chimera
New Member
October 31, 2017
Question

RESTAPI admin and access, under firmware v5.6


I see that in the newer firmware the menu option gives the ability to set up a specific RESTAPI user.


I've created a user (called ‘restapi’) and got a token for it, but when I curl to it, it gives me an authentication error. Any ideas? (See curl output below.)


I do notice that when creating the RESTAPI user, it mentions a PKI group. I had this setting disabled when I created and tested access, but the message box with it enabled says “REST API clients must use client certificate authentication…” As mentioned, I turned this off, but suspect this is the issue – as it does say must. I drop down the PKI drop box but don't see a PKI group and have no idea how to create one; I've looked but cannot work it out. I've tried the documentation on the Fortinet site, but it's fairly average. Any help would be appreciated. Here is the output of a basic curl I'm running:


pi@raspberrypi:~ $ curl -k -v -u "restapi:m7Qz4knrhn7sfNschHjp6Qwb1qb88f" https://172.16.221.254:8443/api/v1/

* Trying 172.16.221.254...
* TCP_NODELAY set
* Connected to 172.16.221.254 (172.16.221.254) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=Fortinet Ltd.; CN=FWF60D4613004145
* start date: Oct 9 20:49:34 2017 GMT
* expire date: Oct 10 20:49:34 2027 GMT
* issuer: O=Fortinet Ltd.; CN=FWF60D4613004145
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Server auth using Basic with user 'restapi'
> GET /api/v1/ HTTP/1.1
> Host: 172.16.221.254:8443
> Authorization: Basic cmVzdGFwaTptN1F6NGtucmhuN3NmTnNjaEhqcDZRd2IxcWI4OGY=
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 401 UNAUTHORIZED
< Date: Mon, 30 Oct 2017 20:41:29 GMT
< Server: xxxxxxxx-xxxxx
< Content-Security-Policy: frame-ancestors 'self'
< Expires: Mon, 30 Oct 2017 20:41:29 GMT
< Vary: Cookie,Accept-Encoding
< Last-Modified: Mon, 30 Oct 2017 20:41:29 GMT
< X-UA-Compatible: IE=Edge
< Cache-Control: max-age=0
< X-FRAME-OPTIONS: SAMEORIGIN
< Set-Cookie: csrftoken_2211073454=d7f8f9fa154987cccdf47d0d0adcd513; expires=Mon, 29-Oct-2018 20:41:29 GMT; Max-Age=31449600; Path=/
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<
<!DOCTYPE html>
<html lang="en">
<head>
<title>Error</title>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html">
<meta http-equiv="pragma" content="no-cache">
<script>
var is_rw_admin = false;
var is_guest = false;
var is_ipv6_enabled = false;
var gui_lines_per_page = 50;
var lang_dict = {};
window.onerror = function(msg, file, line) {
    if (('$j' in window) && ('JSON' in window)) {
        $j.post("/api/monitor?path=system&name=debug", {
            "json": JSON.stringify({
                "type": "JavaScript",
                "msg": msg,
                "file": file,
                "line": line
            })
        });
    }
};
</script><link href="/cad9763523c690ddffc1d3950311a00a/css/main-blue.css" rel="stylesheet" type="text/css">

<script src="/cad9763523c690ddffc1d3950311a00a/js/es6-shim.js"></script>
<script src="/cad9763523c690ddffc1d3950311a00a/lang/en.js"></script>
<script src="/cad9763523c690ddffc1d3950311a00a/fweb_all.js"></script>

<script src="/cad9763523c690ddffc1d3950311a00a/js/dialog.js"></script>
</head>

<body class="main" data-theme="blue">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='d7f8f9fa154987cccdf47d0d0adcd513' /></div><div class="dialog absolute" >
<form method="post" action="" >
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='d7f8f9fa154987cccdf47d0d0adcd513' /></div>
<div class="title-bar">
<h1>Error</h1>
</div>

<div class="content ">
<div class="section-title">
    <h2>Error 401: Unauthorized.</h2>
</div>
</div>

<div class="footer">
    <button class="primary" type="button"
        onclick="dlg_close((null))"
        data-fweb-action="cancel"
>
OK </button>
</div>

</form>
</div>

<script>
$(document).ready(function() {
  $('textarea[expand]').textarea();
});
</script>
</body>
* Curl_http_done: called premature == 0
* Connection #0 to host 172.16.221.254 left intact


    megassa
    New Member
    September 10, 2018

    Hello,


    I have the same issue; did you find a solution? Thanks in advance.

    xxddpac
    New Member
    November 28, 2018

    Did you find a solution?


    I'm using Python and have the same issue.


    <TITLE>401 Authorization Required</TITLE>

    emnoc
    New Member
    November 28, 2018

    Have you used the logincheck? I believe even with the defined user, you still make the calls in the same way.


    http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html


    Ken Felix
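The logincheck flow that the last reply points at, written out as an added example (this is not code from the thread or from Fortinet): POST the admin's username and password to /logincheck, keep the cookies the firewall sets, read the CSRF token out of the ccsrftoken cookie with its surrounding quotes stripped, and send it back as the X-CSRFTOKEN header on later API calls. The host and port are the ones from the curl output above; the credentials, the /api/v2/cmdb/system/interface path, the ajax=1 form field, and the Bearer-header helper for a REST API admin token are assumptions for illustration and should be checked against the REST API reference for your firmware release.

```python
"""Added example: cookie/CSRF session login to the FortiOS REST API via /logincheck.

Assumed for illustration: host 172.16.221.254:8443 (from the thread), the
credentials, the /api/v2/cmdb/system/interface path, the ajax=1 form field,
and the Bearer header form used by bearer_headers().
"""
import http.cookiejar
import http.cookies
import ssl
import urllib.parse
import urllib.request


def build_login_body(username: str, secretkey: str) -> bytes:
    """Form body for POST /logincheck.

    ajax=1 asks for a short status reply instead of the full HTML login page
    (assumption: the convention used by common FortiOS client libraries).
    """
    return urllib.parse.urlencode(
        {"username": username, "secretkey": secretkey, "ajax": "1"}
    ).encode()


def csrf_token_from_set_cookie(set_cookie: str):
    """Pull the CSRF token out of one Set-Cookie header value.

    FortiOS sends it as ccsrftoken="<value>"; the quotes are not part of the
    token and must not be echoed in X-CSRFTOKEN. Returns None if absent.
    """
    jar = http.cookies.SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get("ccsrftoken")
    return None if morsel is None else morsel.value.strip('"')


def csrf_token_from_jar(jar):
    """Same extraction from a cookie jar (http.cookiejar keeps the raw quoted value)."""
    for cookie in jar:
        if cookie.name == "ccsrftoken":
            return cookie.value.strip('"')
    return None


def csrf_headers(token: str) -> dict:
    return {"X-CSRFTOKEN": token}


def bearer_headers(api_token: str) -> dict:
    """Header form for a REST API admin token (assumption: the token is sent as
    a bearer token, not as an HTTP Basic password; verify against your release)."""
    return {"Authorization": f"Bearer {api_token}"}


class FortiSession:
    """Cookie-backed session against one FortiGate."""

    def __init__(self, host: str, verify_tls: bool = True):
        self.base = f"https://{host}"
        self.jar = http.cookiejar.CookieJar()
        ctx = ssl.create_default_context()
        if not verify_tls:
            # Only for a lab box with its factory self-signed certificate (the
            # curl -k in the thread); install or pin the CA in production.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar),
            urllib.request.HTTPSHandler(context=ctx),
        )
        self.token = None

    def login(self, username: str, secretkey: str) -> str:
        req = urllib.request.Request(
            self.base + "/logincheck",
            data=build_login_body(username, secretkey),
            method="POST",
        )
        with self.opener.open(req) as resp:
            resp.read()
        self.token = csrf_token_from_jar(self.jar)
        if self.token is None:
            # No ccsrftoken cookie means the login did not establish a session;
            # fail here rather than collect 401s on every later call.
            raise PermissionError("logincheck did not set ccsrftoken; check credentials")
        return self.token

    def get(self, path: str) -> str:
        req = urllib.request.Request(self.base + path, headers=csrf_headers(self.token))
        with self.opener.open(req) as resp:
            return resp.read().decode()

    def logout(self) -> None:
        with self.opener.open(self.base + "/logout") as resp:
            resp.read()


if __name__ == "__main__":
    # Assumed lab values; replace the password before running.
    fw = FortiSession("172.16.221.254:8443", verify_tls=False)
    fw.login("restapi", "CHANGE-ME")
    print(fw.get("/api/v2/cmdb/system/interface")[:200])
    fw.logout()
```

The session is closed with /logout at the end so the firewall does not keep an idle admin session open; if you script this in a loop, log out on every path, including the error one.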