Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ciccio81
New Contributor

Error enabling token-based authentication for REST API

Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, the same version as the FortiGate firmware):

config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

When I'm issuing the "set api-key" entry I get the error "<passwd> please input admin password" when I type the "?". It's also totally unclear to me what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...

 

Thank you!

fortiwhall_FTNT

The api-key is assigned by the FortiGate.  It's not something you can supply.

 

Your post was formatted weird, so I unpacked it and got this:

 

config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

 

On 5.6, when you create an api-user, all you need is accprofile – then the api key is randomly assigned by FortiGate and then the user uses THAT api key in order to authenticate future queries.  However, I don't believe the FortiGate will give you the API key when creating the user on command line.  

 

To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:

 

90d # diag debug cli 8
Debug messages will be on for 30 minutes.

90d # diag debug enable

90d # 0: config system api-user
0: edit "testing-api"
0: set comments "This is a comment"
0: set accprofile "read_only"
0: set vdom "root"
0: set cors-allow-origin "https://fndn.fortinet.net"
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 192.168.1.0 255.255.255.0
0: end
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 172.16.0.0 255.240.0.0
0: end
0: end

 

The API key was given in the GUI and is only shown once. This key is then used for authenticating future REST API queries.

 

For example, I may have been given the following API key in the GUI

 

cG7yp5pxba79jnd7Q1Hjcyjs6jngrH

 

but the end configuration shows this:

 

config system api-user
    edit "testing-api"
        set comments "This is a comment"
        set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
        set accprofile "read_only"
        set vdom "root"
        set cors-allow-origin "https://fndn.fortinet.net"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
end

 

 

emnoc
Esteemed Contributor III

I just posted on my blog about this setup, since others in the community have the same issues.

 

http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html

 

As posted earlier, you generate the key. You cannot assign it in the CLI. Also, use the key in the correct header when making GET/PUT/POST requests:

# HTTP header
Authorization: Bearer xxxx BIG LONG KEY HERE xxxxx

 

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan
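Putting the two replies together (the FortiGate generates the key once, the GUI shows it a single time, and every later request presents it in the Authorization header), here is an added example of a client call. It is not code from the thread, from Ken's blog or from Fortinet. The management address 192.0.2.10, the /api/v2/monitor/system/status path, the vdom query parameter, the CA file name and the FORTIGATE_API_KEY environment variable are assumptions for illustration; the API key used in the test is the one-time example key from the first reply. It also shows the check a practitioner wants: the key must not travel in the URL (FortiOS also accepts it as an access_token query parameter, which lands in proxy and web-server logs), and TLS verification should pin the FortiGate's CA rather than be switched off.

```python
"""Call the FortiOS REST API with an api-user token.

Added example, not from the forum thread. Assumptions (not from the page):
the address 192.0.2.10, the /api/v2/monitor/system/status path, the "vdom"
query parameter, the CA file name and the FORTIGATE_API_KEY variable.
"""
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request


def build_request(host, path, api_key, vdom=None, params=None):
    """Return a GET request that carries the api-user key as a bearer token.

    The key goes in the Authorization header, never in the URL: query
    strings are written to proxy and web-server logs, the header is not.
    """
    query = dict(params or {})
    if vdom:
        query["vdom"] = vdom  # the VDOM the api-user was bound to with "set vdom"
    url = "https://%s%s" % (host, path)
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Bearer " + api_key)
    req.add_header("Accept", "application/json")
    return req


def token_in_url(url):
    """True if the URL leaks the key through the access_token query parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return "access_token" in query


def redact(req):
    """Log-safe description of a request: method, URL and a masked token."""
    token = req.get_header("Authorization", "").split(" ", 1)[-1]
    return "%s %s (token %s...)" % (req.get_method(), req.full_url, token[:4])


def fetch(req, ca_file, timeout=10):
    """Send the request with certificate verification against a pinned CA."""
    # A FortiGate usually presents a self-signed or factory certificate. Pin
    # the CA that signed it instead of disabling verification; with
    # verification off, anyone who can intercept the connection gets the
    # bearer token and therefore the api-user's whole accprofile.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # The FortiGate rejected the key: wrong or revoked token, or the
            # client address is outside the api-user's trusthost entries.
            raise RuntimeError("FortiGate rejected the API key (HTTP 401)") from err
        raise


if __name__ == "__main__":
    key = os.environ["FORTIGATE_API_KEY"]  # the one-time key copied from the GUI
    request = build_request("192.0.2.10", "/api/v2/monitor/system/status",
                            key, vdom="root")
    print(redact(request))
    print(json.dumps(fetch(request, ca_file="fortigate-ca.pem"), indent=2))
```

The key is read from the environment rather than written into the script, for the same reason it is shown only once in the GUI: the config stores only the ENC form, so the plaintext key should live in a secrets store or the environment of the job that needs it, and in logs it should appear only as the masked prefix that redact() produces.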