Claudiu_Chiriac
Participant

gaia API not working for any user


On the SMC, I can execute REST API queries, no problem.

However, when I try to execute any gaia api commands, it just does not work:

[Expert@LPACAICSP1:0]# mgmt_cli show hostname --context gaia_api
Username: admin
Password:
code: "generic_error"
message: "Internal error."
[Expert@LPACAICSP1:0]#

I'm using the superuser/admin account.

 

It looks like an authorization issue, but I have set up Blades->Management API->Accept API calls from All IP addresses.

[Expert@LPACAICSP1:0]# mgmt_cli login user admin password 'mySuperSecret' --context gaia_api --format json
{
"code" : "generic_error",
"message" : "Error 403. Access to the API server is forbidden. Please check the Management API blade settings to make sure that the server is allowed to accept requests from this IP address."
}

I have tried (without success) to add the user admin the right to use gaia api like it says in the gaia api guide here: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.5%20 :

the command executes just fine but nothing happens (since 'access-mechanism API' is not there):

[Expert@LPACAICSP1:0]# gaia_api access --user admin --enable true
[Expert@LPACAICSP1:0]#

LPACAICSP1> show rba user admin
User
admin
access-mechanism Web-UI
access-mechanism CLI
role adminRole
LPACAICSP1>

If I try to create new users in the Smart Console, they are created there, but I cannot see them with "show rba users".

API status here:

LPACAICSP1> api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 21527
CPM Started 5877 Check Point Security Management Server is running and ready
FWM Started 3997
APACHE Started 8197

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf

Profile:
------------
Machine profile: Large SMC env resources profile without SME
CPM heap size:
API heap size:

 

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

LPACAICSP1>

 

[Expert@LPACAICSP1:0]# gaia_api status

API Status:
---------------------
Build: cp991255022
Uptime: 0:49:03.576685
Current Sessions: 0
Latest Version: 1.5

Processes:

Name State PID
---------------------------------
GAIA_API Started 29357
GAIA_API_DOCS Started 29356
APACHE Started 8197
CONFD Started 8194
CLISHD Started 25719 24906 21350 8282 1147
CELERY Started 29354
REDIS Started 29355

Port Details:
-------------------
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Started
--------------------------------------------
[Expert@LPACAICSP1:0]#

I have restarted web and gaia api server, no success. Anyone got an idea what to do to make gaia api work?

 


Accepted Solutions
Claudiu_Chiriac
Participant

I've found my issue while trying to explain what does not work. It looks like I was performing the login calls as read-only, which is not compatible with running scripts or gaia_api commands.

 

_Val_
Admin

What do you see on https://<your-Gaia-ip-address>/gaia_api/ ?

Claudiu_Chiriac
Participant

This is the output I get in the browser:

{ "code": "generic_err_command_not_found", "errors": "Requested API command: [] not found", "message": "Command Not Found" }

_Val_
Admin

Also, did you by any chance change access to WebUI on this server to specific IP addresses only?

Claudiu_Chiriac
Participant

No, I did not.

 

Claudiu_Chiriac
Participant

I believe I did not explain correctly what my issue is:

I want to retrieve the routing table and list interfaces of my gateways using REST APIs. I can successfully retrieve the gateways and access policies. I did not find any other solution to retrieve the routing table other than:

- run-script: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/run-script~v1.8%20

OR

- gaia-api commands: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/gaia-api~v1.8%20

 

Unfortunately I could not make them run correctly. If I try the mgmt_cli tool version of run-script - it works just fine. The REST API version not so much - I get a 400 Bad Request, although I perform the same calls as in the example.

 

Claudiu_Chiriac
Participant

I've found my issue while trying to explain what does not work. It looks like I was performing the login calls as read-only, which is not compatible with running scripts or gaia_api commands.

 

0 Kudos
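
As an added example (not part of the original posts and not Check Point's own code): a read-write login followed by run-script, with the session's read-only flag checked before the script is submitted. The server URL, target name and script are placeholders, and the response field names (`read-only`, `task-details`, `responseMessage`) are assumptions taken from the Management API reference.

```powershell
# Added example: placeholder values, not taken from the thread.
$mgmt   = 'https://mgmt.example.test'   # management server (placeholder); its certificate must be trusted by this client
$target = 'gw-example'                  # gateway object name (placeholder)
$cred   = Get-Credential                # prompt, so the password never lands in shell history

# Small wrapper: POST a JSON body to /web_api/<command>, adding the session id when there is one.
function Invoke-MgmtApi([string]$Command, [hashtable]$Body, [string]$Sid) {
    $headers = @{ 'Content-Type' = 'application/json' }
    if ($Sid) { $headers['X-chkp-sid'] = $Sid }
    Invoke-RestMethod -Method Post -Uri "$mgmt/web_api/$Command" `
        -Headers $headers -Body ($Body | ConvertTo-Json -Depth 5)
}

$login = Invoke-MgmtApi 'login' @{
    user        = $cred.UserName
    password    = $cred.GetNetworkCredential().Password
    'read-only' = $false                # JSON boolean, not the string "false"
}

try {
    # Assumed field: the login reply reports whether the session is read-only.
    if ($login.'read-only') { throw 'Session is read-only; run-script needs a read-write session.' }

    $run = Invoke-MgmtApi 'run-script' @{
        'script-name' = 'show routes'
        script        = 'ip route show'
        targets       = @($target)
    } $login.sid
    $taskId = $run.tasks[0].'task-id'

    # run-script is asynchronous: poll the task until it leaves "in progress".
    do {
        Start-Sleep -Seconds 2
        $task = (Invoke-MgmtApi 'show-task' @{ 'task-id' = $taskId; 'details-level' = 'full' } $login.sid).tasks[0]
    } while ($task.status -eq 'in progress')

    # Assumed field: script output is returned base64-encoded in responseMessage.
    $b64 = $task.'task-details'[0].responseMessage
    "Task status: $($task.status)"
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}
finally {
    # Always release the read-write session, even when a call above fails.
    Invoke-MgmtApi 'logout' @{} $login.sid | Out-Null
}
```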
_Val_
Admin

Lol, that would explain it. Thanks for sharing, and I am happy you found the issue root cause and resolved it.

Claudiu_Chiriac
Participant

I spoke too early 😞

Indeed, I can run-script now, but the gaia-api commands are still not working. I get a 404 Not Found error.

I use the example from the documentation here https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/gaia-api~v1.7%20

# login is successful
$URLAnon = "https://10.171.69.11/web_api/login"
$headers = @{
    "Content-Type" = "application/json"
}
$login = @{
    "user" = $username
    "password" = $password
    "read-only" = "false"
}
$login = $login | ConvertTo-Json
$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $login
$sid = $response.sid

# get hostname
$URLAnon = "https://10.171.69.11/web_api/gaia-api/show-hostname"
$headers = @{
    "Content-Type" = "application/json"
    "X-chkp-sid" = $sid
}
$body = @{
    "target" = "10.171.69.11"
}
$body = $body | ConvertTo-Json

$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $body

Invoke-RestMethod : The remote server returned an error: (404) Not Found.

 

Any ideas why?
