Attention : support for WAPT 1.8.2 ended on June the 30th 2022.

There are known vulnerabilities in WAPT dependencies in WAPT 1.8.2 branch. Please upgrade to the latest supported version. CVE listing (non exhaustive) :

* python engine : python 2.7 (CVE-2020-10735, CVE-2015-20107, CVE-2022-0391, CVE-2021-23336, CVE-2021-3177, CVE-2020-27619, CVE-2020-26116, CVE-2019-20907, CVE-2020-8492, etc.)
* cryptography : openssl : CVE-2022-2068, CVE-2022-1292, CVE-2022-0778, CVE-2021-4160, CVE-2021-3712, CVE-2021-23841, CVE-2021-23840, CVE-2021-23839, CVE-2020-1971, CVE-2020-1968, CVE-2019-1551
* python dependencies : cryptography (CVE-2020-36242, CVE-2020-25659), eventlet (CVE-2021-21419), jinja2 (CVE-2020-28493), psutil (CVE-2019-18874), waitress (CVE-2022-31015), lxml (CVE-2021-4381, CVE-2021-28957, CVE-2020-27783, CVE-2018-19787), ujson (CVE-2022-31117, CVE-2022-31116, CVE-2021-45958), python-ldap (CVE-2021-46823)

Configuring the WAPT agent¶

The configuration file C:\Program Files(x86)\wapt\wapt-get.ini defines the behavior of the WAPT agent.

The [global] section is required:

[global]

Description of available options for the WAPT agent¶

Note

if repo_url and wapt_server fields are empty, the WAPT agent will look for a repository using SRV records in the dnsdomain zone;
if there is no wapt_server attribute in the [global] section, no WAPT Server will be used;
if there is no repo_url attribute in the [global] section, a repository in the [wapt] section will have to be explicitly defined;
it will have to be enabled by adding it to the repositories attribute to the [global] section;

Description of available options for the WAPT agent¶
Options	Description
`use_hostpackages` = 1	Use host packages (default 1).
`waptupdate_task_period` = 120	Update frequency (120 minutes by default).
`waptupgrade_task_period` = 360	Upgrade frequency (disabled by default)
`waptservice_port` = 8088	WAPT agent loopback port. It is not accessible from the network.
`dbpath` = `C:\Program Files(x86)\wapt\db\waptdb.sqlite`	Path to the local database file.
`loglevel` = warning	Log level of the WAPT agent. Possible values are: `debug`, `info`, `warning`, `critical`.
`maturities` = PROD	List of packages maturities than can be viewed and installed by WAPT Agent. Default value is `PROD`. Any value can be used.
`use_fqdn_as_uuid` = 1	Allows you to use the fqdn name rather than the uuid BIOS as the unique machine identifier in wapt.
`waptaudit_task_period` = 120	Define the frequency where the agent checks if he has audits to perform.
`locales` = en	Allows you to set the list of wapt agent languages to modify the list of packages visible by wapt (for package filtering). You can add multiple language (eg. `locales=fr,en`) in order of preference.
`host_profiles` = tis-firefox,tis-java	Allows you to define a wapt package list that the wapt agent must install.
`language` = en	Force default langauge for GUI (not for package filtering)
`host_organizational_unit_dn` = OU=TOTO,OU=TEST,DC=DEMO,DC=LAN	Allows you to force an Organizational Unit on the WAPT agent. (Convenient to assign a fake OU for out-of-domain PC) Make sure it respects a consistent case (don’t mix “dc”s and “DC”s, for example), which you can find in the console (in the DN/`computer_ad_dn` fields for each machine)
`download_after_update_with_waptupdate_task_period` = True	Define whether a download of pending packages should be started after an update with waptupdate_task_period
`log_to_windows_events` = False	Send the log wapt in the window events
`service_auth_type` = system	How the self service authentication works. Possible values are: `system`, `waptserver-ldap` or `waptagent-ldap`
`uninstall_allowed` = 1	Whether or not it is possible for the user to uninstall applications via the self-service.

WAPT Server configuration attributes¶

These options will set WAPT agent behavior when connecting to WAPT Server.

Description of available options for the WAPT Server¶
Options	Description
`wapt_server` =	WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted. If the attribute is empty, a DNS query will be triggered to find the WAPT Server using the `dnsdomain` attribute for the DNS zone.
`dnsdomain` =	DNS zone on which the DNS SRV `_waptserver._tcp` is searched.
`wapt_server_timeout` = 10	WAPT Server HTTPS connection timeout in seconds
`use_kerberos` = 1	Use Kerberos authentication for initial registration on the WAPT Server.
`verify_cert` = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt	See the documentation on activating the verification of HTTPS certificates
`public_certs_dir` = `C:\Program Files (x86)\wapt\ssl`	Folder of certificates authorized to verify the signature of WAPT packages, by default, `<wapt_base_dir>\\ssl`. Only files in this directory with .crt or .pem extension are taken into account. There may be several X509 certificates in each file. Authorized packages in WAPT are those whose signature may be verified by one of the certificates contained in the PEM files of this directory. Each repository may have its own folder of authorized certificates.

Using several repositories¶

There can be more sections in the wapt-get.ini file to define more repositories:

[wapt]: main repository. Relevent attributes: repo_url, verify_cert, dnsdomain, http_proxy, use_http_proxy_for_repo, timeout. If this section does not exist, parameters are read from the [global] section;
[wapt-template]: external remote repository that will be used in the WAPT console for importing new or updated packages;
[wapt-host]: repository for host packages. If this section does not exist, default locations will be used on the main repository;

More information on that usage can be found in this article on working with multiple public or private repositories.

Note

Active repositories are listed in the repositories attribute of the [global] section.

Description of available options for repositories¶
Options	Description
`repositories` = repo1, repo2	List of enabled repositories, separated by a comma. Each value defines a section of the `wapt-get.ini` file. In each section, it is possible to define `repo_url`, `dnsdomain`, `public_certs_dir`, `http_proxy`.

Note

This parameter can be configured both in the WAPT agent configuration and in the WAPT console configuration file C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

For information on configuring the WAPT console, please refer to this documentation.

Settings for waptexit¶

Description of available options for WAPTexit¶
Options	Description
`allow_cancel_upgrade` = 1	Prevents users from canceling package upgrades on computer shutdown.
`pre_shutdown_timeout` = 180	Timeout for scripts at computer shutdown.
`max_gpo_script_wait` = 180	Timeout for GPO execution at computer shutdown.
`hiberboot_enabled` = 0	Disables Hiberboot on Windows 10 to make waptexit work correctly.

Settings for WAPT Self-Service and Waptservice Authentification¶

Description of available options for the WAPT Self-Service and Waptservice Authentification¶
Options	Description
`waptservice_admin_filter` = True	Apply selfservice package view filtering for Local Administrators.
`service_auth_type` = system	Defines the authentication system of the wapt service, available value are system, waptserver-ldap, waptagent-ldap.
`ldap_auth_ssl_enabled` = False	Useful with waptagent-ldap, defines if the LDAP request must be encrypted.
`verify_cert_ldap` = True	Useful with waptagent-ldap, define whether the certificate should be verified.
`ldap_auth_base_dn` = dc=domain,dc=lan	Useful with waptagent-ldap, defines the base dn for the LDAP request.
`ldap_auth_server` = srvads.domain.lan	Useful with waptagent-ldap, defines the LDAP server to contact.
`waptservice_user` = admin	Forces a user to authenticate on the WAPT service.
`waptservice_password` = 5e884898da	sha256 hashed password when waptservice_user is used (the value NOPASSWORD disables the requirement for a password).

Settings for wapttray¶

Description of available options for the WAPT tray¶
Options	Description
`notify_user` = 0	Prevents `wapttray` from sending notifications (popup).

Proxy settings¶

Description of available options for the WAPT Server¶
Options	Description
`http_proxy` = http://user:pwd@host_fqdn:port	HTTP proxy address
`use_http_proxy_for_repo` = 0	Use the proxy to access the repositories.
`use_http_proxy_for_server` = 0	Use a proxy to access the WAPT Server.
`use_http_proxy_for_templates` = 0	Use a proxy to access package template server.

Settings for creating packages¶

Description of available options for creating WAPT packages¶
Options	Description
`personal_certificate_path` = C:\private\org-coder.crt	Path to the Administrator’s private key.
`default_sources_root` = C:\waptdev	Directory for storing packages in development.
`default_sources_root_host` = C:\waptdev\hosts	Directory for storing host packages in development.
`default_package_prefix` = tis	Default prefix for new or imported packages.
`default_sources_suffix` = wapt	Default prefix for new or imported packages.

Settings for `WAPT Windows Updates`¶

Refer to this article on configuring WAPTWUA on the WAPT agent.

Overriding settings of upload functions¶

It’s possible to override upload commands to define a particular behavior when uploading packages. It’s possible for example to upload packages on several repositories, or via another protocol, etc.

To upload packages on the repository (wapt-get upload-package or build-upload), use:

upload_cmd="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" admin@srvwapt.mydomain.lan /upload %(waptfile)s

To upload host-packages on the repository (upload-package or build-upload of a host package), use:

upload_cmd_host="C:\\Program Files (x86)"\\putty\\pscp -v -l admin %(waptfile)s srvwapt.mydomain.lan:/var/www/wapt-host/

To launch a command after a package upload, use:

after_upload="C:\\Program Files (x86)"\\putty\\plink -v -l admin srvwapt.mydomain.lan "python /var/www/wapt/wapt-scanpackages.py /var/www/%(waptdir)s/"

Configuration of WAPT agents¶

After standard installation, the default configuration is:

[global]
waptupdate_task_period=120
waptserver=https://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
use_hostpackages=1

Making changes in wapt-get.ini and regenerating an agent is not sufficient to push the new configuration.

You can create a WAPT package to push updated wapt-get.ini settings.

The package is available from the Tranquil IT repository: https://store.wapt.fr/wapt/tis-wapt-conf-policy_6_f913e7abc2f223c3e243cc7b7f95caa5.wapt:

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():

  print('Modify max_gpo_script_wait')
  inifile_writestring(WAPT.config_filename,'global','max_gpo_script_wait',180)

  print('Modify Preshutdowntimeout')
  inifile_writestring(WAPT.config_filename,'global','pre_shutdown_timeout',180)

  print('Disable Hyberboot')
  inifile_writestring(WAPT.config_filename,'global','hiberboot_enabled',0)

  print('Disable Notify User')
  inifile_writestring(WAPT.config_filename,'global','notify_user',0)

Configuring the WAPT agent¶

Description of available options for the WAPT agent¶

WAPT Server configuration attributes¶

Using several repositories¶

Settings for waptexit¶

Settings for WAPT Self-Service and Waptservice Authentification¶

Settings for wapttray¶

Proxy settings¶

Settings for creating packages¶

Settings for WAPT Windows Updates¶

Overriding settings of upload functions¶

Configuration of WAPT agents¶

Settings for `WAPT Windows Updates`¶