The new certificate will not be a self-signed certificate;
This new certificate will be signed by the CA (the key generated at the time of the first installation of WAPT);
You MUST then fill in the Authority Signing Key and the Authority Signing Certificate.
When generating the new pem/ crt pair, you have the option to choose whether or not the new certificate will be a Code Signing type.
Hint
For recall, a Code Signing certificate is reserved to individuals with the Administrator role in the context of WAPT and a simple SSL certificate without the CodeSigning attribute is reserved to individuals with the role of Package Deployer.
Administrators will be authorized to sign packages that CONTAIN a setup.py executable file (i.e. base packages).
Individuals with the Package Deployer role will be authorized to sign packages that DO NOT CONTAINsetup.py executable file (i.e. host, unit and group packages).
Generating a certificate without the Code Signing attribute¶
Keys and certificates that are Not Code Signing may be distributed to individuals in charge of deploying packages on the installed base of WAPT equipped devices.
Another team with certificates having the Code Signing attribute will prepare the WAPT packages that contain applications that will need to be configured according to the security guidelines of the Organization and the user customizations desired by her.
Generating a certificate with the Code Signing attribute¶
Generating a new .pem / .crt pair will also allow to formally identify the individual who has signed a package by looking up the CN attribute of the WAPT package certificate.
Hint
The new certificates will not be CA Certificates, which means that they will not be authorized to sign other certificates.
As a general rule, there is only one CA Certificate pem / crt pair per Organization.
Attention
It is not necessary to deploy child certificates with the WAPT Agent.
Child certificates are used with the WAPT Console to allow or restrict actions.
10.1.2. Deploying certificates of local IT admins on clients¶
Hint
Some Organizations will choose to let local IT administrators perform actions on WAPT equipped devices by issuing them personal certificates that will work on the set of devices for which the local IT admins are responsible.
The headquarter IT admins will deploy the certificates of local IT admins on the computers that local admins manage on their respective sites.
This way, local IT admins will not be able to manage computers located in headquarters, but on their own sites only.
It is possible to manage simply and in a finer way using Access Control Lists with the Enterprise version of WAPT.
You will need to copy the certificates of allowed local IT admins on WAPT clients in C:\programfiles(x86)\wapt\ssl.
Hint
Do not forget to restart the WAPT service on clients for them to use their new certificate.
Open a command line cmd.exe.
The SuperAdmin user of WAPT is authenticated by a password stored in waptserver.ini as a value of the wapt_password attribute.
Others WAPT users may be local users htpasswd_path) or AD account users (ldap_auth_server / ldap_auth_base_dn).
ACLs define actions enabled for all types of users in the WAPT context.
Note
Default ACLs user level are defined by default_ldap_users_acls in waptserver.ini.
The default ACL for a new user is view.
Attention
Security is define by the certificate deployed on clients, not by ACLs.
ACLs simply limit what actions the WAPT Server is allowed to relay from the WAPT Console to the WAPT Agents.
As of |date|, the WAPT Agents do not check ACL rights.
To configure ACLs in WAPT, go to Tools ‣ Manage WAPT users and rights.
Note
On first launch after the WAPT Server installation, only the SuperAdmin account is present in the list of users.
If the SuperAdmin account does not exist or does not have the admin right, then the account is recreated by restarting the WAPT Server service.
The SuperAdmin account is authenticated using the value of wapt_password in the waptserver.ini configuration file.
Two types of account are manageable by ACL, local and Active Directory.
For using local user accounts, you need create a file named waptusers.htpasswd in the same folder on the WAPT Server containing the waptserver.ini file.
If the local user has a password in waptusers.htpasswd, then the username appears in bold and Local User is checked, else change the password for this user.