leej
Staff
Article Id 190408
Description
This article describes how an administrator user can log in to and log out of FortiMail using the REST API.

Scope
From OS 5.3.4

Solution
1) Check that the rest-api feature is enabled on FortiMail.
# config system global
    set hostname FML_IntSRV
    set admin-idle-timeout 30
    set data-loss-prevention disable
    set rest-api enable
end
2) Check that the administrator user has been added on FortiMail.
# config system admin
    edit admin
        set password ENC $1$233bbec9$Xb8npD7/j3Bsj.mert9H1.
        set access-profile super_admin_prof
        set language english
    next
    edit jklee
        set password ENC $1$172bd7d5$gJrUnT4/7unlhRsxHvzvK.
        set access-profile super_admin_prof
        set language english
    next
end
3) Use the following command on the API-agent to log the administrator user 'jklee' in to FortiMail.

Note:
Below are the details used:

Username: jklee
Password: fortinet
API-agent : Linux
FortiMail : 10.5.1.99

- Command to log-in:
[root@Linux-JKLEE api]# curl --insecure -v -H "Content-Type: application/json" -X POST -d '{"name":"jklee","password":"fortinet"}' https://10.5.1.99/api/v1/AdminLogin -c cookie1.txt
Note:
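The '--insecure' option is used to prevent a certificate verification error during the procedure. It makes curl skip verification of the FortiMail server certificate, as the 'skipping SSL peer certificate verification' line in the output below shows. Where the issuing CA certificate is available on the API-agent, passing it with '--cacert' keeps verification enabled.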

- See the result step by step.

The following output shows the POST request being sent to FortiMail.
* About to connect() to 10.5.1.99 port 443 (#0)
*   Trying 10.5.1.99... connected
* Connected to 10.5.1.99 (10.5.1.99) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
*       subject: E=support@fortinet.com,CN=FortiMail,OU=FortiMail,O=Fortinet,L=Sunnyvale,ST=California,C=US
*       start date: Jul 03 17:24:18 2015 GMT
*       expire date: Jan 19 03:14:07 2038 GMT
*       common name: FortiMail
*       issuer: E=support@fortinet.com,CN=support,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US
> POST /api/v1/AdminLogin HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 10.5.1.99
> Accept: */*
> Content-Type: application/json
> Content-Length: 38
>
The following output shows the '200 OK' response received from FortiMail.
< HTTP/1.1 200 OK
< Date: Wed, 11 Dec 2019 08:04:37 GMT
< Cache-Control: no-cache
* Added cookie APSCOOKIE="Era%3D0%26Payload%3DH0GBlo9rG82OWUcRRR4iRBwGYLTwUGMRfBXUgUmCzHtomNE63fqnzY%2FXpwouT78Y%0AUguSlytMk2lKJ4DL6p1oL3cLT4%2FKIsE3rv3CeFWrze2w%2Fh20wgX6WRnnD4nhhiX2%0AsGJX7C4eMPU%3D%0A%26AuthHash%3D%2Bre%2FBjCJlo1%2Fh7vJCwGpXg%3D%3D%0A" for domain 10.5.1.99, path /, expire 0
< Set-Cookie: APSCOOKIE=Era%3D0%26Payload%3DH0GBlo9rG82OWUcRRR4iRBwGYLTwUGMRfBXUgUmCzHtomNE63fqnzY%2FXpwouT78Y%0AUguSlytMk2lKJ4DL6p1oL3cLT4%2FKIsE3rv3CeFWrze2w%2Fh20wgX6WRnnD4nhhiX2%0AsGJX7C4eMPU%3D%0A%26AuthHash%3D%2Bre%2FBjCJlo1%2Fh7vJCwGpXg%3D%3D%0A; Path=/; Version=1
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Vary: Accept-Encoding
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: application/json
<
* Connection #0 to host 10.5.1.99 left intact
* Closing connection #0
{"objectID": "AdminLogin:","reqAction": 2,"nodePermission": 0,"name": "jklee","password": "******","new_password": "******","token": "******","domain": "system","webmode": 1,"locale": "en","loginstatus": 1,"model": "FE-VMW","serial": "FEVM000000000000","theme": 0,"operation_mode": 2,"manager_supported": 0,"debug": false,"product_name": "FortiMail","product_version": "6.0.160","post_login_banner": false,"disclaimer": "","is_superadmin": true,"scramble": true,"forced_encryption": 3,"migration_enabled": false,"dlp_enabled": false,"minimum_length": 8,"must_contain": 0,"reqAction": 2}

4) Check that "jklee" exists on the list.

- From the CLI:
# get system admin-list
[2] login-name: jklee
access-profile: super_admin_prof
login-method: HTTPS
login-time: Wed Dec 11 17:04:37 2019
timeout-time: Wed Dec 11 17:34:37 2019
process-ID: 2135
client-address: 10.5.1.254
- On the GUI:

Go to Status -> System Information -> Current administrator -> Details.

Administrator users logged in to FortiMail are subject to 'admin-idle-timeout', which means that an administrator user is forcibly logged out from FortiMail when no actions are processed on FortiMail within that time.

Refer to the following configuration:
# config system global
    set hostname FML_IntSRV
    set admin-idle-timeout 30
    set data-loss-prevention disable
    set rest-api enable
end
However, to log out a specific administrator user before 'admin-idle-timeout' is reached, follow these steps:

1) To log out "jklee", the "cookie1.txt" file that was created when "jklee" logged in is required.
The 'cookie1.txt' file must exist in the directory from which "jklee" previously logged in to FortiMail.

Note:
[root@Linux-JKLEE api]# ls -lrt | grep cookie1.txt
-rw-r--r--. 1 root root 398 Dec 11 08:04 cookie1.txt
[root@Linux-JKLEE api]#
2) Use the following command on the API-agent to log the administrator user "jklee" out of FortiMail.

- Command to log-out:
[root@Linux-JKLEE api]# curl --insecure -b cookie1.txt -H "Content-Type: application/json" -X POST -d '{"reqAction":8}' https://10.5.1.99/api/v1/AdminLogin
- See the result step by step.
When "jklee" has been successfully logged out from FortiMail, the result shows 'Successful'.
{"errorType": 0,"errorMsg": "Successful:Custom action2 on object (AdminLogin) ","objectID": "AdminLogin:","reqAction": 8}
3) Check that "jklee" does not exist on the list.

- From the CLI:
# get system admin-list
- From the GUI:

Go to Status -> System Information -> Current administrator -> Details.
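
The login and logout calls above, wrapped as an added example (not part of the original article or Fortinet's own tooling) that keeps certificate verification on, keeps the password out of the process list, and stores the session cookie in a 0600 file that is deleted on exit. Assumptions: FML_HOST, FML_USER, FML_PASS and FML_CA are hypothetical variables set by the caller, and FortiMail presents a certificate issued by FML_CA that is valid for FML_HOST.

```shell
#!/bin/sh
# Added example: hardened wrapper around the article's two AdminLogin calls.
# Assumptions (not from the article): FML_HOST, FML_USER, FML_PASS, FML_CA are
# set by the caller; user name and password contain no '"' or '\' characters.

# Create the cookie jar as a private (0600) temp file instead of ./cookie1.txt.
new_cookie_jar() {
    ( umask 077; mktemp "${TMPDIR:-/tmp}/fml-cookie.XXXXXX" )
}

# Succeeds only if the login body reports "loginstatus": 1, as in the sample response.
login_ok() {
    printf '%s' "$1" | grep -Eq '"loginstatus":[[:space:]]*1([^0-9]|$)'
}

# Succeeds only if the logout body reports "errorType": 0, as in the sample response.
logout_ok() {
    printf '%s' "$1" | grep -Eq '"errorType":[[:space:]]*0([^0-9]|$)'
}

fml_login() {   # $1 = cookie jar; the JSON body goes over stdin, not argv
    printf '{"name":"%s","password":"%s"}' "$FML_USER" "$FML_PASS" |
        curl --silent --cacert "$FML_CA" -H "Content-Type: application/json" \
             -X POST --data @- -c "$1" "https://$FML_HOST/api/v1/AdminLogin"
}

fml_logout() {  # $1 = cookie jar written by fml_login
    curl --silent --cacert "$FML_CA" -b "$1" -H "Content-Type: application/json" \
         -X POST -d '{"reqAction":8}' "https://$FML_HOST/api/v1/AdminLogin"
}

# Full session, only when invoked as: sh fml_session.sh run
if [ "${1:-}" = "run" ]; then
    umask 077
    jar=$(new_cookie_jar) || exit 1
    trap 'rm -f "$jar"' EXIT          # never leave the session cookie on disk
    body=$(fml_login "$jar")
    login_ok "$body" || { echo "login failed" >&2; exit 1; }
    # ... further API requests using -b "$jar" go here ...
    logout_ok "$(fml_logout "$jar")" || { echo "logout failed" >&2; exit 1; }
fi
```

After a run, 'get system admin-list' should no longer list the user, as in the final check above.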
