Hello, I'm trying to create the API admin user for using token-based authentication. I'm using the FortiOS REST API guide (v5.6.2, as the Fortigate firmware):
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end

When I'm issuing the "set api-key" entry I get an error "<passwd> please input admin password" when I type the "?". It's also totally not clear to me what the long text is ("+/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=", a password?) and whether this is something standard...
Thank you!
The api-key is assigned by the FortiGate. It's not something you can supply.
Your post was formatted weird, so I unpacked it and got this:
config system api-user
    edit "api-admin"
        set comments "admin for API access only"
        set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
        set accprofile "API profile"
        set vdom "root"
    next
end
On 5.6, when you create an api-user, all you need is accprofile – then the api key is randomly assigned by FortiGate and then the user uses THAT api key in order to authenticate future queries. However, I don't believe the FortiGate will give you the API key when creating the user on command line.
To help show this, I created a user via the GUI and had “diag debug cli 8” turned on. Here’s the result:
90d # diag debug cli 8
Debug messages will be on for 30 minutes.
90d # diag debug enable
90d # 0: config system api-user
0: edit "testing-api"
0: set comments "This is a comment"
0: set accprofile "read_only"
0: set vdom "root"
0: set cors-allow-origin "https://fndn.fortinet.net"
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 192.168.1.0 255.255.255.0
0: end
0: end
0: config system api-user
0: edit "testing-api"
0: config trusthost
0: edit 0
0: set ipv4-trusthost 172.16.0.0 255.240.0.0
0: end
0: end
The API key was given in the GUI and is only shown one-time. This key is then used for authenticating future REST API queries.
For example, I may have been given the following API key in the GUI
cG7yp5pxba79jnd7Q1Hjcyjs6jngrH
but the end configuration shows this:
config system api-user
    edit "testing-api"
        set comments "This is a comment"
        set api-key ENC SH28WlJVyJBQnOADIVSq+EOLx86dHMwDJfQViQsfgYA/M8qiCyVapnWdAQ8Gk4=
        set accprofile "read_only"
        set vdom "root"
        set cors-allow-origin "https://fndn.fortinet.net"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.0 255.255.255.0
            next
            edit 2
                set ipv4-trusthost 172.16.0.0 255.240.0.0
            next
        end
    next
end
I just posted on my blog about this setup, since others in the community have the same issues.
http://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html
As posted earlier, you generate the key. You cannot assign it in the CLI. Also use the key in the correct header when making GET/PUT/POST requests:
# header HTTP
"Authorization: Bearer xxxx BIG LONG KEY HERE xxxxx"
Ken Felix
PCNSE
NSE
StrongSwan
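To make the "Bearer" header usage above concrete, here is an added example client (written for this page, not code from the thread, from Fortinet, or from the blog linked above). It builds a FortiOS REST API request that carries the FortiGate-generated api-user key as a Bearer token, keeps the key out of logs, and treats 401/403 as the "wrong key or source IP outside the api-user's trusthost list" case. The host, the monitor endpoint path (/api/v2/monitor/system/status) and the vdom query parameter are assumptions; the sample key is the one-time key quoted earlier in this thread and is used here only as a placeholder value.

```python
"""Added example: minimal FortiOS REST API call with a Bearer API key.

Assumptions (not stated in the forum thread):
  - the FortiGate host/IP and CA file are supplied by the caller;
  - /api/v2/monitor/system/status is used as a read-only probe endpoint;
  - the optional ?vdom= query parameter selects the VDOM the api-user
    is scoped to (the thread's examples use "root").
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple

API_PATH = "/api/v2/monitor/system/status"  # assumed read-only probe endpoint


def build_request(host: str, api_key: str, path: str = API_PATH,
                  vdom: Optional[str] = None) -> urllib.request.Request:
    """Return a GET request whose Authorization header carries the api-user key.

    The key is the value the GUI showed once at creation time, NOT the
    'ENC ...' blob stored in 'config system api-user'.
    """
    url = f"https://{host}{path}"
    if vdom:
        url += f"?vdom={vdom}"
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def redact(api_key: str) -> str:
    """Keep only a short prefix so a log line can correlate keys without leaking one."""
    return api_key[:4] + "..." if len(api_key) > 4 else "..."


def call(host: str, api_key: str, path: str = API_PATH,
         vdom: Optional[str] = None,
         cafile: Optional[str] = None) -> Tuple[int, Optional[dict]]:
    """Send the request over verified TLS and return (status, parsed JSON or None).

    A 401/403 here usually means the key is wrong, or the client's source
    address is not covered by the api-user's trusthost entries.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verify the FortiGate cert
    req = build_request(host, api_key, path, vdom)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        print(f"request with key {redact(api_key)} rejected: HTTP {err.code}")
        return err.code, None


if __name__ == "__main__":
    # Placeholder values; replace with your FortiGate and the key the GUI showed.
    status, body = call("192.0.2.1", "cG7yp5pxba79jnd7Q1Hjcyjs6jngrH", vdom="root")
    print(status, body)
```

Pass a `cafile` pointing at the CA that signed the FortiGate's admin certificate rather than disabling verification; a client that skips TLS checks can be redirected to a fake box and hand over the key, which is exactly the credential the trusthost list is meant to protect.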
Despite not seemingly being able to set the API key from the CLI manually, it is possible to set the API key to the same as one generated by another FortiGate if you push it via CLI script from a FortiManager.
Example script:
config system api-user
edit "RESTAPI_Admin"
set api-key ENC <encrypted password here>
set accprofile "<associated admin profile here>"
set vdom "root"
config trusthost
edit 1
set ipv4-trusthost 192.168.0.1 255.255.255.255
next
end
next
end
You should be able to copy the config system api-user entry from the donor FortiGate and paste it into a CLI script in the FortiManager and run it on the target FortiGate.