Technical Tip: How to log in and log out an administrator user on FortiMail using REST-API
Description
This article describes how an administrator user can log in to and log out from FortiMail using REST-API.
Scope
From OS 5.3.4
Solution
1) Check that the rest-api feature is enabled on FortiMail.
# config system global
    set hostname FML_IntSRV
    set admin-idle-timeout 30
    set data-loss-prevention disable
    set rest-api enable
end
2) Check that the administrator user has been added on FortiMail.
# config system admin
    edit admin
        set password ENC $1$233bbec9$Xb8npD7/j3Bsj.mert9H1.
        set access-profile super_admin_prof
        set language english
    next
    edit jklee
        set password ENC $1$172bd7d5$gJrUnT4/7unlhRsxHvzvK.
        set access-profile super_admin_prof
        set language english
    next
end
3) Use the following command on the API-agent to log the administrator user 'jklee' in to FortiMail.
Note:
Below are the details used:
Username: jklee
Password: fortinet
API-agent : Linux
FortiMail : 10.5.1.99
- Command to log-in:
[root@Linux-JKLEE api]# curl --insecure -v -H "Content-Type: application/json" -X POST -d '{"name":"jklee","password":"fortinet"}' https://10.5.1.99/api/v1/AdminLogin -c cookie1.txt
Note:
The '--insecure' option is used to avoid a certificate verification error during the procedure; with it, curl skips verification of the FortiMail server certificate.
- See the result step by step.
The following output shows the POST request being sent to FortiMail.
* About to connect() to 10.5.1.99 port 443 (#0)
* Trying 10.5.1.99... connected
* Connected to 10.5.1.99 (10.5.1.99) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
* subject: E=support@fortinet.com,CN=FortiMail,OU=FortiMail,O=Fortinet,L=Sunnyvale,ST=California,C=US
* start date: Jul 03 17:24:18 2015 GMT
* expire date: Jan 19 03:14:07 2038 GMT
* common name: FortiMail
* issuer: E=support@fortinet.com,CN=support,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US
> POST /api/v1/AdminLogin HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 10.5.1.99
> Accept: */*
> Content-Type: application/json
> Content-Length: 38
>
The following output shows the '200 OK' response received from FortiMail.
< HTTP/1.1 200 OK
< Date: Wed, 11 Dec 2019 08:04:37 GMT
< Cache-Control: no-cache
* Added cookie APSCOOKIE="Era%3D0%26Payload%3DH0GBlo9rG82OWUcRRR4iRBwGYLTwUGMRfBXUgUmCzHtomNE63fqnzY%2FXpwouT78Y%0AUguSlytMk2lKJ4DL6p1oL3cLT4%2FKIsE3rv3CeFWrze2w%2Fh20wgX6WRnnD4nhhiX2%0AsGJX7C4eMPU%3D%0A%26AuthHash%3D%2Bre%2FBjCJlo1%2Fh7vJCwGpXg%3D%3D%0A" for domain 10.5.1.99, path /, expire 0
< Set-Cookie: APSCOOKIE=Era%3D0%26Payload%3DH0GBlo9rG82OWUcRRR4iRBwGYLTwUGMRfBXUgUmCzHtomNE63fqnzY%2FXpwouT78Y%0AUguSlytMk2lKJ4DL6p1oL3cLT4%2FKIsE3rv3CeFWrze2w%2Fh20wgX6WRnnD4nhhiX2%0AsGJX7C4eMPU%3D%0A%26AuthHash%3D%2Bre%2FBjCJlo1%2Fh7vJCwGpXg%3D%3D%0A; Path=/; Version=1
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Vary: Accept-Encoding
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: application/json
<
* Connection #0 to host 10.5.1.99 left intact
* Closing connection #0
{"objectID": "AdminLogin:","reqAction": 2,"nodePermission": 0,"name": "jklee","password": "******","new_password": "******","token": "******","domain": "system","webmode": 1,"locale": "en","loginstatus": 1,"model": "FE-VMW","serial": "FEVM000000000000","theme": 0,"operation_mode": 2,"manager_supported": 0,"debug": false,"product_name": "FortiMail","product_version": "6.0.160","post_login_banner": false,"disclaimer": "","is_superadmin": true,"scramble": true,"forced_encryption": 3,"migration_enabled": false,"dlp_enabled": false,"minimum_length": 8,"must_contain": 0,"reqAction": 2}
4) Check that "jklee" exists on the list.
- From the CLI:
# get system admin-list
[2] login-name: jklee
access-profile: super_admin_prof
login-method: HTTPS
login-time: Wed Dec 11 17:04:37 2019
timeout-time: Wed Dec 11 17:34:37 2019
process-ID: 2135
client-address: 10.5.1.254
- On the GUI:
Go to Status -> System Information -> Current administrator -> Details.
Administrator users logged in to FortiMail are subject to 'admin-idle-timeout', which means that an administrator user is forcibly logged out of FortiMail when no actions are processed for that session within the timeout.
Refer to the following configuration:
# config system global
    set hostname FML_IntSRV
    set admin-idle-timeout 30
    set data-loss-prevention disable
    set rest-api enable
end
However, to log out a specific administrator user before the 'admin-idle-timeout' is reached, follow these steps:
1) To log out "jklee", it is essential to have the "cookie1.txt" file that was created when "jklee" logged in.
The 'cookie1.txt' file has to exist in the directory from which "jklee" previously logged in to FortiMail.
Note:
[root@Linux-JKLEE api]# ls -lrt | grep cookie1.txt
-rw-r--r--. 1 root root 398 Dec 11 08:04 cookie1.txt
[root@Linux-JKLEE api]#
2) Use the following command on the API-agent to log the administrator user "jklee" out of FortiMail.
- Command to log-out:
[root@Linux-JKLEE api]# curl --insecure -b cookie1.txt -H "Content-Type: application/json" -X POST -d '{"reqAction":8}' https://10.5.1.99/api/v1/AdminLogin
- See the result step by step.
When "jklee" has been successfully logged out from FortiMail, the result shows 'Successful'.
{"errorType": 0,"errorMsg": "Successful:Custom action2 on object (AdminLogin) ","objectID": "AdminLogin:","reqAction": 8}
3) Check that "jklee" does not exist on the list.
- From the CLI:
# get system admin-list
- From the GUI:
Go to Status -> System Information -> Current administrator -> Details.
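The login and logout steps above combined into one script, as an added example that is not Fortinet code: the cookie jar is created with 0600 permissions (the listing above shows cookie1.txt as 0644), the server certificate is verified with --cacert instead of --insecure, and the login body reaches curl on stdin rather than in its arguments. FML_CA, FML_PASSWORD and the function names are assumptions, FML_HOST must match a name in the FortiMail certificate, and "loginstatus": 1 is taken as the success marker because it appears in the login response above.

```shell
#!/bin/sh
# Added example, not Fortinet code. FML_CA, FML_PASSWORD and all function
# names are assumptions; the endpoint and JSON fields come from this page.
umask 077   # files created below, including the cookie jar, are 0600 (not 0644)
FML_HOST="${FML_HOST:-10.5.1.99}"         # must match a name in the server certificate
FML_CA="${FML_CA:-./fortimail-ca.pem}"    # hypothetical CA file that issued that certificate
API="https://$FML_HOST/api/v1/AdminLogin"

new_cookie_jar() { mktemp "${TMPDIR:-/tmp}/fml_cookie.XXXXXX"; }

# Escape backslash and double quote so a password cannot break out of the JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }
login_body()  { printf '{"name":"%s","password":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"; }

# Success checks modelled on the two responses shown on this page
# (assumption: "loginstatus": 1 marks a successful login).
login_ok()  { printf '%s' "$1" | grep -Eq '"loginstatus": *1[,}]'; }
logout_ok() { printf '%s' "$1" | grep -Eq '"errorType": *0[,}]' &&
              printf '%s' "$1" | grep -Eq '"reqAction": *8[,}]'; }

# usage: fml_login USER JAR   (password taken from $FML_PASSWORD)
# The body goes to curl on stdin (-d @-), so the password is not in curl's arguments.
fml_login() {
  [ -n "${FML_PASSWORD:-}" ] || { echo "set FML_PASSWORD" >&2; return 1; }
  login_body "$1" "$FML_PASSWORD" |
    curl --silent --fail --cacert "$FML_CA" -H "Content-Type: application/json" \
         -X POST -d @- -c "$2" "$API"
}

# usage: fml_logout JAR   (same reqAction 8 request as the logout command above)
fml_logout() {
  curl --silent --fail --cacert "$FML_CA" -H "Content-Type: application/json" \
       -X POST -d '{"reqAction":8}' -b "$1" "$API"
}

# Full session, only when invoked as: sh fml_session.sh run USER
if [ "${1:-}" = "run" ]; then
  jar=$(new_cookie_jar) || exit 1
  trap 'rm -f "$jar"' EXIT          # never leave the session cookie on disk
  resp=$(fml_login "$2" "$jar") && login_ok "$resp" || { echo "login failed" >&2; exit 1; }
  # Authenticated REST calls go here, each with: -b "$jar"
  resp=$(fml_logout "$jar") && logout_ok "$resp" || { echo "logout failed" >&2; exit 1; }
  echo "logged out"
fi
```

Logging out explicitly and deleting the jar means the session does not stay valid on disk until 'admin-idle-timeout' expires.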
