prashanth
Participant

MDS REST API Call Authentication Issue

Hi There,

I'm trying to run the API towards the Check Point MDS CMAs.
From the thread below I came to know that I need to generate the SID along with the domain name.

https://community.checkpoint.com/t5/API-CLI-Discussion/How-does-the-API-work-in-a-multi-domain-envir...

When I try to run the query towards the MDS IP without a domain, I can get the SID without any issues.
Once I send the domain as a key/value parameter, I'm getting authentication failures as below.

{
"code" : "err_login_failed",
"message" : "Authentication to server failed."
}

I can log in to the SmartConsole of every CMA with the password which I'm supplying to the REST API POST request.

Thanks in advance

0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
Employee

Are you using the latest JHF recommended for your version?

Kind regards, Amir Senn


0 Kudos
12 Replies
Bob_Zimmerman
Authority

What does the audit log say?

What do you see if you try to authenticate with mgmt_cli locally on the MDS? For example, 'mgmt_cli -d "<CMA name>" login read-only true'.

0 Kudos
prashanth
Participant

I don't see any logs under the audit.

The mgmt_cli command that you have shared was able to extract the SID successfully.

I have also noticed that when I give the domain UID instead of the name I am able to generate the SID.

0 Kudos
Amir_Senn
Employee

Try <domain_name> instead of <CMA_name>

Kind regards, Amir Senn
0 Kudos
prashanth
Participant

Hi @Amir_Senn
How can I differentiate between the Domain name and the CMA name?

Best Regards,
Prashanth

0 Kudos
Amir_Senn
Employee

A CMA is a management instance from a specific MDS.

Domain is the same for all instances that are related to it.

See attached.

Kind regards, Amir Senn
0 Kudos
prashanth
Participant

Thank you Amir.

Indeed, I have tried both Domain and CMA names, but in vain.

0 Kudos
Amir_Senn
Employee

What platform are you using?

Try: mgmt_cli login -d <domain_name> -r true

You can also try: mgmt_cli login -d <CMA_IP> -r true

If this succeeds, then the problem is with the credentials/permissions of that specific admin; if this doesn't log in properly, perhaps you have a different issue and should consult with support.

Kind regards, Amir Senn
0 Kudos
prashanth
Participant

I'm using an Open Server to construct my Python code.

I'm able to log in with mgmt_cli login -d <domain_name> -r true and mgmt_cli login -d <CMA_IP> -r true. Both return the SID and other variables while executing the command.

Further, I'm using the admin account to execute my code, which is a "Multi-Domain Super User" account. Do I need to add any permissions apart from that for the API call?

0 Kudos
Amir_Senn
Employee

Multi-Domain Super User automatically has permissions for every domain so it doesn't need any further permissions.

Make sure MGMT accepts calls from the IP.

Kind regards, Amir Senn
0 Kudos
prashanth
Participant

Indeed, I have allowed all the IP addresses for the API call.
Strange that the script is working for the domain UID but not for the domain name.

From the API guide below, the API should take UID or name.

https://sc1.checkpoint.com/documents/latest/APIs/?#web/login~v1.9.1%20

0 Kudos
Amir_Senn
Employee

Are you using the latest JHF recommended for your version?

Kind regards, Amir Senn
0 Kudos
prashanth
Participant

Thank you @Amir_Senn
The issue was due to the JHF. As I was running it in my lab, I didn't install the hotfix.

0 Kudos
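
The comparison worked through in this thread (domain login by name versus by UID over the Management API), as an added Python example that is not code from any poster. The helper names `https_post` and `compare_domain_logins`, and the `fake_post` stand-in with its sample domain `DomainA`, UID and SID, are assumptions constructed here.

```python
import json, ssl
import urllib.error, urllib.request

def https_post(base_url, command, payload, sid=None):
    """POST one Management API command and return the decoded JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid          # session id returned by login
    req = urllib.request.Request(f"{base_url}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers)
    try:
        # Default context verifies the certificate; trust the lab CA, don't disable it.
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
            return json.load(r)
    except urllib.error.HTTPError as err:    # API errors also carry a JSON body
        return json.load(err)

def compare_domain_logins(post, user, password, domain_name):
    """Log in to one domain by name and by UID; report which identifier works."""
    mds = post("login", {"user": user, "password": password, "read-only": True})
    if "sid" not in mds:
        return {"mds": mds.get("code")}      # MDS-level login already fails
    domains = post("show-domains", {"limit": 500}, mds["sid"]).get("objects", [])
    post("logout", {}, mds["sid"])
    uid = next((d["uid"] for d in domains if d["name"] == domain_name), None)
    result = {"mds": "ok", "uid": uid}
    for label, ident in (("by_name", domain_name), ("by_uid", uid)):
        if ident is None:
            result[label] = "domain not found"
            continue
        reply = post("login", {"user": user, "password": password,
                               "domain": ident, "read-only": True})
        result[label] = "ok" if "sid" in reply else reply.get("code")
        if "sid" in reply:
            post("logout", {}, reply["sid"])  # do not leave sessions open
    return result

def fake_post(command, payload, sid=None):
    """Constructed stand-in for a server showing the symptom from this thread."""
    if command == "login":
        if payload.get("domain") == "DomainA":   # login by name is rejected
            return {"code": "err_login_failed", "message": "Authentication to server failed."}
        return {"sid": "constructed-sid"}
    if command == "show-domains":
        return {"objects": [{"name": "DomainA", "uid": "00000000-0000-0000-0000-000000000001"}]}
    return {"message": "OK"}

if __name__ == "__main__":
    print(compare_domain_logins(fake_post, "admin", "constructed-password", "DomainA"))
```

Against a real server, pass `functools.partial(https_post, "https://<MDS_IP>")` as `post`. A result where `by_name` fails and `by_uid` succeeds matches the symptom this thread traced to a missing JHF.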