Solved: Re: "mgmt_cli login" triggers err_login_failed an...

Robin_Berthier · ‎2020-06-23

Hi,

I am trying to understand the requirements on the user account in order to connect to the web api without the need to be root.

Running "mgmt_cli login" with an admin user on an R80.20 management server triggers the error err_login_failed (message: Authentication to server failed).

No error is triggered if we use "mgmt_cli -r true" but we want to use session id and avoid logging in as root.

Attached are screenshots showing :

- [api status] the api is up with all access granted

- [user profile] the user (admin) has the "Management API Login" enabled

- [mgmt_cli login outputs] successful when run as root but failing when not using "-r true"

The same admin user account works fine to ssh to the management server or log into SmartDashboard.

Is there any requirement on the authentication method (we use "Checkpoint Password" here) to access the API without the need to be root (-r true)?

Thanks for any hint!

Robin_Berthier · ‎2020-06-29

Our customer responded and it turns out the issue was due to confusion with regards to "Checkpoint authentication" versus "OS authentication" when attempting to use mgmt_cli

They had 2 user accounts with the same name:

one created in the clish
- with command "add user ..." and role "adminRole"
another -same user name- but created in SmartConsole
- with "Checkpoint Authentication"
- an administrator with "super user" profile

Each with a different password.

When invoking "mgmt_cli login", they were using the password of the account created in the clish instead of the SmartConsole account.

It took us a while to figure it out but were able to reproduce.

Thanks for hinting the issue was related to the password.

View solution in original post

PhoneBoy · ‎2020-06-23

Does your password have any special characters?
Try creating a different user/password combination (one with a simple password like aaaa) to verify.

Robin_Berthier · ‎2020-06-25

I asked the customer to check his password for special characters and will update the post as soon as I hear back.

Thank you for the suggestion.

Robin_Berthier · ‎2020-06-29

Our customer responded and it turns out the issue was due to confusion with regards to "Checkpoint authentication" versus "OS authentication" when attempting to use mgmt_cli

They had 2 user accounts with the same name:

one created in the clish
- with command "add user ..." and role "adminRole"
another -same user name- but created in SmartConsole
- with "Checkpoint Authentication"
- an administrator with "super user" profile

Each with a different password.

When invoking "mgmt_cli login", they were using the password of the account created in the clish instead of the SmartConsole account.

It took us a while to figure it out but were able to reproduce.

Thanks for hinting the issue was related to the password.

PhoneBoy · ‎2020-06-29

You could create a Gaia OS user and an admin user in SmartConsole with the same name and use "OS Password" as the authentication method.
Then you could use the same password for both users 🙂
In any case, glad you were able to figure it out.

CarstenWeber · ‎2023-09-20

Hi all,

In my case this does not resolve my issue of:

Trying to use the API from the ssh bash:

[Expert@MDS:0]# mgmt_cli login --port 4434 -d <domain_id> > /var/log/tmp/sid.txt.$$
or
[Expert@MDS:0]# mgmt_cli login --port 4434

Situation:

The user is the default "admin" and the current password has a "-" as the only special character.
There is no other user called "admin" having a different password.
With "-r true" it works.
The MDS server has been rebooted within the past week.
Our Multi Domain Management server running R81.10 JHF take 95 is showing that the API v1.8.1 status is also fine.

[Expert@MDS:0]# api status

API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   14916
CPM       Started   14916     Check Point Security Management Server is running and ready
FWM       Started   15267
APACHE    Started   13206

Port Details:
-------------------
JETTY Internal Port:               61236
JETTY Documentation Internal Port: 51238
APACHE Gaia Port:                  4434 (a non-default port)
                                   When running mgmt_cli commands add '--port 4434'
                                   When using web-services, add port 4434 to the URL

Profile:
-------------------
Machine profile:                   131072 or larger without SME - MDS
CPM heap size:                     20480m



--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

What else does come to mind when thinking about this issue?

Best regards
Carsten

previously known as (pka.) Carsten_Weber

PhoneBoy · ‎2023-09-20

-r true logs in with a different user than admin (web_api, I think).
What is the precise error you get back?
What does $FWDIR/log/api.elg say?
Recommend engaging with the TAC also: https://help.checkpoint.com

CarstenWeber · ‎2023-09-29

Hi PhoneBoy

I get exactly the following

[Expert@MDSServer:0]# mgmt_cli login --port 4434 -d 5d6fd6s7-1235-a345-1234-s7d6s8d8f89d
Username: admin
Password:
code: "err_login_failed"
message: "Authentication to server failed."
[Expert@MDSServer:0]#

And the api.elg shows this, which I believe to belong together:

...
----------------------------
ID: 166785
Address: http://127.0.0.1:59929/web_api/login
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[text/plain], connection=[keep-alive], Content-Length=[95], content-type=[application/json], Host=[127.0.0.1:59929], User-Agent=[mgmt_cli], X-Forwarded-For=[127.0.0.1], X-Forwarded-Host=[127.0.0.1:4434], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.1.2.3]}
--------------------------------------
2023-09-29 15:10:12,930  INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:35 [qtp-1368107315-461921] - Executing [login] of version [1.8.1]
2023-09-29 15:10:13,521 ERROR com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:248 [qtp-1368107315-461921] -
com.checkpoint.management.coresvc.ngm_api.AuthenticationFailureLoginException: Authentication to server failed.
        at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.loginAuthenticationFailed(LoginSvcImpl.java:797)
        at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.authenticateUserByFwm(LoginSvcImpl.java:779)
        at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.performFWMAuthenticationRetry(LoginSvcImpl.java:1375)
        at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.access$7(LoginSvcImpl.java:3548)
        at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl$FWMAuthenticationRetryRunnable.run(LoginSvcImpl.java:1)
        at java.lang.Thread.run(Thread.java:820)
2023-09-29 15:10:13,522  INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp-1368107315-461921] - Outbound Message
---------------------------
ID: 166785
Response-Code: 400
Content-Type: text/plain
Headers: {Content-Type=[text/plain], Date=[Fri, 29 Sep 2023 13:10:13 GMT]}
Payload: code: "err_login_failed"
message: "Authentication to server failed."
--------------------------------------
[Expert@MDSServer:0]#

If this does not clarify (it doesn't to me), I'll have to go with the TAC.

previously known as (pka.) Carsten_Weber

Are you a member of CheckMates?

"mgmt_cli login" triggers err_login_failed and only works using "-r true"