cm
Explorer

Cannot change GAiA admin password via ansible/API

Hi,

I'm trying to automate initial configuration of GAiA gateways and I have an issue when trying to change the password for "admin", like this:

  - name: set admin user password hash
    check_point.gaia.cp_gaia_user:
      name: admin
      password_hash: $6$xxxxx
      must_change_password: False

When I try this, I get an error:

Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}

This also happens when I use "password" instead of "password_hash", and it is limited to the "admin" user. I am accessing the API as a separate user "apiuser" because I thought maybe the password of the accessing user cannot be changed, but that's not the issue.

This is on R81.20 JHF89/API level 1.7

So, how do I change that password via the API and ansible?

0 Kudos
8 Replies
the_rock
Legend

Is this management or gateway?

Andy

0 Kudos
the_rock
Legend

0 Kudos
cm
Explorer

That's on the gateway, so using the GAiA API, not the mgmt API...

0 Kudos
the_rock
Legend

0 Kudos
cm
Explorer

I don't think so. That's just the management API as called from clish, not the GAiA API which is a different beast. The link you posted affects the user objects in the SMC, not the GAiA users...

0 Kudos
the_rock
Legend

0 Kudos
PhoneBoy
Admin

Just to confirm, you can change other users' passwords using this playbook, but not the admin user?

0 Kudos
Jim_Oqvist
Employee

Hi,

It seems to be a bug in the ansible collection.

It is possible to change the admin password using the set-user API call directly (https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#cli/set-user~v1.7%20).

It also seems like this is only triggered when trying to change the password of the user "admin"; if you create a new user, for example called test, it works as expected.

This is reproducible with this playbook https://github.com/checkpointsw-devsec/chkp-api-examples/blob/master/Ansible/Gaia/cp_gaia_user.yml 

I suggest you open an issue here: https://github.com/CheckPointSW/CheckPointAnsibleGAIACollection or open a service request with TAC to get it solved.

Kind Regards

Jim

0 Kudos
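
The direct set-user call suggested in the reply above, sketched as a playbook workaround; this is an added example, not part of the original thread and not Check Point's code. The host name and the variables `gaia_api_user`, `gaia_api_password` and `admin_password_hash` are hypothetical (supply them from Ansible Vault), and the login/logout paths, the `X-chkp-sid` header and the hyphenated `password-hash` key are assumptions to check against the Gaia API reference linked in the reply.

```yaml
# Added example: call the Gaia API set-user directly with ansible.builtin.uri
# while the collection module rejects changes to "admin".
- name: Change the Gaia admin password hash via set-user
  hosts: localhost
  gather_facts: false
  vars:
    gaia_host: gw.example.test        # constructed placeholder host
    gaia_api_version: "v1.7"          # API level quoted in the thread
  tasks:
    - name: Log in to the Gaia API as the separate API user
      ansible.builtin.uri:
        url: "https://{{ gaia_host }}/gaia_api/login"   # assumed login path
        method: POST
        body_format: json
        body:
          user: "{{ gaia_api_user }}"
          password: "{{ gaia_api_password }}"
        validate_certs: true          # do not disable TLS verification
      register: gaia_login
      no_log: true                    # keep credentials and the sid out of logs

    - name: Change the password, then always close the session
      block:
        - name: Call set-user for admin
          ansible.builtin.uri:
            url: "https://{{ gaia_host }}/gaia_api/{{ gaia_api_version }}/set-user"
            method: POST
            headers:
              X-chkp-sid: "{{ gaia_login.json.sid }}"   # assumed session header
            body_format: json
            body:
              name: admin
              # Only the hash is sent; the reply confirms nothing beyond
              # changing the password itself.
              password-hash: "{{ admin_password_hash }}"
            validate_certs: true
          no_log: true                # keep the hash out of task output
      always:
        - name: Log out so the session id cannot be reused
          ansible.builtin.uri:
            url: "https://{{ gaia_host }}/gaia_api/logout"  # assumed logout path
            method: POST
            headers:
              X-chkp-sid: "{{ gaia_login.json.sid }}"
            body_format: json
            body: {}
            validate_certs: true
          no_log: true
```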