Attention : support for WAPT 1.8.2 ended on June the 30th 2022.

There are known vulnerabilities in WAPT dependencies in WAPT 1.8.2 branch. Please upgrade to the latest supported version. CVE listing (non exhaustive) :

* python engine : python 2.7 (CVE-2020-10735, CVE-2015-20107, CVE-2022-0391, CVE-2021-23336, CVE-2021-3177, CVE-2020-27619, CVE-2020-26116, CVE-2019-20907, CVE-2020-8492, etc.)
* cryptography : openssl : CVE-2022-2068, CVE-2022-1292, CVE-2022-0778, CVE-2021-4160, CVE-2021-3712, CVE-2021-23841, CVE-2021-23840, CVE-2021-23839, CVE-2020-1971, CVE-2020-1968, CVE-2019-1551
* python dependencies : cryptography (CVE-2020-36242, CVE-2020-25659), eventlet (CVE-2021-21419), jinja2 (CVE-2020-28493), psutil (CVE-2019-18874), waitress (CVE-2022-31015), lxml (CVE-2021-4381, CVE-2021-28957, CVE-2020-27783, CVE-2018-19787), ujson (CVE-2022-31117, CVE-2022-31116, CVE-2021-45958), python-ldap (CVE-2021-46823)

New in version 1.5: Enterprise

Differentiating the role level in WAPT¶

Hint

Feature only available with WAPT Enterprise

Introduction¶

WAPT offers the possibility to differentiate administrator roles based on a PKI to sign packages and actions.

Hint

The following description of roles differentiation is temporary as it will evolve in the near future.

There are three cases:

Private key + certificate types	Key usages
Simple private key + certificate	Allows authentication on WAPT console + interactions with WAPT agents
Developer private key + certificate	Allows authentication on WAPT console + interactions with WAPT agents + package signing
Certificate Authority (CA) private key + certificate	Allows authentication + interactions + package signing + private key issuing

Common WAPT install will generate a CA private key by default, allowing private key issuing for developers and package signing.

It is possible to emit a Certificate Authority for each subsidiaries. It is then possible to issue a personal private key and its corresponding certificate to each IT admins.

By looking at the above schematics, we can deduce the following conclusion:

WAPT agents in HQ can be managed by HQ IT team and cannot be managed by subsidiaries IT teams;
WAPT agents in the subsidiary having both certificates, from HQ and subsidiary, can be managed by local IT team and by HQ IT team;

The usage of an existing PKI is possible, WAPT Console comes with a simple certificate generator.

Generating a new certificate¶

Generating a new self-signed certificate¶

Generating the Certificate Authority (CA)¶

When installing WAPT, you are asked to create a .pem / .crt pair by checking the boxes Certificate CA and Code Signing.

This crt/ pem pair will allow to sign WAPT packages and new certificates.

Generating a new certificate with the Certificate Authority¶

To create a new pem/ crt pair from the private key, click on Create a certificate.

Note

The new certificate will not be a self-signed certificate;

This new certificate will be signed by the AC (the key generated at the time of the first installation of WAPT);

You must then fill in the AC’s certificate and the AC’s key.

When generating the new pem/ crt pair, you have the option to choose whether or not the new certificate will be a Code Signing type.

Hint

For recall, a Code Signing certificate is reserved to individuals with the Administrator role in the context of WAPT and a simple SSL certificate without the Code Signing attribute is reserved to individuals with the role of Package Deployer.

Administrators will be authorized to sign packages that CONTAIN a setup.py executable file (i.e. base packages).

Individuals with the Package Deployer role will be authorized to sign packages that DO NOT CONTAIN setup.py executable file (i.e. host, unit and group packages).

Generating a certificate without the *Code Signing* attribute¶

Keys and certificates that are Not Code Signing may be distributed to individuals in charge of deploying packages on the installed base of WAPT equipped devices.

Another team with certificates having the Code Signing attribute will prepare the WAPT packages that contain applications that will need to be configured according to the Organization’s security guidelines and the user customizations desired by her.

Generating a certificate with the *Code Signing* attribute¶

Generating a new prm/ crt pair will also allow to formally identify the individual who has signed a package by looking up the WAPT package certificate’s CN attribute.

Hint

The new certificates will not be CA Certificates, which means that they will not be authorized to sign other certificates.

As a general rule, there is only one CA Certificate pem / crt pair per Organization.

Deploying certificates of local IT admins on client¶

Some Organisations will choose to let local IT administrators perform actions on WAPT equipped devices by issuing them personnal certificates that will work on the set of devices for which the local IT admins are responsible.

The headquarter IT admins will deploy the certificates of local IT admins on the computers that local admins manage on their respective sites.

This way, local IT admins will not be able to manage computers located in headquarters, but on their own sites only.

You will need to copy the certificates of allowed local IT admins on client in C:\program files(x86)\wapt\ssl.

Hint

Do not forget to restart the WAPT service on clients for them to use their new certificate. Open a command line cmd.exe then:

net stop waptservice
net start waptservice

If you want to deploy the certificates using WAPT, below is an example of a package to deploy certificates on client computers.

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():
  print(ur"Copy of AC's distant site")
  filecopyto('ca_distant.crt',makepath(install_location('WAPT_is1'),'ssl',))

def audit():
  print('Auditing %s' % control.asrequirement())
  return "OK"

if __name__ == '__main__':
  update_package()