FileMaker Server 19.6 has been out for a little while now. You may have already read about all the new features from Wim Decorte’s excellent review.
In what has become a labor of love for me, I’ve updated the Admin API tool for the latest version. Being able to fully support the addition of PKI authentication, including the ability to generate and manage public and private keys, was nontrivial.
Technically, the Admin API only supports adding public keys to the server, deleting them, and using a JWT (JSON Web Token) to authenticate to the Admin API. This Admin API tool update can also create new keys and generate the correct JWT.
In the FileMaker Server folder that gets installed, there is now a new folder with some sample Python scripts. The files are located in “FileMaker Server\Tools\AdminAPI_PKIAuth” if you want to look at them. To use them, you will first need to install Python, which you may not want to do on the server. Fortunately, after looking at what the Python scripts do, it was possible to do the same from FileMaker Pro scripting: you can use AppleScript (macOS) or PowerShell (Windows) to call the same command-line tools the Python scripts do, since the commands run on both platforms. Those are “ssh-keygen” and “openssl”, which come preinstalled with the OS.
This makes it very easy to generate the keys and then post them to the server via the Admin API. Once that is in place on the server, you can generate a JWT and change your method of authenticating to the Admin API.
What Does the Scripting Do in FileMaker?
This scripting in FileMaker Pro does a number of things. It runs the command line needed to generate a key pair in PEM format, including both the private and public keys. Since the public key generated is not in the correct format, a second command is run to create that as well.
These are really just text files that contain the keys. The files are inserted into container fields using an “Insert from URL” script step, the text is read from them using the TextDecode function, and the value is saved in a text field. Then we remove the text files we created in the OS to tidy up after ourselves, again with AppleScript/PowerShell.
Normally, the command that generates the keys, ssh-keygen, would prompt you to enter a password used to encrypt the private key. To completely automate the process, no password is used to encrypt the private key; otherwise you would also be prompted for it when generating a JWT. Because the private key value is stored in a database, you should add the necessary security privileges to the file that stores these keys. In case you just want this functionality, there is a standalone file called “SSH Keys & JWT.fmp12” that only creates private and public keys and generates JWTs.
Calculations for Generating the JWT
Generating the JWT can also be done entirely in FileMaker, so there is a calculation to do that as well in both the standalone file and the full Admin API tool. The calculation uses the “CryptGenerateSignature” function to create the signature needed and encodes it with Base64.
Once done, you create the API key in FileMaker Server or use the Admin API tool to post it for you. Then you can use the JWT to authenticate instead of using Basic authentication with a username and password. Upon authentication, you get back the same Bearer token that is used for subsequent calls to the Admin API.
This will be especially handy for machine-to-machine scripting that uses the Admin API to help administer FileMaker Servers. Authentication of users to the FileMaker Admin Console may change with the use of AD FS, which might also require multi-factor authentication. That would not be suitable for scripted use, where MFA cannot be automated, for good reason.
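The key-generation and JWT steps described above, as an added shell example that is not the code from the Admin API tool or from the sample scripts shipped with FileMaker Server. The key name `example-key`, the claim set (`iss`, `aud`, `iat`, `exp`) and its values, the 2048-bit key size and the five-minute lifetime are assumptions; check the claims against the sample scripts in the AdminAPI_PKIAuth folder before using them.

```shell
#!/bin/sh
# Added example. Key name, claim set, key size and lifetime are assumptions.
umask 077   # the private key has no passphrase, so keep the files owner-only

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_keys DIR: PEM private key without a passphrase, then the public key
# re-exported by openssl in PEM form.
make_keys() {
    # Falls back to openssl alone where ssh-keygen is unavailable.
    ssh-keygen -q -t rsa -b 2048 -m PEM -N "" -f "$1/key.pem" 2>/dev/null ||
        openssl genrsa -out "$1/key.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# make_jwt KEYFILE KEYNAME TTL_SECONDS: print an RS256-signed JWT.
# A short TTL limits how long a leaked token stays useful.
make_jwt() {
    now=$(date +%s)
    header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
    payload=$(printf '{"iss":"%s","aud":"fmsadminapi","iat":%s,"exp":%s}' \
        "$2" "$now" "$((now + $3))" | b64url)
    sig=$(printf '%s.%s' "$header" "$payload" |
        openssl dgst -sha256 -sign "$1" -binary | b64url)
    printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_jwt PUBFILE TOKEN: succeed only if the signature matches the public key.
verify_jwt() {
    signed=${2%.*}; sig=${2##*.}
    pad=$(( (4 - ${#sig} % 4) % 4 ))          # restore the stripped base64 padding
    while [ "$pad" -gt 0 ]; do sig="$sig="; pad=$((pad - 1)); done
    tmp=$(mktemp) || return 1
    printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
    printf '%s' "$signed" | openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Constructed demo run: throwaway key pair in a temporary directory.
dir=$(mktemp -d) && make_keys "$dir" &&
    token=$(make_jwt "$dir/key.pem" "example-key" 300) &&
    verify_jwt "$dir/pub.pem" "$token" && echo "signed and verified; keys in $dir"
```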
Additional Changes to the Admin API for 19.6
Other changes to the Admin API for 19.6 include the ability to specify running a backup script with the option to only produce a clone, and restricting the Admin Console to whitelisted IP addresses. The “Clone Only” option is a welcome addition and will surely get used to get a clone of a file, possibly for use with the Data Migration Tool, without needing to also do a full backup of hosted files. The Data Migration Tool is now installed with FileMaker Server as of 19.6 as well. A note on restricting the Admin Console: doing so will also restrict Admin API usage to the same IP addresses listed.
As always, you can get the file(s) for free on GitHub.
Next Steps in Claris FileMaker
If you’d like more insights into how to make your FileMaker application more efficient, we can help. Contact us to learn more.