NSM On-Prem - Authentication with API

Description

API calls to NSM On-Prem must be authenticated first. This KB illustrates how to authenticate with the API in Postman.

The first part of this article covers authentication as the default admin user (which is super admin). The second part covers authentication as other users, such as regular admin, operator, etc.

PART 1. Authentication with default admin user

For NSM On-Prem instances without 2FA, Step 1 is good enough. For NSM On-Prem instances with 2FA, follow Steps 1-4.

Step 1. Get Bearer Token:

POST https://(NSM ON-Prem IP:port)/api/manager/auth
Body:
{
  "override": true,
  "password": "Real Password",
  "user": "admin"
}
Click Send. The response returns the Bearer Token in the "message" section. Notice that this NSM On-Prem instance has 2FA enabled.

Step 2. Copy the Bearer Token (the text between the " ") from Step 1 and paste it into the Collection, so the rest of the API calls can inherit it.
Note:
Make sure the Authentication of the rest of the API calls in this collection is set to "Inherit auth from parent".

Step 3. Create a new API call to send the 2FA code. Note that this is for the Email 2FA code. If using an Authenticator, skip this step.

POST https://(NSM ON-Prem IP:port)/api/manager/tfa/resend

Step 4. Create a new API call to verify the 2FA code. Replace the code in the body with the 2FA code from the email or authenticator.

POST https://(NSM ON-Prem IP:port)/api/manager/tfa/verify
Body:
{"code":"369621","2faType":"email"}
Note: 
This code is the 2FA code emailed from Step 3. If Microsoft/Google Authenticator is used, the API call would be:
{"code":"369621","2faType":"app"}

Note: the Bearer Token itself is the same one. It has just been verified with 2FA.
Now that the Bearer Token has been verified, we can test it by retrieving all tenants info:

GET https://(NSM ON-Prem IP:port)/api/manager/tenants

 

PART 2. Authentication with other users

The difference between the default admin (which is super admin) and other users is that the default admin has the scope of all tenants, while other users may have a scope of only some tenants. We need to set the active tenant for other users first.

Assume user1 is a regular admin user, and it has the scope of "Global Default Tenant".

Perform Steps 1-4 in PART 1 with the default admin user. The tenant ID can be found in the tenant list.

Perform Steps 1-4 in PART 1 with user1's credentials, then set the active tenant:

PUT https://(NSM ON-Prem IP:port)/api/manager/tenants/active
Body:
{"tenantIDs":[ "a4371f74-ed0b-4f5a-82e0-448aa618fd58"] }
 

Now the Bearer Token has been verified and the active tenant has been set. We can test it by retrieving the tenants in user1's scope:

GET https://(NSM ON-Prem IP:port)/api/manager/tenants
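
The same sequence scripted outside Postman, as an added example that is not SonicWall's code. It assumes the token is sent as an "Authorization: Bearer" header (what Postman's Bearer Token auth type does) and that replies are JSON; the names nsm_login, http_send, get_code, NSM_URL and NSM_USER are hypothetical.

```python
import json, ssl, urllib.request

def http_send(method, url, headers, body, cafile=None):
    """Default transport: one HTTPS request, JSON body in, decoded JSON out."""
    ctx = ssl.create_default_context(cafile=cafile)  # keeps certificate checks on
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode() or "null")

def nsm_login(base, user, password, get_code=None, tfa_type="app",
              tenant_ids=None, send=http_send):
    """PART 1 Steps 1-4, then the PART 2 tenant call. Returns (token, tenants)."""
    hdr = {"Content-Type": "application/json"}
    # Step 1: the Bearer Token comes back in the "message" field.
    reply = send("POST", base + "/api/manager/auth", hdr,
                 {"override": True, "password": password, "user": user})
    token = reply["message"]
    # Step 2: attach the token to every later call (assumed Authorization header).
    hdr = dict(hdr, Authorization="Bearer " + token)
    if get_code is not None:  # 2FA is enabled on this instance
        if tfa_type == "email":
            # Step 3: only email 2FA needs the code to be sent.
            send("POST", base + "/api/manager/tfa/resend", hdr, None)
        # Step 4: verify the code; the token itself does not change.
        send("POST", base + "/api/manager/tfa/verify", hdr,
             {"code": get_code(), "2faType": tfa_type})
    if tenant_ids:
        # PART 2: users other than the default admin set the active tenant.
        send("PUT", base + "/api/manager/tenants/active", hdr,
             {"tenantIDs": list(tenant_ids)})
    # Test call: list the tenants in this user's scope.
    return token, send("GET", base + "/api/manager/tenants", hdr, None)

if __name__ == "__main__":
    import getpass, os
    # NSM_URL and NSM_USER are assumed variable names; the password and the
    # 2FA code are prompted for so they never land in the script or history.
    token, tenants = nsm_login(os.environ["NSM_URL"], os.environ.get("NSM_USER", "admin"),
                               getpass.getpass("Password: "),
                               get_code=lambda: input("2FA code: "))
    print(json.dumps(tenants, indent=2))
```

If the NSM certificate is issued by a private CA, wrap the transport with functools.partial(http_send, cafile=...) and pass it as send, rather than turning verification off.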
 
