Creating an Administrator Account with API Key Authentication
An API key is a token that a client provides when making API calls.
API key authentication lets an administrator authenticate to the API with a token instead of the usual administrator name and password.
You can use SmartConsole to configure an API key for administrators to use the management API.
Note - This administrator can only use the API for executing API commands and cannot use it for SmartConsole authentication.
- In SmartConsole, click Manage & Settings > Permissions & Administrators > Administrators.
- Click the New icon at the top menu.
  The New Administrator window opens.
- Give the administrator a name.
- In the Authentication Method field, select API Key.
- Click Generate API key.
  A new API key window opens.
- Click Copy key to Clipboard.
  Save the key for later use (provide it to the relevant administrator).
- Click OK.
- Publish the SmartConsole session.
This example demonstrates how to use the API key to log in and create a simple-gateway using the API.
- Log in to the Expert mode.
- Use the previously generated key for the login, and save the standard output to a file (redirect it to a file using the ">" sign):
  Syntax:
  mgmt_cli login api-key <api-key> > /<path_to>/<filename>
  Example:
  mgmt_cli login api-key mvYSiHVmlJM+J0tu2FqGag12 > /var/tmp/token.txt
- Run a mgmt_cli command with the "-s" flag:
  Syntax:
  mgmt_cli -s /<path_to>/<filename> add simple-gateway name <gateway name> ip-address <ip address> one-time-password <password> blade <true>
  Example:
  mgmt_cli -s /var/tmp/token.txt add simple-gateway name "gw1" ip-address 192.168.3.181 one-time-password "aaaa" firewall true vpn true
For more details, see the Check Point Management API Reference.
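The session file written by the login step holds a live session token, so anyone who can read it can run API commands as that administrator. The following is an added example, not Check Point's own code: it wraps the login and "-s" steps above so that the session file is private, the change is published, and the session is logged out and removed afterwards. The function names, the key file path and the session file name are assumptions; publish, discard and logout are Management API commands.

```bash
#!/bin/bash
# Added example (not Check Point's code): the page's login / "-s" procedure
# with the session file locked down and cleaned up. Run in Expert mode.

# Log in with an API key read from stdin, e.g. api_login < /path/to/keyfile
# (the key file path is an assumption; keep that file mode 0600).
# Prints the path of the session file on success.
api_login() {
    local key session_file
    IFS= read -r key || true     # tolerate a key file with no trailing newline
    [ -n "$key" ] || { echo "api_login: empty API key" >&2; return 1; }
    # mktemp creates the file with mode 0600 and an unpredictable name, so
    # other local users cannot read or pre-create the session file.
    session_file=$(mktemp /var/tmp/mgmt_session.XXXXXX) || return 1
    if ! mgmt_cli login api-key "$key" > "$session_file"; then
        rm -f "$session_file"
        return 1
    fi
    printf '%s\n' "$session_file"
}

# Run one API command in the session and publish it. On failure, discard
# the pending changes. Always log out and delete the session file.
api_run_and_publish() {
    local session_file="$1" rc
    shift
    if mgmt_cli -s "$session_file" "$@" &&
       mgmt_cli -s "$session_file" publish; then
        rc=0
    else
        rc=$?
        mgmt_cli -s "$session_file" discard >/dev/null 2>&1
    fi
    mgmt_cli -s "$session_file" logout >/dev/null 2>&1
    rm -f "$session_file"
    return "$rc"
}

# Usage on the Management Server (gateway values are the page's example):
#   sf=$(api_login < /path/to/keyfile) &&
#   api_run_and_publish "$sf" add simple-gateway name "gw1" \
#       ip-address 192.168.3.181 one-time-password "aaaa" firewall true vpn true
```

Reading the key from a file keeps it out of the shell history, but it is still passed to mgmt_cli as an argument, as in the syntax above, so it is visible in the process list while the login runs.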
After you configure API authentication, you can, in addition, configure authentication with a certificate file. The administrator can then authenticate to the Security Management Server with either an API Key or a certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log in to SmartConsole in two ways:
- Log in to SmartConsole with the Certificate File option. The administrator must provide the password to use the certificate file.
- You can import the certificate file to the Windows Certificate Store on the Microsoft Windows SmartConsole computer. The administrator can use this stored certificate to log in to SmartConsole with the CAPI Certificate option. The administrator does not need to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole with no administrator account of their own.