Enhancing the security of your WAPT setup¶
By default, all WAPT packages are signed with your private key, which already provides a great level of security. However you can further improve the security of WAPT.
To fully secure your WAPT setup; you will want to do the following:
Enable authenticated registration to filter who is authorized to register the device with the WAPT server.
Enable https certificate verification on the agents and the console to ensure that the WAPT agents and the WAPT console are connecting to the correct WAPT server.
Configure authentication against Active Directory to allow access to the WAPT console only to authorized WAPT admins.
Enable Client-Side Certificate Authentication to only allow authenticated devices to access the WAPT server (Note: it is especially important if you want to expose your WAPT server to the outside in a DMZ).
If you are using the Enterprise version of WAPT and you operate a large fleet with multiple administrators, you may be interested in knowing how to properly configure and apply the ACLs.
Configuring the firewall on the WAPT Server¶
WAPT Server firewall configuration is essential and should be the first step towards achieving better security in WAPT.
As WAPT aims to be secure by design, only a minimal set of open ports is needed on the WAPT Server compared to other solutions.
You will find in the following documentation firewall tips to improve WAPT security.
Configuring the firewall for WAPT Server on Debian / Ubuntu¶
By default on Debian Linux, no firewall rule applies.
Disable ufw and install firewalld instead.
ufw disable
apt update
apt -y install firewalld
Simply apply this firewalld configuration.
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
systemctl restart firewalld
Configuring the firewall for WAPT Server on RedHat / CentOS¶
Simply apply this firewalld configuration.
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
systemctl restart firewalld
Configuring kerberos authentication¶
Note
Without kerberos authentication, you have to either trust initial registration or enter a password for each workstation on initial registration.
For more information, visit the documentation on registering a machine with the WAPT Server and signing inventory updates.
The kerberos authentication will be used only when registering the device.
Installing the kerberos components and configuring krb5.conf file¶
# Debian / Ubuntu
apt install krb5-user msktutil libnginx-mod-http-auth-spnego
# CentOS / RedHat
yum install krb5-workstation msktutil nginx-mod-http-auth-spnego
Note
Registering with kerberos is not available with a WAPT Server running on Windows.
Modify the /etc/krb5.conf
file and replace all the content with the following 4 lines replacing MYDOMAIN.LAN with your Active Directory domain name (i.e. <MYDOMAIN.LAN>).
Attention
default_realm
value must be written with ALL CAPS!!
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = true
dns_lookup_realm=false
Retrieving a service keytab. Use the kinit and klist. You can use an Administrator account or any other account with the delegated right to join a computer to the domain in the proper destination container (by default CN=Computers).
In the shell transcript below, commands are in black and returned text is commented in light gray:
sudo kinit administrator
## Password for administrator@MYDOMAIN.LAN:
## Warning: Your password will expire in 277 days on Mon. 17 sept. 2018 10:51:21 CEST
sudo klist
## Ticket cache: FILE:/tmp/krb5cc_0
## Default principal: administrator@MYDOMAIN.LAN
##
## Valid starting Expires Service principal
## 01/12/2017 16:49:31 02/12/2017 02:49:31 krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
## renew until 02/12/2017 16:49:27
If the authentication request is successful, you can then create your HTTP Keytab with the msktutil command.
Be sure to modify the <DOMAIN_CONTROLER> string with the name of your domain controller (eg: srvads.mydomain.lan).
sudo msktutil --server DOMAIN_CONTROLER --precreate --host $(hostname) -b cn=computers --service HTTP --description "host account for wapt server" --enctypes 24 -N
sudo msktutil --server DOMAIN_CONTROLER --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(hostname) -N
Attention
Be sure to have properly configured your WAPT Server hostname before running these commands;
In order to double check your hostname, you can run echo $(hostname) and it must return the name that will be used by WAPT agent running on client workstations.
Apply the proper access rights to the
http-krb5.keytab
file.
#Debian / Ubuntu
sudo chmod 640 /etc/nginx/http-krb5.keytab
sudo chown root:www-data /etc/nginx/http-krb5.keytab
# CentOS / RedHat
sudo chown root:nginx /etc/nginx/http-krb5.keytab
sudo chmod 640 /etc/nginx/http-krb5.keytab
Post-configuring kerberos for the WAPT server¶
You can now use post-configuration script to configure the WAPT Server to use kerberos.
The post-configuration script will configure Nginx and the WAPT Server to use kerberos authentication.
Hint
This post-configuration script must be run as root.
/opt/wapt/waptserver/scripts/postconf.sh --force-https
Kerberos authentication will now be configured.
Special use cases¶
My WAPT server does not have access to a writeable Active Directory¶
Connect to your Active Directory (Not a RODC).
Create a computer account srvwapt.
Add a SPN on the srvwapt$ account.
setspn -A HTTP/srvwapt.mydomain.lan srvwapt
Create a keytab for this WAPT server.
ktpass -out C:\http-krb5.keytab -princ HTTP/srvwapt.mydomain.lan@MYDOMAIN.LAN rndpass -minpass 64 -crypto all -pType KRB5_NT_PRINCIPAL /mapuser srvwapt$@MYDOMAIN.LAN
Reset SRVWAPT$'s password [y/n]? y
Note
If the address of your WAPT server is different from your active directory domain, replace HTTP/srvwapt.mydomain.lan@MYDOMAIN.LAN with HTTP/srvwapt.othername.com@MYDOMAIN.LAN.
Transfer this file to
/etc/nginx/
(with winscp for example).Apply the proper access rights to the
http-krb5.keytab
file.
# Debian / Ubuntu
sudo chmod 640 /etc/nginx/http-krb5.keytab
sudo chown root:www-data /etc/nginx/http-krb5.keytab
# CentOS / RedHat
sudo chown root:nginx /etc/nginx/http-krb5.keytab
sudo chmod 640 /etc/nginx/http-krb5.keytab
WAPT agents only have access to a RODC domain controller¶
For RODC, add the srvwapt account to the allowed password group for replication.
Remember to preload the password of the WAPT server with the different RODC servers.
You have multiple Active Directory domains with or without relationships¶
If you have multiple Active Directory domains, you must create one keytab
per domain by following the procedure above, ex:
http-krb5-domain1.local.keytab
;http-krb5-domain2.local.keytab
;http-krb5-domain3.local.keytab
.
You will then have to merge all these keytabs
into a unique keytab
:
ktutil
read_kt http-krb5-domain1.local.keytab
read_kt http-krb5-domain2.local.keytab
read_kt http-krb5-domain3.local.keytab
write_kt http-krb5.keytab
Debug problems with the kerberos¶
Attention
The WAPT server address cannot be an IP, Kerberos works well only with DNS.
In your test, the url used must be exactly the same address as the one indicated in
C:\Program Files (x86)\wapt\wapt-get.ini
.
Did you restart nginx correctly?¶
systemctl restart nginx
Check the permissions of the http-krb5.keytab file¶
[root@srvwapt.mydomain.lan]# ls -l /etc/nginx/http-krb5.keytab
-rw-r----- 1 root www-data 921 janv. 4 16:20 /etc/nginx/http-krb5.keytab
Is kerberos mode active on my agent?¶
On the windows machine:
Check in your
C:\Program Files (x86)\wapt\wapt-get.ini
that the use_kerberos value isTrue
.
[global]
use_kerberos=1
If you change the value, don’t forget to restart the WAPT service.
net stop waptservice
net start waptservice
Is Kerberos mode active on my server?¶
On the linux machine:
Check in your
/opt/wapt/conf/waptserver.ini
that the use_kerberos value isTrue
.
[options]
use_kerberos=1
Check in your
/etc/nginx/sites-enabled/wapt.conf
that this configuration is present.
location /add_host_kerberos {
auth_gss on;
auth_gss_keytab /etc/nginx/http-krb5.keytab;
proxy_pass http://127.0.0.1:8080;
}
If one of the two configurations is not present, restart the post-configuration and activate kerberos.
Checking that the keytab file contains the correct url¶
[root@srvwapt.mydomaine.lan]# KRB5_KTNAME=/etc/nginx/http-krb5.keytab klist -k
Keytab name: FILE:/etc/nginx/http-krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
...
3 HTTP/srvwapt.ad.mydomain.lan@AD.MYDOMAIN.LAN
...
Trying to register the host using a system account¶
To switch to a system account you must use the psexe tool from Microsoft: psexe
.
In cmd as an Administrator.
C:\Users\\xxxxxx\\Downloads\\PSTools\\psexec.exe -accepteula -s -i cmd
In the new cmd window, check that you are identified as System.
C:\WINDOWS\\system32>whoami
NT AUTHORITY\System
Run register.
wapt-get register
Trying an authentication with the keytab from your WAPT server¶
On the Linux machine.
[root@srvwapt.ad.tranq ~]# ktutil
ktutil: read_kt /etc/nginx/http-krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 srvwapt$@AD.TRANQUIL.IT
2 3 srvwapt$@AD.TRANQUIL.IT
3 3 srvwapt$@AD.TRANQUIL.IT
4 3 SRVWAPT$@AD.TRANQUIL.IT
5 3 SRVWAPT$@AD.TRANQUIL.IT
6 3 SRVWAPT$@AD.TRANQUIL.IT
7 3 host/srvwapt@AD.TRANQUIL.IT
8 3 host/srvwapt@AD.TRANQUIL.IT
9 3 host/srvwapt@AD.TRANQUIL.IT
10 3 HTTP/srvwapt.ad.tranquil.it@AD.TRANQUIL.IT
11 3 HTTP/srvwapt.ad.tranquil.it@AD.TRANQUIL.IT
12 3 HTTP/srvwapt.ad.tranquil.it@AD.TRANQUIL.IT
ktutil: quit
[root@srvwapt.ad.tranq ~]# kinit -k -t /etc/nginx/http-krb5.keytab srvwapt\$@AD.TRANQUIL.IT
[root@srvwapt.ad.tranq ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: srvwapt$@AD.TRANQUIL.IT
Valid starting Expires Service principal
05/02/2021 19:06:05 06/02/2021 05:06:05 krbtgt/AD.TRANQUIL.IT@AD.TRANQUIL.IT
renew until 06/02/2021 19:06:05
Attempting an authentication with curl¶
On the Linux machine.
[root@srvwapt.ad.tranq ~]# kdestroy
[root@srvwapt.ad.tranq ~]# kinit sfonteneau
Password for sfonteneau@AD.TRANQUIL.IT:
[root@srvwapt.ad.tranq ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sfonteneau@AD.TRANQUIL.IT
Valid starting Expires Service principal
05/02/2021 19:10:42 06/02/2021 05:10:42 krbtgt/AD.TRANQUIL.IT@AD.TRANQUIL.IT
renew until 06/02/2021 19:10:39
root@srvwapt.ad.tranq ~]# curl -v --negotiate -u : https://srvwapt.ad.tranquil.it/add_host_kerberos -k
* Expire in 0 ms for 6 (transfer 0x563dece09f90)
* Uses proxy env variable no_proxy == 'localhost,127.0.01/8,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,ad.tranquil.it'
* Expire in 1 ms for 1 (transfer 0x563dece09f90)
...
* Expire in 0 ms for 1 (transfer 0x563dece09f90)
* Expire in 0 ms for 1 (transfer 0x563dece09f90)
* Trying 192.168.149.37...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x563dece09f90)
* Connected to srvwapt.ad.tranquil.it (192.168.149.37) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1 Server certificate:
* subject: C=FR; ST=PDLL; L=Saint Sebastien sur Loire; O=Tranquil IT Systems; OU=TIS; CN=srvwapt.ad.tranquil.it; name=PKI TIS; emailAddress=technique@tranquil.it
* start date: Aug 3 12:48:03 2017 GMT
* expire date: Aug 1 12:48:03 2027 GMT
* issuer: C=FR; ST=PDLL; L=Saint Sebastien sur Loire; O=Tranquil IT Systems; OU=TIS; CN=Tranquil IT Systems CA; name=PKI TIS; emailAddress=technique@tranquil.it
* SSL certificate verify ok.
> GET /add_host_kerberos HTTP/1.1
> Host: srvwapt.ad.tranquil.it
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Fri, 05 Feb 2021 18:08:38 GMT
< Content-Type: text/html
< Content-Length: 188
< Connection: keep-alive
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm=""
<
* Ignoring the response-body
* Connection #0 to host srvwapt.ad.tranquil.it left intact
* Issue another request to this URL: 'https://srvwapt.ad.tranquil.it/add_host_kerberos'
* Uses proxy env variable no_proxy == 'localhost,127.0.01/8,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,ad.tranquil.it'
* Found bundle for host srvwapt.ad.tranquil.it: 0x563dece07590 [can pipeline]
* Could pipeline, but not asked to!
* Re-using existing connection! (#0) with host srvwapt.ad.tranquil.it
* Connected to srvwapt.ad.tranquil.it (192.168.149.37) port 443 (#0)
* Expire in 0 ms for 6 (transfer 0x563dece09f90)
* Server auth using Negotiate with user ''
> GET /add_host_kerberos HTTP/1.1
> Host: srvwapt.ad.tranquil.it
> Authorization: Negotiate IIGagYGKwYBBQUCoIIGXjCCBlqgDTALBgkqhkiG9xIBAgKiggZHBIIGQ2CCBj8GCSqGSIb3EgECAgEAboIGLjCCBiqgAwIBBaEDAgEOogcDBQAgAAAAo4IFOmGCBTYwggUyoAMCAQWhEBsOQUQuVFJBTlFVSUwuSVSiKTAnoAMCAQOhIDAeGwRIVFRQGxZzcnZ3YXB0LmFkLnRyYW5xdWlsLml0o4IE7DCCBOigAwIBEqEDAgEDooIE2gSCBNac76E6ITct2DXZXMxVNKO5cvgXwU6F9LpnN7Zf6M2AEhvnDAaeD5VOqq/+lGapoxK1hCC62Mnye9zF4SzOEKBDLPD77KJp2xbW227lc5ZF/22wGXn8n6Sw1xndf1brq1mSEUo0TzpFUfY1wNoRDaw7WUNhQK2nbTTeMrsiiPACuQtG82W0VrZJZ+4z1Gq3ZFTLYUrlC010S1T8pNRzCLFRb47Q15B1f7rPAqaZLO/OBq9EQd+i/2Mfp8XWy46gGRtezTk8Dya+SH3henhB+L7G4ew0c3MKxFRkv0nXQ65qPAXWyogbivI/ReekU1anHLnGfDyfeBw2QUM8t2kEEcSBmNKfrQ1U/u1jnlRZJ1o067PiziZsH7w/zGpe7uhOa8a4RKYu1LeJEuU+CKrufulQWKuqdiwIBdq9ApoQqduCbNsE9ihH1srL3RYh9XdQ4Unx51eo49nZQA+c2Aj4JvCafbY/jeRBw6SNYCrfGETN1mXytjLRyVBtJlch7djBGUAYaH1HGNfEVt+VnCW4O9OoqgC0M++u6d7Ci5w494ZseNXnF7RBKr01aVEt0231geGglNvTyXzWJ3IGUOrhBnaTTSLAzai/arutH6c3CzLb+xPMAOUtCIup0M43SR0DC7gJ/xZ3BZyKHF6b3p3tAWiByat2XNMxfMbgjaiv7oLCNEIAga0IgTg5f0nlahTI9323vfIH8aLNNVYVJeFKNGX1ord0YpJ3RLDshNBnoDTPyCKnXcf5nM+tqabshzatuTP6PfFkal6evwZ/QXiFQAezmRut+hfXtoVch8LHC0OIaloDUk1eHlFbAqQ98OaE3SZ8Fx4m8Nw3JgQ0E+zXPt8DJCnNY4YV4j3+9b1093XhsJRyP97qEFazUGFhfg7/PzqFnxSHtikXjCnjtzfuHLePMWn0HKFbL/hEMmAnfZ15JiBgfBi82OXv3rCui+GKT/ZsjUFsgR8tCUJ58/gXBu9J/gY1R46CvWTnl03+2JHQyomm6k0XnAU+s2hX+n/QcKbIjT7ew/f/UuT0J1YV+bQ8MMTpQqbau4f5sVaembIB7hTVyttpfbBEqCOVk39xZ/r8b9CMpmukShPgeJI0x353i7bO9/mBkchFaeyOc45jA7Z4iJ3IHNiWLaWyYLktH/1N9/dXas8/CoZK0UsKjm9+xlkFFSP18CFHijILlIc1sTdMnAil/jwqQl1W2WRnBlt8r/yE56EDR/i8VkCMHT5XsiiMCHm4LldkmDnIo/+GgHTG+3Z78Pkq939rMati/gzd9geYM8aUuYwJpcb53YsjWvJD1gDEHEwS3K1MYxbyy9eiODCOCgvIeKmVPouNrugXs4TX6PJsCQDtzusSWxmZY4820HxmJkNT1lG5ZkktyHGsMjHnBLlSz5Ex01CnxwjVOHmSOrYfJnTzqYP5AF648wHbQ9ArikXg0pBQVQ832ChwR18N3jH5xeUljq3fjGzxA27YD6nTg6SV7hdcDkXmJvjUbIwGjrtfZU/b93cbD4oaOWlbPViBpwLZ+TTCkeGAxo3eBicENHSK81EIJYMBfEWTTsjYPEPsl5BK7IFcqArfEWG6HQDw3bOfYAB1ZJb0zSbhyD/rKnRmtSke/eWIAjYaeHDX0qYMruJCuI2lYofHtFwMEKSB1jCB06ADAgESooHLBIHIDVUTdDas6nA0obxBuM2bQiZ0ZUPhAVGMoTniuCmBXU/mFRAsD029zDjfl0nzeFsPdC4UBERcc8Vh4r3YeZIxUxzn5tXCW4oFypYi5kHAdx6Zd4GkZcEpzAhRF7JwSylerZiCF+fnSIiI5wdDG56PMFf46ZnT0gSnYiqYGWCv7y1pdc3P9VViECBNjpGSc9sn9fZ2HFTGaiuGLl1G8Jyjkymn2cilE0MOBpYuFUXnvyYErT5jajyKOUMexTCS1FxneLNUK6jBlWE=
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 05 Feb 2021 18:08:38 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 38
< Connection: keep-alive
< WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvQoZWpMIm8fS3ZrHmI96KuJ4AnP1ztIwCCXGJy3HuI2+IQ4cccbhf2WLdbxjaf82eOb4MQDZDq8F/x0oFJX6n4DnhPZxrq/RnjwkoTnik7R8MJkKRuvYncBfTGBIHvTJktq6+j9pHqmBDH5D5L8A
< WWW-Authenticate: Basic realm=""
< Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
<
* Closing connection 0
kerberos connection seems to be working
Verifying that you are successfully obtaining a Kerberos ticket¶
Attention
Always execute commands in system account (see previous point)!
klist purge
klist get http/srvwapt.ad.mydomain.lan
You must get (in your language):
C:\Windows\System32>klist get http/srvwapt.ad.mydomain.lan
LogonId est 0:0x13794d
Un ticket pour http/srvwapt.ad.mydomain.lan a été récupéré.
Tickets mis en cache : (2)
#0> Client : sfonteneau @ AD.MYDOMAIN.LAN
Serveur : krbtgt/AD.MYDOMAIN.LAN @ AD.MYDOMAIN.LAN
Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
Indicateurs de tickets 0x40e00000 -> forwardable renewable initial pre_authent
Heure de démarrage : 2/4/2021 15:51:07 (Local)
Heure de fin : 2/5/2021 1:51:07 (Local)
Heure de renouvellement : 2/11/2021 15:51:07 (Local)
Type de clé de session : AES-256-CTS-HMAC-SHA1-96
Indicateurs de cache : 0x1 -> PRIMARY
KDC appelé : srvads.AD.MYDOMAIN.LAN
#1> Client : sfonteneau @ AD.MYDOMAIN.LAN
Serveur : http/srvwapt.AD.MYDOMAIN.LAN @ AD.MYDOMAIN.LAN
Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
Indicateurs de tickets 0x40a80000 -> forwardable renewable pre_authent 0x80000
Heure de démarrage : 2/4/2021 15:51:07 (Local)
Heure de fin : 2/5/2021 1:51:07 (Local)
Heure de renouvellement : 2/11/2021 15:51:07 (Local)
Type de clé de session : AES-256-CTS-HMAC-SHA1-96
Indicateurs de cache : 0
KDC appelé : srvads.AD.MYDOMAIN.LAN
If that does not work, check in your Active Directory that the serviceprincipalname
attribute on the computer account of the WAPT server has this value: HTTP/srvwapt.mydomain.lan
.
Check that it works with Firefox¶
Note
You must first configure Firefox for kerberos authentication.
Type about:config in the URL bar in your Firefox.
Edit
network.negotiate-auth.trusted-uris
, and add the url of the WAPT Server:srvwapt.mydomain.lan
.You can now visit the url: https://srvwapt.mydomain.lan/add_host_kerberos.
If the authentication does not work, then the server will return a 403 error message.
In case of an error on one of the previous checks¶
Delete the machine account from the Active Directory.
Delete the
/etc/nginx/http-krb5.keytab
file.Reboot the host you are testing with and re-run the keytab creation process again.
Note
It is important to restart the machine to purge the kerberos tickets previously obtained by the machine.
To avoid restarting you can also execute the command “klist purge” as SYSTEM.
Activating the verification of the SSL / TLS certificate¶
When running the WAPT Server post-configuration script, the script will generate a self-signed certificate in order to enable HTTPS communications.
The WAPT agent checks the HTTPS server certificate according to the verify_cert
value in section [global]
in C:\Program Files (x86)\wapt\wapt-get.ini
.
Options for |
Working principle of the WAPT agent |
---|---|
|
the WAPT agent will not check the WAPT Server HTTPS certificate. |
|
the WAPT agent will check the WAPT Server HTTPS certificate using the certificate bundle.
|
|
the WAPT agent will check the WAPT Server HTTPS certificate with the certificate bundle.
|
Hint
To quickly and easily enable verification of the HTTPS certificate, you can use the Pinning method.
Pinning the certificate¶
The pinning of certificate consists of verifying the SSL/ TLS certificate with a well defined and restricted bundle.
Hint
This method is the easiest when using a self-signed certificate.
For this, you need to launch the following commands in the Windows cmd.exe shell (with elevated privileges if UAC is active).
If you already have a Windows cmd.exe shell open, close it and open a new shell so to take into account the updated environment variables:
wapt-get enable-check-certificate
net stop waptservice
net start waptservice
Validate the certificate with wapt-get update
When you have executed the update command, make sure that everything has gone well, and if in doubt check Problems when enabling enable-check-certificate.
Attention
If wapt-get enable-check-certificate returns an error, remove the .crt with same name on C:\Program Files (x86)\wapt\sslserver
Note
The command enable-check-certificate downloads the certificate
srvwapt.mydomain.lan.crt
in the folderC:\Program Files (x86)\WAPT\ssl\server
.It then modifies the file
wapt-get.ini
to specify the valueverify_cert
=C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt
.The WAPT agent will now verify certificates using the pinned certificate.
Attention
If you use the certificate pinning method, BE REMINDED to archive the /opt/wapt/waptserver/ssl
folder on your WAPT Server.
The file will have to be restored on your server if you migrate or upgrade your WAPT Server, if you want the WAPT agents to continue to be able to establish trusted HTTPS connections with the WAPT Server.
How to use a commercial certificate or certificates provided by your Organization?¶
If the pinning method does not suit you, you can replace the self-signed certificate generated during the installation of WAPT.
Replace the old certificate with the new one in the folder /opt/wapt/waptserver/ssl/
(Linux) or C:\wapt\waptserver\ssl\
(Windows).
The new key pair must be in PEM encoded Base64 format.
Note
Special case where your certificate has been signed by an internal Certificate Authority
Certificates issued by an internal Certificate Authority must have the complete certificate chain of the Certificate Authority.
You can manually add the certificate chain of the Certificate Authority to the certificate that will be used by Nginx.
Example: echo srvwapt.mydomain.lan.crt ca.crt > cert.pem
For Linux servers it is also necessary to reset the ACLs:
# Debian / Ubuntu chown root:www-data /opt/wapt/waptserver/ssl/*.pem # CentOS / RedHat chown root:nginx /opt/wapt/waptserver/ssl/*.pem
Restart Nginx to take into account the new certificates.
#Centos:
#Debian:
systemctl restart nginx
#Windows:
net stop waptnginx
net start waptnginx
Configuring the WAPT agent¶
For a commercial certificate you can set verify_cert = 1
in wapt-get.ini
.
For a certificate issued by an internal Certificate Authority, you must place the certificate in the C:\Program Files (x86)\wapt\ssl\server\ca.crt
folder and specify the certificate path with verify_cert
in the wapt-get.ini
file of the WAPT agent.
To apply the new configuration to your entire fleet:
Regenerate a WAPT agent with the appropriate settings.
Use a WAPT package to modify
wapt-get.ini
and push the certificate.
Verifying the certificate in the WAPT console¶
When the WAPT console first starts, it reads the content of C:\Program Files (x86)\WAPT\wapt-get.ini
and it builds its configuration file C:\Users\admin\AppData\Local\waptconsole\waptconsole.ini
.
This properly sets the verify_cert
attribute for the HTTPS communication between the WAPT console and the WAPT Server.
Configuring user authentication against Active Directory ¶
By default, the WAPT Server is configured with a single SuperAdmin account whose password is setup during initial post-configuration.
On large and security-minded networks, the SuperAdmin account should not be used since it cannot provide the necessary traceability for administrative actions that are done on the network assets.
It is thus necessary to configure authentication against the Active Directory for the WAPT console users; this will allow to use named accounts for tasks.
Note
Active Directory authentication is used to authenticate access to the inventory via the WAPT Console.
However, all actions on the WAPT equipped remote devices are based on X.509 signatures, so an Administrator will need both an Active Directory login AND a private key whose certificate is recognized by the remote devices that the Administrator manages using WAPT.
Only the SuperAdmin account and the members of the Active Directory security group waptadmins will be allowed to upload packages on the main repository (authentication mode by login and password).
Enabling Active Directory authentication¶
To enable authentication of the WAPT Server with Active Directory, configure the file
waptserver.ini
as follows.
Note
The WAPT Server configuration file on GNU/ Linux and macOS systems is found in /opt/wapt/conf/waptserver.ini
or in /opt/wapt/waptserver/waptserver.ini
.
The WAPT Server configuration file on Windows systems is found in C:\wapt\conf\waptserver.ini
.
#waptserver.ini
wapt_admin_group_dn=CN=waptadmins,OU=groupes,OU=tranquilit,DC=mydomain,DC=lan
ldap_auth_server=srvads.mydomain.lan
ldap_auth_base_dn=DC=mydomain,DC=lan
ldap_auth_ssl_enabled=False
Options / Default value |
Description |
Example |
---|---|---|
|
LDAP DN of Active Directory User Group allowed to connect to WAPT console |
|
|
Defines LDAP authentication server |
|
|
Defines LDAP authentication base DN |
|
|
Sets SSL auth on LDAP connections |
|
Restart waptserver service.
Warning
For Microsoft Active Directory, Microsoft has announced that SimpleBind* authentication on MS-AD without SSL/TLS will be blocked by default from April 2020. If you don’t have a certificate installed, you’ll have to modify a registry key to have authentication working.
Note
By default Samba-AD does not allow SimpleBind authentication without SSL/TLS.
If you do not have a valid certificate you will need to modify the ldap server require strong auth
parameter in /etc/samba/smb.conf
. For more information you may refer to Tranquil IT documentation on https://dev.tranquil.it/samba/en/index.html.
Enabling Single Sign On (SSO) for WAPT onsole and self-service¶
Warning
This configuration is only available for server under Linux : CentOS, Debian or Ubuntu.
You can use Kerberos to authenticate yourself on the waptconsole and the selfservice. This way, users don’t need to enter their password anymore.
Hint
Is not necessery to use Kerberos for agent registering in order to use SSO.
Preparing the server for Kerberos Single Sign On¶
Attention
To enable Kerberos on the WAPT Server with use_kerberos = True
option, please, refer to Configuring kerberos authentication beforehand.
There are 3 ways to configure your WAPT Server for Kerberos and LDAP authentication.
For each of these, you’ll need to modify the waptserver.ini.
The first way is the most insecure.
With theses options, you don’t verify ldap certification nor use a secured port to request server :
ldap_auth_ssl_enabled=False
verify_cert_ldap=False
Indeed, ldap_auth_ssl_enabled=False
won’t try to request Active Directory with LDAPS protocol.
The verify_cert_ldap=False
option is set if you don’t use SSL/TLS support.
Hint
If your Active Directory Server is a Samba-AD, and you have this option in the waptserver.ini :
ldap_auth_ssl_enabled=False
Then Samba Server will refuse connection.
By default Samba-AD does not allow SimpleBind authentication without SSL/TLS.
If you do not have a valid certificate you will need to modify the ldap server require strong auth
parameter in /etc/samba/smb.conf
.
For more information you may refer to Tranquil IT documentation on https://dev.tranquil.it/samba/en/index.html.
The second way more secure but not perfect.
Is to enable authentication ssl but without certification verification :
ldap_auth_ssl_enabled = True
verify_cert_ldap=False
WAPT Server will try to use LDAPS protocol but without Certificate verification to contact Active Directory.
The recommanded way is the most secure.
She use theses options :
ldap_auth_ssl_enabled = True
verify_cert_ldap=True
But to make it work, you’ll have to enable the SSL/TLS support.
Finally, you’ll have to add these options :
ldap_account_service_login = wapt-ldap@ad.tranquil.it
ldap_account_service_password = PASSWORD
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn =dc=mydomain,dc=lan
use_kerberos = True
Then, restart services on the server :
systemctl restart waptserver wapttasks
Note
The ldap_account_service_login
and ldap_account_service_password
require a user account on your Active Directory.
It’s not necessary to have an account with elevated right, just a user as a service account in order to get users group.
Configuring the WAPT agent¶
On the client side, you’ll have to make sure that theses 2 options are set on the wapt-get.ini :
service_auth_type=waptserver-ldap
use_kerberos =1
It is possible to make changes in wapt-get.ini
manually or by deploying a WAPT package with the new configuration settings.
An example package is available from the Tranquil IT repository.
With this configuration, you can launch your WAPT console or your selfservice without prompted password.
Note
The WAPT console will continue to ask you for a login/password : it’s perfectly normal, this way you can use another user than your current user in your Windows session.
Otherwise, you just have to put your login and click on OK
.
Enabling SSL/ TLS support for the LDAP connection to the Active Directory Domain Controller¶
By default, authentication on Active Directory relies on LDAP SSL (default port 636).
SSL/ TLS is not enabled by default on Microsoft Active Directory until a SSL certificate has been configured for the Domain Controller.
Note
The WAPT Server uses the Certificate Authority bundles from the operating system for validating the SSL/ TLS connection to Active Directory.
If the Active Directory certificate is self-signed or has been signed by an internal CA, you will need to add these certificates to the certificate store.
Add a Certificate Authority in the /etc/pki/ca-trust/source/anchors/
and update the CA store.
# Debian / Ubuntu
cp cainterne.crt /usr/local/share/ca-certificates/cainterne.crt
update-ca-certificates
# CentOS / RedHat
cp cainterne.crt /etc/pki/ca-trust/source/anchors/cainterne.crt
update-ca-trust
# Windows
certutil -addstore -f "ROOT" cainterne.crt
Once you have setup LDAP SSL/ TLS on your Active Directory (please refer to Microsoft documentation for that), then you can enable support for SSL/TLS security for AD in
waptserver.ini
.
ldap_auth_ssl_enabled = True
Restart waptserver service.
Configuring Client-Side Certificate Authentication ¶
If your business needs a public WAPT server on Internet, it can be secured with Client-Side Certificate Authentication.
That configuration restricts the visibility of the WAPT Server to registered clients only. It is done by relying on the WAPT agent private key generated during registration. It works as follows:
The WAPT agent sends a CSR to the WAPT server which the WAPT server signs and sends back to WAPT agent.
Using the signed certificate, the agent can access protected parts of the Nginx web server.
Note
We strongly recommend enabling Kerberos or login/password registration in the WAPT server post-configuration.
Warning
All actions are to be carried out on the WAPT server
Enabling Client-Side Certificate Authentication on WAPT Server¶
Warning
For Linux check if the symbolic link in sites-enabled
exists:
cd /etc/nginx/sites-enabled/
find . -maxdepth 1 -type l -ls
The expected result should be:
269091 0 lrwxrwxrwx 1 root root 36 juil. 22 15:51 ./wapt.conf -> /etc/nginx/sites-available/wapt.conf
Otherwise use the following command:
ln -s /etc/nginx/sites-available/wapt.conf ./wapt.conf
To enable the authentication, you need to add those parameters on WAPT server configuration file in the option section:
use_ssl_client_auth = True
Relaunch the post-configuring script .
Hint
Please note that as of 2024-09-20, WAPT does not support CRL, which means that when you delete a machine in the WAPT console, the machine will still have access to the WAPT repository.
Warning
WAPTDeploy cannot use https to retrieve the WAPT agent, you will have to add this section in the file:
server {
listen 80;
listen [::]:80;
server_name _;
location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe)$ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
root "/var/www";
}
return 301 https://$host$request_uri;
}
Deploying certificates of local IT admins on clients¶
Hint
Some Organizations will choose to let local IT administrators perform actions on WAPT equipped devices by issuing them personal certificates that will work on the set of devices for which the local IT admins are responsible.
The headquarter IT admins will deploy the certificates of local IT admins on the computers that local admins manage on their respective sites.
This way, local IT admins will not be able to manage computers located in headquarters, but on their own sites only.
It is possible to manage simply and in a finer way using Access Control Lists with the Enterprise version of WAPT.
You will need to copy the certificates of allowed local IT admins on WAPT clients in C:\program files(x86)\wapt\ssl
.
Hint
Do not forget to restart the WAPT service on clients for them to use their new certificate. Open a command line cmd.exe then:
net stop waptservice && net start waptservice
If you want to deploy the certificates using WAPT, use package templates
Configuring Access Control Lists ¶
Hint
Default admin
user of WAPT are authenticated by password stored in waptserver.ini
as a value of wapt_password
key.
Others WAPT users may be local users (htpasswd_path
) or AD account users (ldap_auth_server
/ ldap_auth_base_dn
).
ACLs define actions enabled for all types of users in the WAPT context.
Note
Default ACLs user level are defined by default_ldap_users_acls
in waptserver.ini
.
The default ACL for a new user is view
.
Attention
Security is define by the certificate deployed on clients, not by ACLs.
ACLs simply limit what actions the server is allowed to relay from the WAPT console to the WAPT agents.
As of |date|, the WAPT agents do not check ACL rights.
To configure ACLs in WAPT, go to
.On first launch after server installation, only the SuperAdmin account is present in the list of users.
Note
If the SuperAdmin account does not exist or does not have the admin right, then the account is recreated by restarting the waptserver service.
The SuperAdmin account is authenticated using the value of wapt_password
in the waptserver.ini
configuration file.
Two types of account are manageable by ACL, local and Active Directory.
Local user account¶
Local users are defined by a .htpasswd file.
WAPT server configuration¶
For using local user accounts, you need create a file named waptusers.htpasswd
in the same folder on the WAPT server containing the waptserver.ini
file.
Create the
waptusers.htpasswd
.On Linux:
touch /opt/wapt/conf/waptusers.htpasswd chown wapt /opt/wapt/conf/waptusers.htpasswd
On Windows:
cd. > C:\wapt\conf\waptusers.htpasswd
On
waptserver.ini
addhtpasswd_path
settings.
htpasswd_path = password file location
Hint
Restart waptserver service
Creating the user account¶
In WAPT Users rights window, click on New account.
It is possible to rename accounts by pressing F2 on the User column.
Save by clicking on Save account.
For setting a password, see Change password point.
For setting rights, see the section on managing ACL rights.
If the local user has a password in waptusers.htpasswd
, then the username appears in bold and Local User is checked, else change the password for this user.
Changing the user password¶
To change the password for the selected account:
Do a
.
Enter the new password.
The local user appears in bold and the Local User is checked.
WAPT users set as Active Directory users¶
To manage WAPT users with your Active Directory, you need to activate Active Directory authentication.
After a first successful login, the AD account will appear automatically in the list of WAPT users.
Blocking local users accounts¶
To unregister local users, do
.The account will be blocked from managing anything in WAPT.
List of rights¶
Many rights and restrictions can be set for each users in the WAPT console.
Right |
Description |
---|---|
Admin |
Same as SuperAdmin, all rights are granted except local user. |
View |
Allows only view information on the WAPT console. |
Register hosts |
Allows to use the Admin credentials to register manually a host with the WAPT server. |
Unregister hosts |
Allows to remove a host from the WAPT console. |
Edit hosts |
Allows to edit the host profile on the WAPT console. |
Edit packages |
Allows to modify base packages on the WAPT console. |
Edit groups |
Allows to modify group packages on the WAPT console. |
Edit self-service |
Allows to modify self-service rules on the WAPT console. |
WUA |
Allows to modify WUA / WSUS rules on the WAPT console. |
Edit unit package |
Allows to modify unit packages on the WAPT console. |
Edit profiles package |
Allows to modify profiles packages on the WAPT console. |
Apply upgrades |
Allows to remotely apply upgrades on her perimeter of hosts, if host is on PENDING status. |
Remote hosts actions |
Allows to make use of Windows Computer Management tool with the WAPT console. |
Edit Reports |
Allows to create new or modify reporting queries. |
Run Reports |
Allows to run existing SQL reports. |
Local user |
Defines a Local User |
Managing rights¶
By default, the SuperAdmin is the CA certificate user.
For other user, it is possible to associate a certificate that has been generated from the WAPT PKI or from another CA.
These certificates may or may not be children of the WAPT Certificate Authority.
Attention
If certificates are not issued from the Certificate Authority:
Updated packages are available only to computers where certificates are deployed.
ACL are valid only on the perimeter of hosts where the certificates are deployed.
Associating a certificate to an user¶
Hint
By default no certificate is set for any user (including SuperAdmin).
The account in the WAPT console appears in italic if no certificate is associated to the user.
To associate a certificate to an user, do
.Then, choose the certificate to associate to the user.
Adding / Removing rights¶
To add or remove rights, select the cell with
and check-it by pressing the spacebar.Hint
It is possible to do a multiple selection by using keyboard shortcuts
and pressing the spacebar.Restricting the perimeter of rights permitted to user¶
It is possible to associate a perimeter to a right given to a user.
View¶
Perimeter |
Description |
---|---|
Deny all |
No view right is allowed (not checked). |
Allow on any perimeter |
View is allowed for all WAPT agents. |
Allow specific perimeters |
View is allowed on the selected perimeter defined as a list of certificates. |
Allow where user certificate is deployed |
View is allowed only on the perimeter where the certificate of the Administrator is deployed. |
Edit group packages¶
Hint
All group packages work on the same principle as described below.
Perimeter |
Description |
---|---|
Deny all packages |
No Edit is allowed for any package (not checked). |
Allow any packages |
Edit Right is allowed for all packages. |
Allow specific packages name |
Edit Right is allowed for selected packages available in list. |