tvm
Explorer

Ansible uri Module with MDS API - Cannot Even Get Login Working

Hi,

I'm starting to explore Ansible with Check Point. I want to set the OPSEC LEA one-time password on multiple systems. I'm trying to use the 'uri' module, since I cannot find a candidate module in the cp_mgmt_* collection. So far, I cannot get to first base, since I cannot even login successfully. I imagine I am missing something stupidly simple, but I'm stumped. Any guidance would be appreciated. Details below.

Thanks!
Check Point Security Management Server R80.20 - Build 034
Check Point's software version R80.20 - Build 245
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 149
Management API Settings: All IP addresses

Ansible v 2.9.6

Contents of playbook:
---
- name: Test CP Access
  hosts: checkpoint
  connection: httpapi
  tasks:
    - name: Login
      uri:
        url: https://10.10.10.10:443/web_api/login
        validate_certs: no
        user: admin
        password: somepassword
        method: POST
        headers:
          Content_Type: "application/json"
        return_content: yes

Error message running playbook:
fatal: [10.10.10.10]: FAILED! => {"changed": false, "connection": "close", "content": "{\n \"code\" : \"generic_err_invalid_syntax\",\n \"message\" : \"Login request message processing failed\"\n}", "content_type": "application/json", "date": "Fri, 08 May 2020 20:14:23 GMT", "elapsed": 0, "json": {"code": "generic_err_invalid_syntax", "message": "Login request message processing failed"}, "msg": "Status code was 400 and not [200]: HTTP Error 400: Bad Request", "redirected": false, "server": "CPWS", "status": 400, "strict_transport_security": "max-age=31536000; includeSubDomains", "transfer_encoding": "chunked", "url": "https://10.10.10.10:443/web_api/login", "x_forwarded_host_port": "443", "x_frame_options": "SAMEORIGIN", "x_ua_compatible": "IE=EmulateIE8"}
4 Replies
PhoneBoy
Admin

I don't think you can configure OPSEC LEA via the API anyway, which means you won't necessarily be able to do it via Ansible.
(In general, you shouldn't be using LEA, but use Log Exporter).

What precise version/JHF is the management in question?
What does the output of api status say on the MDS?
Also, if this is MDS, you're not specifying the domain you are connecting to as part of your playbook, which is required.
tvm
Explorer

If the info I originally included about versions etc. is incomplete, I could use help to obtain more precise information.

I was trying to use this API call, through the 'uri' module:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-opsec-application~v1.4%20

================================================================================
My most recent attempts use this playbook with the domain specified.
---
- name: Test CP Access
  hosts: checkpoint
  connection: httpapi
  tasks:
    - name: Login
      uri:
        url: https://10.10.10.45:443/web_api/login
        validate_certs: no
        method: POST
        headers:
          Content_Type: "application/json"
        body:
          "name" : "admin"
          "password" : "somepassword"
          "domain" : "Lab-Domain"
        body_format: json
        return_content: yes

================================================================================
I cannot figure out the correct syntax so that I can actually achieve a login. On each attempt, there are errors like this in the api.elg file:

--------------------------------------
2020-05-21 10:49:21,168 ERROR com.checkpoint.management.web_api.utils.LoginRequestValidator.fromStream:47 [qtp-389546900-33] - Request body contains unknown fields or invalid syntax
2020-05-21 10:49:21,172 WARN com.checkpoint.management.web_api_is.utils.helpers.RequestHeadersHelper.getMediaType_aroundBody6:9 [qtp-389546900-33] - No Accept header received. Falling back to default media type [application/json].
2020-05-21 10:49:21,173 ERROR com.checkpoint.management.web_api_is.utils.helpers.ThreadLocalStore$1.initialValue:7 [qtp-389546900-33] - ThreadLocalStore.requestedVersion was requested before initialization! Initializing it with the latest API version: 1.3
2020-05-21 10:49:21,177 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp-389546900-33] - Inbound Message
----------------------------
ID: 31489
Address: http://127.0.0.1:50276/web_api/login
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], connection=[keep-alive], Content-Length=[64], content-type=[application/json], Content_Type=[application/json], Host=[127.0.0.1:50276], User-Agent=[ansible-httpget], X-Chkp-Sid=[], X-Forwarded-For=[10.10.10.120], X-Forwarded-Host=[10.10.10.45:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.10.10.45]}
--------------------------------------
2020-05-21 10:49:21,181 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp-389546900-33] - Outbound Message
---------------------------
ID: 31489
Response-Code: 400
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Thu, 21 May 2020 15:49:21 GMT]}
Payload: {
"code" : "generic_err_invalid_syntax",
"message" : "Login request message processing failed"
}
--------------------------------------

================================================================================
Full output from 'api status':

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 1154
CPM Started 6150 Check Point Security Management Server is running and ready
FWM Started 21443
APACHE Started 5065

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

================================================================================

Johnny_V
Employee

Try this.

---
- hosts: localhost
  gather_facts: no
  connection: httpapi

  tasks:

    - name: Login
      uri:
        url: "https://192.168.0.100/web_api/login"
        validate_certs: false
        method: POST
        body_format: json
        body: "{ \"user\" : \"admin\", \"password\" : \"abc0123\", \"domain\" : \"CMA1\" }"
      register: loginoutput

    - debug:
        msg: "{{ loginoutput }}"

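To make the difference between the failing playbooks and the working one concrete, here is a small Python client added for this thread (it is not Check Point's, Ansible's or any poster's code). It builds the login request the way Johnny_V's body does (`user`, `password`, `domain` as JSON fields, `Content-Type` spelled with a hyphen), checks the body for the kind of unknown field that produces the "Request body contains unknown fields or invalid syntax" line in api.elg (for example `name` instead of `user`), and parses the 400 payload quoted above. Assumptions: the endpoint is `POST /web_api/login` (optionally `/web_api/v1.3/login` to pin the version the log mentions), the field names in `KNOWN_LOGIN_FIELDS` are from the public Management API reference as I recall it and should be checked against your version, and the host, credentials and domain are constructed placeholders.

```python
"""
Offline checker for a Check Point Management API login request, plus a
urllib-based login() that sends the same request to a real server.

Added example for this thread, not Check Point's or Ansible's code.
Assumptions: POST /web_api/login takes a JSON body whose documented fields
include "user", "password" and "domain"; the remaining names in
KNOWN_LOGIN_FIELDS are from the public API reference as recalled here and
should be verified against your server's version. Host, credentials and
domain values are constructed placeholders.
"""
import json
import ssl
import urllib.request
from urllib.error import HTTPError

# Fields the login call accepts (assumption: from the public API reference).
KNOWN_LOGIN_FIELDS = {
    "user", "password", "domain", "session-name", "session-timeout",
    "read-only", "continue-last-session", "enter-last-published-session",
}


def build_login_request(user, password, domain=None, api_version=None):
    """Return (url_path, headers, body_dict) for a login call.

    The header name is 'Content-Type' with a hyphen. The api.elg dump in the
    thread shows the uri module forwarding 'Content_Type' (underscore) verbatim
    as an extra, unknown header next to the real content-type it adds itself.
    """
    path = "/web_api/login" if api_version is None else f"/web_api/v{api_version}/login"
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    body = {"user": user, "password": password}
    if domain:
        body["domain"] = domain  # required when logging in to a domain on an MDS
    return path, headers, body


def validate_login_body(body):
    """Return the set of problems; an empty set means the body is well-formed.

    Unknown keys (e.g. 'name' instead of 'user') or missing required keys are
    what the server rejects with generic_err_invalid_syntax.
    """
    problems = set(body) - KNOWN_LOGIN_FIELDS
    for required in ("user", "password"):
        if required not in body:
            problems.add(f"missing:{required}")
    return problems


def parse_login_response(status, text):
    """Map an HTTP status and JSON text to ('ok', sid) or ('error', code)."""
    data = json.loads(text)
    if status == 200 and "sid" in data:
        return ("ok", data["sid"])
    return ("error", data.get("code", f"http_{status}"))


def login(host, user, password, domain=None, verify_tls=True):
    """Perform the login over HTTPS and return the session id (sid).

    verify_tls=False mirrors validate_certs: no in the playbooks; installing
    the management server's CA certificate lets verification stay on.
    """
    path, headers, body = build_login_request(user, password, domain)
    problems = validate_login_body(body)
    if problems:
        raise ValueError(f"malformed login body: {sorted(problems)}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{path}", data=json.dumps(body).encode(),
        headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            state, value = parse_login_response(resp.status, resp.read().decode())
    except HTTPError as err:
        state, value = parse_login_response(err.code, err.read().decode())
    if state != "ok":
        raise RuntimeError(f"login failed: {value}")
    return value  # send this as the X-chkp-sid header on subsequent calls


if __name__ == "__main__":
    # Offline walk-through using the error payload quoted in the thread.
    path, headers, body = build_login_request("admin", "somepassword", "Lab-Domain")
    print(path, headers, body, validate_login_body(body))
    print(validate_login_body({"name": "admin", "password": "x", "domain": "Lab-Domain"}))
    print(parse_login_response(400, '{"code": "generic_err_invalid_syntax", '
                               '"message": "Login request message processing failed"}'))
```

Run it as-is to see the offline checks; call `login("10.10.10.45", "admin", "...", "Lab-Domain", verify_tls=False)` to reproduce what the playbook does against a lab server. Putting `user`/`password` as parameters of the `uri` module, as in the first playbook, sends HTTP basic authentication rather than the JSON body the API reads, which is why that attempt also fails with the same 400.
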
Pierre-Aymeric_
Participant

Hi TVM,

I have the same issue with Tufin 19.1 HF2 and I can see the same exact message:

2020-05-21 10:49:21,173 ERROR com.checkpoint.management.web_api_is.utils.helpers.ThreadLocalStore$1.initialValue:7 [qtp-389546900-33] - ThreadLocalStore.requestedVersion was requested before initialization! Initializing it with the latest API version: 1.3

I'm running R80.20 JHF173 (I had the same issue on JHF 160).

API connectivity is successful, as I can see Tufin is able to get configuration data from the Check Point MGMT Server, but it is not able to make some specific calls such as retrieving device configuration details.

Cheers

Did you solve your issue?

Best regards

Pierre
