Warning

CSPN (First Level Security Certification by ANSSI) mode does not include WAPTWUA, WADS, Secondary Repos or Peercache. These features are not part of the Target Of Evaluation (TOE).

Attention

For post-configuration to work properly:

  • The hostname of the WAPT Server MUST be properly configured. To check, use the command echo $(hostname) which MUST return the DNS address that will be used by WAPT Agents on client computers.

  • The DNS resolver MUST be correctly configured.

  • The WAPT Server MUST be able to contact a Domain Controller in write mode.

The post-configuration script rewrites the nginx configuration. When the postconf runs, a backup of the previous configuration file is created in the same directory.

This post-configuration script MUST be run as root.

In CSPN mode, the WAPT Server installation activates more security features and is less tolerant with misconfigurations.

In this mode:

  • Administrator password length is 20 characters and password complexity is enforced.

  • Administrator and user certificate password length is 20 characters and password complexity is enforced.

  • Kerberos registration and authentication are mandatory.

  • Client-Side Certificate Authentication is mandatory.

  • The SSL certificate verification is mandatory.

  • Various backward compatibility settings are disabled.

  • Functionalities excluded from the CSPN TOE (namely secondary repositories, peercache, WADS and WAPT WUA) are disabled.

  • Waptconsole login on server is restricted to kerb and *admin methods (admin mode can be disabled after initial setup).

  • Session cookies maximum lifetime is 12 hours.

  • Default lifetime for certificates signed by WAPT is 3 years.


Hint

If you want to stick to one specific WAPT version on the server, such as a specific CSPN version, it is recommended to disable the wapt repository configuration by removing /etc/yum.repos.d/wapt.conf, or to pin the full version number in that same file, like baseurl=https://wapt.tranquil.it/redhat10/wapt-2.6.1.17567/

The Kerberos service account created for authentication on the WAPT Server must be configured with msDS-SupportedEncryptionTypes: 24 (AES 128, AES 256), either AD wide or at least on the service computer object. The msktutil script run during postconf should set this value correctly.

  • Run the script with option --cspn-toe.

/opt/wapt/waptserver/scripts/postconf.sh --cspn-toe
  • Click on Yes to run the postconf script.

do you want to launch post configuration tool?

            < yes >          < no >
  • Choose a password (if not defined) for the SuperAdmin account of the WAPT Server. The minimum length is 20 characters, with at least 1 upper case character, 1 lower case character and 1 punctuation mark.

Please enter the wapt server password (min. 20 characters, punctuation, upper and lower case):

*****************

                < OK >          < Cancel >
  • Confirm the password.

Please enter the server password again:

*****************

                < OK >          < Cancel >
  • Select Yes to configure Nginx.

Do you want to configure nginx?

        < Yes >        < No >
  • Fill in the FQDN of the WAPT Server.

FQDN for the WAPT Server (eg. wapt.example.com)

---------------------------------------------
wapt.mydomain.lan
---------------------------------------------

            < OK >          < Cancel >
  • Enter the Kerberos Realm name.

Enter Kerberos REALM

-------------------------------------------
MYDOMAIN.LAN
-------------------------------------------

            < OK >          < Cancel >
  • Enter a valid Domain Controller name.

Enter a Domain Controller name in write mode

-------------------------------------------
dc1
-------------------------------------------

            < OK >          < Cancel >
  • Enter a username having write privilege on the Active Directory.

Enter a username with administrator privileges

-------------------------------------------
administrator
-------------------------------------------

            < OK >          < Cancel >
  • Enter the username’s password.

Enter administrator password

-------------------------------------------
*****************************
-------------------------------------------

            < OK >          < Cancel >
  • If the credentials are correct, the keytab is generated in /etc/nginx/http-krb5.keytab and the correct ACLs are set. Otherwise, consult the documentation.

  • Restart Nginx.

The Nginx config is done.
We need to restart Nginx?

              < OK >
  • The last step starts the waptserver and wapttasks daemons.

Press OK to start
waptserver and wapttasks
daemons

              < OK >

The post-configuration is now finished.

Postconfiguration completed.

                                  < OK >

In CSPN TOE mode, TOTP is additionally required on the admin account.

secure postconf OTP code

Use your second device (smartphone, YubiKey, etc.) to obtain the code for the QR code shown in the picture. Enter the code in the dedicated field.

Note

If you are having problems with your Kerberos setup, check the owner and the permissions of the keytab file (http-krb5.keytab):

chown root:nginx /etc/nginx/http-krb5.keytab
chmod 640 /etc/nginx/http-krb5.keytab
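As an added pre-flight script (not part of WAPT or its postconf.sh), the following checks the prerequisites listed at the top of this page (FQDN hostname, resolver, reachable writable Domain Controller), the keytab ownership from the Note above, and the CSPN password rule. It assumes bash (for /dev/tcp), coreutils timeout and stat, getent, and the keytab path used on this page; the script name preflight.sh and the default DC name dc1 are the page's example values.

```shell
#!/bin/bash
# Added pre-flight check, not part of WAPT's own postconf.sh. Assumes bash (for
# /dev/tcp), coreutils timeout/stat, getent, and the keytab path used on this page.

# The value agents will use must be a fully-qualified DNS name (dotted labels).
is_fqdn() {
  printf '%s\n' "$1" | grep -Eqi '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Mirrors the page's "echo $(hostname)" check: the hostname must be the FQDN
# agents will contact, and the configured resolver must be able to resolve it.
check_hostname() {
  h=$(hostname)
  is_fqdn "$h" || { echo "hostname '$h' is not an FQDN"; return 1; }
  getent hosts "$h" >/dev/null || { echo "resolver cannot resolve '$h'"; return 1; }
  echo "hostname OK: $h"
}

# msktutil needs Kerberos (tcp/88) and LDAP (tcp/389) on a writable Domain Controller.
check_dc() {
  for port in 88 389; do
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$port" 2>/dev/null \
      || { echo "cannot reach $1 on tcp/$port"; return 1; }
  done
  echo "DC reachable: $1"
}

# Ownership and mode nginx needs on the keytab (root:nginx, 0640), as in the Note.
check_keytab() {
  kt=${1:-/etc/nginx/http-krb5.keytab}
  [ -f "$kt" ] || { echo "$kt missing (postconf generates it)"; return 1; }
  actual=$(stat -c '%U:%G %a' "$kt")
  [ "$actual" = "root:nginx 640" ] || { echo "$kt is $actual, expected root:nginx 640"; return 1; }
  echo "keytab OK"
}

# Password rule postconf enforces in CSPN mode: >= 20 chars, upper, lower, punctuation.
password_ok() {
  [ "${#1}" -ge 20 ] || return 1
  case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $1 in *[[:punct:]]*) ;; *) return 1 ;; esac
}

# Usage: preflight.sh <domain-controller>  (run as root, before postconf.sh --cspn-toe)
if [ "$(basename "$0")" = "preflight.sh" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root"; exit 1; }
  check_hostname && check_dc "${1:-dc1}" && check_keytab
fi
```

Run it before the postconf: a non-zero exit names the first prerequisite that postconf.sh --cspn-toe would otherwise fail on.
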

Listing of post-configuration script options

Option                         Description
--force-https or -s            Configures Nginx so that port 80 is permanently redirected to 443.
--cspn-toe                     Defines the settings for CSPN TOE mode (default: False).
--server-names=SERVER_NAMES    Defines the server name and IP for the certificate CN and altdnsnames. Separator is a comma (default: None).

Warning

In CSPN mode, WADS and WUA do not appear in the WAPT console. The Peer Cache and Secondary Repositories features can still be enabled, but they should not be activated because they are not assessed in the CSPN target.

Enabling Peer Cache in the WAPT console:

By editing a new agent configuration:

Go to Tools ‣ Edit agent dynamic configurations. Check the option Use Peer Cache.

By using a WAPT configuration package:

Create a package in WAPT Packages ‣ Make package template from setup file → Host agent dynamic configuration. Check the option Use Peer Cache.

Enabling Secondary Repositories in the WAPT console:

For the agent:

By editing a new agent configuration:

Go to Tools ‣ Edit agent dynamic configurations. Check Use repository rules.

By using a WAPT configuration package:

Create a package in WAPT Packages ‣ Make package template from setup file → Host agent dynamic configuration. Check the option Use repository rules.

For configuring an agent as a secondary repository:

By editing a new agent configuration:

Go to Tools ‣ Edit agent dynamic configurations. Go to the Repo-sync tab and check Synchronize packages and system updates on the agent.

By using a WAPT configuration package:

Create a package in WAPT Packages ‣ Make package template from setup file → Host agent dynamic configuration. Go to the Repo-sync tab and check Synchronize packages and system updates on the agent.