Attention : support for WAPT 2.2 ended on March the 3rd 2023.

Please upgrade to the latest supported version

The WAPT Server having been successfully installed, now we will install the WAPT Console.

The WAPT management Console¶

Attention

If you have already generated the WAPT Agent and deployed the Agent on your Administrator’s workstation, then launch the WAPT Console.

Note

Managing WAPT is done mainly via the WAPT Console installed on the Administrator’s workstation.
It is recommended that the Administrator’s computer be joined to the Organization’s Active Directory.
The host name of the Administrator’s workstation MUST NOT be longer than 15 characters. This is a limit of sAMAccountName attribute in Active Directory.
The Administrator’s computer will become critical for WAPT administration and WAPT package testing.
If DNS records are properly configured, you should be able to access the WAPT web interface by visiting https://srvwapt.mydomain.lan.
As of 2024-09-20, the WAPT Console only installs on Windows.

Hint

It is highly recommended to use the Console on a dedicated management host.

Warning

The WAPT Console MUST NOT be installed on your Windows based WAPT Server.

The WAPT Console MUST be installed on the workstation from which you manage your network.

For installing the WAPT Console, download waptsetup.exe from Tranquil IT on the WAPT Server.

Rename the file waptsetup-tis.exe.

Copy to C:\wapt\waptserver\repository\wapt.

You may now go on downloading and launching the installation of the WAPT Console on the Administrator’s computer.

Go to next step, the WAPT Console is already on your WAPT Server.

The WAPT Server interface in a web browser¶

If DNS records are properly configured, you should be able to access the WAPT web interface by visiting: https://srvwapt.mydomain.lan.
Click on WAPTSetup link on the right-hand side of the WAPT Server web page.

Installing the WAPT Agent on the Administrator’s computer¶

Attention

If the WAPT Agent is not compiled and installed on your computer, you need to run de WAPT Agent installer to open and configure the WAPT Console.

Start the executable installer as Local Administrator on the Administrator’s workstation.
Choose the language for the WAPT installer.

Choosing the language for deploying the WAPT installer

Click on OK to go on to the next step.

Accept the licence terms and click on Next to go to next step.
Choose additional configuration tasks (leave the default if not sure).

Choosing the WAPT Agent installer options¶

Available options of the WAPT Agent installer¶
Settings	Description	Default value
Install WAPT service checkbox	Enables the WAPT service on this computer.	Checked
Launch notification icon upon session opening checkbox	Launches the WAPT Agent in systray on host startup.	Not checked
Disable hiberboot, and increase shutdown GPO timeout (recommended) checkbox	Disables Windows fast startup for stability, it increases the timeout for the WAPT Exit utility.	Checked
Install the certificates provided by this installer checkbox	Installs Tranquil IT certificate on this computer.	Not checked
Use a random UUID to identify the computer instead of BIOS checkbox	For more information, check the documentation on BIOS UUID bugs	Not checked

Set up the WAPT Server URL.

Hint

Here, two choices become available to you.

If this is the first installation and the WAPT Agent has not already been built / installed.
- Check Static WAPT Informations and set:
  - WAPT repository URL: http://srvwapt.mydomain.lan/wapt.
  - WAPT Server URL: https://srvwapt.mydomain.lan.

Choosing the WAPT repository and the WAPT Server¶

Choose the WAPT repository and the WAPT Server; click Next.

If the WAPT Console or the WAPT Agent is already installed:
- Check Don’t change current setup, then click Next.

The WAPT repository and the WAPT Server are already set¶

Get a summary of the WAPT Console installation.

Summary of the WAPT installation abstract¶

Click Install to launch the installation, wait for the installation to complete, then click on Finish (leave default options).

Dialog box showing the WAPT installation in progress

Uncheck Show installation documentation.

Starting the WAPT Console¶

Launch the WAPT Console:
- By looking for the binary.
  
  C:\Program Files (x86)\wapt\waptconsole.exe
- Or using the Start Menu.
Launching the WAPT Console from the Windows Start Menu¶
Log into the WAPT Console with the SuperAdmin login and password.

The WAPT Console authentication window¶

If you have any issue logging into the WAPT Console, please refer to the FAQ: Error message when opening the WAPT Console.

It is recommended to launch the WAPT Console with a Local Administrator account to enable local debugging of WAPT packages.

For Enterprise version, it is possible to authenticate with Active Directory.

First start after the WAPT Server installation¶

Hint

On first start, you MUST start the WAPT Console with elevated privileges. Right-click on the WAPT Console binary ‣ Start as Local Administrator.

Certificate affectation¶

Note

A message may appear indicating that no personal certificate has been defined.

WAPT personal certificate not found in the WAPT Console¶

Select Yes

Window for the basic configuration of the WAPT Console¶

Click on New private key and certicate and see create your certificate.

Packet prefix definition¶

Note

A message may appear indicating that no package prefix has been defined.

Dialog box informing that no prefix has been set in the WAPT configuration¶

Select Yes
Set your packages prefix on WAPT packages prefix

waptagent.exe errors¶

Note

A message may appear indicating that your WAPT Agent version is obsolete or not yet present.

Dialog box informing that the WAPT Agent is not present on the WAPT Server¶

If the administrator’s certicate existing, it’s possible to generating new WAPT Agent by clicking on Yes.

Also click on No and generate the administrator’s certicate.

Activating a WAPT licence¶

Note

With WAPT, Discovery and Enterprise versions have different licences.

Hint

To activate the licence, use the licence.lic file provided by our sales department.

In the WAPT Console, click on the ? tab:

More information tab in the WAPT Console

Then choose Licences:

Window listing no subscribed WAPT licences in the WAPT Console¶

Finally, select your licence.lic and click Open:

Window showing an activated licence in the WAPT Console¶

Removing a WAPT licence¶

In the WAPT Console, click on the ? tab:

Then choose Licences:

Finally, select the row and click Remove License:

Confirmation window to remove a licence from the WAPT Console¶

When confirmed, the selected licences are removed:

License location¶

licence.json are stocked on the WAPT Server in the following location:

/var/www/licences.json

/var/www/html/licences.json

C:\wapt\waptserver\repository\licences.json

License error¶

Expired licence¶

If a licence has expired, then its status displays Expired.

Old licence location¶

When installaing the WAPT Console, if licence is located in an old location, this error appear will show:

WAPT licence error message when upgrading WAPT to 2.1¶

Error activating a WAPT licence¶

This error is due to a problem with the post-configuration script and a special configuration of NGINX.

Dialog box informing an error occured while activating a WAPT licence¶

3 points are to be checked.

Check whether /etc/nginx/sites-enabled/wapt.conf is a symbolic link of /etc/nginx/sites-available/wapt.conf, using this command:

ls -l /etc/nginx/sites-enabled/wapt.conf
If the symbolic link exists, the output should be:
lrwxrwxrwx 1 root root 36 Jun  9 09:35 /etc/nginx/sites-enabled/wapt.conf --> /etc/nginx/sites-available/wapt.conf
If the symbolic link does not exist, then remove /etc/nginx/sites-enabled/wapt.conf and create a new symbolic link:
rm /etc/nginx/sites-enabled/wapt.conf

ln -s /etc/nginx/sites-available/wapt.conf /etc/nginx/sites-enabled/wapt.conf

Check whether the file licences.json is present in location section of /etc/nginx/sites-enabled/wapt.conf:

location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json|licences.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }

If the licences.json file exist, then restart Nginx:

systemctl restart nginx

Then, add the licences.json file in location section of /etc/nginx/sites-enabled/wapt.conf and restart NGINX.

systemctl restart nginx

If you get an error, empty /var/www/licences.json:

> /var/www/licences.json
Then, retry activating the WAPT licence.

Generating the Administrator’s certificate for signing WAPT packages¶

Hint

The name of the private key is wapt-private.pem.
The name of the public certificate signed with the private key is wapt-private.crt.

Private key wapt-private.pem¶

Attention

The wapt-private.pem file is fundamental for security. It MUST be stored in a safe place and correctly protected.

The wapt-private.pem file is the private key, it is located by default in the C:\private folder of the Administrator workstation and is password protected.

This private key will be used along with the certificate to sign packages before uploading them onto the WAPT repository.

Danger

The wapt-private.pem file MUST NOT be stored on the WAPT Server.

Public certificate : wapt-private.crt¶

The wapt-private.crt file is the public certificate that is used along with the private key. It is by default created in the C:\private folder of the Administrator, copied and deployed in C:\Program Files (x86)\wapt\ssl on the Windows desktops or in /opt/wapt/ssl on the Linux and MacOS devices managed by the Administrator via a WAPT package, a GPO or an Ansible role.

This certificate is used to validate the signature of packages before installation.

Attention

If the public certificate used on the WAPT Console is not derived from the private key used for generating the WAPT Agents, the WAPT Console will not see the WAPT Agents and you will not be able to perform any action on any WAPT Agent.
The child certificates of private keys are functional for interactions.

Generating a certificate to use with WAPT¶

In the WAPT Console go to Tools ‣ Build certificate.

Note

The WAPT Enterprise version features additional options With WAPT Enterprise, you can create a Master key with a Certificate Authority flag that can both sign packages and sign new certificates.

Hint

In order to create new signed certificates for delegated users, please refer to creating a new certificate.

Creating a self-signed certificate for the WAPT Enterprise version¶

Certificate informations¶
Value	Description	Required
Target key directory	Defines the folder where the private key and the public certificate will be stored.
Key filename	Defines the name of the .pem private key.
Private key password	Defines the password for unlocking the key.
Confirm password	Confirms the password for unlocking the key.
Certificate name	Defines the name of the .crt certificate.
Tag as code signing	Defines whether the certificate/ key pair will be allowed to sign software packages.
Tag as CA certificate	Defines whether the certificate can be used to sign other certificates (main or intermediate Certificate Authority).
Common Name (CN)	Defines the Common Name to register in the certificate.
City	Defines the name of the certificate holder’s city to register in the certificate.
Country (2 chars. E.g : FR)	Defines the name of the certificate holder’s country (FR, EN, ES, DE …) to register in the certificate.
Service	Defines the name of certificate holder’s service or organizational department to register in the certificate.
Organization	Defines the name of the certificate holder’s Organization to register in the certificate.
E-mail address	Defines the email address of the certificate holder to register in the certificate.
Authority Signing Key	Defines the key (.pem) of the CA.
Authority Signing Certificate	Defines the certicate (.crt) of the CA.
Export PKCS12	Forces the creation of the `*.p12` certicate in the Targets keys directory	(recommended)

Additional details are stored in the private key. This information will help with identifying the origin of the certificate and the origin of the WAPT package.

Hint

The password complexity MUST comply with your Organization’s security requirements (visit the ANSSI website for recommendations on passwords).

Danger

The path to your private key MUST NOT be in the installation path of WAPT (C:\Program Files (x86)\wapt).
If your key is stored in C:\Program Files (x86)\wapt, your Administrator’s private key will be deployed on your clients, ABSOLUTELY A NO GO!.
Finally, the wapt-private.pem file MUST NOT be stored on the WAPT Server.

Click on OK to go on to the next step.

If everything has gone well the following message will appear:

Dialog box informing the certificate has been generated successfully¶

Click on OK.

Dialog box requesting confirmation of the copy of the certificate in the ssl folder in the WAPT Console¶

Click on Yes to copy the newly generated certificate in the folder C:\Program Files (x86)\wapt\ssl on Windows or /opt/wapt/ssl on Linux or macOS. This certificate will be picked up during the compilation of the WAPT Agent and deployed on the client computers.

You may go on to the next step and Building the WAPT Agent installer.

Building the WAPT Agent installer¶

The waptagent binary is an InnoSetup installer.

Once the WAPT Console has been installed on the Administrator computer, we have all files required to build the WAPT Agent installer:

Files that will be used during building of the WAPT Agent are located in C:\Program Files (x86)\wapt.
Installer source files (.iss files) are located in C:\Program Files (x86)\wapt\waptsetup.

Hint

Before building the WAPT Agent, please verify the public certificate(s) in C:\Program Files (x86)\wapt\ssl.

If you wish to deploy other public certificates on your Organization’s computers that are equipped with WAPT, you will have to copy them in that folder.

Danger

DO NOT COPY the private key of any Administrator in C:\Program Files (x86)\wapt.

This folder is used when building the WAPT Agent and the private keys would then be deployed on all the computers.

In the WAPT Console, go to Tools ‣ Build WAPT Agent

Generating the WAPT Agent from the WAPT Console¶

Hint

Before building the WAPT Agent, you need to choose how it will identify itself with the WAPT Server.

Choosing the mode to uniquely identify the WAPT Agents¶

In WAPT you can choose the unique identification mode of the WAPT Agents.

When a WAPT Agent registers the WAPT Server MUST know if it is a new host or if it is a host that has already been registered.

For this, the WAPT Server looks at the UUID in the inventory.

WAPT offers 3 modes to help you distinguish between hosts, it is up to you to choose the mode that best suits you.

Attention

After choosing a mode of operation it is difficult to change it, think carefully!

This mode of operation makes it possible to identify the hosts in the WAPT Console in a physical manner.

If you replace a computer and give the new computer the same name as the previous one, you will have two computers that will appear in the WAPT Console since you will have physically two different computers.

Note

Some vendors do inadequate work and assign the same BIOS UUIDs to entire batches of computers. In this case, WAPT will only see one computer!!!

Build¶

In the WAPT Console, go to Tools ‣ Build WAPT Agent

Fill in the informations that are necessary for the installer.

Filling in the informations on your Organization¶

WAPT Agent informations¶
Value	Description	Required	Enterprise
Authorized packages certificates bundle	Defines the folder of trusted certificates.
Include non CA too	Defines whether to include local WAPT certificate.
Main WAPT repository address	Defines the URL of the main WAPT repository.
WAPT Server address	Defines the URL of the WAPT Server.
Verify https server certificate	Defines whether the HTTPS certificate client authentication is activated on the WAPT Server.
Use repository access rules	Defines whether repository access rules are to be used for replicating remote repositories.
Path to the WAPT https Servers CA certificates bundle	Defines the path to the certificates used for HTTPS verification.
Use Kerberos for initial registration	Defines whether Kerberos authentication of the WAPT Agents is to be used with the WAPT Server.
Organization	Defines the name of the Organization to identify the origin of WAPT packages.
Use computer FQDN for UUID	Defines whether FQDNs are to be used for identifying WAPT Agents.
Use random host UUID (for buggy BIOS)	Defines whether random UUIDs are to be used for identifying WAPT Agents.
Always install these packages	Defines whether to automatically install group packages upon WAPT Agent installation.
Enable automatic install of packages based on AD Groups	Enables the installation of profile packages. This feature can degrade the performance of WAPT.
Allow remote reboot	Defines whether to allow remote reboots from the WAPT Console.
Allow remote shutdown	Defines whether to allow remote shutdowns from the WAPT Console.
Manage Windows updates with WAPT \| Disable WAPT WUA \| Don’t set anything	Enables or disables WAPT WUA.
Allow all updates by default unless explicitely forbidden by rules	Defines whether to allow all Windows Updates if not forbidden by WUA rule packages.
Scan / download scheduling	Sets the Windows Update scan periodicity.
Minimum delay before installation (days after publish date)	Sets a deferred installation delay before publication.
Install pending Windows updates at shutdown	Forces updates to install when the host shuts down.
Waptupgrade package maturity	Allows to choose the maturity of the waptupgrade package.

Hint

For more information to Windows update section, refer to this article on configuring WAPTWUA on the WAPT Agent

Danger

The checkbox Use kerberos for the initial registration may be checked ONLY IF you have followed the documentation on Configuring the kerberos authentication.
The checkbox Verify the WAPT Server HTTPS certificate may be checked ONLY IF you have followed the documentation on Activating the verification of the SSL / TLS certificate.

Provide the password for unlocking the private key.

Providing the password for unlocking the private key¶

Progression of WAPT Agent installer building¶

Once the WAPT Agent installer has finished building, a confirmation dialog pops up indicating that the waptagent binary has been successfully uploaded to https://srvwapt.mydomain.lan/wapt/.

Confirmation of the WAPT Agent loading onto WAPT repository¶

Note

A warning shows up indicating that the GPO hash value should be changed. GPOs may be used to deploy the WAPT Agent on your Organization’s computer.

Attention

After building the Agent on your management PC, quit the WAPT Console and install the new WAPT Agent that has been generated on your WAPT management computer.

Initial Configuration¶

It is possible to configure the agent for standard and advanced options via a GUI.

In the WAPT Console, go to Tools ‣ Edit initial configurations

Fill in the informations that are necessary for the configuration

Header¶
Value	Description
Advanced Editing	Use to display the options as in `wapt-get.ini`.
Add certificate	Add the deployed certificate with the configuration.
Load Json	Load a previously created configuration
Refresh Server Configuration	Refreshes the list of available configurations
+	Create a new configuration
-	Delete a configuration

Value	Description	Required	Enterprise
Main WAPT Repository URL	Defines the URL of the main WAPT repository.
WAPT Server URL	Defines the URL of the WAPT Server.
Verify https server certificate	Defines whether the HTTPS certificate client authentication is activated on the WAPT Server.
Path to certificate authority for https servers	Defines the path to the certificates used for HTTPS verification.
Allow remote reboot	Defines whether to allow remote reboots from the WAPT Console.
Allow remote shutdown	Defines whether to allow remote shutdowns from the WAPT Console.
Wake On Lan Relay	Activates the WoL functionality on secondary repositories.
Use computer FQDN for UUID	Defines whether FQDNs are to be used for identifying WAPT Agents.
Always install these packages	Defines whether to automatically install group packages upon WAPT Agent installation.
Use repository rules	Defines whether repositories are replicated.
Use Kerberos	Defines whether Kerberos authentication of the WAPT Agents is to be used with the WAPT Server.
Enable automatic install of packages based on AD Groups	Enables the installation of profile packages. This feature can degrade the performance of WAPT.
Maturities	List of package maturities than can be viewed and installed by WAPT Agent. Default value is `PROD`. Only `DEV`, `PREPROD` and `PROD` values are used by Tranquil IT, however any value can be used to suit your internal processes.
Authentification type	Sets how the self service authentication works. Possible values are: `system`, `waptserver-ldap` or `waptagent-ldap`.
Packages Audit Period	Defines the frequency at which audits are triggered.

Value	Description	Required
Manage Windows updates with WAPT	Enables or disables WAPT WUA.
Allow all updates by default unless explicitely forbidden by rules	Defines whether to allow all Windows Updates if not forbidden by WUA rule packages.
Allowed Severities	Defines a severity list that will be automatically accepted during a WAPT windows update scan. ex: Important, Critical, Moderate.
Download updates from Microsoft Servers	Defines whether updates are downloaded directly from Microsoft servers.
Scan / download scheduling	Defines the Windows Update scan recurrence (Will not do anything if waptwua package rule or `wsusscn2.cab` file have not changed).
Install pending Windows updates at shutdown	Forces updates to install when the host shuts down.
Installation scheduling	Defines the Windows Update install recurrence (Will do nothing if no update is pending).
Minimum delay before installation (days after publish date)	Sets a deferred installation delay before publication.

Attention

These options should only be used on a secondary repository.

Value	Description	Required
Use remote repo	Enables the WAPT Server to serve as a repository.
Remote repository directories	Defines folders to synchronize
Synchronize only when asked	Enable or disable automatic synchronization
Synchronize task period	Sets synchronization periodicity
Local repository time for synchronization start	Sets synchronization start time (HH:MM / 24h format)
Local repository time for synchronization end	Sets synchronization start stop (HH:MM / 24h format)

Column¶
Value	Description
Saved Properties	List of options with the configuration.
Certificate	List of certificate with the configuration.

Footer¶
Value	Description
Save on server	Save the configuration on the server
Export As Json File	Export the configuration in JSON
Close	Close the window

After configuration it is possible to copy commands by right clicking on the configuration

Copy options¶
Value	Description
Copy URL	Gives a download URL to retrieve the .json from the server.
Copy installation command	Gives a command to install the configuration for a WAPT agent.

Note

It is possible to install a blank agent and give it the copied installation command to provide the configuration.