Note
For the CSPN security certification mode, please visit this documentation.
Attention
For post-configuration to work properly:
The hostname of the WAPT Server MUST be properly configured. To check, use the command echo $(hostname) which MUST return the DNS address that will be used by WAPT Agents on client computers.
The DNS resolver MUST be correctly configured.
The WAPT Server MUST be able to contact a Domain Controller in write mode for Kerberos authentication mode.
The post-configuration script rewrites the nginx configuration. A backup file is created when running the postconf in the same directory.
This post-configuration script MUST be run as root.
Hint
If the post-configuration script has already been executed, the previously defined values will be retained.
To save time, you can simply validate each prompt by pressing the Enter key to keep the existing settings.
Run the script.
/opt/wapt/waptserver/scripts/postconf.sh
Choose a password (if not defined) for the SuperAdmin account of the WAPT Server (minimum length is 10 characters).
Please enter the wapt server password (min. 10):
Please enter the wapt server password again:
Do you want to reset main admin (user: admin) password ? [y/N]:
Hint
You can skip this step by using Enter keyboard key.
Do you want to reset main admin (user: admin) password ? [y/N]: y
Please enter the wapt server password (min. 10):
Please enter the wapt server password again:
Choose the authentication mode for the initial registering of the WAPT Agents:
WaptAgent Authentication type ?
1) Allow unauthenticated registration
2) Enable kerberos authentication required for machines registration
3) Disable Kerberos but registration require strong authentication
Select (1-3) [your previous choice was * ]:
Note
The WAPT Server registers all computers that ask to be registered.
Without a certificate, it is not possible to download WAPT Packages and query some WAPT Server endpoints.
This method is recommended if you are installing WAPT for the first time.
Note
Activates the initial registration based on Kerberos (you can activate it later).
If you experience some problems while upgrading or if you use a reverse proxy, this method is recommended while upgrading.
If your Kerberos keytab does not exist, the postconf.sh script will create it, after you valid option 2.
Creating your Keytab, after select enable kerberos option for the first time.
Enter a new Kerberos REALM (e.g., MYDOMAIN.LAN) or press Enter to keep [ * ]:
Enter a new Domain Controller name (e.g., DC01.MYDOMAIN.LAN) or press Enter to keep [ * ]:
Enter a username authorized to join machines (e.g., ADMINISTRATEUR) or press Enter to keep [ * ]:
Enter password for administrator:
Enter a new computer name for the WAPT server (e.g., SRV-WAPT) or press Enter to keep [ * ]:
Note
Does not activate the Kerberos authentication mechanism for the initial registering of hosts equipped with WAPT.
The WAPT Server will require a login and a password for each host registering with it.
Warning
If you are upgrading from WAPT 2.X to 2.5, verify the current configuration of the WAPT Agents and more specifically the verify_cert option.
If in your current configuration verify_cert is set to True or a set to a file path (certificate pinning), then choose option #1 below.
If in your current configuration verify_cert is set to False, then choose option #2 below.
Choose if you want to use WAPT for OS Deployment.
Do you want to activate OS deployment (WADS)? [currently is * ] [Y/n]:
Note
If you have chosen Yes to activate os deployment, the post-configuration will ask whether to use a secure authentication to deploy OS images.
It will ask a user / password when you will deploy OS images using WADS.
Do you want to activate WADS secure authentication? [currently is * ] [y/N]:
Note
If you have chosen No to confirm to disable the OS deployment (WADS) , Nginx will not enable WADS API endpoints for WAPT Agents.
If you activate WADS, you can activate the WADS secure authentification.
Note
Choose Yes, and mention subnets.
You can mention subnet ip exempt from wads authentication, for the other secure authentification will be required.
Mention here the subnets ex: 192.168.1.0/24 [ * ]:
Note
Choose No.
WADS secure authentification will stay disable.
Choose if you want to use WAPT WUA for Windows Update.
Do you want to activate Windows Update by WAPT (WUA)? [currently is * ] [Y/n]:
Note
If you choose Yes, Nginx will enable WUA API endpoints for the WAPT Agents.
Indicate the FQDN for the WAPT server.
FQDN for the WAPT server (eg. wapt.acme.com) [Currently your FQDN is * ]:
Wait few seconds and the post-configuration is now finished.
[*] Postconfiguration completed.
Please connect to https://yourservername/ to access the server.
Added in version 2.5: The access to the WAPT web interface is now password protected.
Finally, the postconf show somes informations about the WAPT Server SSL certificate and the URL to download WaptSetup and install on the WAPT Administrator’s computer.
Options |
Description |
|---|---|
|
Specifies a configuration file path (default: |
|
Configures Nginx so that port 80 is permanently redirected to 443 |
|
Runs the post-configuration in quiet mode. |
|
Runs nginx configuration if the post-configuration is set in quiet mode. |
|
Defines the size for dhparam key (default: 2048). |
|
Defines the admininistrator password for the WAPT Server if the post-configuration is set in quiet mode. |
|
Defines the WAPT Server name and ip for certificate CN and SubjectAltNames. The separator is a comma (default: fqdn and IP address). |
|
Defines settings for CSPN TOE mode (default: False). This enable more strict security default values, and disable all the features that are not included in the TOE of the CSPN certification |