.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. meta::
  :description: WAPT documentation version 2.7 WAPT Serveur Post-configuration script
  :keywords: waptserver, WAPT, preferences, post-configuration, documentation, security, the WAPT Server



.. _wapt_postconf_cspn:

.. warning::

  **CSPN (First Level Security Certification by ANSSI) mode does not include WAPTWUA, WADS, Secondary Repos or Peercache. These features are not part of the Target Of Evaluation (TOE).**

.. attention::

  For post-configuration to work properly:

    * The *hostname* of the WAPT Server **MUST** be properly configured.
      To check, use the command :command:`echo $(hostname)` which **MUST** return the DNS address that will be used by WAPT Agents on client computers.
  
    * The DNS resolver **MUST** be correctly configured.
    
    * The WAPT Server **MUST** be able to contact a Domain Controller in write mode.

  The post-configuration script rewrites the nginx configuration.
  A backup file is created when running the postconf in the same directory.

  This post-configuration script **MUST** be run as **root**.
  
In :abbr:`CSPN ((First Level Security Certification), issued by ANSSI, validates the security of a standard IT product. In this context, the WAPT product is placed within the framework of a CSPN evaluation.)` mode, the WAPT Server installation activates more security features and is less tolerant with misconfigurations.

In this mode:

  * Administrator password length is 20 characters and password complexity is enforced.

  * Administrator and user certificate password length is 20 characters and password complexity is enforced.

  * Kerberos registration and authentication are mandatory.

  * Client-Side Certificate Authentication is mandatory.

  * The SSL certificate verification is mandatory.

  * Various backward compatibility settings are disabled.

  * Functionalities excluded from the :abbr:`CSPN (Certification de Sécurité de Premier Niveau)` :abbr:`TOE (Target of Evaluation)` (namely secondary repositories, peercache, WADS and WAPT WUA) are disabled.

  * Waptconsole login on server is restricted to *kerb and *admin* methods (admin mode can be disabled after initial setup).

  * Session cookies maximum lifetime is 12 hours.

  * Default lifetime for certificates signed by WAPT is 3 years.

|

.. hint:: 

  If you want to stick to one specific wapt version on the server, like a specific CSPN version, it is recommanded to disable wapt repo configuration by removing :file:`/etc/yum.repos.d/wapt.repo` or specifying 
  the full version number in that same file, like :code:`baseurl=https://wapt.tranquil.it/redhat10/wapt-2.6.1.17567/`


The Kerberos service account created for authentication on the Wapt server must be configured with msDS-SupportedEncryptionTypes: 24 (AES 128, AES 256), either AD wide or at least
on the service computer object. The msktutil script run during postconf should set this value correctly.

* Run the script with option ``--cspn-toe``.

* Run the script.

.. code-block:: bash

  /opt/wapt/waptserver/scripts/postconf.sh --cspn-toe


* Choose a password (**if not defined**) for the :term:`SuperAdmin` account of the WAPT Server (minimum length is 10 characters).

.. tab-set::

  .. tab-item:: First launch of the post-configuration script

      .. code-block:: bash

        Please enter the wapt server password (min. 10): 

        Please enter the wapt server password again:

  .. tab-item:: Keep the existing administrator password

      .. code-block:: bash

        Do you want to reset main admin (user: admin) password ? [y/N]:
      
      .. hint::

        You can skip this step by using Enter keyboard key.

  .. tab-item:: Reset the administrator password

      .. code-block::

        Do you want to reset main admin (user: admin) password ? [y/N]: y

        Please enter the wapt server password (min. 10): 
        
        Please enter the wapt server password again: 

* Choose the authentication mode for the initial registering of the WAPT Agents:

.. code-block::

  WaptAgent Authentication type ?
    1) Allow unauthenticated registration
    2) Enable kerberos authentication required for machines registration
    3) Disable Kerberos but registration require strong authentication
  Select (1-3) [your previous choice was * ]:

.. tab-set::

  .. tab-item:: Choice 1: Open Registration

    .. note::

      The WAPT Server registers all computers that ask to be registered.

      Without a certificate, it is not possible to download WAPT Packages and query some WAPT Server endpoints.
    
      **This method is recommended if you are installing WAPT for the first time.**

  .. tab-item:: Choice 2: Kerberos-Based Registration

    .. note::

      Activates the initial registration based on Kerberos (you can activate it later).

      If you experience some problems while upgrading **or** if you use a reverse proxy, this method is recommended while upgrading.
      
      If your Kerberos keytab does not exist, the :file:`postconf.sh` script will create it, after you valid option 2.

    .. blue_toggle::
      :titleen: Creating your Keytab, after select enable kerberos option for the first time.
      :titlefr: Création de votre Keytab, après selection de l'activation kerberos pour la première fois.

      .. code-block:: bash

        Enter a new Kerberos REALM (e.g., MYDOMAIN.LAN) or press Enter to keep [ * ]:
      
      .. code-block:: bash

        Enter a new Domain Controller name (e.g., DC01.MYDOMAIN.LAN) or press Enter to keep [ * ]: 
      
      .. code-block:: bash

        Enter a username authorized to join machines (e.g., ADMINISTRATEUR) or press Enter to keep [ * ]: 

      .. code-block:: bash

        Enter password for administrator: 
      
      .. code-block:: bash
        
        Enter a new computer name for the WAPT server (e.g., SRV-WAPT) or press Enter to keep [ * ]:

  .. tab-item:: Choice 3: Credential-Based Registration

    .. note::
      
      Does not activate the Kerberos authentication mechanism for the initial registering of hosts equipped with WAPT.

      The WAPT Server will require a login and a password for each host registering with it.

.. warning::

  If you are upgrading from WAPT 2.X to 2.5, verify the current configuration of the WAPT Agents and more specifically the :code:`verify_cert` option.

  If in your current configuration :code:`verify_cert` is set to True or a set to a file path (certificate pinning), then choose option #1 below.

  If in your current configuration :code:`verify_cert` is set to False, then choose option #2 below.

* Choose if you want to use WAPT for OS Deployment.

.. code-block::
  
  Do you want to activate OS deployment (WADS)? [currently is * ] [Y/n]: 

.. tab-set::

  .. tab-item:: Activate WADS

    .. note::

      If you have chosen **Yes** to activate os deployment, the post-configuration will ask whether to use a secure authentication to deploy OS images.

      It will ask a user / password when you will deploy OS images using WADS.
      
    .. code-block:: bash

      Do you want to activate WADS secure authentication? [currently is * ] [y/N]: 

  .. tab-item:: Disable WADS

    .. note::
    
      If you have chosen **No** to confirm to disable the OS deployment (WADS) , Nginx will not enable WADS API endpoints for WAPT Agents.

* If you activate WADS, you can activate the WADS secure authentification.

  .. tab-set::

    .. tab-item:: Enable WADS secure authentication
      
      .. note::

        Choose **Yes**, and mention subnets.

        You can mention subnet ip exempt from wads authentication, for the other secure authentification will be required.

      .. code-block:: bash
        
        Mention here the subnets ex: 192.168.1.0/24 [ * ]: 
    
    .. tab-item:: Disable WADS secure authentication

      .. note:: 
        
        Choose **No**.

        WADS secure authentification will stay disable.


* Choose if you want to enable the default proxycache configuration for the WAPT server.

.. code-block::

  Do you want to enable/copy the default wapt proxycache configuration ? [Y/n]:

.. tab-set::

  .. tab-item:: Enable proxycache configuration

    .. note::

      Choose **Yes**, after this a new service will be stat on the waptserver: waptproxycache.

      More information about this :ref:`here <serverproxycache>`.
  
  .. tab-item:: Disable proxycache configuration

    .. note::

      Choose **No**, after this the waptproxycache service will be disable and stop.

* Choose if you want to use WAPT WUA for Windows Update.

.. code-block::
  
  Do you want to activate Windows Update by WAPT (WUA)? [currently is * ] [Y/n]: 

.. note::

  If you choose **Yes**, Nginx will enable WUA API endpoints for the WAPT Agents.

* Indicate the :term:`FQDN` for the WAPT server.

.. code-block::
  
  FQDN for the WAPT server (eg. wapt.acme.com) [Currently your FQDN is * ]: 

* Wait few seconds and the post-configuration is now finished.

.. code-block::

  [*] Postconfiguration completed.
  Please connect to https://yourservername/ to access the server.

.. versionadded:: 2.5

  The access to the WAPT web interface is now password protected.

Finally, the postconf show somes informations about the WAPT Server SSL certificate and the URL to download WaptSetup and install on the WAPT Administrator's computer.


But in CSPN TOE mode, TOTP is required on admin account.

.. figure:: wapt-resources/secure_postconf_OTP_code.png
  :scale: 50%
  :align: center
  :alt: secure postconf OTP code

  secure postconf OTP code

Use your second device (smartphone,YubiKey, etc.) and get the code who will appear in the picture. Put the code in the dedicated field.

.. note::

  If you are having problems with your kerberos system. Check the owner and the right on, the keytab file ( :file:`http-krb5.keytab` ).

  .. code-block::

    chown root:nginx /etc/nginx/http-krb5.keytab
    chmod 640 /etc/nginx/http-krb5.keytab

.. list-table:: Listing of post-configuration script options
  :header-rows: 1
  :widths: 40 60
  :align: center

  * - Options
    - Description
  * - ``--force-https`` or ``-s``
    - Configures :program:`Nginx` so that *port 80 is permanently redirected to 443*.
  * - ``--cspn-toe``
    - Defines the settings for CSPN TOE mode (default: False).
  * - ``--server-names=SERVER_NAMES``
    - Defines the server name and ip for certificate :abbr:`CN (Common Name)` and altdnsnames.
      Separator is a comma (default: None).

.. Warning::

  In **CSPN mode**, WADS and WUA will not appear in the WAPT console. 
  However, the Peer Cache, reporting and Secondary Repositories features can be enabled, though **they should not be activated** because it is not assessed in the CSPN target.
  
  Enabling *Peer Cache* in the WAPT console :
      By edit a new agent configuration :

        Go to :menuselection:`Tools --> Edit agent dynamic configurations`.
        Check the option :guilabel:`Use Peer Cache`.

      By use a WAPT configuration package :

        Create a package in :guilabel:`WAPT Packages` → :menuselection:`Make package template from setup file → Host agent dynamic configuration`.
        Check the option :guilabel:`Use Peer Cache`.

  Enabling *Secondary Repositories* in the WAPT console  :
    *For the agent :*
      By edit a new agent configuration :

        Go to :menuselection:`Tools --> Edit agent dynamic configurations`.
        Check :guilabel:`Use repository rules`.

      By use a WAPT configuration package :

        Create a package in :guilabel:`WAPT Packages` → :menuselection:`Make package template from setup file → Host agent dynamic configuration`.
        Check the option :guilabel:`Use repository rules`.

    *For Configuring an agent as a secondary repository :*
      By edit a new agent configuration :

        Go to :menuselection:`Tools --> Edit agent dynamic configurations`.
        Go to the :guilabel:`Repo-sync` tab and check :guilabel:`Synchronize packages and system updates on the agent`.

      By use a WAPT configuration package :

        Create a package in :guilabel:`WAPT Packages` → :menuselection:`Make package template from setup file → Host agent dynamic configuration`.
        Go to the :guilabel:`Repo-sync` tab and check :guilabel:`Synchronize packages and system updates on the agent`


