.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. meta::
   :description: Enhancing the security of your WAPT setup
   :keywords: Documentation, Security, WAPT

.. |date| date::

.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
   :scale: 3%
   :alt: WAPT Enterprise feature only

.. _waptserver_ini_file_options:

##################################
WAPT Server Advanced Configuration
##################################

The WAPT Server configuration file on GNU/Linux and macOS systems is found in :file:`/opt/wapt/conf/waptserver.ini` or in :file:`/opt/wapt/waptserver/waptserver.ini`.

The WAPT Server configuration file on Windows is found in :file:`C:\\wapt\\conf\\waptserver.ini`.

.. attention::

   **Modification of these files is reserved for advanced users!!**

***************************************************
Default configurations of waptserver file and nginx
***************************************************

Modify the [options] section of waptserver.ini
==============================================

Several options can be defined in the [options] section.

.. code-block:: ini

   [options]

.. list-table:: Available parameters for the [options] section of :file:`waptserver.ini`
   :header-rows: 1
   :widths: auto
   :align: center

   * - Options (Default Value)
     - Description
     - Example

   * - :code:`agents_folder` (default ``waptagent in wapt repository``)
     - Defines where the WAPT Agents are stored on the WAPT Server.
     - agents_folder = /var/www/wapt/waptagent

   * - :code:`allow_unauthenticated_connect` (default ``None``)
     - Defines whether websocket connections should be authenticated. If :code:`use_kerberos` = ``True``, then :code:`allow_unauthenticated_connect` **MUST BE** set to ``False`` or it will take precedence.
     - allow_unauthenticated_connect = True

   * - :code:`allow_unauthenticated_registration` (default ``False``)
     - Allows the initial registration of the WAPT Agent using a login and password.
     - allow_unauthenticated_registration = True

   * - :code:`allow_unsigned_status_data` (default ``False``)
     - Debug only - Allows unsigned status data from Agent.
     - allow_unsigned_status_data = True

   * - :code:`application_root` (default ``None``)
     - Defines a custom WAPT Server application root path.
     - application_root = wapt

   * - :code:`authentication_logs` (default ``True``)
     - Enables authentication logs.
     - authentication_logs = False

   * - :code:`auto_create_waptagent_from_config` (default ``False``)
     - Enables automatic configuration when waptsetup is installed.
     - auto_create_waptagent_from_config = True

   * - :code:`client_certificate_lifetime` (default ``3650``)
     - Defines the host certificate lifetime (in days).
     - client_certificate_lifetime = 500

   * - :code:`cleanup_kbs` (default ``True``)
     - Defines whether unused :ref:`Windows KB should be automatically deleted` from the WAPT Server.
     - cleanup_kbs = False

   * - :code:`clients_read_timeout` (default ``5``)
     - Defines the websocket client timeout (in seconds).
     - clients_read_timeout = 10

   * - :code:`clients_signing_certificate` (default ``None``)
     - Defines the host certificate signing certificate.
     - clients_signing_certificate = C:\\private\\org-coder.crt

   * - :code:`clients_signing_crl_days` (default ``30``)
     - Defines the host certificate signing :abbr:`CRL (Certificate Revocation List)` periodicity (in days).
     - clients_signing_crl_days = 15

   * - :code:`clients_signing_crl` (default ``None``)
     - Defines the host certificate signing CRL path.
     - clients_signing_crl = C:\\private\\org-coder.crt

   * - :code:`clients_signing_crl_url` (default ``None``)
     - Defines the host certificate signing CRL URL.
     - clients_signing_crl_url = https://srvwapt.mydomain.lan/crl

   * - :code:`clients_signing_key` (default ``None``)
     - Defines the host certificate signing key path.
     - clients_signing_key = C:\\private\\org-coder.crt

   * - :code:`client_tasks_timeout` (default ``5``)
     - Defines the maximum allowed delay before WAPT Agent requests time out (in seconds).
     - client_tasks_timeout = 5

   * - :code:`copy_winpe_x64_in_tftp_folder` (default ``False``)
     - If x64, allows you to copy all WinPE from :file:`wads_folder` when WinPE is uploaded.
     - copy_winpe_x64_in_tftp_folder = True

   * - :code:`db_connect_timeout` (default ``3``)
     - Defines the maximum allowed delay before PostgreSQL queries time out (in seconds).
     - db_connect_timeout = 10

   * - :code:`db_host` (default ``None``)
     - Defines the URL of the PostgreSQL server (by default WAPT uses a local Unix socket).
     - db_host = https://wapt.mydomain.lan

   * - :code:`db_max_connections` (default ``90``)
     - Defines the maximum number of simultaneous connections to the PostgreSQL database.
     - db_max_connections = 100

   * - :code:`db_name` (default ``wapt``)
     - Defines the PostgreSQL database that the WAPT Server connects to.
     - db_name = wapt

   * - :code:`db_password` (default ``None``)
     - Defines the password for authenticating the user on the PostgreSQL database (by default WAPT uses a local Unix socket).
     - db_password = WAPT_DB_PASSWORD

   * - :code:`db_port` (default ``5432``)
     - Defines the port of the PostgreSQL server.
     - db_port = 5432

   * - :code:`db_stale_timeout` (default ``300``)
     - Defines the database stale timeout (in seconds).
     - db_stale_timeout = 500

   * - :code:`db_user` (default ``wapt``)
     - Defines the PostgreSQL user connecting to the database.
     - db_user = wapt

   * - :code:`default_ldap_users_acls` (default ``view``)
     - Defines the default ACL for a new user opening the WAPT Console.
     - default_ldap_users_acls = admin

   * - :code:`download_wsusscn2` (default ``False``)
     - Automatically downloads the :file:`wsusscn2.cab` file.
     - download_wsusscn2 = False

   * - :code:`enable_store` (default ``False``)
     - Enables the WAPT Store Webui (**Deprecated**).
     - enable_store = False

   * - :code:`encrypt_host_packages` (default ``False``)
     - Encrypts host packages with the client certificate.
     - encrypt_host_packages = True

   * - :code:`htpasswd_path` (default ``None``)
     - Adds basic authentication to the WAPT Server.
     - htpasswd_path = True

   * - :code:`http_proxy` (default ``None``)
     - Defines the proxy server to allow the WAPT Server to retrieve its :abbr:`CRL (Certificate Revocation List)`.
     - http_proxy = http://srvproxy.mydomain.lan:3128

   * - :code:`known_certificates_folder` (default WAPT :file:`/ssl/` folder)
     - Adds additional known :abbr:`CA (Certificate Authority)` to verify certificates.
     - known_certificates_folder = /opt/wapt/ssl/

   * - :code:`ldap_account_service_login` (default ``None``)
     - Defines the UPN of the Active Directory user for SSO and/or waptserver-ldap mode for self-service.
     - ldap_account_service_login = wapt-ldap@ad.tranquil.it

   * - :code:`ldap_account_service_password` (default ``None``)
     - Defines the user password for SSO and/or waptserver-ldap mode for self-service.
     - ldap_account_service_password = PASSWORD

   * - :code:`ldap_auth_base_dn` (default ``None``)
     - Defines the LDAP authentication base DN.
     - ldap_auth_base_dn = dc=mydomain,dc=lan

   * - :code:`ldap_auth_server` (default ``None``)
     - Defines the LDAP authentication server.
     - ldap_auth_server = srvads.mydomain.lan

   * - :code:`ldap_nesting_group_support` (default ``True``)
     - Enables the search of nested groups in Active Directory.
     - ldap_nesting_group_support = False

   * - :code:`ldap_primary_group_ad_support` (default ``True``)
     - Enables the search on Active Directory primary group users.
     - ldap_primary_group_ad_support = False

   * - :code:`list_subnet_skip_login_wads` (default ``[]``)
     - Lists subnets without authentication requirement.
     - list_subnet_skip_login_wads = 192.168.0.0/24,192.168.1.0/24

   * - :code:`login_on_wads` (default ``False``)
     - Enables authentication to use WADS (format is ``user:password``).
     - login_on_wads = True

   * - :code:`loglevel` (default ``warning``)
     - Defines the log level. Possible values are: ``debug``, ``info``, ``warning``, ``critical``.
     - loglevel = debug

   * - :code:`max_clients` (default ``4096``)
     - Sets the maximum number of simultaneous WAPT client connections.
     - max_clients = 2048

   * - :code:`min_password_length` (default ``10``)
     - Sets the minimum :term:`SuperAdmin` password length.
     - min_password_length = 15

   * - :code:`nginx_http` (default ``80``)
     - Defines the Nginx web server **HTTP** port (Windows only).
     - nginx_http = 8080

   * - :code:`nginx_https` (default ``443``)
     - Defines the Nginx web server **HTTPS** port (Windows only).
     - nginx_https = 44380

   * - :code:`optimized_authentication_logs` (default ``True``)
     - When enabled, calls to the following endpoints are not logged: ``waptagent_version``, ``host_tasks_status``, ``get_ad_groups``, ``get_ad_sites``, ``get_ad_ou_split``, ``host_data``, ``get_hosts``, ``audit_data``, ``wsus.windows_updates``, ``wsus.windows_products``, ``wsus.windows_updates_classifications``, ``packages_for_hosts``, ``enterprise.reporting_exec``, ``known_packages``, ``repositories.get_all_agentrepos``, ``repositories.get_sync_version``, ``repositories.get_all_rules``, ``get_all_users_acls``, ``known_signers_certificates``, ``enterprise.reporting_list``, ``usage_statistics``, ``repositories.get_createupdatefilesync``, ``repositories.get_sync_changelog``, ``licences``
     - optimized_authentication_logs = False

   * - :code:`remote_repo_update_delay` (default ``1``)
     - Defines the periodicity at which the WAPT Server verifies the synchronization status of remote repositories (in minutes).
     - remote_repo_update_delay = 5

   * - :code:`remote_repo_websockets` (default ``True``)
     - Enables websocket communication with WAPT Agents configured as remote repositories.
     - remote_repo_websockets = False

   * - :code:`secret_key` (default ``None``)
     - Defines the random string for initializing the Python Flask application server. The string is generated when first installing the WAPT Server and is unique for every WAPT Server.
     - secret_key = FKjfzjfkF687fjrkeznfkj7678jknk78687

   * - :code:`server_uuid` (default ``None``)
     - Defines the WAPT Server :term:`UUID` (this anonymous id is used for WAPT statistics).
     - server_uuid = 76efezfa6-b309-1fez5-92cd-8ea48fc122dc

   * - :code:`session_lifetime` (default ``126060``)
     - Defines the maximum allowed time the session stays open (in seconds).
     - session_lifetime = 352120

   * - :code:`signature_clockskew` (default ``300``)
     - Defines the maximum allowed time difference for the websockets (in seconds).
     - signature_clockskew = 72000

   * - :code:`token_lifetime` (default ``43200``)
     - Defines the authentication token lifetime (in seconds).
     - token_lifetime = 43200

   * - :code:`trusted_signers_certificates_folder` (default ``None``)
     - Defines the path to the trusted signers certificate directory.
     - trusted_signers_certificates_folder = C:\\private\\org-coder.crt

   * - :code:`trusted_users_certificates_folder` (default ``None``)
     - Defines the path to the trusted users CA certificate directory.
     - trusted_users_certificates_folder = C:\\private\\org-coder.crt

   * - :code:`use_kerberos` (default ``False``)
     - Enables a WAPT Agent to register using its kerberos account. If :code:`use_kerberos` = ``True``, then :code:`allow_unauthenticated_connect` **MUST BE** set to ``False`` or it will take precedence.
     - use_kerberos = True

   * - :code:`use_ssl_client_auth` (default ``False``)
     - Enables :ref:`client certificate authentication`.
     - use_ssl_client_auth = True

   * - :code:`wads_enable` (default ``False``)
     - Enables the WADS feature and enables :program:`wapttftpserver`.
     - wads_enable = True

   * - :code:`wads_folder` (default ``wads folder in wapt repository``)
     - Defines the folder on the WAPT Server that stores files related to WADS.
     - wads_folder = /var/www/waptwads

   * - :code:`wapt_admin_group_dn` (default ``None``)
     - Defines the LDAP DN of the Active Directory User Group allowed to connect to the WAPT Console.
     - wapt_admin_group_dn = CN=waptadmins,OU=groups,DC=ad,DC=mydomain,DC=lan

   * - :code:`wapt_admin_group` (default ``None``)
     - Defines the sAMAccountName of the Active Directory User Group(s) allowed to connect to the WAPT Console. The value can be several groups, separated by commas.
     - wapt_admin_group = waptadmins, wapttechs

   * - :code:`wapt_folder` (default :file:`/var/www/wapt` or :file:`/var/www/html/wapt` or :file:`root_dir/waptserver/repository/wapt`)
     - Defines the directory path of the WAPT repository.
     - wapt_folder = /var/www/wapt

   * - :code:`wapt_huey_db` (default ``None``)
     - Defines the path to the database that stores the status of running tasks.
     - wapt_huey_db = C:\\Program Files(x86)\\wapt\\db\\waptservertasks.sqlite

   * - :code:`wapt_password` (default ``None``)
     - Defines the :term:`SuperAdmin` password for connecting to the WAPT Console.
     - wapt_password = 46642dd2b1dfezfezgfezgadf0ezgeezgezf53d

   * - :code:`waptserver_port` (default ``8080``)
     - Defines the WAPT Server python service port.
     - waptserver_port = 1313

   * - :code:`wapt_user` (default ``admin``)
     - Defines the :term:`SuperAdmin` username in the WAPT Console.
     - wapt_user = wapt_admin

   * - :code:`waptwua_folder` (default wapt_folder + 'wua')
     - Defines the location of the WAPT WUA folder.
     - waptwua_folder = /var/www/waptwua

   * - :code:`wol_port` (default ``7,9``)
     - Defines the list of WakeOnLAN UDP ports to send magic packets to.
     - wol_port = 9, 123, 4000

   * - :code:`wapt_bind_interface` (default ``127.0.0.1``)
     - Defines the interface the WAPT Server service listens on.
     - wapt_bind_interface = 127.0.0.1

   * - :code:`ipxe_script_jinja_path` (default ``/opt/wapt/waptserver/templates/ipxe-default.j2``)
     - Defines the location of the jinja template used for the WADS ipxe script.
     - ipxe_script_jinja_path = /opt/wapt/waptserver/templates/ipxe-autoregister.j2
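The table above documents several settings that weaken the server when combined or left at their defaults (``use_kerberos`` being overridden by ``allow_unauthenticated_connect``, registration by login/password, unsigned status data, client certificate authentication left off, a short ``min_password_length``, a non-loopback ``wapt_bind_interface``). The script below is an added example, not code from the WAPT project: it parses the ``[options]`` section of a :file:`waptserver.ini` and reports those findings, evaluating absent keys at the defaults given in the table; the two embedded ini fragments are constructed samples.

```python
"""Audit the [options] section of a waptserver.ini against the security-relevant
settings documented in the table above (added example, not WAPT project code)."""
import configparser

# Constructed sample: a deliberately weak [options] section, not a real server.
SAMPLE_WEAK_INI = """\
[options]
use_kerberos = True
allow_unauthenticated_connect = True
allow_unauthenticated_registration = True
allow_unsigned_status_data = True
use_ssl_client_auth = False
min_password_length = 6
wapt_bind_interface = 0.0.0.0
"""

# Constructed sample: the same section with the settings corrected.
SAMPLE_HARDENED_INI = """\
[options]
use_kerberos = True
allow_unauthenticated_connect = False
allow_unauthenticated_registration = False
use_ssl_client_auth = True
min_password_length = 15
wapt_bind_interface = 127.0.0.1
"""


def _as_bool(value, default):
    """Parse an ini boolean (True/False as written in the table); None means unset."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_options(ini_text):
    """Return a list of (key, message) findings for the [options] section.

    Keys that are absent are evaluated at the defaults given in the table.
    An empty list means none of the checked settings is weak.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("options"):
        return [("options", "no [options] section found")]
    opts = parser["options"]
    findings = []

    # The table states that use_kerberos = True is only honoured when
    # allow_unauthenticated_connect is False; an explicit True overrides it.
    if _as_bool(opts.get("use_kerberos"), False) and \
            _as_bool(opts.get("allow_unauthenticated_connect"), False):
        findings.append(("allow_unauthenticated_connect",
                         "takes precedence over use_kerberos = True; set it to False"))
    if _as_bool(opts.get("allow_unauthenticated_registration"), False):
        findings.append(("allow_unauthenticated_registration",
                         "initial registration with a login and password is enabled; "
                         "confirm this is intended rather than Kerberos registration"))
    if _as_bool(opts.get("allow_unsigned_status_data"), False):
        findings.append(("allow_unsigned_status_data",
                         "debug-only setting: unsigned status data from agents is accepted"))
    if not _as_bool(opts.get("use_ssl_client_auth"), False):
        findings.append(("use_ssl_client_auth",
                         "client certificate authentication is disabled; enable it, "
                         "especially for a server exposed in a DMZ"))
    if opts.getint("min_password_length", fallback=10) < 10:
        findings.append(("min_password_length",
                         "below the default of 10 for the SuperAdmin password"))
    if opts.get("wapt_bind_interface", "127.0.0.1").strip() != "127.0.0.1":
        findings.append(("wapt_bind_interface",
                         "Python service is not bound to 127.0.0.1 (the default), so it "
                         "is reachable without going through Nginx"))
    return findings


def main():
    """Audit both constructed samples and print the findings."""
    for label, text in (("weak", SAMPLE_WEAK_INI), ("hardened", SAMPLE_HARDENED_INI)):
        findings = audit_options(text)
        print(f"{label}: {len(findings)} finding(s)")
        for key, message in findings:
            print(f"  {key}: {message}")


if __name__ == "__main__":
    main()
```

To audit a real server, pass the contents of :file:`/opt/wapt/conf/waptserver.ini` to ``audit_options`` instead of the embedded samples.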
.. _config_nginx:

Configuring Nginx
=================

The default Nginx configuration is as follows:

.. code-block:: nginx

   # uwsgi upstream server
   upstream waptserver {
       server unix:///run/waptserver/uwsgi.sock;
   }

   log_format combined_ssl '$remote_addr $ssl_client_s_dn $ssl_client_verify $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent"';

   server {
       listen 80;
       listen [::]:80;
       listen 443 ssl;
       listen [::]:443 ssl;
       server_name srvwapt.mydomain.lan;
       server_name 192.168.100.12;
       access_log "/var/log/nginx/access.log" combined_ssl;

       ssl_certificate "/opt/wapt/waptserver/ssl/cert.pem";
       ssl_certificate_key "/opt/wapt/waptserver/ssl/key.pem";
       ssl_protocols TLSv1.2;
       ssl_dhparam "/etc/ssl/certs/dhparam.pem";
       ssl_prefer_server_ciphers on;
       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
       ssl_stapling on;
       ssl_stapling_verify on;
       ssl_session_cache none;
       ssl_session_tickets off;

       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       add_header Strict-Transport-Security "max-age=63072000" always;

       ssl_client_certificate "/opt/wapt/conf/ca-srvwapt.mydomain.lan.crt";
       ssl_crl "/opt/wapt/conf/ca-check-clients.crl";
       ssl_verify_client optional;

       gzip_min_length 1000;
       gzip_buffers 4 8k;
       gzip_http_version 1.0;
       gzip_disable "msie6";
       gzip_types text/plain text/css application/json;
       gzip_vary on;

       index index.html;
       server_tokens off;
       client_max_body_size 12288m;
       client_body_timeout 1800;
       large_client_header_buffers 4 16k;
       proxy_headers_hash_max_size 1024;
       proxy_headers_hash_bucket_size 128;
       proxy_request_buffering off;

       location ^~ /.well-known/acme-challenge/ {
           default_type "text/plain";
           root /var/www/html;
       }

       # sub instances
       include "/opt/wapt/conf/wapt.d/*.conf";

       location /static {
           alias "/opt/wapt/waptserver/static";
       }

       location /ssl {
           alias "/var/www/ssl";
       }

       # not protected URL
       location ~ ^/(wapt/waptsetup.*\.exe|wapt/ping|wapt/waptagent/.*|wapt/waptagent\.exe|wapt/waptdeploy\.exe|wapt/conf\.d/.*\.json)$ {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           root "/var/www";
       }

       location ~ ^/api/v3/(wads_register_host|set_host_wads_status|baseipxe|get_host_ipxe|get_wads_exe.*|get_wads_config)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
       }

       # not protected URL
       location /wads {
           alias "/var/www/wads";
       }

       location = / {
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           proxy_pass http://127.0.0.1:8080;
       }

       # SSL protected URL
       location /waptwua {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           alias "/var/www/waptwua";
       }

       # SSL protected URL
       location ~ ^/(wapt/.*|wapt-diff-repos/.*|licences\.json|sync\.json)$ {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           root "/var/www";
       }

       location /rules.json {
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           root "/var/www";
       }

       # we don't want to expose our list of computers in case someone scans this folder.
       location /wapt-host/Packages {
           return 403;
       }

       location ~ ^/(wapt-host/.*)$ {
           log_not_found off;
           add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           root "/var/www";
       }

       location ~ ^/.*_kerberos$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           auth_gss on;
           auth_gss_format_full on;
           auth_gss_keytab /etc/nginx/http-krb5.keytab;
           proxy_pass http://127.0.0.1:8080;
       }

       # we need socketio for these actions.
       # they are enabled only locally on the loopback
       location ~ ^/api/v3/(update_hosts_sid_table|hosts_sid)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
           allow 127.0.0.1;
           deny all;
       }

       # we need socketio for these actions
       location ~ ^/api/v3/(update_hosts_sid_table|trigger_host_action|reset_hosts_sid|host_tasks_status|trigger_cancel_task|hosts_delete|launch_sync_on_remotes_repos|broadcast_sync_on_remotes_repo)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
       }

       location /get_websocket_auth_token {
           return 404;
       }

       # these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
       # in case uwsgi is enabled, we want this to still be handled by eventlet waptserver as these endpoints are not cpu intensive but often called
       location ~ ^/(ping)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           proxy_pass http://127.0.0.1:8080;
       }

       # these actions are not protected by SSL client side certificate, as we perhaps don't have one at this stage.
       location ~ ^/(login|api/v3/login|api/v3/logout|api/v3/get_hash_json_content|api/v3/waptagent_version|add_host|api/v3/add_host|api/v3/get_waptagent_exe/.*/waptagent.exe)$ {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           rewrite /(.*) /$1 break;
           include /opt/wapt/conf/uwsgi_params;
           uwsgi_pass waptserver;
       }

       location / {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           include /opt/wapt/conf/uwsgi_params;
           uwsgi_pass waptserver;
       }

       location /socket.io {
           proxy_http_version 1.1;
           proxy_request_buffering off;
           include "/opt/wapt/conf/forward_ssl_auth.conf";
           include "/opt/wapt/conf/require_ssl_auth.conf";
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
           proxy_pass http://127.0.0.1:8080/socket.io;
       }
   }

.. _configuring_WAPT_for_large_deployment:

*************************************************
Configuring WAPT Server for large infrastructures
*************************************************

The default operating system, Nginx and PostgreSQL settings are adapted for around 400 WAPT Agents.

If you have more than 400 clients it is necessary to modify a few system level parameters along with the PostgreSQL database, the Nginx web server and the WAPT Server python server.

In the future, the :program:`postconf.sh` script might take charge of this configuration depending on the expected number of client computers.

With the following parameters, one WAPT Server should scale up to around 5000 concurrent active clients. You may have more clients in the database if they are not all running at the same time.

If you have more than 5000 clients it is recommended to have more than one WAPT Server.

The limit in the number of end point clients is due to the bottleneck in the python code and the PostgreSQL backend. WAPT performance gets better with time and in the future WAPT Server might support a large base on a single host.
However the Nginx part scales very well and it can take full advantage of a 10Gbps connection for high load package deployments.

.. note::

   **The parameters to be modified below are linked together and should be modified globally and not individually**.

Multithreading support with uWSGI
=================================

To enable multithreading with uWSGI, you can add the following parameter in section [options] of :file:`/opt/wapt/conf/waptserver.ini`:

.. code-block:: ini

   use_uwsgi = True

You must run :file:`/opt/wapt/waptserver/scripts/postconf.sh` after this modification.

Configuring Nginx
=================

.. list-table:: :file:`nginx.conf` configuration file location
   :header-rows: 1
   :widths: auto
   :align: center

   * - OS Type
     - File location

   * - Debian and derivatives
     - :file:`/etc/nginx/nginx.conf`

   * - RedHat and derivatives
     - :file:`/etc/nginx/nginx.conf`

   * - Windows
     - :file:`C:\\wapt\\waptserver\\nginx\\conf\\nginx.conf`

In the :file:`nginx.conf` file, modify the :code:`worker_connections` parameter. The value should be around 2.5 times the number of WAPT clients (n connections for websockets and n connections for package downloads and inventory upload + some margin).

.. code-block:: nginx

   events {
       worker_connections 4096;
   }

Then upgrade the number of *filedescriptors* in the :file:`nginx.conf` file:

.. code-block:: nginx

   worker_rlimit_nofile 32768;

Depending on the partitioning of your WAPT Server you might have to be careful with the Nginx temporary file upload directory.

Nginx acts as a reverse proxy for the WAPT Server Python engine and it caches packages uploaded from the Console. The packages are stored in the :file:`/var/lib/nginx/proxy` directory. You have to make sure that the partition hosting this directory is large enough.

You may change this directory location using the following Nginx configuration parameter.

.. code-block:: nginx

   client_body_temp_path

Configuring the Linux System
============================

Increase the number of *filedescriptors*. The system unit file asks for an increase in the allowed number of *filedescriptors* (LimitNOFILE=32768). We should have the same thing for Nginx.

There are a few limits to modify. First we modify system wide the number of *filedescriptors* allowed for Nginx and WAPT.

* Create the :file:`/etc/security/limits.d/wapt.conf`.

.. code-block:: bash

   cat > /etc/security/limits.d/wapt.conf < /etc/sysctl.d/wapt.conf <

wapt-get upload-package
=======================

The :command:`wapt-get upload-package` command uploads a package onto the main WAPT repository.

The command :command:`wapt-get upload-package C:\\waptdev\\tis-tightvnc.wapt` returns:

.. code-block:: console

   Using config file: C:\Users\documentation\AppData\Local\waptconsole\waptconsole.ini
   Uploading packages to https://srvwapt.mydomain.lan
   Please get login for https://srvwapt.mydomain.lan/api/v3/upload_xxx:admin
   Password:
   c:\waptdev\tis-tightvnc.wapt[================================] 54316019/54316019 - 00:00:17
   OK : 1 Packages uploaded, 0 errors

wapt-get scan-packages
======================

.. hint::

   This command applies to Windows repositories **ONLY**.

The :command:`wapt-get scan-packages` command rebuilds a :file:`Packages` file for a WAPT package repository.

The command :command:`wapt-get scan-packages C:\\wapt\\waptserver\\repository\\wapt` returns:

.. code-block:: console

   Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
   Packages filename: C:\wapt\waptserver\repository\wapt
   Processed packages:
       C:\wapt\waptserver\repository\wapt\tis-firefox.wapt
       C:\wapt\waptserver\repository\wapt\tis-tightvnc.wapt
       C:\wapt\waptserver\repository\wapt\tis-7zip.wapt
   Skipped packages:

wapt-scanpackages
=================

.. hint::

   This command applies to Linux repositories **ONLY**.

The :command:`wapt-scanpackages` command rebuilds a :file:`Packages` file for a WAPT package repository.

The command :command:`wapt-scanpackages /var/www/wapt/` returns nothing.
.. _re_sign_package_cmd:

Re-signing packages on the WAPT Server using a command line
===========================================================

Use this method if re-signing from the WAPT console method does not complete successfully.

These commands are **ONLY** available for WAPT Servers running Linux.

.. warning::

   Before using this method, ensure that your WAPT Server is safe and not under the control of an unauthorized third party entity.

* Copy your :file:`.crt` and :file:`.pem` to :file:`/tmp/` on the WAPT Server using :program:`Winscp` or an equivalent tool.

* It is then possible to re-sign all the packages at once on the WAPT Server with the following commands.

.. code-block:: bash

   wapt-signpackages -d /var/www/wapt-host -c /tmp/wapt_pub_key.crt -k /tmp/wapt_priv_key.pem -s
   wapt-signpackages -d /var/www/wapt -c /tmp/wapt_pub_key.crt -k /tmp/wapt_priv_key.pem -s
   wapt-scanpackages /var/www/wapt/

If the error **Access violation** appears, the reason is that the WAPT package is too large. Edit the package and check :ref:`this procedure to transfer a voluminous package`.

.. danger::

   Remove the :mimetype:`.crt` and :mimetype:`.pem` from :file:`/tmp/` on the WAPT Server or the server will become a sensitive asset.

For more available options, please see the :ref:`command line section`.

.. _enhancing_the_security_of_your_wapt_setup:

#######################################################
Enhancing the security of your WAPT setup - Server side
#######################################################

By default, all WAPT packages are signed with your private key, which already provides a great level of security.

However you can further improve the security of WAPT. To fully secure your WAPT setup, you will want to do the following:

* Enable authenticated registration to filter who is authorized to register the device with the WAPT Server.

* Enable https certificate verification on the WAPT Agents and the WAPT Console to ensure that the WAPT Agents and the WAPT Console are connecting to the correct WAPT Server.

* Configure authentication against Active Directory to allow access to the WAPT Console only to authorized WAPT admins.

* Enable Client-Side Certificate Authentication to only allow authenticated devices to access the WAPT Server (Note: it is especially important if you want to expose your WAPT Server to the outside in a :abbr:`DMZ (De-Militarized Zone)`).

* If you are using the **Enterprise** version of WAPT and you operate a large fleet with multiple administrators, you may be interested in knowing how to properly configure and apply the :abbr:`ACLs (Access Control Lists)`.

.. _firewall_wapt_secure:

*******************************************
Configuring the firewall on the WAPT Server
*******************************************

WAPT Server firewall configuration is essential and should be the first step towards achieving better security in WAPT.

As WAPT aims to be secure by design, only a minimal :ref:`set of open ports` is needed on the WAPT Server compared to other solutions.

You will find in the following documentation firewall tips to improve WAPT security.

Configuring the firewall for WAPT Server on Debian and derivatives
==================================================================

**By default on Debian Linux, no firewall rule applies**.

* Disable :program:`ufw` and install :program:`firewalld` instead.

.. code-block:: bash

   ufw disable
   apt update
   apt -y install firewalld

* Simply apply this :program:`firewalld` configuration.
code-block:: bash systemctl start firewalld systemctl enable firewalld firewall-cmd --zone=public --add-port=80/tcp --permanent firewall-cmd --zone=public --add-port=443/tcp --permanent systemctl restart firewalld Configuring the firewall for WAPT Server on RedHat and derivatives ================================================================== * Simply apply this :program:`firewalld` configuration. .. code-block:: bash systemctl start firewalld systemctl enable firewalld firewall-cmd --zone=public --add-port=80/tcp --permanent firewall-cmd --zone=public --add-port=443/tcp --permanent systemctl restart firewalld .. _configuring_kerberos_authentication: *********************************** Configuring kerberos authentication *********************************** .. note:: * Without kerberos authentication, you have to either trust initial registration or enter a password for each workstation on initial registration. * For more information, visit the documentation on :ref:`registering a host with the WAPT Server ` and :ref:`signing inventory updates `. * The kerberos authentication will be used only when registering the device. Installing the kerberos components and configuring krb5.conf file ================================================================= .. tabs:: .. code-tab:: bash Debian and derivatives apt install krb5-user msktutil libnginx-mod-http-auth-spnego .. code-tab:: bash RedHat and derivatives yum install krb5-workstation msktutil nginx-mod-http-auth-spnego .. note:: **Registering with kerberos is not available with a WAPT Server running on Windows.** Modify the :file:`/etc/krb5.conf` file and **replace all the content with the following 4 lines** replacing **MYDOMAIN.LAN** with your Active Directory domain name (i.e. **). .. attention:: :code:`default_realm` value **MUST** be written with **ALL CAPS**!! .. code-block:: ini [libdefaults] default_realm = MYDOMAIN.LAN dns_lookup_kdc = true dns_lookup_realm=false Retrieving a service keytab. 
Use the :command:`kinit` and :command:`klist` commands. You can use an :term:`Administrator` account or any other account with the delegated right to join a computer to the domain in the proper destination container (by default *CN=Computers*).

In the shell transcript below, commands are in black and returned text is commented in light gray:

.. code-block:: bash

   sudo kinit administrator
   ## Password for administrator@MYDOMAIN.LAN:
   ## Warning: Your password will expire in 277 days on Mon. 17 sept. 2018 10:51:21 CEST
   sudo klist
   ## Ticket cache: FILE:/tmp/krb5cc_0
   ## Default principal: administrator@MYDOMAIN.LAN
   ##
   ## Valid starting       Expires              Service principal
   ## 01/12/2017 16:49:31  02/12/2017 02:49:31  krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
   ##         renew until 02/12/2017 16:49:27

If the authentication request is successful, you can then create your HTTP keytab with the :program:`msktutil` command. Be sure to replace the **DOMAIN_CONTROLER** string with the name of your domain controller (eg: **srvads.mydomain.lan**).

.. code-block:: bash

   sudo msktutil --server DOMAIN_CONTROLER --precreate --host $(hostname) -b cn=computers --service HTTP --description "host account for wapt server" --enctypes 24 -N
   sudo msktutil --server DOMAIN_CONTROLER --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(hostname) -N

.. attention::

   Be sure to have properly configured your WAPT Server *hostname* before running these commands. To double check your *hostname*, run :command:`echo $(hostname)`: it **MUST** return the name that the WAPT Agents running on client workstations will use.

If your WAPT Server is reachable from the Internet, you should add another servicePrincipalName (SPN) matching the WAPT public URL. To update the keytab file, you must run the second :program:`msktutil` command every time you add a new SPN.

You can add an auto-update task in *crontab*. It will regularly change the machine account password in Active Directory, which helps you pass security audits.

*Crontab* content:

.. code:: bash

   32 23 * * * root msktutil --auto-update --keytab /etc/nginx/http-krb5.keytab

* Apply the proper access rights to the :file:`http-krb5.keytab` file. If you are on a RedHat based OS with SELinux, fix the rights with :program:`restorecon`.

.. tabs::

   .. code-tab:: bash Debian and derivatives

      sudo chmod 640 /etc/nginx/http-krb5.keytab
      sudo chown root:www-data /etc/nginx/http-krb5.keytab

   .. code-tab:: bash RedHat and derivatives

      sudo chown root:nginx /etc/nginx/http-krb5.keytab
      sudo chmod 640 /etc/nginx/http-krb5.keytab
      restorecon -v -R /etc/nginx/http-krb5.keytab

Post-configuring kerberos for the WAPT Server
=============================================

You can now use the post-configuration script to configure the WAPT Server to use kerberos. The post-configuration script will configure :program:`Nginx` and the WAPT Server to use kerberos authentication.

.. hint::

   This post-configuration script **MUST** be run as **root**.

.. code-block:: bash

   /opt/wapt/waptserver/scripts/postconf.sh --force-https

Kerberos authentication will now be configured.

Special use cases
=================

My WAPT Server does not have access to a writeable Active Directory
-------------------------------------------------------------------

* Connect to your Active Directory (not a RODC).
* Create a computer account *srvwapt*.
* Add a :abbr:`SPN (Service Principal Name)` on the *srvwapt$* account.

.. code-block:: batch

   setspn -A HTTP/srvwapt.mydomain.lan srvwapt

* Create a keytab for this WAPT Server.

.. code-block:: batch

   ktpass -out C:\http-krb5.keytab -princ HTTP/srvwapt.mydomain.lan@MYDOMAIN.LAN +rndpass -minpass 64 -crypto all -pType KRB5_NT_PRINCIPAL /mapuser srvwapt$@MYDOMAIN.LAN
   Reset SRVWAPT$'s password [y/n]?  y

.. note::

   If the address of your WAPT Server is different from your Active Directory domain, replace *HTTP/srvwapt.mydomain.lan@MYDOMAIN.LAN* with *HTTP/srvwapt.othername.com@MYDOMAIN.LAN*.

* Transfer this file to :file:`/etc/nginx/` (with :program:`winscp` for example).
* Apply the proper access rights to the :file:`http-krb5.keytab` file. If you are on a RedHat based OS with SELinux, fix the rights with :program:`restorecon`.

.. tabs::

   .. code-tab:: bash Debian and derivatives

      sudo chmod 640 /etc/nginx/http-krb5.keytab
      sudo chown root:www-data /etc/nginx/http-krb5.keytab

   .. code-tab:: bash RedHat and derivatives

      sudo chown root:nginx /etc/nginx/http-krb5.keytab
      sudo chmod 640 /etc/nginx/http-krb5.keytab
      restorecon -v -R /etc/nginx/http-krb5.keytab

WAPT Agents only have access to a RODC domain controller
--------------------------------------------------------

* For a :abbr:`RODC (Read-Only Domain Controller)`, add the *srvwapt* account to the group whose passwords are allowed to replicate.
* Remember to preload the password of the WAPT Server account on the different RODC servers.

.. figure:: wapt-resources/windows_rsat_rodc-preload_dialog-box.png
   :align: center
   :alt: Preload Password srvwapt account

You have multiple Active Directory domains with or without relationships
------------------------------------------------------------------------

If you have multiple Active Directory domains, you **MUST** create one :file:`keytab` per domain by following the procedure above, for example:

* :file:`http-krb5-domain1.local.keytab`;
* :file:`http-krb5-domain2.local.keytab`;
* :file:`http-krb5-domain3.local.keytab`.

You will then have to merge all these :file:`keytabs` into a single :file:`keytab` with :program:`ktutil`:

.. code-block:: bash

   ktutil
   read_kt http-krb5-domain1.local.keytab
   read_kt http-krb5-domain2.local.keytab
   read_kt http-krb5-domain3.local.keytab
   write_kt http-krb5.keytab

Debugging problems with kerberos
================================

.. attention::

   * The WAPT Server address cannot be an IP address; Kerberos only works with DNS names.
   * In your tests, the URL used **MUST** be **exactly** the same address as the one indicated in :file:`C:\\Program Files (x86)\\wapt\\wapt-get.ini`.

Did you restart nginx correctly?
--------------------------------

.. code-block:: bash

   systemctl restart nginx

Check the permissions of the http-krb5.keytab file
--------------------------------------------------

.. code-block:: bash

   [root@srvwapt.mydomain.lan]# ls -l /etc/nginx/http-krb5.keytab
   -rw-r----- 1 root www-data 921 janv.  4 16:20 /etc/nginx/http-krb5.keytab

Is kerberos mode active on my WAPT Agent?
-----------------------------------------

On the Windows host:

* Check in your :file:`C:\\Program Files (x86)\\wapt\\wapt-get.ini` that the :code:`use_kerberos` value is ``True``.

.. code-block:: ini

   [global]
   use_kerberos=True

* If you change the value, do not forget to restart the WAPT service.

.. code-block:: batch

   net stop waptservice
   net start waptservice

Is Kerberos mode active on my WAPT Server?
------------------------------------------

On the Linux host:

* Check in your :file:`/opt/wapt/conf/waptserver.ini` that the :code:`use_kerberos` value is ``True``.

.. code-block:: ini

   [options]
   use_kerberos=True

* Check in your :file:`/etc/nginx/sites-enabled/wapt.conf` that this configuration is present.

.. code-block:: nginx

   location ~ ^/.*_kerberos$ {
       proxy_http_version 1.1;
       proxy_request_buffering off;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       # be sure these headers are not forwarded
       proxy_set_header X-Ssl-Client-Dn "";
       proxy_set_header X-Ssl-Authenticated "";
       auth_gss on;
       auth_gss_keytab /etc/nginx/http-krb5.keytab;
       proxy_pass http://127.0.0.1:8080;
   }

* If one of the two configurations is not present, run the post-configuration again and activate kerberos.

Checking that the keytab file contains the correct URL
------------------------------------------------------

.. code-block:: bash

   [root@srvwapt.mydomaine.lan]# KRB5_KTNAME=/etc/nginx/http-krb5.keytab klist -k
   Keytab name: FILE:/etc/nginx/http-krb5.keytab
   KVNO Principal
   ---- --------------------------------------------------------------------------
   ...
      3 HTTP/srvwapt.ad.mydomain.lan@AD.MYDOMAIN.LAN
   ...

Trying to register the host using a system account
--------------------------------------------------

To switch to a system account you **MUST** use the :program:`PsExec` tool from Microsoft: :download:`psexec `.

* In :program:`cmd` as an Administrator.

.. code-block:: batch

   C:\Users\xxxxxx\Downloads\PSTools\psexec.exe -accepteula -s -i cmd

* In the new :program:`cmd` window, check that you are identified as *System*.

.. code-block:: batch

   C:\WINDOWS\system32>whoami
   NT AUTHORITY\System

* Run :command:`register`.

.. code-block:: batch

   wapt-get register

Trying an authentication with the keytab from your WAPT Server
--------------------------------------------------------------

* On the Linux host.

.. code-block:: bash

   [root@srvwapt.ad.tranq ~]# ktutil
   ktutil:  read_kt /etc/nginx/http-krb5.keytab
   ktutil:  list
   slot KVNO Principal
   ---- ---- ---------------------------------------------------------------------
      1    3 srvwapt$@AD.TRANQUIL.IT
      2    3 srvwapt$@AD.TRANQUIL.IT
      3    3 srvwapt$@AD.TRANQUIL.IT
      4    3 SRVWAPT$@AD.TRANQUIL.IT
      5    3 SRVWAPT$@AD.TRANQUIL.IT
      6    3 SRVWAPT$@AD.TRANQUIL.IT
      7    3 host/srvwapt@AD.TRANQUIL.IT
      8    3 host/srvwapt@AD.TRANQUIL.IT
      9    3 host/srvwapt@AD.TRANQUIL.IT
     10    3 HTTP/srvwapt.ad.tranquil.it@AD.TRANQUIL.IT
     11    3 HTTP/srvwapt.ad.tranquil.it@AD.TRANQUIL.IT
     12    3 HTTP/srvwapt.ad.tranquil.it@AD.TRANQUIL.IT
   ktutil:  quit
   [root@srvwapt.ad.tranq ~]# kinit -k -t /etc/nginx/http-krb5.keytab srvwapt\$@AD.TRANQUIL.IT
   [root@srvwapt.ad.tranq ~]# klist
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: srvwapt$@AD.TRANQUIL.IT

   Valid starting       Expires              Service principal
   05/02/2021 19:06:05  06/02/2021 05:06:05  krbtgt/AD.TRANQUIL.IT@AD.TRANQUIL.IT
           renew until 06/02/2021 19:06:05

Attempting an authentication with curl
--------------------------------------

* On the Linux host.

.. code-block:: bash

   [root@srvwapt.ad.tranq ~]# kdestroy
   [root@srvwapt.ad.tranq ~]# kinit sfonteneau
   Password for sfonteneau@AD.TRANQUIL.IT:
   [root@srvwapt.ad.tranq ~]# klist
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: sfonteneau@AD.TRANQUIL.IT

   Valid starting       Expires              Service principal
   05/02/2021 19:10:42  06/02/2021 05:10:42  krbtgt/AD.TRANQUIL.IT@AD.TRANQUIL.IT
           renew until 06/02/2021 19:10:39
   [root@srvwapt.ad.tranq ~]# curl -v --negotiate -u : https://srvwapt.ad.tranquil.it/api/v3/add_host_kerberos -k
   * Expire in 0 ms for 6 (transfer 0x563dece09f90)
   * Uses proxy env variable no_proxy == 'localhost,127.0.01/8,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,ad.tranquil.it'
   * Expire in 1 ms for 1 (transfer 0x563dece09f90)
   ...
   {"success":true,"msg":"Authentication OK","result":{"auth_result":{"auth_method":"kerb","user":"sfonteneau","auth_date":"2024-11-04T16:53:03.817821","with2fa":false},"server_uuid":"7j54647e-1b54-11ea-bcbe-cae466b691e5","version":"2.6.0","server_domain":"ad.tranquil.it","edition":"enterprise","user_acls":{},"token":null},"request_time":0.006450653076171875}

Verifying that you are successfully obtaining a Kerberos ticket
---------------------------------------------------------------

.. attention::

   Always execute these commands as the system account (see the previous point)!

.. code-block:: batch

   klist purge
   klist get http/srvwapt.ad.mydomain.lan

You should get (in your language):

.. code-block:: batch

   C:\Windows\System32>klist get http/srvwapt.ad.mydomain.lan

   LogonId est 0:0x13794d
   Un ticket pour http/srvwapt.ad.mydomain.lan a été récupéré.

   Tickets mis en cache : (2)

   #0>     Client : sfonteneau @ AD.MYDOMAIN.LAN
           Serveur : krbtgt/AD.MYDOMAIN.LAN @ AD.MYDOMAIN.LAN
           Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
           Indicateurs de tickets 0x40e00000 -> forwardable renewable initial pre_authent
           Heure de démarrage : 2/4/2021 15:51:07 (Local)
           Heure de fin : 2/5/2021 1:51:07 (Local)
           Heure de renouvellement : 2/11/2021 15:51:07 (Local)
           Type de clé de session : AES-256-CTS-HMAC-SHA1-96
           Indicateurs de cache : 0x1 -> PRIMARY
           KDC appelé : srvads.AD.MYDOMAIN.LAN

   #1>     Client : sfonteneau @ AD.MYDOMAIN.LAN
           Serveur : http/srvwapt.AD.MYDOMAIN.LAN @ AD.MYDOMAIN.LAN
           Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
           Indicateurs de tickets 0x40a80000 -> forwardable renewable pre_authent 0x80000
           Heure de démarrage : 2/4/2021 15:51:07 (Local)
           Heure de fin : 2/5/2021 1:51:07 (Local)
           Heure de renouvellement : 2/11/2021 15:51:07 (Local)
           Type de clé de session : AES-256-CTS-HMAC-SHA1-96
           Indicateurs de cache : 0
           KDC appelé : srvads.AD.MYDOMAIN.LAN

If that does not work, check in your Active Directory that the :code:`servicePrincipalName` attribute of the computer account of the WAPT Server has this value: ``HTTP/srvwapt.mydomain.lan``.

Check that it works with Firefox
--------------------------------

.. note::

   You need to first configure Firefox for kerberos authentication.

* Type :command:`about:config` in the URL bar of Firefox.
* Edit ``network.negotiate-auth.trusted-uris`` and add the URL of the WAPT Server: ``srvwapt.mydomain.lan``.
* You can now visit the URL: https://srvwapt.mydomain.lan/add_host_kerberos.
* If the authentication does not work, the WAPT Server will return a 403 error message.

In case of an error on one of the previous checks
-------------------------------------------------

* Delete the host account from the Active Directory.
* Delete the :file:`/etc/nginx/http-krb5.keytab` file.
* Reboot the host you are testing with and run the keytab creation process again.
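The checks listed in this chapter (keytab permissions, the :program:`Nginx` kerberos location, the principal listed by :command:`klist -k`, the realm written in capitals) can be scripted so that they are run the same way on every WAPT Server. The Python script below is an added example, not WAPT's own code: its function names, the sample :command:`klist -k` output and the sample :program:`Nginx` snippet are constructed here; the keytab path, the ``HTTP/<fqdn>@REALM`` principal format and the :program:`Nginx` directives are the ones quoted above.

```python
"""Offline checks for the kerberos troubleshooting steps of this chapter.

Added example, not WAPT's own code. Function names, the sample
'klist -k' output and the sample Nginx snippet are constructed; the keytab
path, principal format and Nginx directives are the ones quoted on the page.
"""
import os
import re
import stat
from typing import List

KEYTAB_PATH = "/etc/nginx/http-krb5.keytab"

# Constructed sample of 'KRB5_KTNAME=/etc/nginx/http-krb5.keytab klist -k' output.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/nginx/http-krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 srvwapt$@MYDOMAIN.LAN
   3 host/srvwapt@MYDOMAIN.LAN
   3 HTTP/srvwapt.mydomain.lan@MYDOMAIN.LAN
"""

# Constructed sample of the location block expected in /etc/nginx/sites-enabled/wapt.conf.
SAMPLE_NGINX_CONF = """\
location ~ ^/.*_kerberos$ {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # be sure these headers are not forwarded
    proxy_set_header X-Ssl-Client-Dn "";
    proxy_set_header X-Ssl-Authenticated "";
    auth_gss on;
    auth_gss_keytab /etc/nginx/http-krb5.keytab;
    proxy_pass http://127.0.0.1:8080;
}
"""


def realm_ok(realm: str) -> bool:
    """default_realm and the realm part of every principal must be in capitals."""
    return realm == realm.upper()


def expected_spn(server_fqdn: str, realm: str) -> str:
    """Principal the keytab must contain for Nginx: HTTP/<fqdn>@<REALM>.

    server_fqdn is what 'echo $(hostname)' returns and what wapt-get.ini uses.
    """
    if not realm_ok(realm):
        raise ValueError(f"realm {realm!r} must be written in capitals")
    return f"HTTP/{server_fqdn}@{realm}"


def keytab_principals(klist_output: str) -> List[str]:
    """Parse the principal column of 'klist -k' output (KVNO  Principal)."""
    principals = []
    for line in klist_output.splitlines():
        match = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if match:
            principals.append(match.group(1))
    return principals


def keytab_has_spn(klist_output: str, spn: str) -> bool:
    """Kerberos principals are case sensitive: the whole string must match."""
    return spn in keytab_principals(klist_output)


def mode_is_0640(st_mode: int) -> bool:
    """True for the -rw-r----- shown above: no access at all for 'other'."""
    return stat.S_IMODE(st_mode) == 0o640


def keytab_file_ok(path: str = KEYTAB_PATH) -> bool:
    """Check the keytab on disk (the file must exist)."""
    return mode_is_0640(os.stat(path).st_mode)


def nginx_kerberos_location_missing(conf_text: str) -> List[str]:
    """Return the directives missing from the 'location ~ ^/.*_kerberos$' block."""
    block = re.search(r"location\s+~\s+\^/\.\*_kerberos\$\s*\{(.*?)\}", conf_text, re.S)
    if not block:
        return ["location ~ ^/.*_kerberos$ block"]
    body = block.group(1)
    required = [
        "auth_gss on;",
        f"auth_gss_keytab {KEYTAB_PATH};",
        'proxy_set_header X-Ssl-Client-Dn "";',
        'proxy_set_header X-Ssl-Authenticated "";',
    ]
    return [directive for directive in required if directive not in body]


if __name__ == "__main__":
    spn = expected_spn("srvwapt.mydomain.lan", "MYDOMAIN.LAN")
    print("keytab contains", spn, ":", keytab_has_spn(SAMPLE_KLIST_K, spn))
    print("missing nginx directives:", nginx_kerberos_location_missing(SAMPLE_NGINX_CONF))
```

On a real server, feed ``keytab_principals`` the output of the :command:`klist -k` command shown above and call ``keytab_file_ok()`` on the keytab path; the two functions that clear ``X-Ssl-*`` headers are checked because the WAPT Server must only trust those headers when :program:`Nginx` itself sets them.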
.. note::

   * It is important to restart the host to purge the kerberos tickets previously obtained by the host.
   * To avoid restarting, you can also execute the command :command:`klist purge` as SYSTEM.

.. _activating_HTTPS_certificate_verification:

********************************************************
Activating the verification of the SSL / TLS certificate
********************************************************

When running the WAPT Server post-configuration script, the script generates a self-signed certificate in order to enable HTTPS communications.

The WAPT Agent checks the WAPT HTTPS Server certificate according to the ``verify_cert`` value in the ``[global]`` section of :file:`C:\\Program Files (x86)\\wapt\\wapt-get.ini`.

.. list-table:: Options for ``verify_cert``
   :header-rows: 1
   :widths: auto

   * - Options for ``verify_cert``
     - Working principle of the WAPT Agent
   * - ``verify_cert`` = 0
     - The WAPT Agent will not check the WAPT Server HTTPS certificate.
   * - ``verify_cert`` = 1
     - The WAPT Agent will check the WAPT Server HTTPS certificate using the certificate bundle :file:`C:\\Program Files (x86)\\wapt\\lib\\site-packages\\certifi\\cacert.pem`.
   * - ``verify_cert`` = C:\\Program Files (x86)\\wapt\\ssl\\srvwapt.mydomain.lan.crt
     - The WAPT Agent will check the WAPT Server HTTPS certificate using the certificate bundle :file:`C:\\Program Files (x86)\\wapt\\ssl\\srvwapt.mydomain.lan.crt`.

.. hint::

   To quickly and easily enable verification of the HTTPS certificate, you can use the *pinning* method.

.. _pinning_certificate:

Pinning the certificate
=======================

*Certificate pinning* consists of verifying the SSL/TLS certificate against a well defined and restricted bundle.

.. hint::

   This method is the easiest when using a self-signed certificate.

For this, you need to launch the following commands in the Windows :program:`cmd.exe` shell (with elevated privileges if :abbr:`UAC (User Account Control)` is active).
If you already have a Windows :program:`cmd.exe` shell open, close it and open a new one so that the updated environment variables are taken into account:

.. code-block:: batch

   wapt-get enable-check-certificate
   wapt-get restart-waptservice

Validate the certificate with :command:`wapt-get update`.

When you have executed the :command:`update` command, make sure that everything has gone well, and if in doubt check :ref:`error_run_check_cert`.

.. attention::

   If :command:`wapt-get enable-check-certificate` returns an error, remove the :mimetype:`.crt` file with the same name in :file:`C:\\Program Files (x86)\\wapt\\ssl\\server`.

.. note::

   * The command :command:`enable-check-certificate` downloads the certificate :file:`srvwapt.mydomain.lan.crt` into the folder :file:`C:\\Program Files (x86)\\WAPT\\ssl\\server`.
   * It then modifies the file :file:`wapt-get.ini` to set the value ``verify_cert`` = :file:`C:\\Program Files (x86)\\wapt\\ssl\\server\\srvwapt.mydomain.lan.crt`.
   * The WAPT Agent will now verify certificates using the pinned certificate.

.. attention::

   If you use the *certificate pinning* method, **BE REMINDED** to archive the :file:`/opt/wapt/waptserver/ssl` folder of your WAPT Server. This folder will have to be restored on your WAPT Server if you migrate or upgrade it, so that the WAPT Agents can continue to establish trusted HTTPS connections with the WAPT Server.

How to use a commercial certificate or certificates provided by your Organization?
==================================================================================

If the pinning method does not suit you, you can replace the self-signed certificate generated during the installation of :program:`WAPT`.

Replace the old certificate with the new one in the folder :file:`/opt/wapt/waptserver/ssl/` (Linux) or :file:`C:\\wapt\\waptserver\\ssl\\` (Windows).

**The new key pair MUST be in PEM encoded Base64 format**.

.. note::

   **Special case where your certificate has been signed by an internal Certificate Authority**

   Certificates issued by an internal :term:`Certificate Authority` **MUST** be accompanied by the complete certificate chain of the :term:`Certificate Authority`. You can manually append the certificate chain of the Certificate Authority to the certificate that will be used by :program:`Nginx`.

   Example: :code:`cat srvwapt.mydomain.lan.crt ca.crt > cert.pem`

* For Linux servers it is also necessary to reset the :abbr:`ACLs (Access Control List)`; if you are on a RedHat based OS with SELinux, fix the rights with :program:`restorecon`:

.. tabs::

   .. code-tab:: bash Debian and derivatives

      chown root:www-data /opt/wapt/waptserver/ssl/*.pem

   .. code-tab:: bash RedHat and derivatives

      chown root:nginx /opt/wapt/waptserver/ssl/*.pem
      restorecon -v -R /opt/wapt/waptserver/ssl/

* Restart :program:`Nginx` to take the new certificates into account.

.. tabs::

   .. code-tab:: bash Linux

      systemctl restart nginx

   .. code-tab:: batch Windows

      net stop waptnginx
      net start waptnginx

Configuring the WAPT Agent
--------------------------

For a commercial certificate you can set ``verify_cert = 1`` in :file:`wapt-get.ini`.

For a certificate issued by an internal Certificate Authority, you **MUST** place the Certificate Authority certificate in the :file:`C:\\Program Files (x86)\\wapt\\ssl\\server\\` folder (for example as :file:`ca.crt`) and specify that certificate path with ``verify_cert`` in the :file:`wapt-get.ini` file of the WAPT Agent.

To apply the new configuration to your entire fleet:

* Regenerate a WAPT Agent with the appropriate settings.
* Use a `WAPT package `_ to modify :file:`wapt-get.ini` and push the certificate.

Verifying the certificate in the WAPT Console
=============================================

When the WAPT Console first starts, it reads the content of :file:`C:\\Program Files (x86)\\WAPT\\wapt-get.ini` and builds its configuration file :file:`C:\\Users\\admin\\AppData\\Local\\waptconsole\\waptconsole.ini`.
This properly sets the ``verify_cert`` attribute for the HTTPS communication between the WAPT Console and the WAPT Server.

.. _configure_ad_auth:

*****************************************************************************
Configuring user authentication against Active Directory |enterprise_feature|
*****************************************************************************

By default, the WAPT Server is configured with a single :term:`SuperAdmin` account whose password is set up during initial post-configuration.

**On large and security-minded networks, the SuperAdmin account should not be used since it cannot provide the necessary traceability for administrative actions that are done on the network assets**.

It is thus necessary to configure authentication against the Active Directory for the WAPT Console users; this allows named accounts to be used for tasks.

.. note::

   * Active Directory authentication is used to authenticate access to the inventory via the WAPT Console.
   * However, all actions on the WAPT equipped remote devices are based on X.509 signatures, so an :term:`Administrator` will need both an Active Directory login **AND** a private key whose certificate is recognized by the remote devices that the Administrator manages using WAPT.
   * Only the :term:`SuperAdmin` account and the members of the Active Directory security group **waptadmins** will be allowed to upload packages on the main repository (authentication mode by login and password).

.. _ldap_authentication:

Enabling Active Directory authentication
========================================

* To enable authentication of the WAPT Server with Active Directory, configure the file :file:`waptserver.ini` as follows.

.. note::

   The WAPT Server configuration file on GNU/Linux and macOS systems is found in :file:`/opt/wapt/conf/waptserver.ini` or in :file:`/opt/wapt/waptserver/waptserver.ini`.

   The WAPT Server configuration file on Windows systems is found in :file:`C:\\wapt\\conf\\waptserver.ini`.

.. code-block:: ini

   #waptserver.ini
   wapt_admin_group=waptadmins
   ad_domain_name=mydomain.lan

.. list-table:: Available authentication options
   :header-rows: 1
   :widths: auto
   :align: center

   * - Options (Default Value)
     - Description
     - Example
   * - :code:`wapt_admin_group` (default ``[]``)
     - Defines the sAMAccountName of the Active Directory user group allowed to connect to the WAPT Console; it is a list that can contain several groups. You can use this option instead of ``wapt_admin_group_dn``, but **DO NOT** use both attributes at the same time.
     - wapt_admin_group = waptadmins, wapttech
   * - :code:`ldap_auth_server` (default ``None``)
     - Defines the LDAP authentication server. If not specified, a CLDAP query will be used with the ``ad_domain_name`` option to find the best domain controller based on the site and the Active Directory service.
     - ldap_auth_server = srvads.mydomain.lan
   * - :code:`ldap_auth_base_dn` (default ``None``)
     - Defines the LDAP authentication base DN. If not specified, the root will be used.
     - ldap_auth_base_dn = dc=domain,dc=lan
   * - :code:`ad_domain_name` (default ``None``)
     - Defines the domain name.
     - ad_domain_name = mydomain.lan

* Restart the :program:`waptserver` service.

Enabling Single Sign On (SSO) for the WAPT Console and the self-service
=======================================================================

.. warning::

   This configuration is only available for WAPT Servers running on WAPT supported Linux distributions.

You can use Kerberos to authenticate yourself on the :program:`waptconsole` and the :program:`selfservice`. This way, users do not need to enter their password.

It is not necessary to register the WAPT Agent using kerberos in order to use the kerberos :abbr:`SSO (Single Sign-On)` on the WAPT Console and in the Self-Service.

Preparing the WAPT Server for Kerberos Single Sign On
-----------------------------------------------------

.. attention::

   To enable Kerberos on the WAPT Server with the :code:`use_kerberos` = ``True`` option, launch the :ref:`WAPT Server postconf script `.

.. code-block:: bash

   /opt/wapt/waptserver/scripts/postconf.sh

Please refer to :ref:`the documentation on configuring kerberos for authentication ` beforehand.

If you do not want to use Kerberos for client registration, set the option :code:`allow_unauthenticated_registration` to ``True``.

Finally, restart the waptserver and wapttasks services.

.. code-block:: bash

   systemctl restart waptserver wapttasks

You will need to modify the :ref:`waptserver.ini `.

* Then, you will need to add these options in the :file:`waptserver.ini`:

.. code-block:: ini

   ldap_account_service_login = wapt-ldap@ad.tranquil.it
   ldap_account_service_password = PASSWORD
   ldap_auth_server = srvads.mydomain.lan
   ldap_auth_base_dn = dc=mydomain,dc=lan
   use_kerberos = True

The :code:`ldap_account_service_login` and :code:`ldap_account_service_password` options require a service user account on your Active Directory. The service account does not need elevated rights, just enough rights to read groups and group members.

* Finally, restart the services on the WAPT Server:

.. code-block:: bash

   systemctl restart waptserver wapttasks

Configuring the WAPT Agent
--------------------------

On the client side, you will have to make sure that these two options are set in the :ref:`wapt-get.ini ` of the WAPT Agent:

.. code-block:: ini

   service_auth_type = waptserver-ldap
   use_kerberos = True

It is possible to make changes in :file:`wapt-get.ini` manually or by deploying a WAPT package with the new configuration settings. An `example package `_ is available from the Tranquil IT repository.

With this configuration, you can launch your WAPT Console or your selfservice without being prompted for a password. To make this feature work, the Active Directory has to be available.

.. note::

   The WAPT Console will continue to ask for a login / password. This is perfectly normal: this way you can use another user than the one currently logged in the underlying desktop session. Otherwise, you just have to enter your login and click on :guilabel:`OK`.

.. _ldap_enable_ssl_tls_support:

Enabling SSL/TLS support for the LDAP connection to the Active Directory Domain Controller
===========================================================================================

By default, authentication on Active Directory relies on LDAP SSL (default port 636). SSL/TLS is not enabled by default on Microsoft Active Directory until an SSL certificate has been configured for the Domain Controller.

.. note::

   The WAPT Server uses the Certificate Authority *bundles* of the operating system to validate the SSL/TLS connection to Active Directory.

   If the Active Directory certificate is self-signed or has been signed by an internal :abbr:`CA (Certificate Authority)`, you will need to add the certificates to the operating system certificate store.

   To do so, add the :term:`Certificate Authority` certificate in :file:`/etc/pki/ca-trust/source/anchors/` and update the certificate store.

.. tabs::

   .. code-tab:: bash Debian and derivatives

      cp cainterne.crt /usr/local/share/ca-certificates/cainterne.crt
      update-ca-certificates

   .. code-tab:: bash RedHat and derivatives

      cp cainterne.crt /etc/pki/ca-trust/source/anchors/cainterne.crt
      update-ca-trust

   .. code-tab:: batch Windows

      certutil -addstore -f "ROOT" cainterne.crt

* Once you have set up LDAP SSL/TLS on your Active Directory (please refer to the Microsoft documentation for that), you can enable support for SSL/TLS security for AD in :file:`waptserver.ini`.

.. code-block:: ini

   ldap_auth_ssl_enabled = True

* Restart the :program:`waptserver` service.
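As an added example that is not WAPT code, the following Python script audits the two configuration files discussed on this page: it interprets the ``verify_cert`` value of :file:`wapt-get.ini` the way the table in the certificate chapter above describes, and it checks the :file:`waptserver.ini` options of this chapter (``wapt_admin_group`` versus ``wapt_admin_group_dn``, the options that must accompany ``use_kerberos`` for console SSO, ``ldap_auth_ssl_enabled``). The function names and both sample ini texts are constructed here; the option names and paths are the ones quoted on this page.

```python
"""Audit of the WAPT ini settings described on this page.

Added example, not WAPT's own code. Function names and the sample ini texts
are constructed; option names and paths are the ones quoted on the page.
"""
import configparser
from typing import List, Optional, Tuple

# Bundle used by the agent when verify_cert = 1 (path quoted on the page).
CERTIFI_BUNDLE = r"C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem"

# Options that must accompany use_kerberos = True for console / self-service SSO.
SSO_OPTIONS = (
    "ldap_account_service_login",
    "ldap_account_service_password",
    "ldap_auth_server",
    "ldap_auth_base_dn",
)

# Constructed wapt-get.ini as left by 'wapt-get enable-check-certificate' (pinned certificate).
SAMPLE_AGENT_INI = """\
[global]
verify_cert = C:\\Program Files (x86)\\wapt\\ssl\\server\\srvwapt.mydomain.lan.crt
"""

# Constructed waptserver.ini containing several of the mistakes this page warns about.
SAMPLE_SERVER_INI = """\
[options]
wapt_admin_group = waptadmins, wapttech
wapt_admin_group_dn = cn=waptadmins,cn=users,dc=mydomain,dc=lan
ad_domain_name = mydomain.lan
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = PASSWORD
ldap_auth_server = srvads.mydomain.lan
use_kerberos = False
"""


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse ini text; interpolation is off so a '%' in a password stays literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def agent_tls_verification(agent_cfg: configparser.ConfigParser) -> Tuple[str, Optional[str]]:
    """Map [global] verify_cert of wapt-get.ini to what the WAPT Agent will trust.

    Returns (mode, bundle): ('disabled', None) for 0, ('system-bundle', certifi
    cacert.pem) for 1, or ('pinned', <path>) when a certificate file is given.
    """
    value = agent_cfg.get("global", "verify_cert", fallback="0").strip()
    if value == "0":
        return "disabled", None
    if value == "1":
        return "system-bundle", CERTIFI_BUNDLE
    return "pinned", value


def admin_groups(server_cfg: configparser.ConfigParser) -> List[str]:
    """wapt_admin_group is a comma separated list of group sAMAccountNames."""
    raw = server_cfg.get("options", "wapt_admin_group", fallback="")
    return [group.strip() for group in raw.split(",") if group.strip()]


def audit_server_auth(server_cfg: configparser.ConfigParser) -> List[str]:
    """Findings for the [options] section of waptserver.ini, one string each."""
    options = server_cfg["options"]
    findings = []

    if admin_groups(server_cfg) and options.get("wapt_admin_group_dn"):
        findings.append("wapt_admin_group and wapt_admin_group_dn are both set; use only one of them")

    # Any SSO option present means SSO is intended: then all of them and use_kerberos are required.
    if any(options.get(key) for key in SSO_OPTIONS):
        for key in SSO_OPTIONS:
            if not options.get(key):
                findings.append(f"{key} is missing; console SSO needs all of: {', '.join(SSO_OPTIONS)}")
        if not options.getboolean("use_kerberos", fallback=False):
            findings.append("use_kerberos is not True; console SSO needs Kerberos enabled on the WAPT Server")

    if not options.getboolean("ldap_auth_ssl_enabled", fallback=False):
        findings.append("ldap_auth_ssl_enabled is not True; enable it once LDAPS is configured on the domain controller")

    return findings


if __name__ == "__main__":
    print(agent_tls_verification(load_ini(SAMPLE_AGENT_INI)))
    for finding in audit_server_auth(load_ini(SAMPLE_SERVER_INI)):
        print("-", finding)
```

Run it against the real files by reading them with ``open()`` and passing the text to ``load_ini``; a clean server configuration returns an empty list of findings.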
.. _client_side_certificate_authentication:

***********************************************************************
Configuring Client-Side Certificate Authentication |enterprise_feature|
***********************************************************************

If your business needs a public WAPT Server on the Internet, it can be secured with **Client-Side Certificate Authentication**.

That configuration restricts the visibility of the WAPT Server to registered WAPT clients only. It relies on the WAPT Agent private key generated during registration.

It works as follows:

* The WAPT Agent sends a :abbr:`CSR (Certificate Signing Request)` to the WAPT Server, which signs it and sends the certificate back to the WAPT Agent.
* Using the signed certificate, the Agent can access the protected parts of the :program:`Nginx` web server.

.. note::

   We strongly recommend enabling Kerberos or login / password registration in the WAPT Server post-configuration.

.. warning::

   All actions are to be carried out on the WAPT Server.

Enabling Client-Side Certificate Authentication on WAPT Server
==============================================================

.. warning::

   For **Linux**, check that the symbolic link in :file:`sites-enabled` exists:

   .. code-block:: bash

      cd /etc/nginx/sites-enabled/
      find . -maxdepth 1 -type l -ls

   The expected result should be:

   .. code-block:: bash

      269091      0 lrwxrwxrwx   1 root     root           36 juil. 22 15:51 ./wapt.conf -> /etc/nginx/sites-available/wapt.conf

   Otherwise use the following command:

   .. code-block:: bash

      ln -s /etc/nginx/sites-available/wapt.conf ./wapt.conf

To enable the authentication, you need to add this parameter to the WAPT :ref:`server configuration file ` in the ``[options]`` section:

.. code-block:: ini

   use_ssl_client_auth = True

Relaunch the post-configuration script.

.. attention::

   Please note that as of |date|, WAPT does not support :abbr:`CRL (Certificate Revocation Lists)`, which means that when you delete a host in the WAPT Console, the host will still have access to the WAPT repository.

The WAPT Deployment utility cannot use **https** to retrieve the WAPT Agent, so you will have to add this server section to the :program:`Nginx` configuration file:

.. code-block:: nginx

   server {
       listen 80;
       listen [::]:80;
       server_name _;

       location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe)$ {
           add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
           add_header Pragma "no-cache";
           root "/var/www";
       }

       return 301 https://$host$request_uri;
   }
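To see which resources this server block leaves reachable over plain HTTP, and therefore outside the client certificate authentication, the following Python function replays its decision for a request. It is an added example, not WAPT's or :program:`Nginx`'s code: the location regex and root are taken from the block above and the no-cache headers follow it, while the function names and sample request URIs are constructed here. The query-string handling mirrors :program:`Nginx`, which matches locations against the URI without its query string but redirects with the full ``$request_uri``.

```python
"""Model of the plain-HTTP server block used for the WAPT Deployment utility.

Added example, not WAPT's or Nginx's code. The regex and root come from the
block on this page; function names and sample URIs are constructed.
"""
import re
from typing import Dict, List, Tuple

# Copied from the location directive. Nginx '~' locations are case sensitive
# (note that the dots are unescaped, so each matches any single character).
PLAIN_HTTP_ALLOWED = re.compile(r"^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe)$")
DOCUMENT_ROOT = "/var/www"
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Pragma": "no-cache",
}


def route_plain_http(host: str, request_uri: str) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response headers, served file or '') for an http:// request.

    'host' is the Host header ($host, since server_name is '_'); request_uri is
    the raw URI including any query string ($request_uri).
    """
    # Nginx matches locations against the URI without its query string.
    path = request_uri.split("?", 1)[0]
    if PLAIN_HTTP_ALLOWED.match(path):
        # Only the three agent installers are served in clear text, uncached.
        return 200, dict(NO_CACHE_HEADERS), DOCUMENT_ROOT + path
    # Everything else (repository, API, console endpoints) is sent to HTTPS,
    # where client certificate authentication applies.
    return 301, {"Location": f"https://{host}{request_uri}"}, ""


def exposed_over_plain_http(request_uris: List[str]) -> List[str]:
    """Subset of the given URIs that the block serves without redirecting to HTTPS."""
    return [uri for uri in request_uris if route_plain_http("srvwapt.mydomain.lan", uri)[0] == 200]


if __name__ == "__main__":
    for uri in ("/wapt/waptagent.exe", "/wapt/waptagent.exe?v=2", "/wapt/Packages", "/api/v3/hosts"):
        print(uri, "->", route_plain_http("srvwapt.mydomain.lan", uri))
```

The two things worth noticing when running it: a query string does not stop the installers from being served, and any path that differs in case or name (``/WAPT/waptagent.exe``, ``/wapt/Packages``) is redirected to HTTPS rather than served.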