How to generate the Sophos Linux Sensor package repository API token
Prerequisites
SLS is available to new and existing customers with one of the following qualifying product licenses:
- Intercept X Advanced for Server with XDR
- Central Managed Detection and Response Essential Server
- Central Managed Detection and Response Complete Server
Restriction
SLS isn't available with evaluation licenses.
SLS is licensed per device. However, your Sophos Central Devices view and license count won't reflect your SLS instances. You also won't see your SLS devices in Server Protection. This is because SLS can send detection details and alerts to, but isn't managed by, Sophos Central.
Overview
To generate the Sophos Linux Sensor (SLS) package repository API token, you need to do the following:
- Create a service principal
- Use the service principal credentials to request an SLS package repository API token
Create a service principal in Sophos Central
SLS needs API credentials created by a SuperAdmin in a Sophos Central Admin dashboard. You must configure this in a Sophos Central Admin dashboard and not in a Partner or Enterprise dashboard.
Before you can generate an SLS package repository token you will need to create a service principal. A service principal is a set of credentials that can be used to authenticate and call APIs. You need to have the Super Admin role to do this. To create a service principal, do the following:
- Sign in to Sophos Central.
- Go to Global Settings > Administration > API Credentials Management.
- Click Add Credential.
- Enter a Credential name.
- Select Service Principal Super Admin for the Role.
- Click Add.
- Copy your Client ID and Client Secret. You need this information in the following section.
Warning
For security purposes, the Client Secret cannot be shown again. It is your responsibility to store your client ID and secret securely. If you lose the Client Secret, you must create a new service principal.
Generate an SLS package repository API token
Once you have your service principal API credentials, you can use them to request an SLS package repository access token. To generate an SLS package repository API token, do the following:
Note
The following commands work in a Linux command prompt. To run them in Windows, you will need Windows Subsystem for Linux (WSL). See Install Linux on Windows with WSL.
- From a command line prompt, run the following command, replacing {client-id} with the client_id from the previous step, and {client-secret} with the client_secret from the previous step:

      curl -sS -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id={client-id}&client_secret={client-secret}&scope=token" https://id.sophos.com/api/v2/oauth2/token

  A successful API response looks like this example:

      {
        "access_token": "{jwt}",
        "errorCode": "success",
        "expires_in": 3600,
        "message": "OK",
        "refresh_token": "{token}",
        "token_type": "bearer",
        "trackingId": "{uuid}"
      }

  Tip
  Note the very long string that makes up the {jwt} value in the API response. You need it for all following API calls.
- After you've obtained your access token, you need to find your tenant ID. Run the following command, replacing {jwt} with your access_token from the previous step:

      curl -XGET -H "Authorization: Bearer {jwt}" https://api.central.sophos.com/whoami/v1

  A successful API response looks like this example:

      {
        "id": "{tenant-id}",
        "idType": "tenant",
        "apiHosts": {
          "global": "https://api.central.sophos.com",
          "dataRegion": "https://api-us03.central.sophos.com"
        }
      }

  Tip
  Note the string that makes up the {tenant-id} value in the API response. You need it for the following API call and after installation.
  You can also find your tenant ID in Sophos Central. Go to Account name > Support settings and note the unique ID for your Sophos Central account. This is your tenant ID.
- Run the following command to get your SLS repository token, replacing {jwt} with your access_token and {tenant-id} with your id from the previous steps:

      curl -sS -XPOST -H "Authorization: Bearer {jwt}" -H "Content-Type: application/json" -H "X-Tenant-ID: {tenant-id}" --data '{"label":"SLS Token","type":"sophosLinuxSensor","expiresAt":"2099-06-15T13:21:54.858Z"}' https://api.central.sophos.com/accounts/v1/access-tokens

  Note
  The label value lets you change the name of the token. The expiresAt value is optional and lets you choose when the token expires. If you enter a value for expiresAt that exceeds the expiry date of your server license, it's adjusted to match the expiry date of your server license. See Access Token Management API Guide.

  A successful API response looks like this example:

      {
        "id": "{transaction-id}",
        "token": "{LINUX_REPO_API_KEY}",
        "type": "sophosLinuxSensor",
        "label": "SLS Token",
        "createdAt": "2022-07-06T18:30:24.340Z",
        "expiresAt": "2022-12-02T00:00:00.000Z",
        "url": "https://packages.sophos.com",
        "createdBy": {
          "id": "{user-id}",
          "type": "service",
          "accountType": "tenant",
          "accountId": "{tenant-id}"
        }
      }
- Note the {LINUX_REPO_API_KEY} string in the response above. It starts with "SLS-". This is your Sophos Linux Sensor package repository access token. You will need this for installation.
You are now ready to install and update SLS from the Sophos Linux Sensor package repository.
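The three calls above combined into one script, as an added example that is not Sophos's own code: it reads the credentials from environment variables so the Client Secret stays out of shell history and the process list, and it checks each response before using it. The endpoints and field names are those shown in the steps above; the function names and the SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET variable names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"
ACCESS_TOKENS_URL = "https://api.central.sophos.com/accounts/v1/access-tokens"

def http_json(method, url, headers, body=None):
    """Default transport: send one HTTPS request and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def get_sls_repo_token(client_id, client_secret, label="SLS Token",
                       expires_at=None, send=http_json):
    """Run the three calls from the steps above; return (tenant_id, token)."""
    # Step 1: exchange the service principal credentials for a JWT.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "token"}).encode()
    auth = send("POST", TOKEN_URL,
                {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if auth.get("errorCode") != "success" or not auth.get("access_token"):
        raise RuntimeError("token request failed: %s" % auth.get("message"))
    bearer = {"Authorization": "Bearer " + auth["access_token"]}
    # Step 2: look up the tenant ID; the sample response has idType "tenant".
    who = send("GET", WHOAMI_URL, bearer)
    if who.get("idType") != "tenant" or not who.get("id"):
        raise RuntimeError("expected a tenant ID, got idType %r" % who.get("idType"))
    # Step 3: request the repository token; expiresAt is optional.
    payload = {"label": label, "type": "sophosLinuxSensor"}
    if expires_at:
        payload["expiresAt"] = expires_at
    headers = {**bearer, "Content-Type": "application/json",
               "X-Tenant-ID": who["id"]}
    created = send("POST", ACCESS_TOKENS_URL, headers,
                   json.dumps(payload).encode())
    token = created.get("token") or ""
    if created.get("type") != "sophosLinuxSensor" or not token.startswith("SLS-"):
        raise RuntimeError("response did not contain an SLS repository token")
    return who["id"], token

if __name__ == "__main__":
    # Assumed variable names; the secret is never passed on the command line.
    tenant_id, repo_token = get_sls_repo_token(
        os.environ["SOPHOS_CLIENT_ID"], os.environ["SOPHOS_CLIENT_SECRET"])
    print("tenant ID:", tenant_id)
    print("SLS repository token:", repo_token)
```

The `send` parameter exists so the flow can be exercised against canned responses before it is pointed at the live API.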