Error enabling token-based authentication for REST API
Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, as the Fortigate firmware):
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

When I'm issuing the "set api-key" entry I get an error "<passwd> please input admin password" when I type the "?". It's also totally not clear to me what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...
The api-key is assigned by the FortiGate. It's not something you can supply.
Your post was formatted weird, so I unpacked it and got this:
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end
On 5.6, when you create an api-user, all you need is accprofile – then the API key is randomly assigned by the FortiGate, and the user then uses THAT API key to authenticate future queries. However, I don't believe the FortiGate will give you the API key when creating the user on the command line.
To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:
90d # diag debug cli 8
Debug messages will be on for 30 minutes.
90d # diag debug enable
90d #
0: config system api-user
0: edit "testing-api"
0: set comments "This is a comment"
0: set accprofile "read_only"
0: set vdom "root"
0: set cors-allow-origin "https://fndn.fortinet.net"
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 192.168.1.0 255.255.255.0
0: end
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 172.16.0.0 255.240.0.0
0: end
0: end
The API key was given in the GUI and is only shown one-time. This key is then used for authenticating future REST API queries.
For example, I may have been given the following API key in the GUI
but the end configuration shows this:
config system api-user
    edit "testing-api"
        set comments "This is a comment"
        set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
        set accprofile "read_only"
        set vdom "root"
        set cors-allow-origin "https://fndn.fortinet.net"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
end
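
An added example, not part of the thread and not Fortinet code: a small Python parser for the `config system api-user` block shown above that lists each API user's settings and trusted-host ranges, so an entry with no trusthost restriction stands out in a config review. The sample config is constructed, with a placeholder instead of a real key, and `parse_api_users` and `review` are hypothetical names.

```python
import ipaddress
import shlex

# Constructed sample in the layout shown in the thread; the key is a placeholder.
SAMPLE = '''
config system api-user
    edit "testing-api"
        set api-key ENC PLACEHOLDER-NOT-A-REAL-KEY=
        set accprofile "read_only"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
    edit "no-hosts"
        set accprofile "API profile"
    next
end
'''

def parse_api_users(text):
    """Return {user: {"settings": {...}, "trusthosts": [cidr, ...]}}."""
    users, stack, cur = {}, [], None
    # shlex keeps quoted values such as "API profile" as one token; blank lines drop out.
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))   # track nesting: api-user -> trusthost
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack == ["system api-user"]:
            cur = users.setdefault(tok[1], {"settings": {}, "trusthosts": []})
        elif tok[0] == "next" and stack == ["system api-user"]:
            cur = None
        elif tok[0] == "set" and cur is not None and stack == ["system api-user"]:
            cur["settings"][tok[1]] = " ".join(tok[2:])
        elif tok[:2] == ["set", "ipv4-trusthost"] and cur is not None and stack[-1:] == ["trusthost"]:
            # "address netmask" pair converted to CIDR notation
            cur["trusthosts"].append(str(ipaddress.ip_network(f"{tok[2]}/{tok[3]}")))
    return users

def review(users):
    """List API users that have no trusthost entries configured."""
    return [(n, "no trusthost entries") for n, u in users.items() if not u["trusthosts"]]

if __name__ == "__main__":
    print(review(parse_api_users(SAMPLE)))
```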