astounding
Member Candidate
Topic Author
Posts: 121
Joined: Tue Dec 16, 2008 12:17 am

License Upgrade using API and mikrotik.com

Thu Dec 10, 2009 8:30 pm

In updating a large batch of MikroTik routerboards deployed on private IP space, I would like to automate the update/upgrade process using the API. So far I can do everything EXCEPT obtain the "code", a 128-bit hex string that gets sent along with the old and new software IDs and the old base-64-encoded license key to the MikroTik web site, which then passes back the new, updated license key (also base-64-encoded).

Any idea what information is encoded in the "code" parameter sent to mikrotik.com and how it's encoded? Perhaps the routerboard serial number? Hardware MAC(s)? Maybe the current license level?

Does mikrotik.com perhaps make available a web form wherein someone can enter an existing license and device parameters to obtain the upgraded key? (Instead of doing the web submission that WinBox does passing the two software IDs--old and new--along with the code and old key.)

Thanks in advance! This will make upgrading hundreds of devices a breeze.

Aaron out.
 
normis
MikroTik Support
Posts: 24315
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: License Upgrade using API and mikrotik.com

Mon Dec 14, 2009 9:26 am

There is a security-related reason why you can't do this, we don't want you to (yet). We could think about alternate ways to upgrade SoftID's, but it's not possible now.
 
astounding
Member Candidate
Topic Author
Posts: 121
Joined: Tue Dec 16, 2008 12:17 am

Re: License Upgrade using API and mikrotik.com

Thu Dec 17, 2009 2:16 am

I was worried the code passed to MikroTik's web server might involve proprietary license information.

There are two possible ways this is so. Either 1) the code itself is proprietary and should not be publicly visible (in which case PLEASE make sure the web connection between WinBox and MikroTik is encrypted--it was not on my machine when I was doing license key updates), OR 2) the code is calculated (most likely using MD5 or some other hash) using proprietary information as input.

I hope MikroTik will consider releasing RouterOS 3.31 with an API command and a public URL that can be used by us users to script routerboard license key updates to the new format. Whether the security issue is either #1 or #2, there are secure ways to make the API work.

If #1 (the code needs to be kept secret), it should be as simple as exposing TWO URLs at mikrotik.com, the first would be contacted by a user script to obtain a NONCE (a one-time random bit string), which the user would pass to the API command. The RouterOS box would then generate a random SALT, and using the NONCE and the SALT, create a one-time encryption key to encrypt the code and pass it back to the user, who then passes it to MikroTik via the second URL to obtain the updated license key string. Barring a poor random number generation method on routerboards, this would mean the user-in-the-middle should never be able to decrypt the information.

If #2, things are even easier. Just offload code calculation to RouterOS and expose it via the API instead of doing it in winbox.

Here's hoping for future API-ability!

Thanks for responding to my query.

Aaron out.
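
The two-URL nonce/salt exchange proposed in the post above, sketched as an added example that is not part of the thread and is not MikroTik code. It assumes a per-device secret known only to the router and the vendor (the post does not specify one), uses HMAC-SHA256 both to derive the one-time keys and as the keystream, and every name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-device secret known to the router and the vendor only.
DEVICE_SECRET = secrets.token_bytes(32)   # constructed sample value
CODE = secrets.token_bytes(16)            # stand-in for the 128-bit "code"


def derive(nonce: bytes, salt: bytes, label: bytes) -> bytes:
    """One-time key material bound to this nonce/salt pair."""
    return hmac.new(DEVICE_SECRET, label + nonce + salt, hashlib.sha256).digest()


class Vendor:
    """Hypothetical server side: URL 1 issues nonces, URL 2 redeems blobs."""

    def __init__(self):
        self.pending = set()

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def redeem(self, nonce: bytes, salt: bytes, ct: bytes, tag: bytes) -> bytes:
        if nonce not in self.pending:
            raise ValueError("unknown or already used nonce")
        self.pending.discard(nonce)  # one-time: a replayed blob is refused
        expected = hmac.new(derive(nonce, salt, b"mac"), ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob was modified in transit")
        pad = derive(nonce, salt, b"enc")[:len(ct)]
        return bytes(a ^ b for a, b in zip(ct, pad))


def router_wrap(nonce: bytes, code: bytes):
    """Hypothetical router-side API command: encrypt the code for the vendor."""
    salt = secrets.token_bytes(16)  # fresh per request, sent along in the clear
    pad = derive(nonce, salt, b"enc")[:len(code)]
    ct = bytes(a ^ b for a, b in zip(code, pad))
    tag = hmac.new(derive(nonce, salt, b"mac"), ct, hashlib.sha256).digest()
    return salt, ct, tag
```

The relaying script only ever handles the nonce, salt, ciphertext and tag; the vendor refuses a nonce it has already redeemed and any blob altered in transit.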
