.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. meta::
  :description: WAPT Serveur Post-configuration script
  :keywords: waptserver, WAPT, preferences, post-configuration, documentation, security, the WAPT Server



.. note::

  For the CSPN security certification mode, please :ref:`visit this documentation <wapt_postconf_cspn>`.

.. _wapt_postconf:

.. attention::

  For post-configuration to work properly:

    * The *hostname* of the WAPT Server **MUST** be properly configured.
      To check, use the command :command:`echo $(hostname)` which **MUST** return the DNS address that will be used by WAPT Agents on client computers.
  
    * The DNS resolver **MUST** be correctly configured.
    
    * The WAPT Server **MUST** be able to contact a Domain Controller in write mode for Kerberos authentication mode.

  The post-configuration script rewrites the nginx configuration.
  A backup of the previous file is created in the same directory when the postconf runs.

  This post-configuration script **MUST** be run as **root**.

|

* Run the script.

.. code-block:: bash

  /opt/wapt/waptserver/scripts/postconf.sh

* Click on :guilabel:`Yes` to run the postconf script.

.. code-block:: bash

  Do you want to launch post configuration tool?

              < yes >          < no >

* Choose a password (**if not defined**) for the :term:`SuperAdmin` account of the WAPT Server (minimum length is 10 characters).

.. code-block:: bash

  Please enter the wapt server password (min. 10 characters)

  *****************

                  < OK >          < Cancel >

* Confirm the password.

.. code-block:: bash

  Please enter the server password again:

  *****************

                  < OK >          < Cancel >

* Choose the authentication mode for the initial registering of the WAPT Agents:


  * Choice #1: Allows computers to register without authentication.
    The WAPT Server registers all computers that ask to be registered.

    Without a certificate, it is not possible to download WAPT Packages and query some WAPT Server endpoints.
    
    **This method is recommended if you are installing WAPT for the first time.**

  * Choice #2: Activates the initial registration based on Kerberos (you can activate it later).

    If you experience problems while upgrading, **or** if you use a reverse proxy, this method is recommended while upgrading.

    If you want to use option 2 and your Kerberos keytab does not exist, the :file:`postconf.sh` script will create it after you validate option 2.

    .. blue_toggle::
      :titleen: Creating your keytab after selecting the enable Kerberos option for the first time.
      :titlefr: Création de votre Keytab, après selection de l'activation kerberos pour la première fois.

      .. code-block:: bash

        Enter Kerberos REALM (domain name)

        -----------------------------------
        MYDOMAIN.LAN
        -----------------------------------

              < Yes >        < Cancel >


      .. code-block:: bash

        Enter a Domain Controller name in write mode

        -----------------------------------
        srvads1.mydomain.lan
        -----------------------------------

              < Yes >        < Cancel >


      .. code-block:: bash

          Enter a username authorized to join machines to the domain.

          -----------------------------------
          administrator
          -----------------------------------

                < Yes >        < Cancel >


      .. code-block:: bash

          Enter administrator password

          -----------------------------------
          **************
          -----------------------------------

                < Yes >        < Cancel >


      .. code-block:: bash
      
        Enter the URL that will be used by the WAPTAgent

        -----------------------------------
        srvwapt.mydomain.lan
        -----------------------------------

                < Yes >        < Cancel >


      .. code-block:: bash

        Choose the name of the computer used by the waptserver
        
        -----------------------------------
        SRVWAPT
        -----------------------------------

                < Yes >        < Cancel >


      .. tabs::

        .. code-tab:: bash Keytab correctly generated

          Keytab file is correctly generated in /etc/nginx/http-krb5.keytab

                                  < OK >
        
        .. code-tab:: bash Keytab not correctly generated

          Unable to create keytab file. Please refer to 
          https://www.wapt.fr/fr/doc/wapt-security-configuration-server.html#configuring-kerberos-authentication-enterprise-feature

                                                              < OK >

  * Choice #3: Does not activate the Kerberos authentication mechanism for the initial registering of hosts equipped with WAPT.

    The WAPT Server will require a login and a password for each host registering with it.


.. code-block:: bash

  WaptAgent Authentication type?

  --------------------------------------------------------------------------
  (x) 1 Allow unauthenticated registration
  ( ) 2 Enable kerberos authentication required for machines registration.
          Registration will ask for password if kerberos not available
  ( ) 3 Disable kerberos but registration require strong authentication
  --------------------------------------------------------------------------
                                          < OK >          < Cancel >


.. blue_toggle::
  :titleen: Upgrade WAPT 2.X to 2.6, verify the verify_cert option.
  :titlefr: Mise à jour de WAPT de 2.X a 2.6, vérification de l'option verify_cert.

  .. note::
     
    If you are upgrading from WAPT 2.X to 2.5, verify the current configuration of the WAPT Agents and more specifically the :code:`verify_cert` option.
    If in your current configuration :code:`verify_cert` is set to True or to a file path (certificate pinning), then choose option #1 below.
    If in your current configuration :code:`verify_cert` is set to False, then choose option #2 below.
    
  .. code-block:: console

      WaptAgent client certificate checking
      
      ----------------------------------------------------------------------------
      (x) 1 Authenticate Agents using https client certificate (recommended)
      ( ) 2 Don't check https client certificate (legacy)
      ----------------------------------------------------------------------------
                                              < OK >          < Cancel >


* If you want to use WAPT for OS Deployment, select :guilabel:`Yes`.

  * If you have chosen **Yes** to activate OS deployment, the post-configuration will ask whether to use secure authentication to deploy OS images.
    A username and password will then be requested when you deploy OS images using WADS.

  * If you have chosen **No**, Nginx will not enable WADS API endpoints for WAPT Agents.

.. code-block:: bash

  Do you want to activate os deployment?

          < Yes >        < No >


* Secure authentication for WADS requires the user to be authenticated on the machine where the OS deployment will take place.

.. code-block:: bash

  Would you like to activate secure authentication on wads?

          < Yes >        < No >

* Still about WADS, if you answered **Yes** to the last two questions, you will be asked a final question:

.. code-block:: bash

  Would you like to mention subnet ip exempt from wads authentication

          < Yes >        < No >

If you answer **Yes** here too, you will have to give subnets as a list, for example: 192.168.0.0/24,192.168.1.0/24.

* Choose if you want to use WAPT WUA for Windows Update.

.. code-block:: bash

  Do you want to activate WUA?
  
          < Yes >        < No >

If you choose **Yes**, Nginx will enable WUA API endpoints for the WAPT Agents.

* Select :guilabel:`Yes` to configure Nginx.

.. code-block:: bash

  Do you want to configure nginx?

          < Yes >        < No >

* Fill in the :term:`FQDN` of the WAPT Server.

.. code-block:: bash

  FQDN for the WAPT Server (eg. wapt.example.com)

  ---------------------------------------------
  srvwapt.mydomain.lan
  ---------------------------------------------

              < OK >          < Cancel >

* Select :guilabel:`OK` and a self-signed certificate will be generated; this step may take a long time.

.. code-block:: bash

  Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time
  .......................................+...............................+...

Nginx is now configured, select :guilabel:`OK` to restart :program:`Nginx`:

.. code-block:: bash

  The Nginx config is done.
  We need to restart Nginx?

                < OK >

* Select :guilabel:`OK` to start WAPT Server.

.. code-block:: bash

  Press OK to start waptserver and wapttasks daemons

               < OK >

The post-configuration is now finished.

.. code-block:: bash

  Postconfiguration completed.
  Please connect to https://wapt.mydomain.lan/ to access the WAPT Server.

                                    < OK >

.. versionadded:: 2.5

  The access to the WAPT web interface is now password protected.

Finally, the postconf script shows some information about the WAPT Server SSL certificate and the URL from which to download WaptSetup for installation on the WAPT Administrator's computer.

.. list-table:: List of post-configuration script options
  :header-rows: 1
  :widths: 40 60
  :align: center

  * - Options
    - Description
  * - ``-c`` or ``--config``
    - Specifies a configuration file path (default: :file:`/opt/wapt/conf/waptserver.ini`).
  * - ``-s`` or ``--force-https``
    - Configures :program:`Nginx` so that *port 80 is permanently redirected to 443*
  * - ``-q`` or ``--quiet``
    - Runs the post-configuration in quiet mode.
  * - ``-n`` or ``--nginx``
    - Runs nginx configuration if the post-configuration is set in quiet mode.
  * - ``--dhparam-key-size=NUMBER``
    - Defines the size of the dhparam key (default: 2048).
  * - ``-p`` or ``--admin-password``
    - Defines the administrator password for the WAPT Server if the post-configuration is set in quiet mode.
  * - ``--server-names=SERVER_NAMES``
    - Defines the WAPT Server name and IP for the certificate CN and SubjectAltNames.
      The separator is a comma (default: FQDN and IP address).
  * - ``--cspn-toe``
    - Defines settings for CSPN TOE mode (default: False). This enables stricter security default values and disables all the features that are not included in the TOE of the CSPN certification.
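
The following script is an added example and is not part of the WAPT project. It turns the prerequisites from the attention box at the top of this page (hostname, root, password length), the subnet-list format for WADS exemptions, and the options table above into checks, and prints (rather than runs) a quiet-mode :file:`postconf.sh` command line. It assumes that ``-p`` takes the password as its argument and that ``--server-names`` takes the comma-separated list the table describes.

```shell
#!/bin/bash
# Added example, not part of the WAPT project: preflight checks from the
# attention box above, the WADS subnet-list format, and a quiet-mode
# postconf.sh command built from the options table. Assumptions: -p takes the
# password as its argument, --server-names takes a comma-separated list.

POSTCONF=/opt/wapt/waptserver/scripts/postconf.sh   # path from the page

# 0 when the name looks like a usable FQDN (dotted, hostname characters only);
# a bare short name such as SRVWAPT is rejected.
fqdn_looks_valid() {
  printf '%s' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}
# The page requires `hostname` to return the DNS name the agents will use.
hostname_matches() { [ "$(hostname)" = "$1" ]; }
# The page requires the script to run as root.
is_root() { [ "$(id -u)" -eq 0 ]; }
# SuperAdmin password policy from the page: at least 10 characters.
password_long_enough() { [ "${#1}" -ge 10 ]; }

# Comma-separated CIDR list as on the page (192.168.0.0/24,192.168.1.0/24);
# format check only, octet and prefix ranges are not validated.
subnet_list_valid() {
  [ -n "$1" ] || return 1
  local IFS=, cidr
  for cidr in $1; do
    printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  done
}

# Print (do not run) the non-interactive command: -q quiet mode, -n configure
# nginx in quiet mode, -s force HTTPS, 2048-bit dhparam, CN/SAN names.
# A password passed with -p is visible in `ps` and shell history.
build_postconf_cmd() {
  local fqdn=$1 ip=$2 password=$3
  fqdn_looks_valid "$fqdn" || return 1
  password_long_enough "$password" || return 1
  printf '%s -q -n -s --dhparam-key-size=2048 --server-names=%s,%s -p %s\n' \
    "$POSTCONF" "$fqdn" "$ip" "$password"
}

# Direct use: ./preflight.sh FQDN IP PASSWORD prints the command to review.
if [ "$#" -eq 3 ]; then
  is_root || echo "warning: postconf.sh must be run as root" >&2
  hostname_matches "$1" || echo "warning: hostname does not match $1" >&2
  build_postconf_cmd "$@"
fi
```

Review the printed command before running it as root; the interactive walkthrough above remains the reference for what each answer means.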