.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. meta::
   :description: Enhancing the security of your WAPT setup
   :keywords: Documentation, Security, WAPT

.. |date| date::

.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
   :scale: 3%
   :alt: WAPT Enterprise feature only

.. _waptserver_ini_file_options:

##################################
WAPT Server Advanced Configuration
##################################

The WAPT Server configuration file on GNU/Linux and macOS systems is found in :file:`/opt/wapt/conf/waptserver.ini` or in :file:`/opt/wapt/waptserver/waptserver.ini`.

The WAPT Server configuration file on Windows is found in :file:`C:\\wapt\\conf\\waptserver.ini`.

.. attention::

   **Modification of these files is reserved for advanced users!!**

***************************************************
Default configurations of waptserver file and nginx
***************************************************

Modify the [options] section of waptserver.ini
==============================================

Several options can be defined in the [options] section.

.. code-block:: ini

   [options]

.. list-table:: Available parameters for the [options] section of :file:`waptserver.ini`
   :header-rows: 1
   :widths: auto
   :align: center

   * - Options (Default Value)
     - Description
     - Example
   * - :code:`agents_folder` (default ``waptagent in wapt repository``)
     - Defines where the WAPT Agents are stored on the WAPT Server.
     - agents_folder = /var/www/wapt/waptagent
   * - :code:`allow_unauthenticated_connect` (default ``None``)
     - Defines whether websocket connections should be authenticated. If :code:`use_kerberos` = ``True``, then :code:`allow_unauthenticated_connect` **MUST BE** set to ``False`` or it will take precedence.
     - allow_unauthenticated_connect = True
   * - :code:`allow_unauthenticated_registration` (default ``False``)
     - Allows the initial registration of the WAPT Agent using a login and password.
     - allow_unauthenticated_registration = True
   * - :code:`allow_unsigned_status_data` (default ``False``)
     - Debug only: allows unsigned status data from the WAPT Agent.
     - allow_unsigned_status_data = True
   * - :code:`application_root` (default ``None``)
     - Defines a custom WAPT Server application root path.
     - application_root = wapt
   * - :code:`authentication_logs` (default ``True``)
     - Enables authentication logs.
     - authentication_logs = False
   * - :code:`auto_create_waptagent_from_config` (default ``False``)
     - Enables automatic configuration when waptsetup is installed.
     - auto_create_waptagent_from_config = True
   * - :code:`client_certificate_lifetime` (default ``3650``)
     - Defines the host certificate lifetime (in days).
     - client_certificate_lifetime = 500
   * - :code:`cleanup_kbs` (default ``True``)
     - Defines whether unused :ref:` Windows KB should be automatically deleted ` from the WAPT Server.
     - cleanup_kbs = False
   * - :code:`clients_read_timeout` (default ``5``)
     - Defines the websocket client timeout (in seconds).
     - clients_read_timeout = 10
   * - :code:`clients_signing_certificate` (default ``None``)
     - Defines the host certificate signing certificate.
     - clients_signing_certificate = C:\\private\\org-coder.crt
   * - :code:`clients_signing_crl_days` (default ``30``)
     - Defines the host certificate signing :abbr:`CRL (Certificate Revocation List)` periodicity (in days).
     - clients_signing_crl_days = 15
   * - :code:`clients_signing_crl` (default ``None``)
     - Defines the host certificate signing CRL path.
     - clients_signing_crl = C:\\private\\org-coder.crt
   * - :code:`clients_signing_crl_url` (default ``None``)
     - Defines the host certificate signing CRL URL.
     - clients_signing_crl_url = https://srvwapt.mydomain.lan/crl
   * - :code:`clients_signing_key` (default ``None``)
     - Defines the host certificate signing key path.
     - clients_signing_key = C:\\private\\org-coder.crt
   * - :code:`client_tasks_timeout` (default ``5``)
     - Defines the maximum allowed delay before WAPT Agent requests time out (in seconds).
     - client_tasks_timeout = 5
   * - :code:`copy_winpe_x64_in_tftp_folder` (default ``False``)
     - If x64, allows you to copy all WinPE from :file:`wads_folder` when WinPE is uploaded.
     - copy_winpe_x64_in_tftp_folder = True
   * - :code:`db_connect_timeout` (default ``3``)
     - Defines the maximum allowed delay before PostgreSQL queries time out (in seconds).
     - db_connect_timeout = 10
   * - :code:`db_host` (default ``None``)
     - Defines the URL of the PostgreSQL server (by default WAPT uses a local Unix socket).
     - db_host = https://wapt.mydomain.lan
   * - :code:`db_max_connections` (default ``90``)
     - Defines the maximum simultaneous connections to the PostgreSQL database.
     - db_max_connections = 100
   * - :code:`db_name` (default ``wapt``)
     - Defines the PostgreSQL database that the WAPT Server connects to.
     - db_name = wapt
   * - :code:`db_password` (default ``None``)
     - Defines the password for authenticating the user on the PostgreSQL database (by default WAPT uses a local Unix socket).
     - db_password = WAPT_DB_PASSWORD
   * - :code:`db_port` (default ``5432``)
     - Defines the port of the PostgreSQL server.
     - db_port = 5432
   * - :code:`db_stale_timeout` (default ``300``)
     - Defines the database stale timeout (in seconds).
     - db_stale_timeout = 500
   * - :code:`db_user` (default ``wapt``)
     - Defines the PostgreSQL user connecting to the database.
     - db_user = wapt
   * - :code:`default_ldap_users_acls` (default ``view``)
     - Defines the default ACL for a new user opening the WAPT Console.
     - default_ldap_users_acls = admin
   * - :code:`download_wsusscn2` (default ``False``)
     - Automatically downloads the :file:`wsusscn2.cab` file.
     - download_wsusscn2 = False
   * - :code:`enable_store` (default ``False``)
     - Enables WAPT Store Webui (**Deprecated**).
     - enable_store = False
   * - :code:`encrypt_host_packages` (default ``False``)
     - Encrypts host packages with the client certificate.
     - encrypt_host_packages = True
   * - :code:`htpasswd_path` (default ``None``)
     - Adds basic authentication to WAPT Server.
     - htpasswd_path = True
   * - :code:`http_proxy` (default ``None``)
     - Defines the proxy server to allow the WAPT Server to recover its :abbr:`CRL (Certificate Revocation List)`.
     - http_proxy = http://srvproxy.mydomain.lan:3128
   * - :code:`known_certificates_folder` (default WAPT :file:`/ssl/` folder)
     - Adds additional known :abbr:`CA (Certificate Authority)` to verify certificates.
     - known_certificates_folder = /opt/wapt/ssl/
   * - :code:`ldap_account_service_login` (default ``None``)
     - Defines the UPN Active Directory user for SSO and/or waptserver-ldap mode for self-service.
     - ldap_account_service_login = wapt-ldap@ad.tranquil.it
   * - :code:`ldap_account_service_password` (default ``None``)
     - Defines the user password for SSO and/or waptserver-ldap mode for self-service.
     - ldap_account_service_password = PASSWORD
   * - :code:`ldap_auth_base_dn` (default ``None``)
     - Defines the LDAP authentication base DN.
     - ldap_auth_base_dn = dc=mydomain,dc=lan
   * - :code:`ldap_auth_server` (default ``None``)
     - Defines the LDAP authentication server.
     - ldap_auth_server = srvads.mydomain.lan
   * - :code:`ldap_nesting_group_support` (default ``True``)
     - Enables the search of nested groups in Active Directory.
     - ldap_nesting_group_support = False
   * - :code:`ldap_primary_group_ad_support` (default ``True``)
     - Enables the search on Active Directory primary group users.
     - ldap_primary_group_ad_support = False
   * - :code:`list_subnet_skip_login_wads` (default ``[]``)
     - Lists subnets without authentication requirement.
     - list_subnet_skip_login_wads = 192.168.0.0/24,192.168.1.0/24
   * - :code:`login_on_wads` (default ``False``)
     - Enables authentication to use WADS (format is ``user:password``).
     - login_on_wads = True
   * - :code:`loglevel` (default ``warning``)
     - Defines the log level. Possible values are: ``debug``, ``info``, ``warning``, ``critical``.
     - loglevel = debug
   * - :code:`max_clients` (default ``4096``)
     - Sets the maximum simultaneous WAPT client connections.
     - max_clients = 2048
   * - :code:`min_password_length` (default ``10``)
     - Sets the minimum :term:`SuperAdmin` password length.
     - min_password_length = 15
   * - :code:`nginx_http` (default ``80``)
     - Defines the Nginx web server **HTTP** port (Windows only).
     - nginx_http = 8080
   * - :code:`nginx_https` (default ``443``)
     - Defines the Nginx web server **HTTPS** port (Windows only).
     - nginx_https = 44380
   * - :code:`optimized_authentication_logs` (default ``True``)
     - If one of the following options is set, it will not be logged: ``waptagent_version``, ``host_tasks_status``, ``get_ad_groups``, ``get_ad_sites``, ``get_ad_ou_split``, ``host_data``, ``get_hosts``, ``audit_data``, ``wsus.windows_updates``, ``wsus.windows_products``, ``wsus.windows_updates_classifications``, ``packages_for_hosts``, ``enterprise.reporting_exec``, ``known_packages``, ``repositories.get_all_agentrepos``, ``repositories.get_sync_version``, ``repositories.get_all_rules``, ``get_all_users_acls``, ``known_signers_certificates``, ``enterprise.reporting_list``, ``usage_statistics``, ``repositories.get_createupdatefilesync``, ``repositories.get_sync_changelog``, ``licences``
     - optimized_authentication_logs = False
   * - :code:`remote_repo_update_delay` (default ``1``)
     - Defines the periodicity at which the WAPT Server verifies the synchronization status of remote repositories (in minutes).
     - remote_repo_update_delay = 5
   * - :code:`remote_repo_websockets` (default ``True``)
     - Enables websocket communication with WAPT Agents configured as remote repositories.
     - remote_repo_websockets = False
   * - :code:`secret_key` (default ``None``)
     - Defines the random string for initializing the Python Flask application server. The string is generated when first installing the WAPT Server and is unique for every WAPT Server.
     - secret_key = FKjfzjfkF687fjrkeznfkj7678jknk78687
   * - :code:`server_uuid` (default ``None``)
     - Defines the WAPT Server :term:`UUID` (this anonymous id is used for WAPT statistics).
     - server_uuid = 76efezfa6-b309-1fez5-92cd-8ea48fc122dc
   * - :code:`session_lifetime` (default ``126060``)
     - Defines the maximum allowed time the session is opened (in seconds).
     - session_lifetime = 352120
   * - :code:`signature_clockskew` (default ``300``)
     - Defines the maximum allowed time difference for the websockets (in seconds).
     - signature_clockskew = 72000
   * - :code:`token_lifetime` (default ``43200``)
     - Defines the authentication token lifetime (in seconds).
     - token_lifetime = 43200
   * - :code:`trusted_signers_certificates_folder` (default ``None``)
     - Defines the path to the trusted signers certificate directory.
     - trusted_signers_certificates_folder = C:\\private\\org-coder.crt
   * - :code:`trusted_users_certificates_folder` (default ``None``)
     - Defines the path to the trusted users CA certificate directory.
     - trusted_users_certificates_folder = C:\\private\\org-coder.crt
   * - :code:`use_kerberos` (default ``False``)
     - Enables a WAPT Agent to register using its Kerberos account. If :code:`use_kerberos` = ``True``, then :code:`allow_unauthenticated_connect` **MUST BE** set to ``False`` or it will take precedence.
     - use_kerberos = True
   * - :code:`use_ssl_client_auth` (default ``False``)
     - Enables :ref:`client certificate authentication `.
     - use_ssl_client_auth = True
   * - :code:`wads_enable` (default ``False``)
     - Enables the WADS feature and enables :program:`wapttftpserver`.
     - wads_enable = True
   * - :code:`wads_folder` (default ``wads folder in wapt repository``)
     - Defines the folder on the WAPT Server that stores files related to WADS.
     - wads_folder = /var/www/waptwads
   * - :code:`wapt_admin_group_dn` (default ``None``)
     - Defines the LDAP DN of the Active Directory User Group allowed to connect to the WAPT Console.
     - wapt_admin_group_dn = CN=waptadmins,OU=groups,DC=ad,DC=mydomain,DC=lan
   * - :code:`wapt_admin_group` (default ``None``)
     - Defines the sAMAccountName of the Active Directory User Group(s) allowed to connect to the WAPT Console. The value can be several groups, separated by commas.
     - wapt_admin_group = waptadmins, wapttechs
   * - :code:`wapt_folder` (default :file:`/var/www/wapt` or :file:`/var/www/html/wapt` or :file:`root_dir/waptserver/repository/wapt`)
     - Defines the directory path of the WAPT repository.
     - wapt_folder = /var/www/wapt
   * - :code:`wapt_huey_db` (default ``None``)
     - Defines the path to the database that stores the status of running tasks.
     - wapt_huey_db = C:\\Program Files(x86)\\wapt\\db\\waptservertasks.sqlite
   * - :code:`wapt_password` (default ``None``)
     - Defines the :term:`SuperAdmin` password for connecting to the WAPT Console.
     - wapt_password = 46642dd2b1dfezfezgfezgadf0ezgeezgezf53d
   * - :code:`waptserver_port` (default ``8080``)
     - Defines the WAPT Server Python service port.
     - waptserver_port = 1313
   * - :code:`wapt_user` (default ``admin``)
     - Defines the :term:`SuperAdmin` username in the WAPT Console.
     - wapt_user = wapt_admin
   * - :code:`waptwua_folder` (default wapt_folder + 'wua')
     - Defines the location of the WAPT WUA folder.
     - waptwua_folder = /var/www/waptwua
   * - :code:`wol_port` (default ``7,9``)
     - Defines the list of WakeOnLAN UDP ports to send magic packets to.
     - wol_port = 9, 123, 4000
   * - :code:`wapt_bind_interface` (default ``127.0.0.1``)
     - Defines how to listen to the WAPT Server service.
     - wapt_bind_interface = 127.0.0.1
   * - :code:`ipxe_script_jinja_path` (default ``/opt/wapt/waptserver/templates/ipxe-default.j2``)
     - Defines the location of the Jinja template used for the WADS ipxe script.
     - ipxe_script_jinja_path = /opt/wapt/waptserver/templates/ipxe-autoregister.j2

.. _config_nginx:

Configuring Nginx
=================

The default Nginx configuration is as follows:

.. code-block:: nginx

   # uwsgi upstream server
   upstream waptserver {
       server unix:///run/waptserver/uwsgi.sock;
   }

   log_format combined_ssl '$remote_addr $ssl_client_s_dn $ssl_client_verify $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent"';

   server {
       listen 80;
       listen [::]:80;
       listen 443 ssl;
       listen [::]:443 ssl;
       server_name srvwapt.mydomain.lan;
       server_name 192.168.100.12;

       access_log "/var/log/nginx/access.log" combined_ssl;

       ssl_certificate "/opt/wapt/waptserver/ssl/cert.pem";
       ssl_certificate_key "/opt/wapt/waptserver/ssl/key.pem";
       ssl_protocols TLSv1.2;
       ssl_dhparam "/etc/ssl/certs/dhparam.pem";
       ssl_prefer_server_ciphers on;
       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
       ssl_stapling on;
       ssl_stapling_verify on;
       ssl_session_cache none;
       ssl_session_tickets off;

       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       add_header Strict-Transport-Security "max-age=63072000" always;

       ssl_client_certificate "/opt/wapt/conf/ca-srvwapt.mydomain.lan.crt";
       ssl_crl "/opt/wapt/conf/ca-check-clients.crl";
       ssl_verify_client optional;

       gzip_min_length 1000;
       gzip_buffers 4 8k;
       gzip_http_version 1.0;
       gzip_disable "msie6";
       gzip_types text/plain text/css application/json;
       gzip_vary on;

       index index.html;
       server_tokens off;
       client_max_body_size 12288m;
       client_body_timeout 1800;
       large_client_header_buffers 4 16k;
       proxy_headers_hash_max_size 1024;
       proxy_headers_hash_bucket_size 128;
       proxy_request_buffering off;

       location ^~ /.well-known/acme-challenge/ {
           default_type "text/plain";
           root /var/www/html;
       }

       # sub instances
       include "/opt/wapt/conf/wapt.d/*.conf";

       location /static {
           alias "/opt/wapt/waptserver/static";
       }

       location /ssl {
           alias "/var/www/ssl";
       }

       # not protected URL
       location ~ ^/(wapt/waptsetup.*\.exe|wapt/ping|wapt/waptagent/.*|wapt/waptagent\.exe|wapt/waptdeploy\.exe|wapt/conf\.d/.*\.json)$ {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           root "/var/www";
       }

       location ~ ^/api/v3/(wads_register_host|set_host_wads_status|baseipxe|get_host_ipxe|get_wads_exe.*|get_wads_config)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
       }

       # not protected URL
       location /wads {
           alias "/var/www/wads";
       }

       location = / {
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           proxy_pass http://127.0.0.1:8080;
       }

       # SSL protected URL
       location /waptwua {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           alias "/var/www/waptwua";
       }

       # SSL protected URL
       location ~ ^/(wapt/.*|wapt-diff-repos/.*|licences\.json|sync\.json)$ {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           root "/var/www";
       }

       location /rules.json {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           root "/var/www";
       }

       # we don't want to expose our list of computers in case someone scans this folder.
       location /wapt-host/Packages {
           return 403;
       }

       location ~ ^/(wapt-host/.*)$ {
           log_not_found off;
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           root "/var/www";
       }

       location ~ ^/.*_kerberos$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           auth_gss on;
           auth_gss_format_full on;
           auth_gss_keytab /etc/nginx/http-krb5.keytab;
           proxy_pass http://127.0.0.1:8080;
       }

       # we need socketio for these actions.
       # they are enabled only locally on the loopback
       location ~ ^/api/v3/(update_hosts_sid_table|hosts_sid)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
           allow 127.0.0.1;
           deny all;
       }

       # we need socketio for these actions
       location ~ ^/api/v3/(update_hosts_sid_table|trigger_host_action|reset_hosts_sid|host_tasks_status|trigger_cancel_task|hosts_delete|launch_sync_on_remotes_repos|broadcast_sync_on_remotes_repo)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
       }

       location /get_websocket_auth_token {
           return 404;
       }

       # these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
       # in case uwsgi is enabled, we want this to still be handled by eventlet waptserver as these endpoints are not cpu intensive but often called
       location ~ ^/(ping)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
       }

       # these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
       location ~ ^/(login|api/v3/login|api/v3/logout|api/v3/get_hash_json_content|api/v3/waptagent_version|add_host|api/v3/add_host|api/v3/get_waptagent_exe/.*/waptagent.exe)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           include /opt/wapt/conf/uwsgi_params;
           uwsgi_pass waptserver;
       }

       location / {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           include /opt/wapt/conf/uwsgi_params;
           uwsgi_pass waptserver;
       }

       location /socket.io {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
           proxy_pass http://127.0.0.1:8080/socket.io;
       }
   }

.. _configuring_WAPT_for_large_deployment:

*************************************************
Configuring WAPT Server for large infrastructures
*************************************************

The default operating system, Nginx and PostgreSQL settings are adapted for around 400 WAPT Agents. If you have more than 400 clients, it is necessary to modify a few system level parameters along with the PostgreSQL database, the Nginx web server and the WAPT Server Python server.

In the future, the :program:`postconf.sh` script might take charge of this configuration depending on the expected number of client computers.

With the following parameters, one WAPT Server should scale up to around 5000 concurrent active clients. You may have more clients in the database if they are not all running at the same time. If you have more than 5000 clients, it is recommended to have more than one WAPT Server.

The limit in the number of end point clients is due to the bottleneck in the Python code and the PostgreSQL backend. WAPT performance gets better with time and in the future WAPT Server might support a large base on a single host.
However, the Nginx part scales very well and it can take full advantage of a 10Gbps connection for high load package deployments.

.. note::

   **The parameters to be modified below are linked together and should be modified globally and not individually**.

Multithreading support with uWSGI
=================================

To enable multithreading with uWSGI, you can add the following parameter in section [options] of :file:`/opt/wapt/conf/waptserver.ini`:

.. code-block:: ini

   use_uwsgi = True

You must run :file:`/opt/wapt/waptserver/scripts/postconf.sh` after this modification.

Configuring Nginx
=================

.. list-table:: :file:`nginx.conf` configuration file location
   :header-rows: 1
   :widths: auto
   :align: center

   * - OS Type
     - File location
   * - Debian and derivatives
     - :file:`/etc/nginx/nginx.conf`
   * - RedHat and derivatives
     - :file:`/etc/nginx/nginx.conf`
   * - Windows
     - :file:`C:\\wapt\\waptserver\\nginx\\conf\\nginx.conf`

In the :file:`nginx.conf` file, modify the :code:`worker_connections` parameter. The value should be around 2.5 times the number of WAPT clients (n connections for websockets and n connections for package downloads and inventory upload + some margin).

.. code-block:: nginx

   events {
       worker_connections 4096;
   }

Then increase the number of *file descriptors* in the :file:`nginx.conf` file:

.. code-block:: nginx

   worker_rlimit_nofile 32768;

Depending on the partitioning of your WAPT Server, you might have to be careful with the Nginx temporary file upload directory. Nginx acts as a reverse proxy for the WAPT Server Python engine and it caches packages that are uploaded from the Console. The packages are stored in the :file:`/var/lib/nginx/proxy` directory. You have to make sure that the partition hosting this directory is large enough. You may change this directory location using the following Nginx configuration parameter.

.. code-block:: nginx

   client_body_temp_path

Configuring the Linux System
============================

Increase the number of *file descriptors*. The systemd unit file asks for an increase in the allowed number of *file descriptors* (LimitNOFILE=32768). We should have the same thing for Nginx. There are a few limits to modify.

First we modify system wide the number of *file descriptors* allowed for Nginx and WAPT.

* Create the :file:`/etc/security/limits.d/wapt.conf`.

.. code-block:: bash

   cat > /etc/security/limits.d/wapt.conf < /etc/sysctl.d/wapt.conf <

` command uploads a package onto the main WAPT repository.

The command :command:`wapt-get upload-package C:\\waptdev\\tis-tightvnc.wapt` returns:

.. code-block:: console

   Using config file: C:\Users\documentation\AppData\Local\waptconsole\waptconsole.ini
   Uploading packages to https://srvwapt.mydomain.lan
   Please get login for https://srvwapt.mydomain.lan/api/v3/upload_xxx:admin
   Password:
   c:\waptdev\tis-tightvnc.wapt[================================] 54316019/54316019 - 00:00:17
   OK : 1 Packages uploaded, 0 errors

wapt-get scan-packages
======================

.. hint::

   This command applies to Windows repositories **ONLY**.

The :command:`wapt-get scan-packages ` command rebuilds a :file:`Packages` file for a WAPT package repository.

The command :command:`wapt-get scan-packages C:\\wapt\\waptserver\\repository\\wapt` returns:

.. code-block:: console

   Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
   Packages filename: C:\wapt\waptserver\repository\wapt
   Processed packages:
    C:\wapt\waptserver\repository\wapt\tis-firefox.wapt
    C:\wapt\waptserver\repository\wapt\tis-tightvnc.wapt
    C:\wapt\waptserver\repository\wapt\tis-7zip.wapt
   Skipped packages:

wapt-scanpackages
=================

.. hint::

   This command applies to Linux repositories **ONLY**.

The :command:`wapt-scanpackages ` command rebuilds a :file:`Packages` file for a WAPT package repository.

The command :command:`wapt-scanpackages /var/www/wapt/` returns nothing.

.. _re_sign_package_cmd:

Re-signing packages on the WAPT Server using a command line
===========================================================

Use this method if re-signing from the WAPT Console does not complete successfully.

These commands are **ONLY** available for WAPT Servers running Linux.

.. warning::

   Before using this method, ensure that your WAPT Server is safe and not under the control of an unauthorized third party entity.

* Copy your :file:`.crt` and :file:`.pem` to :file:`/tmp/` on the WAPT Server using :program:`Winscp` or an equivalent tool.

* It is then possible to re-sign all the packages at once on the WAPT Server with the following commands.

  .. code-block:: bash

     wapt-signpackages -d /var/www/wapt-host -c /tmp/wapt_pub_key.crt -k /tmp/wapt_priv_key.pem -s
     wapt-signpackages -d /var/www/wapt -c /tmp/wapt_pub_key.crt -k /tmp/wapt_priv_key.pem -s
     wapt-scanpackages /var/www/wapt/

If the error **Access violation** appears, the reason is that the WAPT package is too large. Edit the package and check :ref:`this procedure to transfer a voluminous package `.

.. danger::

   Remove the :mimetype:`.crt` and :mimetype:`.pem` from :file:`/tmp/` on the WAPT Server or the server will become a sensitive asset.

For more available options, please see the :ref:`command line section `.
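
The following added example (not part of the WAPT documentation or code base) audits the ``[options]`` section of :file:`waptserver.ini` against the defaults documented in the options table, including the :code:`use_kerberos` / :code:`allow_unauthenticated_connect` precedence rule. It assumes the file follows Python ``configparser`` boolean and integer semantics; the function name, the constructed sample and the policy of flagging any value looser than the documented default are assumptions of this example.

```python
import configparser

# Constructed sample; several values are taken from the table's Example column.
SAMPLE_INI = """\
[options]
use_kerberos = True
allow_unauthenticated_connect = True
allow_unsigned_status_data = True
authentication_logs = False
signature_clockskew = 72000
min_password_length = 15
token_lifetime = 43200
wapt_bind_interface = 0.0.0.0
"""

# Documented defaults from the [options] table. Flagging anything looser than
# the default is this example's policy (an assumption), not a WAPT rule.
BOOL_DEFAULTS = {
    "allow_unauthenticated_registration": False,
    "allow_unsigned_status_data": False,  # documented as debug only
    "authentication_logs": True,
}
MAX_SECONDS = {"signature_clockskew": 300, "token_lifetime": 43200,
               "session_lifetime": 126060}
MIN_VALUES = {"min_password_length": 10}


def audit_options(ini_text):
    """Return (option, message) findings for the text of a waptserver.ini."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    parser.read_string(ini_text)
    if not parser.has_section("options"):
        return [("options", "missing [options] section")]
    opts = parser["options"]
    findings = []

    def read(getter, name):
        # Missing options yield None; malformed values become findings.
        try:
            return getter(name, fallback=None)
        except ValueError:
            findings.append((name, "unparseable value %r" % opts.get(name)))
            return None

    # Rule stated in the table: with use_kerberos = True,
    # allow_unauthenticated_connect must be False or it takes precedence.
    if read(opts.getboolean, "use_kerberos") and \
            read(opts.getboolean, "allow_unauthenticated_connect"):
        findings.append(("allow_unauthenticated_connect",
                         "True while use_kerberos = True; it takes precedence"))

    for name, default in BOOL_DEFAULTS.items():
        value = read(opts.getboolean, name)
        if value is not None and value != default:
            findings.append((name, "is %s, documented default is %s"
                             % (value, default)))

    for name, limit in MAX_SECONDS.items():
        value = read(opts.getint, name)
        if value is not None and value > limit:
            findings.append((name, "%d s exceeds the default of %d s"
                             % (value, limit)))

    for name, limit in MIN_VALUES.items():
        value = read(opts.getint, name)
        if value is not None and value < limit:
            findings.append((name, "%d is below the default of %d"
                             % (value, limit)))

    bind = opts.get("wapt_bind_interface", "127.0.0.1").strip()
    if bind != "127.0.0.1":
        findings.append(("wapt_bind_interface",
                         "listens on %s instead of the default 127.0.0.1" % bind))
    return findings


if __name__ == "__main__":
    for option, message in audit_options(SAMPLE_INI):
        print("%-36s %s" % (option, message))
```
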