Solved: gaia API not working for any user

Claudiu_Chiriac · ‎2021-08-04

On the SMC, I can execute REST API queries, no problem.

However, when I try to execute any gaia api commands, it just does not work:

[Expert@LPACAICSP1:0]# mgmt_cli show hostname --context gaia_api
Username: admin
Password:
code: "generic_error"
message: "Internal error."
[Expert@LPACAICSP1:0]#

I'm using the superuser/admin account.

It looks like a authorization issue, but I have setup Blades->Management API->Accept API calls from All IP addresses..

[Expert@LPACAICSP1:0]# mgmt_cli login user admin password 'mySuperSecret' --context gaia_api --format json
{
"code" : "generic_error",
"message" : "Error 403. Access to the API server is forbidden. Please check the Management API blade settings to make sure that the server is allowed to accept requests from this IP address."
}

I have tried (wthout success) to add the user admin the right to use gaia api like is says in the gaia api guide here: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.5%20 :

the command executes just fine but nothing happens (since 'access-mechanism API' is not there):

[Expert@LPACAICSP1:0]# gaia_api access --user admin --enable true
[Expert@LPACAICSP1:0]#

LPACAICSP1> show rba user admin
User
admin
access-mechanism Web-UI
access-mechanism CLI
role adminRole
LPACAICSP1>

If I try to create new users in the Smart Console, they are created there, but I cannot see them with "show rba users".

API status here:

LPACAICSP1> api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 21527
CPM Started 5877 Check Point Security Management Server is running and ready
FWM Started 3997
APACHE Started 8197

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf

Profile:
------------
Machine profile: Large SMC env resources profile without SME
CPM heap size:
API heap size:

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

LPACAICSP1>

[Expert@LPACAICSP1:0]# gaia_api status

API Status:
---------------------
Build: cp991255022
Uptime: 0:49:03.576685
Current Sessions: 0
Latest Version: 1.5

Processes:

Name State PID
---------------------------------
GAIA_API Started 29357
GAIA_API_DOCS Started 29356
APACHE Started 8197
CONFD Started 8194
CLISHD Started 25719 24906 21350 8282 1147
CELERY Started 29354
REDIS Started 29355

Port Details:
-------------------
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Started
--------------------------------------------
[Expert@LPACAICSP1:0]#

I have restarted web and gaia api server, no success. Anyone got an idea what to do to make gaia api work?

Claudiu_Chiriac · ‎2021-08-04

I've found my issue while trying to explain what does not work. It looks like I was performing the login calls as read-only, which is not compatible with running scripts or gaia_api commands.

View solution in original post

_Val_ · ‎2021-08-04

What do you see on https://<your-Gaia-ip-address>/gaia_api/ ?

Claudiu_Chiriac · ‎2021-08-04

this is the output i get in browser:

{ "code": "generic_err_command_not_found", "errors": "Requested API command: [] not found", "message": "Command Not Found" }

_Val_ · ‎2021-08-04

Also, did you by any chance changed access to WebUI on this server to specific IP addresses only?

Claudiu_Chiriac · ‎2021-08-04

No, I did not.

Claudiu_Chiriac · ‎2021-08-04

I believe I did not explain correctly what is my issue:

I want to retrieve the routing table and list interfaces of my gateways using REST APIs. I can successfully retrieve the gateways and access policies. I did not find other solution to retrieve the routing table other than:

- run-script: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/run-script~v1.8%20

OR

- gaia-api commands: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/gaia-api~v1.8%20

Unfortunately I could not make them run correctly. If I try the mgmt_cli tool version of run-script - it works just fine. The REST API version not so much - I get a 400 Bad Request, although I perform the same calls as in the example.

Claudiu_Chiriac · ‎2021-08-04

I've found my issue while trying to explain what does not work. It looks like I was performing the login calls as read-only, which is not compatible with running scripts or gaia_api commands.

_Val_ · ‎2021-08-04

Lol, that would explain it. Thanks for sharing, and I am happy you found the issue root cause and resolved it.

Claudiu_Chiriac · ‎2021-08-05

I spoke too early 😞

Indeed, I can run-script now, but the gaia-api commands still not working. I get a 404 Not Found error.

I use the example from the documentation here https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/gaia-api~v1.7%20

#login is successfull
$URLAnon = "https://10.171.69.11/web_api/login"
$headers = @{
"Content-Type" = "application/json"
}
$login = @{
"user" = $username
"password" = $password
"read-only" = "false"
}
$login = $login | ConvertTo-Json
$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $login
$sid = $response.sid

#get hostname

$URLAnon = "https://10.171.69.11/web_api/gaia-api/show-hostname"
$headers = @{
"Content-Type" = "application/json"
"X-chkp-sid" = $sid
}

$body=@{
"target" = "10.171.69.11"
}
$body = $body | ConvertTo-Json

$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $body

Invoke-RestMethod : The remote server returned an error: (404) Not Found.

Any ideas why?

Are you a member of CheckMates?

gaia API not working for any user