to specific hosts. There are some restrictions in the Management API settings that might help, but they are probably not as granular as you would like to see.

 

image.png

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-14 09:31 AM

R80.40 has the concept of API keys.
You can assign permission profiles to them to restrict what they can do just like other administrator accounts.
However, you cannot lock down where those API keys can be used from.
Thad be an RFE.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events