2.2. Installing WAPT Server on a RedHat based distribution

2.2.1. Setting up the RedHat based WAPT Server

In order to install a fresh RedHat or derivative host (virtual or physical) please refer to official documentation.

Warning

  • Install the server without the graphical user interface.

2.2.1.1. Configuring network parameters

The different parameters presented below are not specific to WAPT; you may adapt them as required for your environment.

Modify the following files in order to get a proper naming (FQDN) and network addressing strategy.

In the following example:

  • the FQDN name is srvwapt.mydomain.lan;

  • the short-name of the WAPT Server is srvwapt;

  • the DNS suffix is mydomain.lan;

  • the IP address is 10.0.0.10/24;

2.2.1.2. Configuring the name of the WAPT Server

Hint

The short name of the WAPT Server MUST not be longer than 15 characters (the limit is due to sAMAccountName restriction in Active Directory).

The name of the WAPT Server MUST be a FQDN, that is to say it has both the WAPT Server name and the DNS suffix.

  • Modify the /etc/hostname file and write the FQDN of the WAPT Server.

# /etc/hostname of the WAPT Server
srvwapt.mydomain.lan
  • Configure the /etc/hosts file, be sure to put both the FQDN and the short name of the WAPT Server.

# /etc/hosts of the waptserver
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.10   srvwapt.mydomain.lan srvwapt

Hint

  • On the line defining the DNS server IP address, be sure to have the IP of the WAPT Server (not 127.0.0.1), then the FQDN, then the short name.

  • Do not change the line with localhost.

2.2.1.3. Configuring the IP address of the WAPT Server

  • Define a static IP address using the nmcli command or nmtui for a semi-graphical interface (Click here for more information about the nmtui command). The name of the file can be different, like enp0s17, ifcfg-eth0 for example.

nmcli con mod enp0s17 ipv4.method manual ipv4.addresses 10.11.7.215/16 ipv4.gateway 10.11.255.254 ipv4.dns 10.11.7.212
  • Apply the network configuration by rebooting the host with a reboot.

reboot
  • If it has not already been done, create the DNS entry for the WAPT Server in the Organization’s Active Directory or DNS server.

  • After having rebooted, configure the system locale in English in order to have non-localized logs for easier searching of common errors.

dnf update && dnf install langpacks-en glibc-all-langpacks -y
localectl set-locale LANG=en_US.utf8
localectl status
  • Check that the host clock is on time and that SELinux and the firewall are enabled.

date
sestatus
systemctl status firewalld
  • Check whether the machine is properly synchronized with NTP server. If it is not synchronized please refer to the OS documentation to configure timedatectl.

timedatectl status
  • Update the distribution and set up the EPEL repository.

dnf update
dnf install epel-release wget sudo -y

The WAPT Server is now ready.

Attention

The upgrade procedure is different from an initial installation. For an upgrade, please refer to the documentation on upgrading the WAPT Server.

2.2.2. Installing the WAPT Server packages

  • Add Tranquil IT’s repository.

cat > /etc/yum.repos.d/wapt.repo <<EOF
[wapt]
name=WAPT Server Repo
baseurl=https://wapt.tranquil.it/redhat9/wapt-2.6/
enabled=1
gpgcheck=1
EOF
  • Retrieve the .gpg key and install the necessary packages.

wget -q -O /tmp/tranquil_it.gpg "https://wapt.tranquil.it/redhat9/RPM-GPG-KEY-TISWAPT-9"; rpm --import /tmp/tranquil_it.gpg
dnf install epel-release -y
dnf module enable nginx:1.22 -y
wget https://wapt.tranquil.it/redhat9/wapt-2.6.0.16613/nginx-mod-http-auth-spnego-1.22.1-5.el9.alma.1.x86_64.rpm
dnf install ./nginx-mod-http-auth-spnego-1.22.1-5.el9.alma.1.x86_64.rpm
dnf install krb5-workstation -y
dnf install msktutil -y
dnf install policycoreutils-python-utils postgresql-server postgresql-contrib -y
dnf install tis-waptserver tis-waptsetup cabextract -y
  • Initialize the PostgreSQL database and activate the services.

sudo /usr/bin/postgresql-setup initdb
sudo systemctl enable postgresql waptserver nginx
sudo systemctl start postgresql

2.2.3. Standard mode post-configuration

Note

For the CSPN security certification mode, please visit this documentation.

Attention

For post-configuration to work properly:

  • The hostname of the WAPT Server MUST be properly configured. To check, use the command echo $(hostname) which MUST return the DNS address that will be used by WAPT Agents on client computers.

  • The DNS resolver MUST be correctly configured.

  • The WAPT Server MUST be able to contact a Domain Controller in write mode for Kerberos authentication mode.

The post-configuration script rewrites the nginx configuration. A backup file is created when running the postconf in the same directory.

This post-configuration script MUST be run as root.

  • Run the script.

/opt/wapt/waptserver/scripts/postconf.sh
  • Click on Yes to run the postconf script.

Do you want to launch post configuration tool?

            < yes >          < no >
  • Choose a password (if not defined) for the SuperAdmin account of the WAPT Server (minimum length is 10 characters).

Please enter the wapt server password (min. 10 characters)

*****************

                < OK >          < Cancel >
  • Confirm the password.

Please enter the server password again:

*****************

                < OK >          < Cancel >
  • Choose the authentication mode for the initial registering of the WAPT Agents:

    • Choice #1: allows to register computers without authentication. The WAPT Server registers all computers that ask to be registered.

    • Choice #2: activates the initial registration based on kerberos (you can activate it later).

    • Choice #3: does not activate the kerberos authentication mechanism for theinitial registering of hosts equipped with WAPT. The WAPT Server will require a login and a password for each host registering with it.

WaptAgent Authentication type?

--------------------------------------------------------------------------
(x) 1 Allow unauthenticated registration
( ) 2 Enable kerberos authentication required for machines registration.
        Registration will ask for password if kerberos not available
( ) 3 Disable kerberos but registration require strong authentication
--------------------------------------------------------------------------
                                        < OK >          < Cancel >

Added in version 2.5: If you are upgrading from WAPT 2.X to 2.5, verify the current configuration of the WAPT Agents and more specifically the verify_cert option. If in your current configuration verify_cert is set to True or a set to a file path (certificate pinning), then choose option #1 below. If in your current configuration verify_cert is set to False, then choose option #2 below.

  • Choose how the WAPT Server will verify the WAPT Agents.

    • Choice #1: for simplicity and better security, we recommend to activate this authentication method. Without a certificate, it is not possible to download WAPT Packages and query some WAPT Server endpoints. This method is recommanded if you are installing WAPT for the first time.

    • Choice #2: if you experiment some problems while upgrading OR if you use a reverse proxy, this method is recommended while upgrading.

WaptAgent client certificate checking

----------------------------------------------------------------------------
(x) 1 Authenticate Agents using https client certificate (recommended)
( ) 2 Don't check https client certificate (legacy)
----------------------------------------------------------------------------
                                        < OK >          < Cancel >
  • If you want to use WAPT for OS Deployment, select Yes.

    • If you have chosen Yes to activate os deployment, the post-configuration will ask whether to use a secure authentication to deploy OS images. It will ask a user / password when you will deploy OS images using WADS.

    • If you have chosen No, Nginx will not enable WADS API endpoints for WAPT Agents.

Do you want to activate os deployment?

        < Yes >        < No >
Would you like to activate secure authentication on wads?

        < Yes >        < No >
  • Still about wads, if you answered Yes to the last two questions, you will be asked a final question:

Would you like to mention subnet ip exempt from wads authentication

        < Yes >        < No >

If you answer Yes here too, you will have to give subnets as a list, for example: 192.168.0.0/24,192.168.1.0/24.

  • Choose if you want to use WAPT WUA for Windows Update.

Do you want to activate WUA?

        < Yes >        < No >

If you choose Yes, Nginx will enable WUA API endpoints for the WAPT Agents.

  • Select Yes to configure Nginx.

Do you want to configure nginx?

        < Yes >        < No >
  • Fill in the FQDN of the WAPT Server.

FQDN for the WAPT Server (eg. wapt.example.com)

---------------------------------------------
wapt.mydomain.lan
---------------------------------------------

            < OK >          < Cancel >
  • Select OK and a self-signed certificate will be generated, this step may take a long time.

Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time
.......................................+...............................+...

Nginx is now configured, select OK to restart Nginx:

The Nginx config is done.
We need to restart Nginx?

              < OK >
  • Select OK to start WAPT Server.

Press OK to start waptserver and wapttasks daemons

             < OK >

The post-configuration is now finished.

Postconfiguration completed.
Please connect to https://wapt.mydomain.lan/ to access the WAPT Server.

                                  < OK >

Added in version 2.5: The access to the WAPT web interface is now password protected.

Finally, the postconf show somes informations about the WAPT Server SSL certificate and the URL to download WaptSetup and install on the WAPT Administrator’s computer.

List of post-configuration script options

Options

Description

-c or --config

Specifies a configuration file path (default: /opt/wapt/conf/waptserver.ini).

-s or --force-https

Configures Nginx so that port 80 is permanently redirected to 443

-q or --quiet

Runs the post-configuration in quiet mode.

-n or --nginx

Runs nginx configuration if the post-configuration is set in quiet mode.

--dhparam-key-size=NUMBER

Defines the size for dhparam key (default: 2048).

-p or --admin-password

Defines the admininistrator password for the WAPT Server if the post-configuration is set in quiet mode.

--server-names=SERVER_NAMES

Defines the WAPT Server name and ip for certificate CN and SubjectAltNames. The separator is a comma (default: fqdn and IP address).

--cspn-toe

Defines settings for CSPN TOE mode (default: False). This enable more strict security default values, and disable all the features that are not included in the TOE of the CSPN certification

2.2.4. CSPN mode post-configuration

Attention

For post-configuration to work properly:

  • The hostname of the WAPT Server MUST be properly configured. To check, use the command echo $(hostname) which MUST return the DNS address that will be used by WAPT Agents on client computers.

  • The DNS resolver MUST be correctly configured.

  • The WAPT Server MUST be able to contact a Domain Controller in write mode.

The post-configuration script rewrites the nginx configuration. A backup file is created when running the postconf in the same directory.

This post-configuration script MUST be run as root.

In secure mode, the WAPT Server installation activates more security features and is less tolerant with misconfigurations.

In this mode:

  • Administrator password length is 20 characters and password complexity is enforced.

  • Administrator and user certificate password length is 20 characters and password complexity is enforced.

  • Kerberos registration and authentication are mandatory.

  • Client-Side Certificate Authentication is mandatory.

  • The SSL certificate verification is mandatory.

  • Various backward compatibility settings are disabled.

  • Functionalities excluded from the CSPN TOE (namely secondary repositories, peercache, WADS and WAPT WUA) are disabled.

  • Waptconsole login on server is restricted to kerb and *admin methods (admin mode can be disabled after initial setup).

  • Session cookies maximum lifetime is 12 hours.

  • Default lifetime for certificates signed by WAPT is 3 years.

  • Run the script with option --cspn-toe.

/opt/wapt/waptserver/scripts/postconf.sh --cspn-toe
  • Click on Yes to run the postconf script.

do you want to launch post configuration tool?

            < yes >          < no >
  • Choose a password (if not defined) for the SuperAdmin account of the WAPT Server. The minimum length is 20 characters with at least 1 upper case characters, 1 lower case characters and 1 punctuation mark.

Please enter the wapt server password (min. 20 characters, punctuation, upper and lower case):

*****************

                < OK >          < Cancel >
  • Confirm the password.

Please enter the server password again:

*****************

                < OK >          < Cancel >
  • Select Yes to configure Nginx.

Do you want to configure nginx?

        < Yes >        < No >
  • Fill in the FQDN of the WAPT Server.

FQDN for the WAPT Server (eg. wapt.example.com)

---------------------------------------------
wapt.mydomain.lan
---------------------------------------------

            < OK >          < Cancel >
  • Enter the Kerberos Realm name.

Enter Kerberos REALM

-------------------------------------------
MYDOMAIN.LAN
-------------------------------------------

            < OK >          < Cancel >
  • Enter a valid Domain Controller name.

Enter a Domain Controller name in write mode

-------------------------------------------
dc1
-------------------------------------------

            < OK >          < Cancel >
  • Enter a username having write privilege on the Active Directory.

Enter a username with administrator privileges

-------------------------------------------
administrator
-------------------------------------------

            < OK >          < Cancel >
  • Enter the username’s password.

Enter administrator password

-------------------------------------------
*****************************
-------------------------------------------

            < OK >          < Cancel >
  • If the credentials are correct, the keytab is generated in /etc/nginx/http-krb5.keytab. The correct ACL are set. Else, you must read the documentation.

  • Restart Nginx.

The Nginx config is done.
We need to restart Nginx?

              < OK >
  • The last step, start waptserver and wapttasks.

Press OK to start
waptserver and wapttasks
daemons

              < OK >

The post-configuration is now finished.

Postconfiguration completed.

                                  < OK >

But in CSPN TOE mode, TOTP is required on admin account.

secure postconf OTP code

secure postconf OTP code

Use your second device (smartphone,YubiKey, etc.) and get the code who will appear in the picture. Put the code in the dedicated field.

Note

If you are having problems with your kerberos system. Check the owner and the right on, the keytab file ( http-krb5.keytab ).

chown root:nginx /etc/nginx/http-krb5.keytab
chmod 640 /etc/nginx/http-krb5.keytab
Listing of post-configuration script options

Options

Description

--force-https or -s

Configures Nginx so that port 80 is permanently redirected to 443.

--cspn-toe

Defines the settings for CSPN TOE mode (default: False).

--server-names=SERVER_NAMES

Defines the server name and ip for certificate CN and altdnsnames. Separator is a comma (default: None).

Warning

In CSPN mode, WADS and WUA will not appear in the WAPT console. However, the Peer Cache and Secondary Repositories features can be enabled, though they should not be activated because it is not assessed in the CSPN target.

Enabling Peer Cache in the WAPT console :

By edit a new agent configuration :

Go to Tools ‣ Edit agent dynamic configurations. Check the option Use Peer Cache.

By use a WAPT configuration package :

Create a package in WAPT PackagesMake package template from setup file → Host agent dynamic configuration. Check the option Use Peer Cache.

Enabling Secondary Repositories in the WAPT console :
For the agent :

By edit a new agent configuration :

Go to Tools ‣ Edit agent dynamic configurations. Check Use repository rules.

By use a WAPT configuration package :

Create a package in WAPT PackagesMake package template from setup file → Host agent dynamic configuration. Check the option Use repository rules.

For Configuring an agent as a secondary repository :

By edit a new agent configuration :

Go to Tools ‣ Edit agent dynamic configurations. Go to the Repo-sync tab and check Synchronize packages and system updates on the agent.

By use a WAPT configuration package :

Create a package in WAPT PackagesMake package template from setup file → Host agent dynamic configuration. Go to the Repo-sync tab and check Synchronize packages and system updates on the agent

Your WAPT Server is now ready. You may go to the documentation on installing the WAPT Console.