hi
Seems like in version 19 I cannot use an encrypted password for API access; it simply does not work. I'm getting an authentication error, while a plain password works normally. I'm generating the password using CBC 128. Has anything changed in 19? Tried the native tool in the Sophos advanced shell, online tools etc., nothing :/
thanks!!
Hi Lev Anni, thank you for contacting the Sophos community team. Yes, I have checked on the local LAB device and observed the same problem which you mentioned.
Response in Browser:
<Response APIVersion="1900.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Failure</status>
</Login>
</Response>
SFVUNL_SO01_SFOS 19.0.1 MR-1-Build365# tail -f /log/apiparser.log
INFO Oct 12 09:21:12Z [26189]: Start Login Handler,Component : Login
ERROR Oct 12 09:21:12Z [26189]: Key:ISCrEntity is not found in RequestMap File for Login.
INFO Oct 12 09:21:12Z [26189]: Mapping file for Login component is /_conf/csc/IOMappingFiles//1900.1/Login/Login.xml
ERROR Oct 12 09:21:12Z [26189]: Flag setting for this opcode is 18.
INFO Oct 12 09:21:13Z [26189]: Opcode response: status:500
ERROR Oct 12 09:21:13Z [26189]: Problem while checking the username & password.
ERROR Oct 12 09:21:13Z [26189]: Authentication Failure
CSC Debug:
INFO Oct 12 09:21:13Z [login:26131]: CSC::PREPSTMT : Create new connection.
DEBUG Oct 12 09:21:13Z [login:26131]: get_txid:Transaction ID: 1236194
DEBUG Oct 12 09:21:13Z [login:26131]: do_prep_query: PREPSTMT: 'select usertype from tbluser where username=lower(?) and usertype = ?'
INFO Oct 12 09:21:13Z [login:26131]: do_get: deny_admin_flag
INFO Oct 12 09:21:13Z [login:26131]: ACTION: CALL check_defadmin_otp_status
DEBUG Oct 12 09:21:13Z [login:26131]: do_prep_query: PREPSTMT without ARGS: select otp from tbluser where username = 'admin'
DEBUG Oct 12 09:21:13Z [login:26131]: get_txid:Transaction ID: 1236195
DEBUG Oct 12 09:21:13Z [login:26131]: do_prep_query: PREPSTMT: 'select otp from tbluser where username = 'admin''
INFO Oct 12 09:21:13Z [login:26131]: ACTION: DLOPEN(check_passwd, input)
INFO Oct 12 09:21:13Z [login:26131]: ACTION: CALL login_failed
INFO Oct 12 09:21:13Z [login:26131]: ACTION: DLOPEN(get_time, (null))
+++++++++
DEBUG Oct 12 09:21:13Z [worker:26193]: # OPCODE Exited: 'apiInterface' with Status: '500'
I would suggest opening a support case for further investigation with the Support team; to validate further, please share the case ID details for reference here or via DM.
Regards,
Vishal Ranpariya
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question, use the 'Verify Answer' link.
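An added example, not part of any post in this thread: one way to pull failed API logins out of lines in the apiparser.log format quoted above, grouping by the PID in brackets. The second session (PID 26301, status 200) is a constructed sample line, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the apiparser.log excerpt above.
# The PID 26301 lines are invented to show a non-failing session.
SAMPLE_LOG = """\
INFO Oct 12 09:21:12Z [26189]: Start Login Handler,Component : Login
ERROR Oct 12 09:21:12Z [26189]: Flag setting for this opcode is 18.
INFO Oct 12 09:21:13Z [26189]: Opcode response: status:500
ERROR Oct 12 09:21:13Z [26189]: Problem while checking the username & password.
ERROR Oct 12 09:21:13Z [26189]: Authentication Failure
+++++++++
INFO Oct 12 09:25:40Z [26301]: Start Login Handler,Component : Login
INFO Oct 12 09:25:41Z [26301]: Opcode response: status:200
"""

# LEVEL Mon DD HH:MM:SSZ [pid] or [component:pid]: message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\dZ) "
    r"\[(?:(?P<comp>\w+):)?(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"status:\s*'?(\d{3})")


def summarize_logins(text):
    """Group log lines by PID and summarize each API login attempt."""
    sessions = defaultdict(
        lambda: {"start": None, "status": None, "failed": False, "errors": []}
    )
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators such as '+++++++++' or wrapped lines
        s, msg = sessions[m["pid"]], m["msg"]
        if msg.startswith("Start Login Handler"):
            s["start"] = m["ts"]
        status = STATUS_RE.search(msg)
        if status:
            s["status"] = int(status.group(1))
        if m["level"] == "ERROR":
            s["errors"].append(msg)
            s["failed"] = s["failed"] or "Authentication Failure" in msg
    # Keep only PIDs that actually went through the login handler.
    return {pid: s for pid, s in sessions.items() if s["start"]}


def failed_logins(text):
    """Return the PIDs of login attempts that ended in Authentication Failure."""
    return sorted(p for p, s in summarize_logins(text).items() if s["failed"])
```
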
Hi Lev Anni, let me check and work on this to get some more details at my end. As it is working with a plain password for you as of now, you may use that for the time being while I am checking and working on this one.
Regards,
Vishal Ranpariya
Hi,
I have the same problem with version 19.0.1 MR-1-Build365. Plaintext password login works, but with an encrypted password it does not. I wish I had read this thread 5 hours ago; that would have saved me a lot of research and testing.
BTW: Using a plaintext password might be OK as a workaround for testing purposes, but if you have a bunch of self-signed PowerShell scripts relying on the authentication mechanism with encrypted credentials, the workaround is not easily feasible. During research I found that this is not the first time Sophos XG has had problems with encrypted passwords. I wonder how Sophos manages their own firewalls without stumbling over such a problem.
Hi Lev Anni, I am working with the documentation team to update the "API Help Section" of XG V19 accordingly.
Regards,
Vishal Ranpariya
Thank You for that one, too.
BTW: Yesterday I also tried to read the encrypted password on the Advanced Shell with "opcode GetEncrypted_PasswordFor_API -t json -b '{"password":"<mypassword>"}' -ds nosync", but I received the error "500 opcode not found". It seems this opcode was also removed, as PW encryption is no longer available. So when updating the documentation, this might be another passage to take a closer look at.
Greetings
Hi bobbylam
Though I do not think HTTPS can replace password encryption in all dimensions (I'd prefer HTTPS + native PW encryption), at least I can stop troubleshooting.
Thanx for the quick response.
Greetings
Hi ust33-sct User and Lev Anni, the required help section of the API has been updated.
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/APIUsingAPI/index.html#get-add-update-or-delete-an-ip-host
Regards,
Vishal Ranpariya