This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yunus_Badar
Participant
‎2019-02-28 04:57 PM

no JSON object could be decoded - "MODULE FAILURE"

Hi:

Trying to create VPN via play book results in the error as below.

I also noticed that the api doesnot have all the commands for example, you cannot create vpn interoperable device via api so I had to manually create interoperable device to test out the VPN creation.

Here is the VPN entry in .yml

[root@Ansible-Cent Playbooks]# ansible-playbook -C vpn-testing.yml

PLAY [localhost]

.....

TASK [create VPN community] *************************************************************************************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_tvlW8Y/ansible_module_check_point_mgmt.py\", line 256, in <module>\r\n main()\r\n File \"/tmp/ansible_tvlW8Y/ansible_module_check_point_mgmt.py\", line 136, in main\r\n parameters = json.loads(parameters)\r\n File \"/usr/local/lib/python2.7/json/__init__.py\", line 339, in loads\r\n return _default_decoder.decode(s)\r\n File \"/usr/local/lib/python2.7/json/decoder.py\", line 364, in decode\r\n obj, end = self.raw_decode(s, idx=_w(s, 0).end())\r\n File \"/usr/local/lib/python2.7/json/decoder.py\", line 382, in raw_decode\r\n raise ValueError(\"No JSON object could be decoded\")\r\nValueError: No JSON object could be decoded\r\n", "msg": "MODULE FAILURE", "rc": 1}
to retry, use: --limit @/root/cpAnsible/Playbooks/yunus-demo3.retry

PLAY RECAP ******************************************************************************************************************************************************************************************
127.0.0.1 : ok=7 changed=0 unreachable=0 failed=1

Labels
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-02-28 05:41 PM

Do you see anything in the api status -s output that might give a clue?

This creates a tarball of various log files--the api.elg file is probably the most interesting.

0 Kudos
Yunus_Badar
Participant
‎2019-03-01 05:01 AM
In response to PhoneBoy

In api.elg, after id 78, I was expecting id 79 to be "add-vpn-community-star". but that was not the case.

id 78:

Address: http://127.0.0.1:50276/web_api/add-access-rule


which made me go line by line for yml configuration and I found out through error and trial that following line was causing the error to be thrown.

"use-shared-secret: true"

The "use-shared-secret: true" doesnot work at all and throws error.

once removed, the error didn't occur and VPN section

- name: create VPN community
check_point_mgmt:
command: add-vpn-community-star
parameters:
name: "Ottawa VPN"
center-gateways: cp-fw1
satellite-gateways: ottawa-vpn-gw
encryption-method: ikev2 only
encryption-suite: suite-b-gcm-256
shared-secrets:
- external-gateway: ottawa-vpn-gw
shared-secret: mysharedsecret120length
session-data: '{{login_response}}'


question:

1) I know in gui you have to use " use shared secret for all external vpn" for it to allow adding PSK for remote gateway. Why it fails when using in yml? looks like some sort of api bug. This feature is needed to enable PSK otherwise PSK will be setup manually like interoperable device which defeats the purpose of automation

2) Why the api for VPN is missing important things like "interoperable device". This is absolutely needed for VPN automation along with other params like cutom encryption. Any Plans to have this available in near future?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-01 04:55 PM
In response to Yunus_Badar

The question is whether it's the Ansible module or the API that's the source of the error.

It's not clear from the error which.

Can't really comment on why the API is missing calls for interoperable devices, but it's a known limitation.

In some cases, you may be able to achieve automation through the generic-object API, though obviously less ideal than official API support.

There are some threads on this on CheckMates.

There doesn't appear to be anything in the upcoming R80.30 for this (planned for the next several weeks).

In addition to letting us know here (which you did), you should also discuss these requirements with your local office.

0 Kudos
Artur_Zalenekas
Explorer
‎2019-03-05 04:47 PM

The source of the error is actually the conversion of the code of parameters into JSON. The boolean in Ansible should be defined as yes|no and Ansible will convert that into true boolean as true|false. To give also some clarity, here are some additional explanations and how to use true booleans in Ansible: hxxps://emilwypych.com/2018/01/28/ansible-boolean-variable-in-extra-vars/

So far I can see the problem at the JSONDecoder (import json) for Python 2.7

Will update once I have more ...

UPDATE:

The problem as suspected, the produced boolean values by Ansible are capitalized on the first letter. JSON format takes only in lower case, so just do a replace on the parameters and that solves the issue.

Ansible module: check_point_mgmt.py

After line134: parameters = parameters.replace("\\\\\"", "'")

Add two lines:

parameters = parameters.replace("True", "true")

parameters = parameters.replace("False", "false")

Additionally, the parameters in the API commands that are of Object type, only need indentation on the new line. Parameters with List type, need a dash on the new indented line.

Also, it seems like the Management API take all lowercase boolean values.

Hopefully, that helps somebody. I also submitted an issue for that Ansible module on github.

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events