Error enabling token-based authentication for REST API

Author
ciccio81
2017/11/18 07:46:34


Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, as the Fortigate firmware):
 
config system api-useredit "api-admin"set comments "admin for API access only"set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=set accprofile "API profile"set vdom "root"nextend

When I'm issuing the "set-api key" entry I get an error "<passwd> please input admin password" when I type the "?". It's totally not clear to me also what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...
 
Thank you!
#1


    fortiwhall_FTNT
    2019/09/18 08:39:11
    The api-key is assigned by the FortiGate.  It's not something you can supply.
     
    Your post was formatted weird, so I unpacked it and got this:
     
    config system api-user
       edit "api-admin"
          set comments "admin for API access only"
          set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
          set accprofile "API profile"
          set vdom "root"
       next
    end
     
    On 5.6, when you create an api-user, all you need is accprofile – then the api key is randomly assigned by FortiGate and then the user uses THAT api key in order to authenticate future queries.  However, I don't believe the FortiGate will give you the API key when creating the user on command line.  
     
    To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:
     
    90d # diag debug cli 8
    Debug messages will be on for 30 minutes.
     
    90d # diag debug enable
     
    90d # 0: config system api-user
    0: edit "testing-api"
    0: set comments "This is a comment"
    0: set accprofile "read_only"
    0: set vdom "root"
    0: set cors-allow-origin "https://fndn.fortinet.net"
    0: end
    0: config system api-user
    0: edit "testing-api"
    0: config trusthost
    0: edit 0
    0: set ipv4-trusthost 192.168.1.0 255.255.255.0
    0: end
    0: end
    0: config system api-user
    0: edit "testing-api"
    0: config trusthost
    0: edit 0
    0: set ipv4-trusthost 172.16.0.0 255.240.0.0
    0: end
    0: end
     
    The API key was given in the GUI and is only shown one-time.  This key is then used for authenticating future REST API queries.
     
    For example, I may have been given the following API key in the GUI
     
    cG7yp5pxba79jnd7Q1Hjcyjs6jngrH
     
    but the end configuration shows this:
     
    config system api-user
        edit "testing-api"
            set comments "This is a comment"
            set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
            set accprofile "read_only"
            set vdom "root"
            set cors-allow-origin "https://fndn.fortinet.net"
            config trusthost
                edit 1
                    set ipv4-trusthost 192.168.1.0 255.255.255.0
                next
                edit 2
                    set ipv4-trusthost 172.16.0.0 255.240.0.0
                next
            end
        next
    end
     
     
    #2
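An added example (not code from the thread or from Fortinet): a short Python audit of `config system api-user` blocks like the one in reply #2, collecting each API user's accprofile and trusthost networks and flagging users whose key is not bound to a source network. The sample config is constructed, `max_addresses` is a hypothetical review threshold, and reading a missing trusthost as "no source restriction" is an assumption of the example.

```python
import ipaddress
import shlex

# Constructed sample in the layout shown in the thread; the key value is a placeholder.
SAMPLE_CONFIG = '''
config system api-user
    edit "testing-api"
        set api-key ENC <placeholder>
        set accprofile "read_only"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
    edit "api-admin"
        set accprofile "API profile"
    next
end
'''

def parse_api_users(text):  # -> {name: {"accprofile": ..., "trusthosts": [...]}}
    users, path, current = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]    # blank line becomes a harmless empty token
        if tok[0] == "config":            # entering a (possibly nested) section
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end" and path:    # leaving the innermost section
            path.pop()
        elif path == ["system api-user"]:
            if tok[0] == "edit":
                current = users.setdefault(tok[1], {"accprofile": None, "trusthosts": []})
            elif tok[:2] == ["set", "accprofile"] and current is not None:
                current["accprofile"] = tok[2]
        elif path == ["system api-user", "trusthost"] and tok[:2] == ["set", "ipv4-trusthost"]:
            current["trusthosts"].append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
    return users

def audit(users, max_addresses=65536):  # threshold is a hypothetical review value
    findings = []
    for name, user in users.items():
        if not user["trusthosts"]:  # assumption: no trusthost = no source restriction
            findings.append((name, "no trusthost: key not tied to a source network"))
        findings += [(name, f"trusthost {net} exceeds {max_addresses} addresses")
                     for net in user["trusthosts"] if net.num_addresses > max_addresses]
    return findings
```
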
    emnoc
    2019/09/18 08:46:26
    I just posted on my blog about this setup, since others in the community have the same issues.
     
    http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html
     
    As posted earlier, you generate the key. You cannot assign it in the CLI. Also use it in the correct header when making GET/PUT/POST
     
    # header HTTP 
    "Authorization: Bearer  xxxx BIG LONG KEY HERE xxxxx"
     
     
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #3