.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. meta::
  :description: WAPT Server post-configuration script
  :keywords: waptserver, WAPT, preferences, post-configuration, documentation, security, the WAPT Server



.. _wapt_postconf_cspn:

.. warning::

  **CSPN (First Level Security Certification by ANSSI) mode does not include WAPTWUA, WADS, Secondary Repos or Peercache. These features are not part of the Target Of Evaluation (TOE).**

.. attention::

  For post-configuration to work properly:

    * The *hostname* of the WAPT Server **MUST** be properly configured.
      To check, use the command :command:`echo $(hostname)` which **MUST** return the DNS address that will be used by WAPT Agents on client computers.
  
    * The DNS resolver **MUST** be correctly configured.
    
    * The WAPT Server **MUST** be able to contact a Domain Controller in write mode.

  The post-configuration script rewrites the nginx configuration.
  A backup file is created when running the postconf in the same directory.

  This post-configuration script **MUST** be run as **root**.
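
The three preconditions above can be checked before the script is launched. The following pre-flight script is an added example and is not part of :file:`postconf.sh` or of the WAPT project; it assumes a glibc system with ``getent``, coreutils ``timeout`` and ``bash`` (used for the ``/dev/tcp`` connectivity test) and takes the Domain Controller name as its argument. It verifies that the controller answers on the Kerberos and LDAP ports; whether the account you will supply really has write access is only verified by the postconf itself.

```shell
#!/bin/sh
# Added pre-flight checks for the WAPT Server post-configuration (example code,
# not part of postconf.sh). Assumes glibc getent, coreutils timeout and bash.

# 1. hostname: must be a dotted FQDN (valid labels, no trailing dot), because
#    agents will use exactly this string to reach the server.
is_fqdn() {
  printf '%s\n' "$1" | grep -Eiq \
    '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# 2. DNS resolver: the name must resolve through the configured resolver
#    (getent goes through NSS, the same path nginx and msktutil use).
resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# 3. Domain Controller: reachable on Kerberos (88/tcp) and LDAP (389/tcp);
#    msktutil, run by postconf, needs both to create the account and keytab.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

dc_reachable() {
  tcp_open "$1" 88 && tcp_open "$1" 389
}

# Prints one verdict per check; returns 0 only when every check passed, so the
# result can gate the postconf invocation. Argument: Domain Controller name.
preflight() {
  dc="$1"
  host="$(hostname)"
  rc=0
  if is_fqdn "$host"; then
    echo "ok   hostname is an FQDN: $host"
  else
    echo "FAIL hostname is not an FQDN: $host"; rc=1
  fi
  if resolves "$host"; then
    echo "ok   $host resolves"
  else
    echo "FAIL $host does not resolve: check the DNS resolver"; rc=1
  fi
  if [ -n "$dc" ] && dc_reachable "$dc"; then
    echo "ok   $dc answers on 88/tcp and 389/tcp"
  else
    echo "FAIL domain controller '$dc' unreachable on 88/tcp or 389/tcp"; rc=1
  fi
  return "$rc"
}

# Usage (as root, before running the script; dc1.mydomain.lan is a placeholder):
#   . ./preflight.sh && preflight dc1.mydomain.lan \
#     && /opt/wapt/waptserver/scripts/postconf.sh --cspn-toe
```

``is_fqdn`` rejects short names such as ``wapt`` and names with a trailing dot, both of which would end up verbatim in the agents' configuration; ``preflight`` keeps going after a failure so that all three verdicts are printed in one run.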
  
In :abbr:`CSPN (Certification de Sécurité de Premier Niveau, First Level Security Certification)` mode, the WAPT Server installation activates more security features and is less tolerant of misconfigurations. A CSPN, issued by ANSSI, validates the security of a standard IT product; here the WAPT product is placed within the framework of a CSPN evaluation.

In this mode:

  * Administrator password minimum length is 20 characters and password complexity is enforced.

  * Administrator and user certificate password minimum length is 20 characters and password complexity is enforced.

  * Kerberos registration and authentication are mandatory.

  * Client-Side Certificate Authentication is mandatory.

  * The SSL certificate verification is mandatory.

  * Various backward compatibility settings are disabled.

  * Functionalities excluded from the :abbr:`CSPN (Certification de Sécurité de Premier Niveau)` :abbr:`TOE (Target of Evaluation)` (namely secondary repositories, peercache, WADS and WAPT WUA) are disabled.

  * Waptconsole login on the server is restricted to the *kerb* and *admin* methods (admin mode can be disabled after initial setup).

  * Session cookies maximum lifetime is 12 hours.

  * Default lifetime for certificates signed by WAPT is 3 years.

|

.. hint::

  If you want to stick to one specific WAPT version on the server, such as a specific CSPN version, it is recommended to disable the WAPT repository configuration by removing :file:`/etc/yum.repos.d/wapt.conf`, or to pin the full version number in that same file, for example :code:`baseurl=https://wapt.tranquil.it/redhat10/wapt-2.6.1.17567/`.


The Kerberos service account created for authentication on the WAPT Server must be configured with ``msDS-SupportedEncryptionTypes: 24`` (AES 128, AES 256), either AD-wide or at least on the service computer object.
The msktutil script run during postconf should set this value correctly.
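
The value 24 is a bitmask, so it is easy to read it back from the directory and confirm that only the two AES types are enabled. The helper below is an added example, not part of :file:`postconf.sh` or of msktutil; the bit values are the documented Active Directory flags for this attribute, and the Domain Controller, base DN and account name in the usage are placeholders you replace with your own.

```shell
#!/bin/sh
# Added helper (not part of postconf.sh or msktutil) to decode and check the
# msDS-SupportedEncryptionTypes value of the Kerberos service account.
# Bit values are the documented Active Directory flags for this attribute:
#   1 DES_CBC_CRC, 2 DES_CBC_MD5, 4 RC4_HMAC, 8 AES128, 16 AES256

# Prints the symbolic names of the encryption types enabled in a bitmask,
# space separated in ascending bit order; e.g. 24 -> "AES128 AES256".
decode_enctypes() {
  v="$1"; out=""
  for pair in 1:DES_CBC_CRC 2:DES_CBC_MD5 4:RC4_HMAC 8:AES128 16:AES256; do
    bit="${pair%%:*}"; name="${pair#*:}"
    if [ $(( v & bit )) -ne 0 ]; then
      out="${out:+$out }$name"
    fi
  done
  echo "$out"
}

# Returns 0 when the value matches what this page requires: both AES types
# enabled and nothing weaker (DES, RC4) offered, i.e. the value 24.
# A mask that still carries RC4 lets clients negotiate RC4 service tickets.
# A missing or non-numeric value (ldapsearch failed) is treated as a failure.
enctypes_ok() {
  v="$1"
  case "$v" in ''|*[!0-9]*) return 1 ;; esac
  [ $(( v & 8 )) -ne 0 ] && [ $(( v & 16 )) -ne 0 ] && [ $(( v & 7 )) -eq 0 ]
}

# Reads the attribute from AD for a given account. Arguments (placeholders):
# DC host, base DN, sAMAccountName. Authentication uses the current Kerberos
# ticket (run kinit first) through SASL GSSAPI, so no password appears on the
# command line or in the shell history.
fetch_enctypes() {
  ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b "$2" \
    "(sAMAccountName=$3)" msDS-SupportedEncryptionTypes \
    | sed -n 's/^msDS-SupportedEncryptionTypes: //p'
}

# Usage (all names are placeholders for your own domain and service account):
#   kinit administrator@MYDOMAIN.LAN
#   v=$(fetch_enctypes dc1.mydomain.lan DC=mydomain,DC=lan 'wapt$')
#   enctypes_ok "$v" || echo "unexpected enctypes: $(decode_enctypes "$v")"
```

The check is deliberately strict: a value such as 28 (RC4 plus both AES types) decodes fine but is rejected, because it is not the configuration this page asks for.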

* Run the script with option ``--cspn-toe``.

.. code-block:: bash

  /opt/wapt/waptserver/scripts/postconf.sh --cspn-toe

* Click on :guilabel:`Yes` to run the postconf script.

.. code-block:: bash

  do you want to launch post configuration tool?

              < yes >          < no >
              
* Choose a password (if not defined) for the :term:`SuperAdmin` account of the WAPT Server.
  The minimum length is 20 characters with at least 1 upper case character, 1 lower case character and 1 punctuation mark.

.. code-block:: bash

  Please enter the wapt server password (min. 20 characters, punctuation, upper and lower case):

  *****************

                  < OK >          < Cancel >

* Confirm the password.

.. code-block:: bash

  Please enter the server password again:

  *****************

                  < OK >          < Cancel >


* Select :guilabel:`Yes` to configure Nginx.

.. code-block:: bash

  Do you want to configure nginx?

          < Yes >        < No >

* Fill in the :term:`FQDN` of the WAPT Server.

.. code-block:: bash

  FQDN for the WAPT Server (eg. wapt.example.com)

  ---------------------------------------------
  wapt.mydomain.lan
  ---------------------------------------------

              < OK >          < Cancel >

* Enter the Kerberos Realm name.

.. code-block:: bash

  Enter Kerberos REALM
  
  -------------------------------------------
  MYDOMAIN.LAN
  -------------------------------------------

              < OK >          < Cancel >
              
* Enter a valid Domain Controller name.

.. code-block:: bash

  Enter a Domain Controller name in write mode
  
  -------------------------------------------
  dc1
  -------------------------------------------

              < OK >          < Cancel >
              
* Enter a username having write privilege on the Active Directory.

.. code-block:: bash

  Enter a username with administrator privileges
  
  -------------------------------------------
  administrator
  -------------------------------------------

              < OK >          < Cancel >

* Enter the username's password.

.. code-block:: bash

  Enter administrator password
  
  -------------------------------------------
  *****************************
  -------------------------------------------

              < OK >          < Cancel >

* If the credentials are correct, the keytab is generated in :file:`/etc/nginx/http-krb5.keytab`
  and the correct ACLs are set on it.
  Otherwise, refer to the documentation.

* Restart Nginx.

.. code-block:: bash

  The Nginx config is done.
  We need to restart Nginx?

                < OK >

* The last step starts the waptserver and wapttasks daemons.

.. code-block:: bash

  Press OK to start 
  waptserver and wapttasks
  daemons

                < OK >

The post-configuration is now finished. 

.. code-block:: bash

  Postconfiguration completed.
  
                                    < OK >

In CSPN TOE mode, TOTP is additionally required on the admin account.

.. figure:: wapt-resources/secure_postconf_OTP_code.png
  :scale: 50%
  :align: center
  :alt: secure postconf OTP code

  secure postconf OTP code

Use your second device (smartphone, YubiKey, etc.) to get the code shown in the picture, then enter the code in the dedicated field.

.. note::

  If you are having problems with your Kerberos setup, check the owner and the permissions of the keytab file (:file:`http-krb5.keytab`).

  .. code-block:: bash

    chown root:nginx /etc/nginx/http-krb5.keytab
    chmod 640 /etc/nginx/http-krb5.keytab
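
Besides ownership and mode, it is worth confirming that the keytab actually holds the ``HTTP/`` service principal for the server's FQDN and only AES keys, which is what the ``msDS-SupportedEncryptionTypes`` value above implies. The helper below is an added example, not part of WAPT; it assumes GNU ``stat`` and MIT Kerberos ``klist`` (the embedded listing is a constructed sample in ``klist -ke`` format) and uses the keytab path from the note above.

```shell
#!/bin/sh
# Added keytab sanity checks (example code, not part of WAPT). Assumes GNU
# coreutils stat and MIT Kerberos klist.

KEYTAB=/etc/nginx/http-krb5.keytab

# Constructed sample of 'klist -ke' output, used to illustrate the parsers
# below; the third entry is the kind of key the checks are meant to catch.
SAMPLE_KLIST='Keytab name: FILE:/etc/nginx/http-krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/wapt.mydomain.lan@MYDOMAIN.LAN (aes256-cts-hmac-sha1-96)
   2 HTTP/wapt.mydomain.lan@MYDOMAIN.LAN (aes128-cts-hmac-sha1-96)
   2 HTTP/wapt.mydomain.lan@MYDOMAIN.LAN (arcfour-hmac)'

# Returns 0 when the file exists, is owned by owner:group and has exactly the
# given octal mode; e.g. keytab_perms_ok /etc/nginx/http-krb5.keytab root nginx 640
keytab_perms_ok() {
  [ -f "$1" ] || return 1
  [ "$(stat -c '%U:%G %a' "$1")" = "$2:$3 $4" ]
}

# Reads a 'klist -ke' listing on stdin and prints every entry whose key is not
# AES (arcfour/RC4 or DES). No output means the keytab is AES-only.
weak_keytab_entries() {
  grep -E '\((arcfour|des)[^)]*\)' || true
}

# Same input; returns 0 when at least one key for HTTP/<fqdn>@<REALM> exists,
# the principal nginx needs to accept SPNEGO tickets for that server name.
keytab_has_http_principal() {
  grep -qF "HTTP/$1@$2"
}

# Runs all checks against the real keytab (needs read access, hence root).
# Arguments: server FQDN and Kerberos realm, as entered during the postconf.
check_keytab() {
  fqdn="$1"; realm="$2"
  keytab_perms_ok "$KEYTAB" root nginx 640 \
    || echo "FAIL owner/mode on $KEYTAB (expected root:nginx 640)"
  listing="$(klist -ke "$KEYTAB")" || return 1
  printf '%s\n' "$listing" | keytab_has_http_principal "$fqdn" "$realm" \
    || echo "FAIL no HTTP/$fqdn@$realm key in $KEYTAB"
  weak="$(printf '%s\n' "$listing" | weak_keytab_entries)"
  [ -z "$weak" ] || printf 'WARN non-AES keys present:\n%s\n' "$weak"
}

# Usage: check_keytab wapt.mydomain.lan MYDOMAIN.LAN
```

Against the constructed sample, ``weak_keytab_entries`` reports the single ``arcfour-hmac`` entry; on a keytab produced with the AES-only setting above it prints nothing.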

.. list-table:: Listing of post-configuration script options
  :header-rows: 1
  :widths: 40 60
  :align: center

  * - Options
    - Description
  * - ``--force-https`` or ``-s``
    - Configures :program:`Nginx` so that *port 80 is permanently redirected to 443*.
  * - ``--cspn-toe``
    - Defines the settings for CSPN TOE mode (default: False).
  * - ``--server-names=SERVER_NAMES``
    - Defines the server name and ip for certificate :abbr:`CN (Common Name)` and altdnsnames.
      Separator is a comma (default: None).

.. warning::

  In **CSPN mode**, WADS and WUA will not appear in the WAPT console.
  The Peer Cache and Secondary Repositories features can still be enabled, but **they should not be activated**, because they are not assessed in the CSPN target.

  Enabling *Peer Cache* in the WAPT console:
      By editing a new agent configuration:

        Go to :menuselection:`Tools --> Edit agent dynamic configurations`.
        Check the option :guilabel:`Use Peer Cache`.

      By using a WAPT configuration package:

        Create a package in :guilabel:`WAPT Packages` → :menuselection:`Make package template from setup file --> Host agent dynamic configuration`.
        Check the option :guilabel:`Use Peer Cache`.

  Enabling *Secondary Repositories* in the WAPT console:
    *For the agent:*
      By editing a new agent configuration:

        Go to :menuselection:`Tools --> Edit agent dynamic configurations`.
        Check :guilabel:`Use repository rules`.

      By using a WAPT configuration package:

        Create a package in :guilabel:`WAPT Packages` → :menuselection:`Make package template from setup file --> Host agent dynamic configuration`.
        Check the option :guilabel:`Use repository rules`.

    *For configuring an agent as a secondary repository:*
      By editing a new agent configuration:

        Go to :menuselection:`Tools --> Edit agent dynamic configurations`.
        Go to the :guilabel:`Repo-sync` tab and check :guilabel:`Synchronize packages and system updates on the agent`.

      By using a WAPT configuration package:

        Create a package in :guilabel:`WAPT Packages` → :menuselection:`Make package template from setup file --> Host agent dynamic configuration`.
        Go to the :guilabel:`Repo-sync` tab and check :guilabel:`Synchronize packages and system updates on the agent`.


