Solved: MDS REST API Call Authentication Issue

prashanth · ‎2023-10-05

Hi There,

I'm trying to run API towards the CheckPoint MDS CMAs.
From thread below thread I came to know that I need to generate the sid along with the domain name

https://community.checkpoint.com/t5/API-CLI-Discussion/How-does-the-API-work-in-a-multi-domain-envir...

When I try to run the query towards the MDS IP and without domain I can get the SID without any issues.
Once I send the domain as key, value parameter I'm getting authentication failures as below.

{
"code" : "err_login_failed",
"message" : "Authentication to server failed."
}

I can login to all the SmartConsole of CMA with the password, which I'm supplying to the REST API Post request.

Thanks in advance

Amir_Senn · ‎2023-10-23

Are you using latest JHF recommended for you version?

Kind regards, Amir Senn

View solution in original post

Bob_Zimmerman · ‎2023-10-05

What does the audit log say?

What do you see if you try to authenticate with mgmt_cli locally on the MDS? For example, 'mgmt_cli -d "<CMA name>" login read-only true'.

prashanth · ‎2023-10-05

I don't see any logs under the audit.

mgmt_cli command that you have shared was able to extract the SID successfully.

I have also noticed that when I give the domain UID instead of the name I am able to generate the SID.

Amir_Senn · ‎2023-10-18

Try <domain_name> instead of <CMA_name>

Kind regards, Amir Senn

prashanth · ‎2023-10-20

Hi @Amir_Senn
How can I differentiate the Domain Name and CMA name?

Best Regards,
Prashanth

Amir_Senn · ‎2023-10-22

CMA is management instance from specific MDS.

Domain is the same for all instances that are related to it.

See attached.

Kind regards, Amir Senn

prashanth · ‎2023-10-22

Thank you Amir.

Indeed, I have tried both Domain and CMA names but in vain.

Amir_Senn · ‎2023-10-23

What platform are you using

Try: mgmt_cli login -d <domain_name> -r true

You can also try: mgmt_cli login -d <CMA_IP> -r true

If this succeeds than the problem is with credentials/permissions of that specific admin, if this doesn't login properly perhaps you have a different issue and would consult with support.

Kind regards, Amir Senn

prashanth · ‎2023-10-23

I'm using an Open Server to construct my python code.

I'm able to login with mgmt_cli login -d <domain_name> -r true and mgmt_cli login -d <CMA_IP> -r true. Both returns the SID and other variables while executing the command.

Further I'm using the admin account to execute my code which is a "Multi-Domain Super User" account. Do I need to add any permissions apart from that for the API call?

Amir_Senn · ‎2023-10-23

Multi-Domain Super User automatically has permissions for every domain so it doesn't need any further permissions.

Make sure MGMT accepts calls from the IP.

Kind regards, Amir Senn

prashanth · ‎2023-10-23

Indeed, I have allowed all the IP address for the API call.
Stange that the script is working for domain UID but not for the domain name.

From the API guide below, the API should take UID or name.

https://sc1.checkpoint.com/documents/latest/APIs/?#web/login~v1.9.1%20

Amir_Senn · ‎2023-10-23

Are you using latest JHF recommended for you version?

Kind regards, Amir Senn

prashanth · ‎2023-11-07

Thank you @Amir_Senn
The issue was due to the JHF. As I was running it on my lab I didn't install the hotfix.

Are you a member of CheckMates?

MDS REST API Call Authentication Issue