topic Re: How to add a new admin user via the API in General Topics

How to add a new admin user via the API

RogerMccarrick — Tue, 31 Jul 2018 17:19:15 GMT

I'm working on a script to deploy new Palo Alto firewalls in vmware from template, using powershell.

I'm doing this with API calls in the powershell code.

for instance, change hostname:

$hnURL = "https://myPA//api/?key=" + $apiKey + "&type=config&action=edit&xpath=/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/hostname&element=<hostname>$myHostname</hostname>"

Invoke-WebRequest -uri $hnURL

I want to do something similar to add a new user "apiadmin", and password.

I have googled and found how to add a user on the CLI, but I'm hoping to be able to do it via the API.

Any help would be much appreciated.

Roger

Re: How to add a new admin user via the API

BPry — Tue, 31 Jul 2018 17:33:35 GMT

@RogerMccarrick,

I don't think this is actually possible. The API will give you the phash value and you might be able to actually set that value, but that wouldn't really help you at all.

Re: How to add a new admin user via the API

RogerMccarrick — Tue, 31 Jul 2018 22:41:27 GMT

Thanks for the reply.

So I will create the user ahead of time. But then I want to use the API to change the password of that account in each new FW so that I can then generate a new API key.

I can get the phash of the NEW PASSWORD.

<request><password-hash><password>NEWPASSWORD</password></password-hash></request>

Do you know how I set the new password using th API and phash.

I read an article but it didn't work for me.

thanks

Re: How to add a new admin user via the API

BPry — Tue, 31 Jul 2018 23:15:38 GMT

@RogerMccarrick,

Here's the thing with that, if you follow best practices this isn't going to work. Unless you keep the devices master key the exact same between all units, and you use the exact same password on all devices, the phash value isn't interpreted the same.

I really recommend that this not be something you script as it breaks multiple best practices.

Re: How to add a new admin user via the API

RogerMccarrick — Wed, 01 Aug 2018 14:44:25 GMT

There is an article at called "How to Change the Password of Administrative Users via XML AP" at https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Change-the-Password-of-Administrative-Users-via-XML-API/ta-p/75525

I tried to follow the article but it didnt work. The article doesn't show complete commands and I think it has a mistake.

But however I do this, I will want to know how to change the password of an account via API.

My idea is to:

Deploy PA

Run a powershell command I have to generate a new password.

Use the API to get the phash of that password, with powershell.

Use the API to change the password of the apiadmin account, with powershell.

Generate an api key with apiadmin and new password, all in powershell.

I don't ever need to know what that password is. It is all generated in the running of instance of the powershell script, used in that instance and the only thing I keep is the API key.

Wil never access the PA again with the password. Only the API key.

Re: How to add a new admin user via the API

BPry — Wed, 01 Aug 2018 15:04:08 GMT

@RogerMccarrick,

The command to do something like this would look like this.

api/?type=config&action=set&key=YOURKEY&xpath=/config/mgt-config/users/entry[@name='test']&element=<phash>PHASHVALUE</phash>

Just to point out once again, I'm not seeing what you're attempting to do here. You specifically call out that you are setting the password to a known value in some powershell script, then you get the phash for some reason, then you change the password using a phash value again, then you get the API key?

I'm not seeing the point in all the run-around with setting the password. If you're doing it once already just set it to a secure password the first time, generate the api-key and be done with it. It appears that you have two password changes in your script that has you changing the password once, then modifying the phash directly, then getting the API key. I'm missing why you would ever need to modify the phash directly if you're already setting the password once.

Re: How to add a new admin user via the API

RogerMccarrick — Thu, 02 Aug 2018 17:39:06 GMT

Thanks for the command. It worked.

Each time I deploy a PA, I want to do all (or as much as I can) (of) the deployment with a single powershell script doing API calls to configure the PA.

Each PA has an apiadmin account, specifically for doing API calls for future configurations. And each PA will have to have a different API-Key. So I have to change the password of the apiadmin account (without manually logging in) to something different on each PA to achieve this. I will store all API keys in a database.

When I deploy a new PA, it is a clone of the template, all passwords and keys are the same for each one. I am using the script to automate changing passwords and generating new API keys.

So from powershell script:

deploy new PA from VMware template, has known password for apiadmin account.

generate random password.

send api call to new PA to get hash of that new password

api call to with that hash to change the apiadmin password (the command you showed me).

api call to PA using apiadmin and new password to generate new API key for apiadmin

store new PA name and apiadmin API key in database.

I do all the api calls using the default admin account, and then when done change the password and key of the admin account.

thanks for your help.