R81 SmartConsole config file doesn't work

HeikoAnkenbrand · ‎2020-12-28

I have a problem with the SmartConsole config file and version R81.

Is this no longer supported from R81 or is this a bug?

I'll try the following:

"C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM\SmartConsole.exe" -p D:\SmartConsoleP.xml

And the file SmartConsoleP.xml for the SmartConsole login:

<?xml version="1.0" encoding="utf-8"?>
	<RemoteLaunchParemeters xmlns:xsi="http‌‌/www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http‌‌/www.w3.org/2001/XMLSchema">
		<Username>admin</Username>
		<ServerIP>x.y.z.w</ServerIP>
		<DomainName></DomainName>
		<ReadOnly>False</ReadOnly>
		<CloudDemoMode>False</CloudDemoMode>
		<Password>this is secret</Password>
	</RemoteLaunchParemeters>

PS:
This works without problems with version R80.10 - R80.40.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Dima_M · ‎2020-12-29

Hi Heiko,

Thanks for reporting, we're already working to fix this issue. If you would like to get a private HotFix, please submit a Service Request.

HeikoAnkenbrand · ‎2020-12-29

Thanks

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

randolchen · ‎2021-02-24

Hi,

Same here, I just ran into this. I tried the latest version R81 (81.0.9500.549) as of today (Build 549 published 2021-02-04) but the problem persists. Is any fix available? I just opened a SR just in case. Maybe DEVs updated something on the Syntaxis of the XML.

@HeikoAnkenbrand by the way, just in case you need it... I realized that R80.x didnt recognize the ReadOnly option (<ReadOnly>True</ReadOnly>), after a very long testing session I figure it out this (<IsReadOnly>1</IsReadOnly>) as a working workaround to connect Read Only "R80.x".

Thanks.

RChen

Arne_Boettger · ‎2021-02-26

Thank you for that information. Unfortunately, our request for a private Hotfix for R80.30 was denied and we were told to monitor the release notes of SmartConsole for a fixed version.

best regards, Arne

the_rock · ‎2021-02-26

Yes, I have the same issue as well...glad they are working on the fix.

Sagivw · ‎2021-03-04

Hi Heiko,

As Dima_m mentioned, we are working on a fix- It is important to state that this is not actually an issue, but that the feature was adjusted so that you can no longer use it with the password in clear text within the XML file but using an SSO token instead. (duo to Security reasons)

It has been integrated as so in the latest SC build for all versions- we are currently integrating the fix that will allow you to use it with clear text password for R80.30 and R80.20 (no ETA at the moment, still under testing) as for R80.40 and above- according to my understanding, it will not be reinstated.

Official documentation about all of this is inbound.

Hope that clarifies things 🙂

****after checking again with the development team the login with SSO token option is not available for the SmartConsole admin****

randolchen · ‎2021-03-23

Exactly, is not an issue but would have been great if LoginParam would remain working until developers implemented something new and more secure like token or so. Because if you get to that build on R80.40 or R81 there is no option right now...

Just to share how I use LoginParams:
I implemented a "bit more secure" way and was calling the paramfile from a secure server that generate the xml based on some permisions, etc.
First the web app generate a bat file that contains this script obuscated, and the bat autodeletes after running:

SmartConsole.exe -p https://myinternalapp.local/app/connect?to=ONETIMETOKEN

The url will generate the XML file. but will never be stored on the machine. and its one time. so the next time I use the URL or the BAT file will not work, even if I manage to make copies before they auto delete.

I'm waiting for the new connection method to rewrite my code.

RChen

BABaracus · ‎2021-09-15

To RChen's point, and similar to what he's describing, we've achieved with a password vault in version prior to R81.

We were using cyberark to launch smartconsole and populate username/password fields in the XML with variables by making a request to the cyberark API. After upgrading to R81 we are now dead in the water. Our only workaround has been to allow access to smartconsole through the web UI - but this is not ideal as it lacks features our admins require. For now the workaround has been installing smarconsole directly on user desktop vms and letting them run it locally without monitoring or password management - also not ideal. We will adjust our code as well whenever CP documents their new method for launching from CLIs.

BA

barakco · ‎2022-03-09

Hi,

Does anyone know if there is a solution for R81.10?

Lloic · ‎2022-05-19

Hello,

Actually exactly the same case here as BABaracus and barakco.
Moving from R80.30 with LoginParam to R81.10 with ... Nothing ?!

Does anyone get the support of Checkpoint on that ? Except an private hotfix...?

Thanks.

Sagivw · ‎2022-06-02

Please see sk175463

barakco · ‎2022-06-02

Hi ,

i see that logging with xml is not supported. Do you have any solution to inject user/password with Cyberark?

Sagivw · ‎2022-06-02

Hi barakco,

I am not aware of any other methods- I believe that Cyberark should handle that directly with our R&D, I would suggest contacting them.

Ruan_Kotze · ‎2022-06-02

While it doesn't directly fix your issue, this might be a workaround for CyberArk until integration is fixed again.

Establish a RDP connection to a jump box with SmartConsole installed using PSM (so that you get session recording). The user will need to check check out the password via PVWA and use that to login.

Are you a member of CheckMates?

R81 SmartConsole config file doesn't work