How to generate the Sophos Linux Sensor package repository API token

Prerequisites

SLS is currently available to new and existing Intercept X Advanced for Server with XDR or Intercept X Advanced for Server with MTR customers. Before you proceed, ensure your Sophos Central account has one of the following qualifying product licenses:

  • Intercept X Advanced for Server with XDR
  • Intercept X Advanced for Server with MTR Standard
  • Intercept X Advanced for Server with MTR Advanced

Restriction

SLS is not available with evaluation licenses.

Overview

To generate the Sophos Linux Sensor (SLS) package repository API token, you need to do the following:

  1. Create a service principal
  2. Use the service principal credentials to request a SLS package repository API token

Create a service principal in Sophos Central

Before you can generate a SLS package repository token you will need to create a service principal. A service principal is a set of credentials that can be used to authenticate and call APIs. You need to have the Super Admin role to do this. To create a service principal, do the following:

  1. Sign in to Sophos Central.
  2. Go to Global Settings > Administration > API Credentials Management.
  3. Click Add Credential.
  4. Enter a Credential name.
  5. Select Service Principal Super Admin for the Role.
  6. Click Add.
  7. Copy your Client ID and Client Secret. You need this information in the following section.

    Warning

    For security purposes, the Client Secret cannot be shown again. It is your responsibility to store your client ID and secret securely. If you lose the Client Secret, you must create a new service principal.

Generate a SLS package repository API token

Once you have your service principal API credentials, you can use them to request a SLS package repository access token. To generate a SLS package repository API token, do the following:

  1. From a command line prompt, run the following command, replacing {client-id} with the client_id from the previous step, and {client-secret} with the client_secret from the previous step:

    curl -sS -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id={client-id}&client_secret={client-secret}&scope=token" https://id.sophos.com/api/v2/oauth2/token
    

    A successful API response looks like this example:

    {
    "access_token": "{jwt}",
    "errorCode": "success",
    "expires_in": 3600,
    "message": "OK",
    "refresh_token": "{token}",
    "token_type": "bearer",
    "trackingId": "{uuid}"
    }
    

    Tip

    Note the very long string that makes up the {jwt} value in the API response. You need it for all following API calls.

  2. After you've obtained your access token, you need to find your tenant ID. Run the following command, replacing {jwt} with your access_token from the previous step:

    curl -XGET -H "Authorization: Bearer {jwt}" https://api.central.sophos.com/whoami/v1
    

    A successful API response looks like this example:

    {
        "id": "{tenant-id}",
        "idType": "tenant",
        "apiHosts": {
            "global": "https://api.central.sophos.com",
            "dataRegion": "https://api-us03.central.sophos.com"
        }
    }
    

    Tip

    Note the string that makes up the {tenant-id} value in the API response. You need it for the following API call and after installation.

    You can also find your tenant ID in Sophos Central. Go to Account name > Account Details > Sophos Support and note the unique ID for your Sophos Central account. This is your tenant ID.

  3. Run the following command to get your SLS repository token, replacing {jwt} with your access_token and {tenant-id} with your id from the previous steps:

    curl -sS -XPOST -H "Authorization: Bearer {jwt}" -H "Content-Type: application/json" -H "X-Tenant-ID: {tenant-id}" --data '{"label":"SLS Token","type":"sophosLinuxSensor","expiresAt":"2099-06-15T13:21:54.858Z"}' https://api.central.sophos.com/accounts/v1/access-tokens
    

    Tip

    Both the label and expiresAt values are optional. The label value lets you change the name of the token. The expiresAt value lets you choose when the token expires. See Access Token Management API Guide.

    A successful API response looks like this example:

    {
        "id": "a53ddc6a-4bb4-4781-805e-6cf899db7be7",
        "token": "{LINUX_REPO_API_KEY}",
        "type": "sophosLinuxSensor",
        "label": "SLS Token",
        "createdAt": "2022-07-06T18:30:24.340Z",
        "expiresAt": "2022-12-02T00:00:00.000Z",
        "url": "https://packages.sophos.com",
        "createdBy": {
            "id": "4908bf24-6b32-4e22-b1f2-c032136117a9",
            "type": "service",
            "accountType": "tenant",
            "accountId": "8d2073b6-94f9-435e-af36-5f3c015b4fe6"
        }
    }   
    
  4. Note the {LINUX_REPO_API_KEY} string in the response above. It starts with "SLS-". This is your Sophos Linux Sensor package repository access token. You will need this for installation.

You are now ready to install and update SLS from the Sophos Linux Sensor package repository.
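
The three calls above chained into one POSIX shell script, as an added example that is not part of the Sophos documentation. It passes the client secret and bearer token to curl through a config read from stdin instead of the command line, and checks the "SLS-" prefix before printing the token. The environment variable names SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not Sophos code. SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET are
# hypothetical variable names; values are assumed to contain no '"' or '\'.

# Print the first string value stored under key $1 in the JSON read from stdin.
# Minimal extractor for the flat string fields used here, not a JSON parser.
json_str() {
  tr -d '\n' | grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" | head -n 1 |
    sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"//; s/"$//'
}

# The page states that the repository token starts with "SLS-".
valid_sls_token() {
  case $1 in SLS-?*) return 0 ;; *) return 1 ;; esac
}

# Steps 1-3. Secrets reach curl through a config read from stdin (-K -),
# so they never appear in curl's argument list (visible in ps).
request_sls_token() (
  jwt=$(printf 'data = "grant_type=client_credentials&scope=token"\ndata-urlencode = "client_id=%s"\ndata-urlencode = "client_secret=%s"\n' \
      "$SOPHOS_CLIENT_ID" "$SOPHOS_CLIENT_SECRET" |
    curl -sS -K - https://id.sophos.com/api/v2/oauth2/token | json_str access_token)
  [ -n "$jwt" ] || { echo "no access_token in response" >&2; exit 1; }

  auth=$(printf 'header = "Authorization: Bearer %s"' "$jwt")
  tenant=$(printf '%s\n' "$auth" |
    curl -sS -K - https://api.central.sophos.com/whoami/v1 | json_str id)
  [ -n "$tenant" ] || { echo "no tenant id in response" >&2; exit 1; }

  token=$(printf '%s\nheader = "X-Tenant-ID: %s"\n' "$auth" "$tenant" |
    curl -sS -K - -H "Content-Type: application/json" \
      --data '{"label":"SLS Token","type":"sophosLinuxSensor"}' \
      https://api.central.sophos.com/accounts/v1/access-tokens | json_str token)
  valid_sls_token "$token" || { echo "unexpected token format" >&2; exit 1; }
  printf '%s\n' "$token"
)

# Constructed sample shaped like the step 3 response, for an offline check.
SAMPLE='{ "id": "00000000-0000-0000-0000-000000000000",
  "token": "SLS-constructed-example", "type": "sophosLinuxSensor" }'
valid_sls_token "$(printf '%s' "$SAMPLE" | json_str token)" && echo "sample parses"

# Contact Sophos Central only when credentials are present in the environment.
if [ -n "${SOPHOS_CLIENT_ID:-}" ] && [ -n "${SOPHOS_CLIENT_SECRET:-}" ]; then
  request_sls_token
fi
```

The request body omits expiresAt, which the page lists as optional.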
