RAJESH_TRIPATHI
Explorer

Management API Login with certificates

Hi,

I am new to mgmt_cli and APIs. I want to log in to the mgmt server with the CLI tool and add new IP host objects to an existing group, to blacklist a public IP which is a threat source. I can do this very well with the commands below.

ex: 

C:\CP>mgmt_cli add host name 120.20.20.20 ip-address 120.20.20.20 -u admin -p Cp@123 -m 10.x.y.z

C:\CP>mgmt_cli set group name "blacklist" members.add "120.20.20.20" -u admin -p Cp@123 -m 10.x.y.z

But I don't want to store the username and password in the script. Instead, I want to have a user created who can log in with a personal certificate, and I can store that certificate in a volume which can't be read by anyone else... Is this possible?

0 Kudos
10 Replies
RAJESH_TRIPATHI
Explorer

Further, I tried this but am getting the error below:


C:\CP>mgmt_cli login -c C:\CP\resourceadmin.p12 -p secret
Peer certificate host: 127.0.0.1, port: 19009 cannot be authenticated
C:\CP>mgmt_cli login -c C:\CP\resourceadmin.p12 -p secret -m 10.1.1.1
First connection to the server 10.1.1.1 port 19009

To verify server identity, compare the following fingerprint with the one displayed by the server configuration tool (cpconfig).

SHA1 Fingerprint=D9:73:57:B9:3C:23:4D:ED:88:19:1B:56:A2:1D:4E:AE:45:24:72:6D
English Fingerprint=SENT HOOT TORN DUMB POT WALL GAGE ONLY SAID WAR RUSS BETH

Do you accept the fingerprint? (y/n) [y] ? y
Error: Unable to login with client certificate. mgmt_cli_login tool was not found on this system.

C:\CP>

0 Kudos
Robert_Decker
Employee Alumnus

Hi,

Please refer to the following link and look at the login command examples using certificates - 

https://sc1.checkpoint.com/documents/latest/APIs/index.html#mgmt_cli~v1.1

Robert.

0 Kudos
RAJESH_TRIPATHI
Explorer

This hasn't helped :(

I tried the different combinations but no joy... I can log in with user ID and password but not with certificate only.

C:\CP>mgmt_cli login -u resourcemgr -p iLoveCp123 -m 10.x.y.z
uid: "5064e6fc-530c-4df9-9152-3b28fedb938e"
sid: "vFSeU29BfSqc10-GImSKTwxXm5VypNSJO7CNNa6ECDM"
url: "https://10.x.y.z:443/web_api"
session-timeout: 600
last-login-was-at:
    posix: 1517587802133
    iso-8601: "2018-02-02T16:10+0000"
api-server-version: "1.1"


C:\CP>mgmt_cli login -c C:\CP\resourcemgr.p12 -p 1234 -m 10.x.y.z
Error: Unable to login with client certificate. mgmt_cli_login tool was not found on this system.

C:\CP>

Can you share a working example?

0 Kudos
Robert_Decker
Employee Alumnus

Hi,

The error is about a missing "mgmt_cli_login" utility.

This utility is required in order to login with a certificate.

Please verify that it is in your working directory.

Are you running on a Windows machine?

Robert.

0 Kudos
RAJESH_TRIPATHI
Explorer

Hi,

Yes, I am running from a Windows machine where I have copied the mgmt_cli tool.

Where can I find the mgmt_cli_login tool? The documentation is not very clear on this tool; in fact, there is no mention of it.

I want to run this tool from a remote machine as part of automation.

Regards

Rajesh

0 Kudos
Robert_Decker
Employee Alumnus

Hi Rajesh,

It is not possible to run the "login" API command with a certificate on a Windows machine.

The "mgmt_cli_login" utility is available only on the R80 Management Server machine.

We will update the documentation to note this fact.

Robert.

0 Kudos
RAJESH_TRIPATHI
Explorer

Thanks, Robert, for the confirmation. Will there be an update to the mgmt_cli tool to include this functionality of login with certificates? It's important to have this functionality, as it prevents putting passwords in scripts. Is there any other solution for remotely updating network objects without having login credentials in clear text in any scripts or batch files?

0 Kudos
Robert_Decker
Employee Alumnus

You can use environment variables to store the credentials:

| Parameter name | Short name | Environment variable |
|---|---|---|
| User name | -u | MGMT_CLI_USER |
| Password | -p | MGMT_CLI_PASSWORD |
| Domain | -d | MGMT_CLI_DOMAIN |
| Management server address | -m | MGMT_CLI_MANAGEMENT |

First, add the environment variables. On a Linux machine use:

export MGMT_CLI_USER=me
export MGMT_CLI_PASSWORD=secret
export MGMT_CLI_MANAGEMENT=1.1.1.1

and call the command:

mgmt_cli login

Robert.

0 Kudos
RAJESH_TRIPATHI
Explorer

I'm afraid this is not good, as the password is still in clear text in the env variable and can be visible to anyone; this won't meet the security policies of the company.

0 Kudos
Robert_Decker
Employee Alumnus

If you are writing a script to automate your tasks, you can save the password obscured, and then un-obscure it in the script just before calling the login command.

Robert.

0 Kudos
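An added example, not code from any participant in this thread or from Check Point: one way to combine the two suggestions above on Windows, keeping the password encrypted at rest with DPAPI (rather than merely obscured) and exposing it through the MGMT_CLI_* variables only for the lifetime of the script's process. Assumptions: the Windows build of mgmt_cli reads the same environment variables shown for Linux and returns a non-zero exit code on failure; the credential file path is hypothetical; `10.x.y.z` and the `blacklist` group are the placeholders from the original post.

```powershell
# Added example. Paths and parameter names are hypothetical; adjust to your environment.
param(
    [switch]$Store,                                  # run once, interactively, as the automation account
    [string]$CredFile = 'C:\CP\mgmt_cli.cred.xml',   # hypothetical location of the protected credential
    [string]$Server   = '10.x.y.z',                  # management server placeholder from the thread
    [string[]]$BlockIp = @()                         # addresses to add to the "blacklist" group
)
$ErrorActionPreference = 'Stop'

if ($Store) {
    # On Windows, Export-Clixml encrypts the password with DPAPI: only the same
    # user account on the same machine can decrypt the file.
    Get-Credential -Message 'Management API account' | Export-Clixml -Path $CredFile
    return
}

$cred = Import-Clixml -Path $CredFile   # fails if run as a different user or on a different machine
try {
    # Process-scoped variables: inherited by mgmt_cli as a child process,
    # never written to the registry or to the user/system environment.
    $env:MGMT_CLI_USER       = $cred.UserName
    $env:MGMT_CLI_PASSWORD   = $cred.GetNetworkCredential().Password
    $env:MGMT_CLI_MANAGEMENT = $Server

    foreach ($ip in $BlockIp) {
        # Reject anything that is not an IP address before it reaches the command line.
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            Write-Warning "Skipping invalid address: $ip"
            continue
        }
        # Same two commands as in the original post, without -u / -p / -m.
        & mgmt_cli add host name $ip ip-address $ip
        if ($LASTEXITCODE -ne 0) { throw "add host failed for $ip" }   # assumes non-zero exit on error
        & mgmt_cli set group name 'blacklist' members.add $ip
        if ($LASTEXITCODE -ne 0) { throw "set group failed for $ip" }
    }
}
finally {
    # Drop the secrets from the process environment even if a command failed.
    Remove-Item Env:MGMT_CLI_USER, Env:MGMT_CLI_PASSWORD, Env:MGMT_CLI_MANAGEMENT -ErrorAction SilentlyContinue
}
```

Run it once with `-Store` under the scheduled-task account, then call it with `-BlockIp` from the automation; restricting the NTFS ACL on the credential file to that account adds a second layer on top of DPAPI.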