Configuring the WAPT Agent with advanced options

The configuration file wapt-get.ini defines the behavior of the WAPT Agent.

Location of wapt-get.ini by system

System

Location

Windows

C:\Program Files(x86)\wapt\wapt-get.ini

Linux

/opt/wapt/wapt-get.ini

Mac OS

/opt/wapt/wapt-get.ini

The [global] section is required.

[global]

After standard installation, the default configuration is:

[global]
waptupdate_task_period=120
wapt_server=https://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
use_hostpackages=1

All parameters are not set when the WAPT Agent is generated. It is possible to make changes in wapt-get.ini manually or by deploying a WAPT package with the new configuration settings.

An example package is available from the Tranquil IT repository.

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():

  print('Modify max_gpo_script_wait')
  inifile_writestring(WAPT.config_filename,'global','max_gpo_script_wait',180)

  print('Modify Preshutdowntimeout')
  inifile_writestring(WAPT.config_filename,'global','pre_shutdown_timeout',180)

  print('Disable Hyberboot')
  inifile_writestring(WAPT.config_filename,'global','hiberboot_enabled',0)

  print('Disable Notify User')
  inifile_writestring(WAPT.config_filename,'global','notify_user',0)

  print('Reload WAPT configuration')
  WAPT.reload_config_if_updated()

The function inifile_writestring definition is:

inifile_writestring(inifilename,section,key,value)

Description of available sections

Description of available sections for the WAPT Agent

Section

Description

[global]

Global WAPT Agent options.

[wapt]

Main repository options.

[wapt-template]

External remote repository options.

[wapt-host]

Repository for host packages options.

[waptwua]

WUA Agent options.

[repo-sync]

For synching multiple repositories.

All sections are detailed below.

Description of available options by section

[global]

General settings

Description of available options for the WAPT Agent in the [global] section

Options (Default Value)

Description

Example

WAPT Enterprise feature only allow_remote_reboot (default False)

Allows to reboot the selected host(s) remotely from the WAPT Console.

allow_remote_reboot = True

WAPT Enterprise feature only allow_remote_shutdown (default False)

Allows to shut down the selected host(s) remotely from the WAPT Console.

allow_remote_reboot = True

check_certificates_validity (default False)

Forces the package certificate’s date and CRL to be verified.

check_certificates_validity = True

dbpath (default \wapt\db\waptdb.sqlite)

Path to the local database file.

dbpath = C:\Program Files (x86)\db\waptdb.sqlite

download_after_update_with_waptupdate_task_period (default True)

Defines whether a download of pending packages should be started after an update with waptupdate_task_period.

download_after_update_with_waptupdate_task_period = False

WAPT Enterprise feature only host_organizational_unit_dn (default None)

Allows to force an Organizational Unit on the WAPT Agent (convenient for assigning a fake OU for out-of-domain PC). Make sure it respects a consistent case (do not mix “dc”s and “DC”s, for example), which you can find in the Console (in the DN/computer_ad_dn fields for each host)

host_organizational_unit_dn = OU=TOTO,OU=TEST,DC=MYDOMAIN,DC=LAN

WAPT Enterprise feature only host_profiles (default None)

Allows to define a WAPT package list that the WAPT Agent MUST install.

host_profiles = tis-firefox,tis-java

language (default language on the WAPT Client)

Forces the default language for the GUI (not for package filtering)

language = en

locales (default locale on WAPT Client)

Allows to set the list of WAPT Agent languages to pre-filter the list of packages visible by the WAPT Agent (for package filtering). The parameter accepts multiple entries ordered by preference (eg. locales = fr,en).

locales = en

log_to_windows_events (default False)

Sends the WAPT logs in the Window event log.

log_to_windows_events = True

loglevel (default warning)

Log level of the WAPT Agent. Possible values are: debug, info, warning, critical.

loglevel = critical

maturities = (default PROD)

List of package maturities than can be viewed and installed by WAPT Agent. Default value is PROD. Only DEV, PREPROD and PROD values are used by Tranquil IT, however any value can be used to suit your internal processes.

maturities = PROD, PREPROD

repo_url (default your WAPT repo address)

Address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

repositories (default None)

List of enabled repositories, separated by a comma. Each value defines a section of the wapt-get.ini file. More info here.

repositories = repo1, repo2

send_usage_report (default True)

Allows the WAPT Console to send anonymous statistics to Tranquil IT. Set to False to disable telemetry.

send_usage_report = True

service_auth_type (default system)

Sets how the self service authentication works. Possible values are: system, waptserver-ldap or waptagent-ldap.

service_auth_type = waptserver-ldap

WAPT Enterprise feature only uninstall_allowed (default True)

Defines whether or not it is possible for the user to uninstall applications via the self-service.

uninstall_allowed = False

WAPT Enterprise feature only use_ad_groups (default False)

For using group packages.

use_ad_groups = True

use_fqdn_as_uuid (default False)

Allows to use the FQDN rather than the BIOS UUID as the unique host identifier in WAPT.

use_fqdn_as_uuid = True

use_hostpackages (default False)

Defines whether host packages are to be used. use_hostpackages = False disables implicit updates (host packages, unit packages, profile packages). It’s useful if you want to isolate a host and use WAPT locally.

use_hostpackages = True

WAPT Enterprise feature only use_repo_rules (default False)

Defines whether repositories are replicated.

use_repo_rules = True

waptaudit_task_period (default 60m)

Defines the frequency at which audits are triggered. Waiting for value in minutes.

waptaudit_task_period = 120

wapt_server (default None)

Defines the WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted.

wapt_server = https://srvwapt.mydomain.lan

waptservice_port (default 8088)

WAPT Agent loopback port. The port is not accessible from the network.

waptservice_port = 8080

waptupdate_task_period (default 120m)

Defines the update frequency (120 minutes by default).

waptupdate_task_period = 24h

waptupgrade_task_period (default None)

Defines the upgrade frequency.

waptupgrade_task_period = 360

wol_relay (if remote_repo = False then default : False, if remote_repo = True the default = True)

Enable agent to be used as a Wake On Lan wol_relay

wol_relay = True

Note

  • If there is no repo_url attribute in the [global] section, then a repository in the [wapt] section will have to be explicitly defined. It will have to be enabled by adding it to the repositories attribute.

  • If there is no wapt_server attribute in the [global] section, then no WAPT Server will be used.

Settings for the WAPT Server

These options will set the WAPT Agent behavior when connecting to the WAPT Server.

Description of available options for the WAPT Agent in the [global] section for the WAPT Server configuration

Options (Default Value)

Description

Example

public_certs_dir (default None)

Folder of certificates authorized to verify the signature of WAPT packages.

public_certs_dir = C:\Program Files (x86)\wapt\ssl (on Windows). public_certs_dir = /opt/wapt/ssl/ (on Linux and MacOS)

use_kerberos (default False)

Use kerberos authentication for initial registration on the WAPT Server.

use_kerberos = True

verify_cert (default False)

See the documentation on activating the verification of HTTPS certificates.

verify_cert = True

wapt_server (default None)

WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted.

wapt_server = https://srvwapt.mydomain.lan

wapt_server_timeout (default 30)

WAPT Server HTTPS connection timeout in seconds.

wapt_server_timeout = 10

Settings for the WAPT Exit utility

Description of available options for the WAPT Agent in the [global] section for the WAPT Exit utility

Options (Default Value)

Description

Example

allow_cancel_upgrade (default True)

Prevents users from canceling package upgrades on computer shutdown. If disabled, users will not be able to cancel an upgrade on computer shutdown. If this value is not indicated the default value will be 10.

allow_cancel_upgrade = True

hiberboot_enabled (default None)

Disables Hiberboot on Windows 10 to make waptexit work correctly.

hiberboot_enabled = True

max_gpo_script_wait (default None)

Timeout for GPO execution at computer shutdown.

max_gpo_script_wait = 180

pre_shutdown_timeout (default None)

Timeout for scripts at computer shutdown.

pre_shutdown_timeout = 180

upgrade_only_if_not_process_running (default False)

Prevents the software upgrade if the software is currently running on the host (impacted_process attribute of the package).

upgrade_only_if_not_process_running = True

upgrade_priorities (default None)

Only upgrade packages with a specific priority.

upgrade_priorities = high

waptexit_countdown (default 1)

Delay (in seconds) before the automatic start of the installations.

waptexit_countdown = 25

Settings for the WAPT Self-Service and the WAPT service Authentification

Description of available options for the WAPT Agent in the [global] section for the WAPT Self-service and the WAPT service Authentification

Options (Default Value)

Description

Example

ldap_auth_base_dn (default None)

Useful with service_auth_type = waptagent-ldap, defines the base dn for the LDAP request.

ldap_auth_base_dn = dc=mydomain,dc=lan

ldap_auth_ssl_enabled (default False)

Useful with service_auth_type = waptagent-ldap, defines whether the LDAP request must be encrypted.

ldap_auth_ssl_enabled = True

ldap_auth_server (default None)

Useful with service_auth_type =``waptagent-ldap``, defines the LDAP server to contact.

ldap_auth_server = srvads.mydomain.lan

service_auth_type (default system)

Defines the authentication system of the WAPT service, available value are system, waptserver-ldap, waptagent-ldap.

service_auth_type = waptagent-ldap

verify_cert_ldap (default False)

Useful with service_auth_type = waptagent-ldap, define whether the certificate should be verified.

verify_cert_ldap = True

waptservice_admin_filter (default False)

Apply selfservice package view filtering for Local Administrators.

waptservice_admin_filter = True

waptservice_password (default None)

sha256 hashed password when waptservice_user is used (the value NOPASSWORD disables the requirement for a password).

waptservice_password = 5e884898da

waptservice_user (default None)

Forces a user to authenticate on the WAPT service.

waptservice_user = admin

Settings for the the WAPT System Tray utility

Description of available options for the WAPT Agent in the [global] section for the WAPT Tray utility

Options (Default Value)

Description

Example

notify_user (default False)

Prevents the WAPT System Tray utility from sending notifications (popup).

notify_user = True

Settings for the Proxy

Description of available options for the WAPT Agent in the [global] section for the proxy

Options (Default Value)

Description

Example

http_proxy (default None)

Defines the address of the HTTP proxy.

http_proxy = http://user:pwd@host_fqdn:port

use_http_proxy_for_repo (default False)

Use a proxy to access the repositories.

use_http_proxy_for_repo = True

use_http_proxy_for_server (default False)

Use a proxy to access the WAPT Server.

use_http_proxy_for_server = True

Settings for creating WAPT packages

Description of available options for the WAPT Agent in the [global] section for creating WAPT packages

Options (Default Value)

Description

Example

default_package_prefix (default tis)

Defines the default prefix for new or imported packages. Prefix is case sensitive, we recommand to use lower case.

default_package_prefix = doc

default_sources_root (default C:\waptdev on Windows or ~/waptdev on Linux)

Defines the directory for storing packages while in development.

default_sources_root = C:\\waptdev

personal_certificate_path (default None)

Defines the path to the Administrator’s private key.

personal_certificate_path = None TODO

[wapt-wua]

Refer to configuring WAPTWUA on the WAPT Agent.

Settings for using multiple repositories

To add more repositories, new [repository_name] sections can be added in the wapt-get.ini.

Note

Active repositories are listed in the repositories attribute of the [global] section.

Attention

This parameter can be configured both in the WAPT Agent configuration and in the WAPT Console configuration file C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

For information on configuring the WAPT Console, please refer to this documentation.

Section [wapt]

Hint

If this section does not exist, parameters are read from the [global] section.

Section [wapt-templates]

External remote repositories that will be used in the WAPT Console for importing new or updated packages. The Tranquil IT repository is set by default.

Section [wapt-host]

Repository for host packages. If this section does not exist, default locations will be used on the main repository.

More information on that usage can be found in this article on working with multiple public or private repositories.

Configuring the WAPT Console

Hint

the WAPT Console configuration is stored in 2 locations:

  • C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

  • C:\Users\%username%\AppData\Roaming\waptconsole\waptconsole.ini.

These files are automatically generated when the waptconsole is first launched and it is generated from the wapt-get.ini file configured on the Administrator’s workstation;

Description of available sections

Description of available sections for the WAPT Agent

Section

Description

[global]

Defines the global WAPT Console options

[sections]

Defines external repository options. [wapt-template] repositories

[waptwua]

WUA options

All sections are detailed below.

Others sections present on C:\Users\%username%\AppData\Roaming\waptconsole\waptconsole.ini are not editable manually, therefore they are not detailed.

Attention

For parameters both present in wapt-get.ini and waptconsole.ini, values are set in wapt-get.ini and copied to waptconsole.ini. Do not edit manually these parameters.

Description of available options by section

[global]

Several options are available in the [global] section of the waptconsole.ini file.

Description of available options in AppData\Local

Options (Default Value)

Description

Example

advanced_mode (default False)

Launches the WAPT Console in debug mode.

advanced_mode = True

WAPT Enterprise feature only allow_remote_reboot (default False)

Allows to reboot the selected host(s) remotely from the WAPT Console.

allow_remote_reboot = True

WAPT Enterprise feature only allow_remote_shutdown (default False)

Allows to shut down the selected host(s) remotely from the WAPT Console.

allow_remote_shutdown = True

client_certificate (default None)

Defines whether the remote repository is using Client Side SSL Authentification.

client_certificate = C:\private\org-coder.crt

client_private_key (default None)

Defines whether the remote repository is using Client Side SSL Authentification.

client_private_key = C:\private\org-coder.pem

check_certificates_validity (default False)

Forces the package certificate’s date and CRL to be verified.

check_certificates_validity = True

default_maturity (default None)

Defines the default upload maturity for WAPT packages.

default_maturity = PROD

default_package_prefix (default tis)

Defines the default prefix for new or imported packages. Prefix is case sensitive, we recommand to use lower case.

default_package_prefix = doc

default_sources_root (default C:\waptdev on Windows or ~/waptdev on Linux)

Defines the directory for storing packages while in development.

default_sources_root = C:\waptdev

grid_hosts_plugins (default W10=)

Lists external plugins for the WAPT Console. Default is W10= because [] is encoded in base64.

grid_hosts_plugins = W3siZXhlY3V0YWJsZSI6ImV4cGxd

host_profiles (default None)

Defines a WAPT package list that the WAPT Agent MUST install.

host_profiles = tis-firefox,tis-java

hiberboot_enabled (default False)

Disables Hiberboot on Windows 10 to make waptexit

hiberboot_enabled = True

http_proxy (default None)

Defines the address of the proxy server in the WAPT Console.

http_proxy = https://proxy.mydomain.lan

last_usage_report (default None)

Provides the date when the WAPT Console was last used.

last_usage_report = 12/05/2021 18:45:51

lastwaptserveruser (default None)

Provides the last user logged on this WAPT Console.

lastwaptserveruser = admin

max_gpo_script_wait (default 180)

Defines the timeout for GPO execution at computer shutdown (in seconds).

max_gpo_script_wait = 360

personal_certificate_path (default None)

Defines the path to the certificate associated with the Administrator’s private key.

personal_certificate_path = C:\private\mykey.crt

pre_shutdown_timeout (default 180)

Defines the timeout for scripts at computer shutdown (in seconds).

pre_shutdown_timeout = 360

repo_url (default your WAPT repo address)

Defines the address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

send_usage_report (default True)

Allows the WAPT Console to send anonymous statistics to Tranquil IT. Set to False to disable telemetry.

send_usage_report = True

sign_digests (default sha256)

Lists allowed signature algorithms for the WAPT packages.

sign_digests = sha1

WAPT Enterprise feature only use_ad_groups (default False)

Allows using unit packages.

use_ad_groups = True

use_fqdn_as_uuid (default False)

Allows using the FQDN rather than the BIOS UUID as the unique host identifier in WAPT.

use_fqdn_as_uuid = True

use_kerberos (default False)

Allows using kerberos authentication for initial registration of WAPT Agents with the WAPT Server.

use_kerberos = True

use_hostpackages (default False)

Allows using host packages.

use_hostpackages = True

use_http_proxy_for_repo (default False)

Allows using a proxy to connect to the main WAPT repository from the WAPT Console.

use_http_proxy_for_repo = True

use_http_proxy_for_server (default False)

Allows using a proxy to connect to the WAPT Server from the WAPT Console.

use_http_proxy_for_server = True

WAPT Enterprise feature only use_repo_rules (default False)

Allows using replication for repositories.

use_repo_rules = True

verify_cert (default False)

Allows verifying SSL / TLS certificate.

verify_cert = True

wapt_server (default None)

Defines the address of the WAPT Server.

wapt_server = https://srvwapt.mydomain.lan

Description of available options on AppData\Roaming

Options (Default Value)

Description

Example

advanced_mode (default False)

Launches the WAPT Console in debug mode.

advanced_mode = True

enable_external_tools (default False)

Displays the actions that call external applications (RDP, Windows tools etc…).

enable_external_tools = True

enable_management_features (default False)

Displays the button to create self-signed certificates or to create the WAPT Agent’s installer.

enable_management_features = True

hide_unavailable_actions (default False)

Hides actions that are not available for the WAPT Agent

hide_unavailable_actions = True

HostsLimit (default 2000)

Limits hosts displayed in the WAPT Console.

HostsLimit = 300

language (default language on the WAPT Client)

Forces the default langage for GUI (not for package filtering)

language = en

lastappinifilename (default None)

Defines the .ini file used to store the WAPT Console configuration.

lastappinifilename = C:\Users\%username%\AppData\Roaming\waptconsole\waptconsole.ini

show_host_audit_data_tab (default False)

Displays the Audit data tab on host inventory.

show_host_audit_data_tab = True

WAPT Enterprise feature only use_ad_groups (default False)

Allows using unit packages.

use_ad_groups = True

use_fqdn_as_uuid (default False)

Forces the use of the FQDN instead of the uuid BIOS as the unique host identifier in WAPT.

use_fqdn_as_uuid = True

waptconsole.version (default None)

Displays the version of the WAPT Console.

waptconsole.version = 2.0.0.9424

waptwua_enabled (default False)

Allows displaying the Windows Update tab on the WAPT Console.

waptwua_enabled = True

[sections]

You may add several external repositories by adding [sections] in C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

Attention

This parameter can be configured both in the WAPT Agent configuration and in the WAPT Console configuration C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

For information on configuring the WAPT Agent, please refer to this point.

See available parameters and configurations by visiting this documentation on setting up multiple repositories.

Configuring the WAPT Server

The WAPT Server configuration file on GNU/ Linux and macOS systems is found in /opt/wapt/conf/waptserver.ini or in /opt/wapt/waptserver/waptserver.ini.

The WAPT Server configuration file on Windows is found in C:\wapt\conf\waptserver.ini.

Attention

Modification of these files is reserved for advanced users!!

Section [options] of waptserver.ini

Several options can be defined in the [options] section.

[options]
Available parameters for the [options] section of waptserver.ini

Options (Default Value)

Description

Example

agents_folder (default watpagent in wapt repository)

Defines where the WAPT Agents are stored on the WAPT Server.

agents_folder = /var/www/wapt/waptagent

allow_unauthenticated_connect (default None)

Defines whether websocket connections should be authenticated. If use_kerberos = True, then allow_unauthenticated_connect MUST BE set to False or it will take precedence.

allow_unauthenticated_connect = True

allow_unauthenticated_registration (default False)

Allows the initial registration of the WAPT Agent using a login and password.

allow_unauthenticated_registration = True

allow_unsigned_status_data (default False)

Debug only - Allows unsigned status data from Agent.

allow_unsigned_status_data = True

application_root (default None)

Defines a custom WAPT Server application root path.

application_root = wapt

authentication_logs (default True)

Enables authentication logs.

authentication_logs = False

auto_create_waptagent_from_config (default False)

Enables automatic configuration when waptsetup is installed.

auto_create_waptagent_from_config = True

client_certificate_lifetime (default 3650)

Defines the host certificate lifetime (in days).

client_certificate_lifetime = 500

cleanup_kbs (default True)

Defines whether unused :ref:` Windows KB should be automatically deleted <auto_kb_clean>` from the WAPT Server.

cleanup_kbs = False

clients_read_timeout (default 5)

Defines the websocket client timeout (in seconds).

clients_read_timeout = 10

clients_signing_certificate (default None)

Defines the host certificate signing certificate.

clients_signing_certificate = C:\private\org-coder.crt

clients_signing_crl_days (default 30)

Defines the host certificate signing CRL periodicity (in days).

clients_signing_crl_days = 15

clients_signing_crl (default None)

Defines the host certificate signing CRL path.

clients_signing_crl = C:\private\org-coder.crt

clients_signing_crl_url (default None)

Defines the host certificate signing CRL URL.

clients_signing_crl_url = https://srvwapt.mydomain.lan/crl

clients_signing_key (default None)

Defines the host certificate signing key path.

clients_signing_key = C:\private\org-coder.crt

client_tasks_timeout (default 5)

Defines the maximum allowed delay before WAPT Agent requests time out (in seconds).

client_tasks_timeout = 5

copy_winpe_x64_in_tftp_folder (default False)

If x64, allows you to copy all WinPE from wads_folder when WinPE is uploaded.

copy_winpe_x64_in_tftp_folder = True

db_connect_timeout (default 3)

Defines the maximum allowed delay before PostgreSQL queries time out (in seconds).

db_connect_timeout = 10

db_host (default None)

Defines the url of the PostgreSQL server (by default WAPT use a local Unix Socket).

db_host = https://wapt.mydomain.lan

db_max_connections (default 90)

Defines the maximum simultaneous connections to the PostgreSQL database.

db_max_connections = 100

db_name (default wapt)

Defines the PostgreSQL database that the WAPT Server connects to.

db_name = wapt

db_password (default None)

Defines the password for authenticating the user on the PostgreSQL database (by default WAPT uses a local UNIX socket).

db_password = WAPT_DB_PASSWORD

db_port (default 5432)

Defines the port of the PostgreSQL server.

db_port = 5432

db_stale_timeout (default 300)

Defines the database stale timeout (in seconds).

db_stale_timeout = 500

db_user (default wapt)

Defines the PostgreSQL user connecting to the database.

db_user = wapt

default_ldap_users_acls (default view)

Defines the default acl for a new user opening the WAPT Console.

default_ldap_users_acls = admin

download_wsusscn2 (default False)

Automatically downloads the wsusscn2.cab file.

download_wsusscn2 = False

enable_store (default False)

Enables WAPT Store Webui (Deprecated).

enable_store = False

encrypt_host_packages (default False)

Encrypts host package with client certificate.

encrypt_host_packages = True

htpasswd_path (default None)

Adds basic authentication to WAPT Server.

htpasswd_path = True

http_proxy (default None)

Defines the proxy server to allow the WAPT Server to recover its CRL.

http_proxy = http://srvproxy.mydomain.lan:3128

known_certificates_folder (default WAPT /ssl/ folder)

Adds additional known CA to verify certificates.

known_certificates_folder = /opt/wapt/ssl/

ldap_account_service_login (default None)

Defines the UPN Active directory user for SSO and/or waptserver-ldap mode for self-service.

ldap_account_service_login = wapt-ldap@ad.tranquil.it

ldap_account_service_password (default None)

Defines the user password for SSO and/or waptserver-ldap mode for self-service.

ldap_account_service_password = PASSWORD

ldap_auth_base_dn (default None)

Defines the LDAP authentication base DN.

ldap_auth_base_dn = dc=mydomain,dc=lan

ldap_auth_server (default None)

Defines the LDAP authentication server.

ldap_auth_server = srvads.mydomain.lan

ldap_auth_ssl_enabled (default True)

Sets SSL authentication on LDAP connections.

ldap_auth_ssl_enabled = False

ldap_nesting_group_support (default True)

Enables the search of nested group in Active Directory.

ldap_nesting_group_support = False

ldap_primary_group_ad_support (default True)

Enables the search on Active Directory primary group users.

ldap_primary_group_ad_support = False

list_subnet_skip_login_wads (default [])

Lists subnets without authentication requirement.

list_subnet_skip_login_wads = 192.168.0.0/24,192.168.1.0/24

login_on_wads (default False)

Enables authentication to use WADS (format is user:password).

login_on_wads = True

loglevel (default warning)

Defines the log level. Possible values are: debug, info, warning, critical.

loglevel = debug

max_clients (default 4096)

Sets the maximum simultaneous WAPT client connections.

max_clients = 2048

min_password_length (default 10)

Sets the minimum SuperAdmin password length.

min_password_length = 15

nginx_http (default 80)

Defines the Nginx web server HTTP port (Windows only).

nginx_http = 8080

nginx_https (default 443)

Defines the Nginx web server HTTPS port (Windows only).

nginx_https = 44380

optimized_authentication_logs (default True)

If one of the option is set, it will not log it: waptagent_version, host_tasks_status, get_ad_groups, get_ad_sites, get_ad_ou_split, host_data, get_hosts , audit_data, wsus.windows_updates, wsus.windows_products, wsus.windows_updates_classifications, packages_for_hosts, enterprise.reporting_exec, known_packages, repositories.get_all_agentrepos, repositories.get_sync_version, repositories.get_all_rules, get_all_users_acls, known_signers_certificates, enterprise.reporting_list, usage_statistics, repositories.get_createupdatefilesync, repositories.get_sync_changelog, licences

optimized_authentication_logs = False

remote_repo_update_delay (default 1)

Défines the periodicity at which the WAPT Server verifies the synchronization status of remote repositories (in minutes).

remote_repo_update_delay = 5

remote_repo_websockets (default True)

Enables websocket communication with WAPT Agents configured as remote repositories.

remote_repo_websockets = False

secret_key (default None)

Defines the random string for initializing the Python Flask application server. The string is generated when first installing the WAPT Server and is unique for every WAPT Server.

secret_key = FKjfzjfkF687fjrkeznfkj7678jknk78687

server_uuid (default None)

Defines the WAPT Server UUID (this anonymous id is used for WAPT statistics).

server_uuid = 76efezfa6-b309-1fez5-92cd-8ea48fc122dc

session_lifetime (default 126060)

Defines the maximum allowed time the session is opened (in seconds).

session_lifetime = 352120

signature_clockskew (default 300)

Defines the maximum allowed time difference for the websockets (in seconds).

signature_clockskew = 72000

token_lifetime (default 43200)

Defines the authentication token lifetime (in seconds).

token_lifetime = 43200

trusted_signers_certificates_folder (default None)

Defines the path to the trusted signers certificate directory.

trusted_signers_certificates_folder = C:\private\org-coder.crt

trusted_users_certificates_folder (default None)

Defines the path to trusted users CA certificate directory.

trusted_users_certificates_folder = C:\private\org-coder.crt

use_kerberos (default False)

Enables a WAPT Agent to register using its kerberos account. If use_kerberos = True, then allow_unauthenticated_connect MUST BE set to False or it will take precedence.

use_kerberos = True

use_ssl_client_auth (default False)

Enables client certificate authentication.

use_ssl_client_auth = True

verify_cert_ldap (default True)

Verifies whether the Active Directory SSL / TLS certificate is valid for LDAP connections.

verify_cert_ldap = False

wads_enable (default False)

Enables the WADS feature and enables wapttftpserver.

wads_enable = True

wads_folder (default wads folder in wapt repository)

Defines the folder on the WAPT Server that stores files related to WADS.

wads_folder = /var/www/waptwads

wapt_admin_group_dn (default None)

Defines the LDAP DN of Active Directory User Group allowed to connect to the WAPT Console.

wapt_admin_group_dn = CN=waptadmins,OU=groups,DC=ad,DC=mydomain,DC=lan

wapt_admin_group (default None)

Defines the sAMAccountName Active Directory User Group(s) allowed to connect to the WAPT Console. The value can be several groups, separated by commas.

wapt_admin_group = waptadmins, wapttechs

wapt_folder (default /var/www/wapt or /var/www/html/wapt or root_dir/waptserver/repository/wapt)

Defines the directory path of the WAPT repository.

wapt_folder = /var/www/wapt

wapt_huey_db (default None)

Defines the path to database that stores the status of running tasks.

wapt_huey_db = C:\Program Files(x86)\wapt\db\waptservertasks.sqlite

wapt_password (default None)

Defines the SuperAdmin password for connecting to the WAPT Console.

wapt_password = 46642dd2b1dfezfezgfezgadf0ezgeezgezf53d

waptserver_port (default 8080)

Defines the WAPT Server python service port.

waptserver_port = 1313

wapt_user (default admin)

Defines the SuperAdmin username in the WAPT Console.

wapt_user = wapt_admin

waptwua_folder (default wapt_folder + ‘wua’)

Defines the location of WAPT WUA folder.

waptwua_folder = /var/www/waptwua

wol_port (default 7,9)

Defines the list of WakeOnLAN UDP ports to send magic packets to.

wol_port = 9, 123, 4000

wapt_bind_interface (default 127.0.0.1)

Defines how to listen to the WAPT Server service.

wapt_bind_interface = 127.0.0.1

ipxe_script_jinja_path (default /opt/wapt/waptserver/templates/ipxe-default.j2)

Defines the location of jinja template used for WADS ipxe script.

ipxe_script_jinja_path = /opt/wapt/waptserver/templates/ipxe-autoregister.j2

Configuring Nginx

The default Nginx configuration is as follows:

server {
  listen                      80;
  listen                      443 ssl;
  server_name                 _;
  ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
  ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";
  ssl_protocols               TLSv1.2;
  ssl_dhparam                 /etc/ssl/certs/dhparam.pem;
  ssl_prefer_server_ciphers   on;
  ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_stapling                on;
  ssl_stapling_verify         on;
  ssl_session_cache           none;
  ssl_session_tickets         off;
  index index.html;

  location ~ ^/wapt.* {
    proxy_set_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
    proxy_set_header Pragma "no-cache";
    proxy_set_header Expires "Sun, 19 Nov 1978 05:00:00 GMT";
    root "/var/www";
    }

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

  location ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup) {
    proxy_pass http://127.0.0.1:8080;
    client_max_body_size 4096m;
    client_body_timeout 1800;
    }

  location /wapt-host/Packages {
    return 403;
    }

  location /wapt-host/add_host_kerberos {
    return 403;
    }

  location / {
    proxy_pass http://127.0.0.1:8080;
    }

  location /socket.io {
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_pass http://127.0.0.1:8080/socket.io;
    }
  }
}

Configuring WAPT Server for large deployments

The default operating system, Nginx and PostgreSQL settings are adapted for around 400 WAPT Agents. If you have more than 400 clients it is necessary to modify a few system level parameters along with PostgreSQL database, Nginx web and WAPT Server python server.

In the future, the postconf.sh script might take charge of this configuration depending on the expected number of client computers.

With the following parameters, one WAPT Server should scale up to around 5000 concurrent active clients. You may have more clients in the database if they are not all running at the same time. If you have more than 5000 clients it is recommended to have more than one WAPT Server.

The limit in the number of end point clients is due to the bottleneck in the python code and the PostgreSQL backend. WAPT performance gets better with time and in the future WAPT Server might support a large base on a single host. However the Nginx part scales very well and it can takes full advantage of a 10Gbps connection for high load package deployments.

Note

The parameters to be modified below are linked together and should be modified globally and not individually.

Configuring Nginx

nginx.conf configuration file location

OS Type

File location

Debian / Ubuntu

/etc/nginx/nginx.conf

Redhat and derivatives

/etc/nginx/nginx.conf

Windows

C:\wapt\waptserver\nginx\conf\nginx.conf

In the nginx.conf file, modify the worker_connections parameter. The value should be around 2.5 times the number of WAPT clients (n connections for websockets and n connections for package downloads and inventory upload + some margin).

events {
  worker_connections 4096;
}

Then upgrade the number of filedescriptors in the nginx.conf file:

worker_rlimit_nofile 32768;

Depending on the partitioning of your WAPT Server you might have to be careful with the Nginx temporary file upload directory. Nginx acts as a reverse proxy for the WAPT Server Python engine and its does a caching of packages uploaded when uploading a new package from the Console.

The packages are stored in the /var/lib/nginx/proxy directory. You have to make sure that the partition hosting this directory is large enough. You may change this directory location using the following Nginx configuration parameter.

$client_body_temp_path

Configuring the Linux System

Increase the number of filedescriptors. The system unit file asks for an increase in the allowed number of filedescriptors (LimitNOFILE=32768). We should have the same thing for Nginx. There are a few limits to modify.

First we modify system wide the number of filedescriptors allowed for Nginx and WAPT.

  • Create the /etc/security/limits.d/wapt.conf.

cat > /etc/security/limits.d/wapt.conf <<EOF
wapt         hard    nofile      32768
wapt         soft    nofile      32768
www-data     hard    nofile      32768
www-data     soft    nofile      32768
EOF

Nginx serves as a reverse proxy and makes quite a lot of connections. Each WAPT client keeps a websocket connection up all the time in order to respond to actions from the WAPT Server.

The Linux kernel has a protection against having too many TCP connections opened at the same time and one may get the SYN flooding on port message in the Nginx log. In order to avoid these messages, it is necessary to modify the two following parameters. It should be around 1.5 times the number of WAPT clients.

cat > /etc/sysctl.d/wapt.conf <<EOF
net.ipv4.tcp_max_syn_backlog=4096
net.core.somaxconn=4096
EOF

sysctl --system

Configuring the PostgreSQL database

postgresql.conf configuration file location

OS Type

File location

Debian / Ubuntu

/etc/postgresql/{version}/main/postgresql.conf

Redhat and derivatives

/var/lib/pgsql/{version}/data/postgresql.conf

Windows

C:\wapt\waptserver\pgsql{version}_data\postgresql.conf

A higher number of clients need a higher number of connections to the PostgreSQL database. In the postgresql.conf file, you need to increase the following parameter to approximately 1/4 the number of active WAPT Agents.

max_connections = 1000

In /opt/wapt/conf/waptserver.ini file (for Windows C:\wapt\conf\waptserver.ini), db_max_connections should be equal to PostgreSQL max_connections minus 10 (PostgreSQL needs to keep some connections for its housekeeping stuff). The max_clients parameter should be set around 1.2 times the number of WAPT Agents:

[options]
...
max_clients = 4096
db_max_connections = 990