Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ciccio81
New Contributor

Error enabling token-based authentication for REST API

Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, the same as the FortiGate firmware):

 

config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

When I issue the "set api-key" entry I get the error "<passwd> please input admin password" when I type the "?". It's also not clear to me what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...

 

Thank you!

fortiwhall_FTNT

The api-key is assigned by the FortiGate.  It's not something you can supply.

 

Your post was formatted weirdly, so I unpacked it and got this:

 

config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

 

On 5.6, when you create an api-user, all you need is accprofile – the API key is then randomly assigned by the FortiGate, and the user uses THAT API key to authenticate future queries. However, I don't believe the FortiGate will give you the API key when creating the user on the command line.

 

To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:

 

90d # diag debug cli 8
Debug messages will be on for 30 minutes.

90d # diag debug enable

90d # 0: config system api-user
0: edit "testing-api"
0: set comments "This is a comment"
0: set accprofile "read_only"
0: set vdom "root"
0: set cors-allow-origin "https://fndn.fortinet.net"
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 192.168.1.0 255.255.255.0
0: end
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 172.16.0.0 255.240.0.0
0: end
0: end

 

The API key was given in the GUI and is only shown one-time.  This key is then used for authenticating future REST API queries.

 

For example, I may have been given the following API key in the GUI

 

cG7yp5pxba79jnd7Q1Hjcyjs6jngrH

 

but the end configuration shows this:

 

config system api-user
    edit "testing-api"
        set comments "This is a comment"
        set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
        set accprofile "read_only"
        set vdom "root"
        set cors-allow-origin "https://fndn.fortinet.net"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
end

 

 

emnoc
Esteemed Contributor III

I just posted on my blog about this setup, since others in the community have the same issues.

 

http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html

 

As posted earlier, you generate the key. You cannot assign it from the CLI. Also, use it in the correct header when making GET/PUT/POST requests:

 

# HTTP header
Authorization: Bearer xxxx BIG LONG KEY HERE xxxxx

 

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

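The client side of what the two replies above describe, as an added example (not code from the thread, from Ken Felix's blog, or from Fortinet): the key the GUI showed once is sent on every REST call in an `Authorization: Bearer` header, and a wrong or revoked key comes back as a 401. So that it runs offline, the block talks to a constructed loopback stand-in that only imitates the bearer check and a JSON reply; it is a test double, not a FortiGate. The endpoint path `/api/v2/monitor/system/status` is assumed, and the sample key is the placeholder value quoted in fortiwhall_FTNT's reply, not a real credential.

```python
"""Client side of the exchange the replies describe: the api-user key goes
in an 'Authorization: Bearer' header on every REST call. Added example,
not code from the thread or from Fortinet. The loopback stand-in below
only imitates the bearer check and a JSON reply; it is a constructed
test double, not a FortiGate. The endpoint path and key are placeholders."""
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The example key quoted in fortiwhall_FTNT's reply, reused as a placeholder.
# A real key is shown once in the GUI and belongs outside source code
# (see key_from_env()).
SAMPLE_KEY = "cG7yp5pxba79jnd7Q1Hjcyjs6jngrH"
STATUS_PATH = "/api/v2/monitor/system/status"  # assumed endpoint path


def key_from_env(var="FORTIOS_API_KEY"):
    """Read the one-time key from the environment instead of hard-coding it."""
    key = os.environ.get(var, "").strip()
    if not key:
        raise RuntimeError("set %s to the api-user key shown in the GUI" % var)
    return key


def fortios_get(base_url, path, api_key, ssl_context=None, timeout=10):
    """GET a FortiOS REST endpoint, authenticating with the api-user key.

    Returns (http_status, parsed_json). A 401 is what you get when the key
    is wrong or the api-user has been removed. Against a real FortiGate,
    pass an https:// base_url and an ssl.create_default_context() that
    trusts the device certificate; never disable verification.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + api_key,
                 "Accept": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl_context) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        body = err.read().decode()
        try:
            return err.code, json.loads(body)
        except json.JSONDecodeError:
            return err.code, {"raw": body}


class _StandInFortiGate(BaseHTTPRequestHandler):
    """Constructed test double: accepts exactly one bearer token."""
    expected_key = SAMPLE_KEY

    def do_GET(self):
        if self.headers.get("Authorization") != "Bearer " + self.expected_key:
            self._reply(401, {"status": "error", "http_status": 401})
            return
        self._reply(200, {"status": "success", "http_method": "GET",
                          "path": self.path, "serial": "CONSTRUCTED"})

    def _reply(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Query the stand-in with the right key and then a wrong one.

    Returns (status_with_right_key, status_with_wrong_key, body_with_right_key).
    """
    srv = HTTPServer(("127.0.0.1", 0), _StandInFortiGate)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        ok_status, ok_body = fortios_get(base, STATUS_PATH, SAMPLE_KEY)
        bad_status, _ = fortios_get(base, STATUS_PATH, "not-the-key")
    finally:
        srv.shutdown()
        srv.server_close()
    return ok_status, bad_status, ok_body


if __name__ == "__main__":
    print(run_demo())
```

Two points the thread implies but does not spell out: the bearer value is the plain key the GUI displayed, not the `ENC ...` blob that later appears in the saved configuration, and the header form is preferable to putting the key in the URL because request URLs end up in proxy and web-server logs. The trusthost entries in the saved config are an independent check on the source address, so a correct key sent from a non-listed address is still refused.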
Stephen_Roddick
New Contributor

 

 

Despite seemingly not being able to set the API key manually from the CLI, it is possible to set the API key to the same as one generated by another FortiGate if you push it via a CLI script from a FortiManager.

 

Example script:

 

config system api-user
    edit "RESTAPI_Admin"
        set api-key ENC <encrypted password here>
        set accprofile "<associated admin profile here>"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.0.1 255.255.255.255
            next
        end
    next
end

 

 

You should be able to copy the config system api-user entry from the donor FortiGate and paste it into a CLI script in the FortiManager and run it on the target FortiGate.
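The copy-and-paste step in the post above, done programmatically, as an added example that is not code from the thread or from Fortinet: carve the `config system api-user` entry out of a donor FortiGate's configuration text and emit it as the body of a FortiManager CLI script, refusing to clone an entry that carries no trusthost restriction. The donor configuration embedded below is constructed, and its `ENC` blobs are placeholders rather than real encrypted keys.

```python
"""Added example (not code from the thread or from Fortinet): carve the
'config system api-user' entry out of a donor FortiGate's configuration
text so it can be pasted into a FortiManager CLI script, and refuse to
clone an entry that has no trusthost restriction. DONOR_CONFIG is
constructed; its ENC blobs are placeholders, not real encrypted keys."""
import re

DONOR_CONFIG = """\
config system global
    set hostname "donor-fgt"
end
config system api-user
    edit "RESTAPI_Admin"
        set api-key ENC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        set accprofile "super_admin"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.0.1 255.255.255.255
            next
        end
    next
    edit "open-api"
        set api-key ENC BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
        set accprofile "read_only"
        set vdom "root"
    next
end
config firewall policy
end
"""

_OPENERS = ("config ", "edit ")
_CLOSERS = ("end", "next")


def extract_block(config_text, header):
    """Return the lines of the top-level 'config ... end' block whose header
    line equals `header`, inclusive. FortiOS config nests 'config'/'end' and
    'edit'/'next' pairs, so a depth counter is enough to find the close."""
    lines = config_text.splitlines()
    depth, start = 0, None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if depth == 0 and line == header:
            start = i
        if line.startswith(_OPENERS):
            depth += 1
        elif line in _CLOSERS:
            depth -= 1
            if depth == 0 and start is not None:
                return lines[start:i + 1]
    raise ValueError("block not found: " + header)


def api_user_entries(config_text):
    """Map api-user name -> its 'edit ... next' lines (inclusive)."""
    block = extract_block(config_text, "config system api-user")
    entries, depth, name, start = {}, 0, None, None
    for i, raw in enumerate(block):
        line = raw.strip()
        if line.startswith(_OPENERS):
            depth += 1
            if depth == 2 and line.startswith("edit "):
                name, start = line[5:].strip().strip('"'), i
        elif line in _CLOSERS:
            depth -= 1
            if depth == 1 and name is not None:
                entries[name] = block[start:i + 1]
                name = None
    return entries


def has_trusthost(entry_lines):
    """True if the entry restricts source addresses with ipv4/ipv6-trusthost."""
    return any(re.match(r"set ipv[46]-trusthost\s", l.strip()) for l in entry_lines)


def build_script(config_text, name):
    """Produce the CLI script text that recreates api-user `name` on a target
    FortiGate, ENC api-key included. Raises ValueError when the donor entry
    has no trusthost, since the cloned key would then be accepted from any
    source address on every device it is pushed to."""
    entry = api_user_entries(config_text).get(name)
    if entry is None:
        raise KeyError("no api-user named %r in donor config" % name)
    if not has_trusthost(entry):
        raise ValueError("api-user %r has no trusthost; add one before cloning" % name)
    return "\n".join(["config system api-user", *entry, "end"]) + "\n"


if __name__ == "__main__":
    print(build_script(DONOR_CONFIG, "RESTAPI_Admin"))
```

The trusthost check is the caveat worth keeping: every FortiGate that receives the script will accept the same bearer token, so a key that leaks from any one of them is valid against all of them, and a per-device source-address restriction is the control that limits that. Rotating the key afterwards means generating a fresh one on the donor and pushing the new `config system api-user` entry to every target again.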
