Error enabling token-based authentication for REST API

ciccio81 · ‎11-18-2017

Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, as the Fortigate firmware):

config system api-useredit "api-admin"set comments "admin for API access only"set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=set accprofile "API profile"set vdom "root"nextend When I'm issuing the "set-api key" entry I get an error "<passwd> please input admin password" when I type the "?"It's totally not clear to me also what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...

Thank you!

fortiwhall_FTNT · ‎09-18-2019

The api-key is assigned by the FortiGate. It's not something you can supply.

Your post was formatted weird, so I unpacked it and got this:

config system api-user

edit "api-admin"

set comments "admin for API access only"

set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=

set accprofile "API profile"

set vdom "root"

On 5.6, when you create an api-user, all you need is accprofile – then the api key is randomly assigned by FortiGate and then the user uses THAT api key in order to authenticate future queries. However, I don't believe the FortiGate will give you the API key when creating the user on command line.

To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:

90d # diag debug cli 8

Debug messages will be on for 30 minutes.

90d # diag debug enable

90d # 0: config system api-user

0: edit "testing-api"

0: set comments "This is a comment"

0: set accprofile "read_only"

0: set vdom "root"

0: set cors-allow-origin "https://fndn.fortinet.net"

0: end

0: config system api-user

0: edit "testing-api"

0: config trusthost

0: edit 0

0: set ipv4-trusthost 192.168.1.0 255.255.255.0

0: end

0: config system api-user

0: edit "testing-api"

0: config trusthost

0: edit 0

0: set ipv4-trusthost 172.16.0.0 255.240.0.0

0: end

The API key was given in the GUI and is only shown one-time. This key is then used for authenticating future REST API queries.

For example, I may have been given the following API key in the GUI

cG7yp5pxba79jnd7Q1Hjcyjs6jngrH

but the end configuration shows this:

config system api-user

edit "testing-api"

set comments "This is a comment"

set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=

set accprofile "read_only"

set vdom "root"

set cors-allow-origin "https://fndn.fortinet.net"

config trusthost

edit 1

set ipv4-trusthost 192.168.1.0 255.255.255.0

set ipv4-trusthost 172.16.0.0 255.240.0.0

emnoc · ‎09-18-2019

I just posted on my blog about this setup, since others in the community has the same issues.

http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html

As posted earlier you generate the key. You can not assign it the cli. Also use the in the correct header when making GET/PUT/POST

# header HTTP

"Authorization: Bearer xxxx BIG LONG KEY HERE xxxxx"

Ken Felix

PCNSE

NSE

StrongSwan

Stephen_Roddick · ‎06-02-2023

Despite not seemingly being able to set the API key from the CLI manually, it is possible to set the API key to the same as one generated by another FortiGate if you push it via CLI script from a FortiManager.

Example script:

config system api-user
    edit "RESTAPI_Admin"
        set api-key ENC <encrypted password here>
        set accprofile "<associated admin profile here>"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.0.1 255.255.255.255
            next
        end
    next
end

You should be able to copy the config system api-user entry from the donor FortiGate and paste it into a CLI script in the FortiManager and run it on the target FortiGate.

Error enabling token-based authentication for REST API

Nominate a Forum Post for Knowledge Article Creation