ciccio81
New Member
November 18, 2017
Question

Error enabling token-based authentication for REST API

  • November 18, 2017
  • 2 replies
  • 12320 views

Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, as the Fortigate firmware):

 

config system api-user
   edit "api-admin"
      set comments "admin for API access only"
      set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
      set accprofile "API profile"
      set vdom "root"
   next
end

When I issue the "set api-key" entry I get the error "<passwd> please input admin password" as soon as I type the "?". It is also totally unclear to me what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...

 

Thank you!

    2 replies

    fortiwhall_FTNT
    Staff
    September 18, 2019

    The api-key is assigned by the FortiGate.  It's not something you can supply.

     

    Your post was formatted weird, so I unpacked it and got this:

     

    config system api-user

       edit "api-admin"

          set comments "admin for API access only"

          set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=

          set accprofile "API profile"

          set vdom "root"

       next

    end

     

    On 5.6, when you create an api-user, all you need is accprofile – then the api key is randomly assigned by FortiGate and then the user uses THAT api key in order to authenticate future queries.  However, I don't believe the FortiGate will give you the API key when creating the user on command line.  

     

    To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:

     

    90d # diag debug cli 8

    Debug messages will be on for 30 minutes.

     

    90d # diag debug enable

     

    90d # 0: config system api-user

    0: edit "testing-api"

    0: set comments "This is a comment"

    0: set accprofile "read_only"

    0: set vdom "root"

    0: set cors-allow-origin "https://fndn.fortinet.net"

    0: end

    0: config system api-user

    0: edit "testing-api"

    0: config trusthost

    0: edit 0

    0: set ipv4-trusthost 192.168.1.0 255.255.255.0

    0: end

    0: end

    0: config system api-user

    0: edit "testing-api"

    0: config trusthost

    0: edit 0

    0: set ipv4-trusthost 172.16.0.0 255.240.0.0

    0: end

    0: end

     

    The API key was given in the GUI and is only shown one-time.  This key is then used for authenticating future REST API queries.

     

    For example, I may have been given the following API key in the GUI

     

    cG7yp5pxba79jnd7Q1Hjcyjs6jngrH

     

    but the end configuration shows this:

     

    config system api-user

        edit "testing-api"

            set comments "This is a comment"

            set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=

            set accprofile "read_only"

            set vdom "root"

            set cors-allow-origin "https://fndn.fortinet.net"

            config trusthost

                edit 1

                    set ipv4-trusthost 192.168.1.0 255.255.255.0

                next

                edit 2

                    set ipv4-trusthost 172.16.0.0 255.240.0.0

                next

            end

        next

    end

     

     

    emnoc
    New Member
    September 18, 2019

    I just posted on my blog about this setup, since others in the community have the same issues.

     

    http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html

     

    As posted earlier, you generate the key; you cannot assign it from the CLI. Also use the key in the correct header when making GET/PUT/POST requests:

     

    # HTTP header

    "Authorization: Bearer xxxx BIG LONG KEY HERE xxxxx"

     

     

     

    Ken Felix
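    The two replies above describe the whole flow: the FortiGate generates the api-key, shows it once, and the client then sends that key in an Authorization: Bearer header on every REST call. The following stdlib-only Python client is an added example (not code from this thread, from Fortinet, or from Ken's blog post) that wires those pieces together: it reads the one-time key from an environment variable instead of hard-coding it, puts it in the Bearer header rather than the query string, verifies the FortiGate certificate against a CA file instead of disabling TLS checks, and classifies the JSON envelope FortiOS returns. The host name, CA bundle path, environment variable name and the sample response body are placeholders I constructed; the /api/v2/cmdb/... path and the vdom query parameter are the documented FortiOS ones.

```python
"""Token-auth call against the FortiOS REST API (added example; stdlib only).

Assumptions, none of which come from the thread: the host name, CA bundle path,
environment variable name and the sample response body below are placeholders.
"""
import json
import os
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode

FGT_HOST = "fgt.example.net"             # placeholder FortiGate address
CA_BUNDLE = "/etc/ssl/fortigate-ca.pem"  # placeholder CA that signed the FortiGate's cert


def load_api_key(env_var="FGT_API_KEY"):
    """The api-key is shown once in the GUI and afterwards exists only as the
    encrypted 'ENC ...' blob in the config, so keep the cleartext outside the script."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; paste the one-time key shown in the GUI")
    return key


def build_request(host, path, api_key, vdom="root", params=None):
    """GET https://<host>/api/v2/<path> with the key in the Authorization header.

    The header is preferred over the ?access_token= query parameter because
    query strings end up in proxy and web-server logs.
    """
    query = {"vdom": vdom}
    if params:
        query.update(params)
    url = f"https://{host}/api/v2/{path.strip('/')}?{urlencode(query)}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Accept", "application/json")
    return req


def parse_response(http_status, body):
    """Classify a FortiOS reply. Successful calls carry a JSON envelope whose
    'status' is "success" and whose 'results' holds the payload. Failures are
    sorted by HTTP code first: 401 means the token was rejected, 403 that the
    token was accepted but the request refused (standard HTTP semantics; the
    exact code FortiOS uses for a trusthost mismatch is not stated in the
    thread, so the code is reported rather than interpreted further)."""
    if http_status == 401:
        return {"ok": False, "reason": "401: api-key rejected (wrong key or user disabled)"}
    if http_status == 403:
        return {"ok": False, "reason": "403: forbidden; check accprofile and trusthost"}
    try:
        envelope = json.loads(body)
    except ValueError:
        return {"ok": False, "reason": f"HTTP {http_status} with non-JSON body"}
    if http_status != 200 or envelope.get("status") != "success":
        return {"ok": False, "reason": f"HTTP {http_status}, status={envelope.get('status')!r}"}
    return {"ok": True, "results": envelope.get("results"), "version": envelope.get("version")}


def fetch(host, path, api_key, ca_bundle=CA_BUNDLE, vdom="root"):
    """Perform the call, verifying the FortiGate's certificate against ca_bundle
    instead of disabling verification (the curl -k habit), which would hand the
    bearer token to anyone who can intercept the connection."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_request(host, path, api_key, vdom=vdom)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return parse_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return parse_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample envelope in the shape FortiOS returns for
# GET /api/v2/cmdb/system/api-user (all values made up for this example).
SAMPLE_OK = json.dumps({
    "http_method": "GET",
    "results": [{"name": "api-admin", "accprofile": "API profile", "vdom": "root"}],
    "vdom": "root", "path": "system", "name": "api-user",
    "status": "success", "http_status": 200,
    "serial": "FGVM000000000000", "version": "v5.6.2",
})

if __name__ == "__main__":
    print(parse_response(200, SAMPLE_OK))
    print(parse_response(401, "Unauthorized"))
    # Live call, once FGT_API_KEY is exported and CA_BUNDLE points at a real CA:
    # print(fetch(FGT_HOST, "cmdb/system/api-user", load_api_key()))
```

    The script deliberately never prints the key and never passes it on the command line, where it would be visible to every local user through the process list; exporting it from a file with owner-only permissions, or from a secrets manager, is the practical equivalent of the one-time GUI display.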

    Stephen_Roddick
    New Member
    June 2, 2023

     

     

    Despite it seemingly not being possible to set the API key from the CLI manually, it is possible to set the API key to the same as one generated by another FortiGate if you push it via CLI script from a FortiManager.

     

    Example script:

     

    config system api-user
        edit "RESTAPI_Admin"
            set api-key ENC <encrypted password here>
            set accprofile "<associated admin profile here>"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 192.168.0.1 255.255.255.255
                next
            end
        next
    end

     

     

    You should be able to copy the config system api-user entry from the donor FortiGate and paste it into a CLI script in the FortiManager and run it on the target FortiGate.
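    Copying the "config system api-user" entry out of a full donor configuration by hand is error-prone because the block nests a "config trusthost ... end" table inside it, so searching for the first "end" cuts it short. The following Python helper is an added example (not code from this thread or from Fortinet) that walks a FortiOS config dump, counts config/end nesting, and returns the complete top-level section ready to paste into a FortiManager CLI script; a second function lists the api-user names at the right depth so "edit 1" inside the trusthost table is not mistaken for a user. The donor configuration it runs on is constructed for the demonstration.

```python
"""Extract one top-level `config ...` section from a FortiOS configuration
dump (added example, not from the thread or from Fortinet). FortiOS delimits
blocks with `config`/`end` and table rows with `edit`/`next`; only the former
change nesting depth, which is what the walker counts. SAMPLE_CONFIG is a
constructed, abbreviated donor config."""


def extract_section(config_text, section):
    """Return the raw lines of the top-level `config <section>` block, from its
    `config` line to the matching `end` inclusive, or None if it is absent."""
    lines = config_text.splitlines()
    start = None
    depth = 0
    for i, raw in enumerate(lines):
        line = raw.strip()
        if start is None:
            if line == f"config {section}":
                start = i
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1          # nested table such as `config trusthost`
        elif line == "end":
            depth -= 1
            if depth == 0:      # the `end` that closes the section itself
                return lines[start:i + 1]
    return None                 # section never opened, or dump truncated


def api_user_names(section_lines):
    """Names of the `edit "..."` entries directly inside the section (depth 1),
    ignoring numeric `edit N` rows of nested tables like trusthost."""
    names = []
    depth = 0
    for raw in section_lines:
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith('edit "') and line.endswith('"'):
            names.append(line[len('edit "'):-1])
    return names


# Constructed donor configuration (abbreviated); the ENC value is the one
# quoted earlier in the thread and is only meaningful to the donor FortiGate.
SAMPLE_CONFIG = """\
# constructed donor configuration for the example
config system global
    set hostname "donor-fgt"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
        set accprofile "API profile"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
        end
    next
end
config firewall policy
    edit 1
        set name "allow-out"
    next
end
"""

if __name__ == "__main__":
    block = extract_section(SAMPLE_CONFIG, "system api-user")
    print("\n".join(block))            # paste this into the FortiManager CLI script
    print("api users:", api_user_names(block))
```

    Before pushing the extracted block, confirm that the accprofile it references exists on the target FortiGate and that the trusthost entries still match the management hosts that will call the API there; the script copies both verbatim from the donor.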