Error enabling token-based authentication for REST API
Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, as the Fortigate firmware):
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

When I'm issuing the "set api-key" entry I get an error "<passwd> please input admin password" when I type the "?". It's totally not clear to me also what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...
The api-key is assigned by the FortiGate. It's not something you can supply.
Your post was formatted weird, so I unpacked it and got this:
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end
On 5.6, when you create an api-user, all you need is accprofile – then the api key is randomly assigned by FortiGate and then the user uses THAT api key in order to authenticate future queries. However, I don't believe the FortiGate will give you the API key when creating the user on command line.
To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:
90d # diag debug cli 8
Debug messages will be on for 30 minutes.
90d # diag debug enable
90d # 0: config system api-user
0: edit "testing-api"
0: set comments "This is a comment"
0: set accprofile "read_only"
0: set vdom "root"
0: set cors-allow-origin "https://fndn.fortinet.net"
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 192.168.1.0 255.255.255.0
0: end
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 172.16.0.0 255.240.0.0
0: end
0: end
The API key was given in the GUI and is only shown one-time. This key is then used for authenticating future REST API queries.
For example, I may have been given the following API key in the GUI
but the end configuration shows this:
config system api-user
    edit "testing-api"
        set comments "This is a comment"
        set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
        set accprofile "read_only"
        set vdom "root"
        set cors-allow-origin "https://fndn.fortinet.net"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
end
Despite not seemingly being able to set the API key from the CLI manually, it is possible to set the API key to the same as one generated by another FortiGate if you push it via CLI script from a FortiManager.
config system api-user
set api-key ENC <encrypted password here>
set accprofile "<associated admin profile here>"
set vdom "root"
set ipv4-trusthost 192.168.0.1 255.255.255.255
You should be able to copy the config system api-user entry from the donor FortiGate and paste it into a CLI script in the FortiManager and run it on the target FortiGate.