Using the WAPT Console advanced features

This page details the advanced use of the WAPT Console.

Using profile bundles in WAPT (WAPT Enterprise feature only)

Working principle

WAPT Enterprise offers an Active Directory profile bundle functionality.

The profile bundle automates the installation of WAPT packages and configuration packages on hosts based on their membership in Active Directory Computer Security Groups.

The WAPT Agent will report to the WAPT Server the Active Directory groups to which the host belongs.

If a profile package has the same name as an Active Directory group, then the WAPT Agent will automatically install the profile package for the Active Directory group of which the host is a member.

If the host is no longer a member of its Active Directory group, then the matching profile package will be uninstalled.

Profile packages are stored in the web directory https://srvwapt.mydomain.lan/wapt/.

Profile packages are not explicitly assigned to the host (i.e. as dependencies in the host package) but are implicitly taken into account by the WAPT Agent dependency engine during WAPT upgrades.

Note

For performance reasons, this feature is enabled only if the use_ad_groups option is enabled in the wapt-get.ini configuration file of the WAPT Agent.

Important

The Active Directory Computers security groups and sub-groups contain Computers, not Users.

Window showing the Computers group in Active Directory

Warning

Automatically installing software and configurations based on user and user group membership is not implemented with WAPT and such implementation is not desirable. The use case of installing software based on user profile is better served with the differentiated self-service feature that is also available with WAPT Enterprise.

The name of the group MUST be lower case in Active Directory and in the WAPT Console.
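The matching rule described above can be checked before deployment. The following is an added example, not WAPT code: it lints group and profile names for the lower-case requirement and models which profile packages a host's group membership implies. It assumes names must match exactly; the function names and every sample name except hw_laptops are constructed.

```python
# Added illustration of the rules above; this is not WAPT's own code.
# Assumption: a profile applies when its name equals the group name exactly.

def lint_names(ad_groups, profile_packages):
    """Report names that break the lower-case requirement, and near-misses."""
    problems = []
    for kind, names in (("group", ad_groups), ("profile", profile_packages)):
        for name in sorted(names):
            if name != name.lower():
                problems.append((kind, name, "not lower case"))
    # A group and a profile that differ only by case never match each other.
    profiles_by_lower = {p.lower(): p for p in profile_packages}
    for group in sorted(ad_groups):
        profile = profiles_by_lower.get(group.lower())
        if profile is not None and profile != group:
            problems.append(("pair", f"{group}/{profile}", "differ only by case"))
    return problems


def plan_for_host(host_groups, profile_packages, installed_profiles):
    """Return (to_install, to_remove) implied by the host's group membership."""
    wanted = set(host_groups) & set(profile_packages)
    installed = set(installed_profiles)
    # Profiles whose group the host has left are removed, as described above.
    return sorted(wanted - installed), sorted(installed - wanted)


# Constructed sample data (hw_laptops is the example name used on this page).
AD_GROUPS = {"hw_laptops", "SW_Accounting", "site_paris"}
PROFILE_PACKAGES = {"hw_laptops", "sw_accounting", "site_lyon"}

if __name__ == "__main__":
    for problem in lint_names(AD_GROUPS, PROFILE_PACKAGES):
        print(problem)
    # Host used to be in site_lyon; it now belongs to hw_laptops and SW_Accounting.
    print(plan_for_host({"hw_laptops", "SW_Accounting"}, PROFILE_PACKAGES, {"site_lyon"}))
```

In this sample the SW_Accounting group never receives the sw_accounting profile, which is the failure the lower-case requirement is meant to prevent.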

Creating WAPT profile bundles in the WAPT Console

You can create profile bundle WAPT packages by clicking on Make package template from setup file ‣ AD profile.

Creating a WAPT *profile* bundle

Important

Requirements:

  • The profile AD group name and the profile package MUST be all lower case.

Example:

  • AD Security group: hw_laptops;

  • WAPT profile bundle: hw_laptops.

A window opens and you are prompted to choose which WAPT packages are to be included in the newly created profile bundle.

Adding WAPT packages to a *profile* bundle in the WAPT Console

Save the profile bundle and it will be uploaded to the WAPT Server.

Using Organizational Unit packages in WAPT (WAPT Enterprise feature only)

Working principle

WAPT Enterprise offers Organizational Unit package functionality.

Unit packages automate software and configuration installations based on the Active Directory tree. It is a very powerful feature when used properly.

Unit packages are not explicitly assigned to the host (i.e. as dependencies in the host package) but are implicitly taken into account by the WAPT agent dependency engine during the WAPT upgrade.

Note

If the computer is removed from an Organizational Unit, obsolete unit packages are removed.

The WAPT Agent is aware of its position in the Active Directory tree structure, therefore it knows the hierarchy of Organizational Units that concerns it, for example:

DC=ad,DC=mydomain,DC=lan
OU=Paris,DC=ad,DC=mydomain,DC=lan
OU=computers,OU=Paris,DC=ad,DC=mydomain,DC=lan
OU=service1,OU=computers,OU=Paris,DC=ad,DC=mydomain,DC=lan

If a unit package is defined on each Organizational Unit level, the WAPT Agent will automatically download WAPT packages and configurations that are attached to each level. Using inheritance, WAPT will apply WAPT packages and dependencies that are attached to each Organizational Unit.

Creating Organizational Unit packages

You can create unit packages by Right-clicking on an OU ‣ Create or Edit Organizational Unit package.

Menu options applicable to *unit* WAPT packages

A window opens and you are prompted to choose which packages to include in the unit bundle.

Adding WAPT packages to a unit bundle

Save the WAPT package and it will be deployed to all hosts belonging to the selected OU.

When you have a unit bundle, you will see a cube before the OU name in the WAPT Console.

Organizational Unit with a rule set

Actions available with Organizational Units

Menu options applicable to Organizational Units

Menu items for creating or editing Organizational Unit package

  • Create or Edit Organizational Unit package: visit this documentation for more details on creating or editing OU packages.

  • Check updates on all hosts of this OU: uploads the current state of the host to the WAPT Server and forces the WAPT Server to display whether the hosts in the selected OU have pending updates.

  • Apply upgrades on all hosts of the OU: applies waiting WAPT updates and upgrades on all hosts in the OU.

Hint

You may filter how hosts are displayed based on the Active Directory OU they belong to.

Menu option to include hosts in subfolders

Checking the Include hosts in subfolders checkbox also displays the hosts located in subfolders.

Faking Organizational Units for WORKGROUP hosts

It can happen that some specific hosts cannot be joined to an Active Directory domain.

Therefore, these hosts do not show up in the Active Directory Organizational Units in the WAPT Console.

To make all hosts show up in the WAPT Console under the right Organizational Unit, whether they are joined to an AD domain or not, WAPT allows you to specify a fake Organizational Unit in the WAPT Agent configuration file.

The benefits of this very useful trick are:

  • You can manage these hosts with WAPT as if they were joined to the Active Directory.

  • Out-of-domain and workgroup hosts are now showing up in the Active Directory tree view in the WAPT Console.

  • Unit packages become usable on these hosts.

To set up a fake Organizational Unit on hosts, create an empty WAPT package, then use the following code:

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():
  print('Setting Fake Organizational Unit')
  # Replace with the DN of the real OU under which the host should appear.
  fake_ou = "OU=REAL_AD_SUB_OU,OU=REAL_AD_OU,DC=MYDOMAIN,DC=LAN"
  # Write host_organizational_unit_dn into the [global] section of the WAPT Agent configuration file.
  inifile_writestring(WAPT.config_filename,'global','host_organizational_unit_dn',fake_ou)

  print('Reload WAPT configuration')
  WAPT.reload_config_if_updated()

def update_package():
  pass

The host_organizational_unit_dn will then appear as follows in wapt-get.ini:

[global]
host_organizational_unit_dn=OU=REAL_AD_SUB_OU,OU=REAL_AD_OU,DC=MYDOMAIN,DC=LAN

Note

  • Stick to a specific case with your host_organizational_unit_dn (do not mix “dc”s and “DC”s, “ou”s and “OU”s …).

  • Follow the letter case used in the DN/computer_ad_dn fields in the hosts inventory grid.
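Added example, not part of WAPT: a sketch that derives the Organizational Unit levels from which a host inherits unit packages, as in the hierarchy listed under the working principle, and checks a host_organizational_unit_dn value against the letter-case advice in the note above. The function names and the CN=PC-01 host are constructed; a backslash-escaped backslash directly before a comma is not handled.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs on commas that are not preceded by a backslash."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]

def ou_hierarchy(dn):
    """Return the domain root, then each OU level down to the host's own OU."""
    # A leading CN=<host> is not a level: keep only OU= and DC= components.
    rdns = [r for r in split_dn(dn) if r.split("=", 1)[0].upper() in ("OU", "DC")]
    first_dc = next((i for i, r in enumerate(rdns) if r.upper().startswith("DC=")), None)
    if first_dc is None:
        raise ValueError("no DC= component in %r" % dn)
    return [",".join(rdns[i:]) for i in range(first_dc, -1, -1)]

def case_problems(fake_dn, inventory_dns):
    """List letter-case problems in a host_organizational_unit_dn value."""
    problems = []
    keys = {rdn.split("=", 1)[0] for rdn in split_dn(fake_dn)}
    for upper in sorted({k.upper() for k in keys}):
        variants = sorted(k for k in keys if k.upper() == upper)
        if len(variants) > 1:
            problems.append("mixed case: " + "/".join(variants))
    # The value should equal an OU level seen in the inventory, letter for letter.
    known = {level for dn in inventory_dns for level in ou_hierarchy(dn)}
    if fake_dn not in known:
        close = sorted(k for k in known if k.lower() == fake_dn.lower())
        problems.append(("differs only by case from " + close[0]) if close
                        else "no such OU in inventory")
    return problems

# Constructed inventory value (computer_ad_dn style); the OU path is the page's example.
INVENTORY = ["CN=PC-01,OU=service1,OU=computers,OU=Paris,DC=ad,DC=mydomain,DC=lan"]

if __name__ == "__main__":
    for level in ou_hierarchy(INVENTORY[0]):
        print(level)
    print(case_problems("ou=computers,OU=Paris,dc=ad,DC=mydomain,DC=lan", INVENTORY))
```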

Adding plugins in the WAPT Console

To add custom plugins, go to the Tools ‣ Preference ‣ Plugins Tab.

Creating a custom plugin in the WAPT Console

Click Add to add a plugin, then edit the corresponding columns.

Columns of the plugin grid:

  • Name: name that will appear in the menu.

  • Executable: path of the executable that will be executed.

  • Arguments: arguments passed to the executable. All the parameters that are displayed in the grid can be used, like {ip}, {uuid} or {computer_fqdn}. To get the parameter name, you may right-click on the column header, and the name will be displayed in parentheses beside the column name.

Plugins will then appear in the menu:

Creating a custom plugin in the WAPT Console

Re-signing WAPT packages from the WAPT Console

This method for re-signing all host packages is useful when the underlying cryptographic method or library changes, as is the case when upgrading from WAPT 1.8.2 (Python 2.7 based) to WAPT >= 2.0 (Python 3.x based).

Re-signing Host packages

Use the Administrator’s certificate for re-signing packages.

  • Select all hosts.

  • Right-click on the selected hosts.

Host configuration menu list in the WAPT Console

  • Select Re-sign Host packages.

  • Confirm re-signing the selected hosts.

Modal window for confirming re-signing the selection of hosts

  • Then, enter your private key password.

Entering the password for unlocking the private key in the WAPT Console

  • The selected WAPT host packages are now all re-signed using the new cryptographic method required with Python3.

Re-signing other types of WAPT package

  • Open the repositories in your WAPT Console.

Window showing the repositories available on the WAPT Console

  • Select all packages in the repository, then right-click on the selection.

Menu options for repositories

  • Select Re-sign packages.

  • To launch the signature process, click on Re-sign packages.

Window for re-signing WAPT packages

  • After processing, which may take some time, all packages will have been re-signed.

Signature processing has ended successfully

Attention

Signature processing has not ended successfully

If the error Access violation appears, it may mean that the WAPT package is too big.

You can re-sign these packages using the command line.

If it is still not working, you can manually edit the package and visit this procedure for signing large WAPT packages.

Displaying the Certificates trusted by the hosts in the WAPT Console (WAPT Enterprise feature only)

In this tab, you can see the certificates that the host accepts to trust.

Window showing the certificates trusted by the selected host

Displaying host audit data in the WAPT Console (WAPT Enterprise feature only)

You can manage audit output and display the audit result if you activate the option in the View ‣ Display Preferences Tab. Check the Show host audit data tab option to see the Audit Data tab on each client.

Window showing the advanced preferences

To use audits in WAPT packages, visit this page to manage audit_data.

Displaying encrypted data with a certificate in the audit data tab

With the audit function, it is possible to encrypt sensitive data coming from remote hosts; the encrypted sensitive data can then be read with a certificate installed on the WAPT Administrator’s host. This way, the WAPT Server may store sensitive inventory data without the WAPT Server becoming a sensitive asset.

This method is particularly useful for example for securely managing LAPS random passwords in WAPT.

In setup.py, you can use a function to encrypt data with a certificate. If you have the private key matching the certificate that was used to encrypt the data, the data will be decrypted and it will appear in a readable form.

Here is an example of code:

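# -*- coding: utf-8 -*-
import glob

from setuphelpers import *
from waptcrypto import print_encrypted_data

def audit():
  # Placeholder value for the example.
  randompassword = '1234'
  # Encrypt the value for every certificate file (*.crt) matched by glob
  # and print the encrypted result.
  print_encrypted_data(randompassword, glob.glob('*.crt'))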

This code will encrypt the password 1234 with all certificates present on the host that is used to manage WAPT. From the WAPT Console, you will see the encrypted version in the audit_data tab, and you can decipher the data with the private key associated with the public certificate that was used to encrypt the data.

Audit data result showing encrypted and decrypted version

Managing several WAPT Server profiles in the WAPT Console (WAPT Enterprise feature only)

You can connect the WAPT Console to several WAPT Servers.

To do so, go to %localappdata%\waptconsole, copy the waptconsole.ini file and rename it, for example waptconsole2.ini. Modify the new file with the second WAPT Server parameters (e.g. IP / DNS, prefix, etc.).

Then, when you re-open the WAPT Console, you can select one WAPT Server or the other.

Window showing connections with several WAPT Server profiles

Hint

You can have several WAPT Server connection profiles but the WAPT Servers do not communicate among them.