To go further, more configuration options are available in this part of the documentation:

Configuring WAPT agent

The configuration file C:\Program Files (x86)\wapt\wapt-get.ini defines the behavior of the WAPT agent.

The [global] section is required:

[global]

After standard installation, the default configuration is:

[global]
waptupdate_task_period=120
wapt_server=https://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
use_hostpackages=1

Making changes in wapt-get.ini and regenerating the agent installer is not sufficient to push the new configuration to agents that are already deployed.

You can create a WAPT package to push updated wapt-get.ini settings.

The package is available from the Tranquil IT repository: https://store.wapt.fr/wapt/tis-wapt-conf-policy_6_f913e7abc2f223c3e243cc7b7f95caa5.wapt:

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():
    # WAPT.config_filename is the path of the running agent's wapt-get.ini.
    # inifile_writestring creates the key in the [global] section or
    # overwrites its current value; values are written as strings.
    print('Modify max_gpo_script_wait')
    inifile_writestring(WAPT.config_filename,'global','max_gpo_script_wait','180')

    print('Modify pre_shutdown_timeout')
    inifile_writestring(WAPT.config_filename,'global','pre_shutdown_timeout','180')

    print('Disable Hiberboot')
    inifile_writestring(WAPT.config_filename,'global','hiberboot_enabled','0')

    print('Disable notify_user')
    inifile_writestring(WAPT.config_filename,'global','notify_user','0')

Description of available options

Note

  • if the repo_url and wapt_server attributes are present but empty, the WAPT agent looks for the repository and the server using SRV records in the dnsdomain zone;

  • if there is no wapt_server attribute in the [global] section, no WAPT Server is used;

  • if there is no repo_url attribute in the [global] section, a repository has to be defined explicitly in the [wapt] section;

  • that repository then has to be enabled by adding it to the repositories attribute of the [global] section.

Description of available options for the WAPT agent

Options

Description

use_hostpackages = 1

Use host packages (default 1).

waptupdate_task_period = 120

Update frequency (120 minutes by default).

waptupgrade_task_period = 360

Upgrade frequency (disabled by default)

waptservice_port = 8088

WAPT agent loopback port. It is not accessible from the network.

dbpath = C:\Program Files (x86)\wapt\db\waptdb.sqlite

Path to the local database file.

loglevel = warning

Log level of the WAPT agent. Possible values are: debug, info, warning, critical.

maturities = PROD

List of package maturities that can be viewed and installed by the WAPT agent. Default value is PROD. Any value can be used.

use_fqdn_as_uuid = 1

Allows you to use the FQDN rather than the BIOS UUID as the unique machine identifier in WAPT.

waptaudit_task_period = 120

Defines how often the agent checks whether it has audits to perform.

locales = en

Allows you to set the list of WAPT agent languages used to filter the packages visible to the agent. Several languages can be given in order of preference (e.g. locales=fr,en).

host_profiles = tis-firefox,tis-java

Allows you to define a list of WAPT packages that the agent must install.

language = en

Forces the default language of the GUI (not used for package filtering).

host_organizational_unit_dn = OU=TOTO,OU=TEST,DC=DEMO,DC=LAN

Allows you to force an Organizational Unit on the WAPT agent (convenient for assigning a fake OU to computers outside the domain). Use a consistent case (do not mix "dc" and "DC", for example), matching the DN shown in the console (DN/computer_ad_dn fields of each machine).

download_after_update_with_waptupdate_task_period = True

Defines whether pending packages are downloaded right after the update triggered by waptupdate_task_period.

log_to_windows_events = False

Sends the WAPT agent log to the Windows event log.

service_auth_type = system

How the self service authentication works. Possible values are: system, waptserver-ldap or waptagent-ldap

uninstall_allowed = 1

Whether or not it is possible for the user to uninstall applications via the self-service.

WAPT Server configuration attributes

These options will set WAPT agent behavior when connecting to WAPT Server.

Description of available options for the WAPT Server

Options

Description

wapt_server =

WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted. If the attribute is empty, a DNS query will be triggered to find the WAPT Server using the dnsdomain attribute for the DNS zone.

dnsdomain =

DNS zone on which the DNS SRV _waptserver._tcp is searched.

wapt_server_timeout = 10

WAPT Server HTTPS connection timeout in seconds

use_kerberos = 1

Use kerberos authentication for initial registration on the WAPT Server.

verify_cert = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt (on Windows)
verify_cert = /opt/wapt/ssl/server/srvwapt.mydomain.lan.crt (on Linux and macOS)

See the documentation on activating the verification of HTTPS certificates

public_certs_dir = C:\Program Files (x86)\wapt\ssl (on Windows)
public_certs_dir = /opt/wapt/ssl/ (on Linux and macOS)

Folder of certificates authorized to verify the signature of WAPT packages, by default <wapt_base_dir>\ssl. Only files in this directory with a .crt or .pem extension are taken into account. There may be several X509 certificates in each file. Authorized packages in WAPT are those whose signature can be verified by one of the certificates contained in the PEM files of this directory. Each repository may have its own folder of authorized certificates.

Using several repositories

There can be more sections in the wapt-get.ini file to define more repositories:

  • [wapt]: main repository. Relevant attributes: repo_url, verify_cert, dnsdomain, http_proxy, use_http_proxy_for_repo, timeout. If this section does not exist, parameters are read from the [global] section;

  • [wapt-template]: external remote repository that will be used in the WAPT console for importing new or updated packages;

  • [wapt-host]: repository for host packages. If this section does not exist, default locations will be used on the main repository;

More information on that usage can be found in this article on working with multiple public or private repositories.

Note

Active repositories are listed in the repositories attribute of the [global] section.

Description of available options for repositories

Options

Description

repositories = repo1, repo2

List of enabled repositories, separated by a comma. Each value defines a section of the wapt-get.ini file. In each section, it is possible to define repo_url, dnsdomain, public_certs_dir, http_proxy.

Note

This parameter can be configured both in the WAPT agent configuration and in the WAPT console configuration file C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

For information on configuring the WAPT console, please refer to this documentation.

Settings for waptexit

Description of available options for WAPTexit

Options

Description

allow_cancel_upgrade = 1

Whether users may cancel package upgrades at computer shutdown (1 allows cancelling; set to 0 to prevent it).

pre_shutdown_timeout = 180

Timeout, in seconds, for scripts at computer shutdown.

max_gpo_script_wait = 180

Timeout, in seconds, for GPO execution at computer shutdown.

hiberboot_enabled = 0

Disables Hiberboot (Windows 10 fast startup) so that waptexit actually runs at shutdown.

Settings for WAPT Self-Service and Waptservice Authentication

Description of available options for the WAPT Self-Service and Waptservice Authentication

Options

Description

waptservice_admin_filter = True

Apply selfservice package view filtering for Local Administrators.

service_auth_type = system

Defines the authentication system of the WAPT service; available values are system, waptserver-ldap and waptagent-ldap.

ldap_auth_ssl_enabled = False

Used with waptagent-ldap: defines whether the LDAP connection must be encrypted. Without encryption the LDAP simple bind sends the user's password in clear text on the network.

verify_cert_ldap = True

Used with waptagent-ldap: defines whether the LDAP server certificate is verified.

ldap_auth_base_dn = dc=domain,dc=lan

Useful with waptagent-ldap, defines the base dn for the LDAP request.

ldap_auth_server = srvads.domain.lan

Useful with waptagent-ldap, defines the LDAP server to contact.

waptservice_user = admin

Forces authentication on the WAPT service with this user name.

waptservice_password = 5e884898da

sha256 hashed password when waptservice_user is used (the value NOPASSWORD disables the requirement for a password).

Settings for wapttray

Description of available options for the WAPT tray

Options

Description

notify_user = 0

Prevents wapttray from sending notifications (popup).

Proxy settings

Description of available proxy options

Options

Description

http_proxy = http://user:pwd@host_fqdn:port

HTTP proxy address. Credentials placed in the URL are stored in clear text in wapt-get.ini.

use_http_proxy_for_repo = 0

Use the proxy to access the repositories.

use_http_proxy_for_server = 0

Use a proxy to access the WAPT Server.

use_http_proxy_for_templates = 0

Use a proxy to access package template server.
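The options above (wapt_server and repo_url, verify_cert and public_certs_dir, the repositories list, the self-service user and password, the LDAP settings and the proxy URL) fail silently when misconfigured. The following script is an added example, not part of WAPT or of this documentation: it reads a wapt-get.ini with the Python standard library and reports the settings that weaken the agent. SAMPLE_INI is a constructed configuration with several weak settings; reading repo_url and verify_cert from [global] when a repository section does not set them is an assumption (the page states that fallback for the [wapt] section only).

```python
"""Audit a wapt-get.ini for the agent, server, repository, self-service and
proxy settings described above.

Added example, not part of WAPT.  SAMPLE_INI is constructed for the
demonstration; the checks only use keys documented on this page.  The
fallback from a repository section to [global] is an assumption.
"""
import configparser
import re
from urllib.parse import urlsplit

SAMPLE_INI = """\
[global]
wapt_server=https://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
repositories=wapt,partner
verify_cert=0
http_proxy=http://svc_wapt:S3cret@proxy.mydomain.lan:3128
use_http_proxy_for_server=1
waptservice_user=admin
waptservice_password=NOPASSWORD
service_auth_type=waptagent-ldap
ldap_auth_ssl_enabled=False

[wapt]
repo_url=http://srvwapt.mydomain.lan/wapt/
verify_cert=C:\\Program Files (x86)\\wapt\\ssl\\server\\srvwapt.mydomain.lan.crt

[partner]
repo_url=https://partner.mydomain.lan/wapt/
verify_cert=1
"""

FALSE_VALUES = {"0", "false", "no", "off"}
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")
ORDER = {"error": 0, "warn": 1, "info": 2}


def _is_false(value):
    return value.strip().lower() in FALSE_VALUES


def _lookup(cfg, section, key):
    """Value of `key` in `section`, else in [global], else None (assumed inheritance)."""
    for sec in (section, "global"):
        if cfg.has_option(sec, key):
            return cfg.get(sec, key)
    return None


def audit_wapt_ini(text):
    """Return findings as a list of (severity, section, message), most severe first."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("global"):
        return [("error", "global", "missing [global] section")]
    g = cfg["global"]
    findings = []

    # Repository sections: [wapt] ([global] when [wapt] is absent) plus the
    # sections named in the repositories attribute, which must all exist.
    repo_sections = ["wapt" if cfg.has_section("wapt") else "global"]
    for name in (n.strip() for n in g.get("repositories", "").split(",")):
        if not name:
            continue
        if not cfg.has_section(name):
            findings.append(("error", "global", f"repositories lists '{name}' but there is no [{name}] section"))
        elif name not in repo_sections:
            repo_sections.append(name)

    # wapt_server: absent = no server, empty = SRV lookup in dnsdomain, otherwise https expected.
    server = g.get("wapt_server")
    if server is None:
        findings.append(("info", "global", "no wapt_server attribute: the agent runs without a WAPT Server"))
    else:
        if server.strip() == "":
            findings.append(("info", "global", "wapt_server empty: located through _waptserver._tcp in dnsdomain"))
        elif urlsplit(server).scheme != "https":
            findings.append(("warn", "global", f"wapt_server is not https: {server}"))
        verify = g.get("verify_cert")
        if verify is None or _is_false(verify):
            findings.append(("warn", "global", "verify_cert disabled for the WAPT Server connection"))

    for sec in repo_sections:
        url = _lookup(cfg, sec, "repo_url")
        if url and urlsplit(url).scheme != "https":
            findings.append(("warn", sec, f"repo_url is not https: {url}"))
        verify = _lookup(cfg, sec, "verify_cert")
        if verify is None or _is_false(verify):
            findings.append(("warn", sec, "verify_cert disabled: TLS endpoint not authenticated, only the package signature check remains"))
        if sec not in ("global", "wapt") and not (cfg[sec].get("public_certs_dir") or "").strip():
            findings.append(("info", sec, "public_certs_dir not set: the default signer folder is used for this repository"))

    # Credentials embedded in the proxy URL sit in clear text in wapt-get.ini.
    proxy = g.get("http_proxy", "")
    if proxy and (urlsplit(proxy).username or urlsplit(proxy).password):
        findings.append(("warn", "global", "http_proxy embeds credentials, stored in clear text in wapt-get.ini"))

    # Self-service authentication: password must be a sha256 digest, LDAP must be encrypted.
    if g.get("waptservice_user"):
        pwd = g.get("waptservice_password", "")
        if pwd.upper() == "NOPASSWORD":
            findings.append(("warn", "global", "waptservice_password=NOPASSWORD: no password is required for waptservice_user"))
        elif not SHA256_HEX.match(pwd):
            findings.append(("warn", "global", "waptservice_password is not a sha256 hex digest"))
    if g.get("service_auth_type", "system").strip().lower() == "waptagent-ldap":
        if _is_false(g.get("ldap_auth_ssl_enabled", "False")):
            findings.append(("warn", "global", "waptagent-ldap without ldap_auth_ssl_enabled: the LDAP simple bind sends user passwords in clear text"))
        if _is_false(g.get("verify_cert_ldap", "True")):
            findings.append(("warn", "global", "verify_cert_ldap disabled: the LDAP server certificate is not checked"))

    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, section, message in audit_wapt_ini(SAMPLE_INI):
        print(f"{severity:5} [{section}] {message}")
```

Run it against the real file (open it and pass its content to audit_wapt_ini) after any change pushed by a configuration package; the same checks apply to the repository sections of waptconsole.ini, which use the same keys.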

Settings for creating packages

Description of available options for creating WAPT packages

Options

Description

personal_certificate_path = C:\private\org-coder.crt

Path to the certificate associated with the Administrator's package-signing private key.

default_sources_root = C:\waptdev

Directory for storing packages in development.

default_sources_root_host = C:\waptdev\hosts

Directory for storing host packages in development.

default_package_prefix = tis

Default prefix for new or imported packages.

default_sources_suffix = wapt

Default suffix for new or imported packages.

Settings for WAPT Windows Updates

Refer to this article on configuring WAPTWUA on the WAPT agent.

Overriding settings of upload functions

It’s possible to override upload commands to define a particular behavior when uploading packages. It’s possible for example to upload packages on several repositories, or via another protocol, etc.

To upload packages on the repository (wapt-get upload-package or build-upload), use:

upload_cmd="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" admin@srvwapt.mydomain.lan /upload %(waptfile)s

To upload host-packages on the repository (upload-package or build-upload of a host package), use:

upload_cmd_host="C:\\Program Files (x86)\\putty\\pscp" -v -l admin %(waptfile)s srvwapt.mydomain.lan:/var/www/wapt-host/

To launch a command after a package upload, use:

after_upload="C:\\Program Files (x86)\\putty\\plink" -v -l admin srvwapt.mydomain.lan "python /var/www/wapt/wapt-scanpackages.py /var/www/%(waptdir)s/"

Configuring the WAPT console

Hint

The configuration file for the WAPT console is stored in C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini. This file is automatically generated when the waptconsole is first launched and it is generated from the wapt-get.ini file configured on the Administrator’s workstation.

Several options are available in the [global] section of the waptconsole.ini file:

Description of available options for the WAPT console

Options

Description

wapt_server = https://srvwapt.mydomain.lan

Address of the WAPT Server.

repo_url = https://srvwapt.mydomain.lan/wapt

Address of the main WAPT repository.

last_usage_report = 03/01/2017 18:45:51

Date when the WAPT console was last used.

http_proxy =

Address of the proxy server in the console.

use_http_proxy_for_server = 0

Use a proxy to connect to the WAPT Server from the console.

use_http_proxy_for_repo = 0

Use a proxy to connect to the main WAPT repository from the console.

default_package_prefix = tis

Prefix used for naming WAPT packages.

default_sources_root = C:\waptdev

WAPT base package development folder.

personal_certificate_path = C:\private\mykey.crt

Path to the certificate associated with the Administrator’s private key.

send_usage_report = 1

Allows the WAPT console to send anonymous statistics to Tranquil IT.

language = en

Language of the WAPT console.

advanced_mode = 0

Launches the console in debug mode.

verify_cert = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt (on Windows)

For verifying HTTPS certificates.

waptservice_timeout = 2

Timeout for actions applied to WAPT agents (ex: update).

enable_external_tools = 0

Displays the actions that call external applications (RDP, VNC, etc…).

enable_management_features = 0

Displays the button to create self-signed certificates or to create the WAPT agent’s installer.

hide_unavailable = 0

Hides actions that are not available for the WAPT agent.

check_certificates_validity = 1

Forces verification of the package signing certificate's validity dates and CRL.

sign_digests = sha256,sha1

List of allowed signature digest algorithms for WAPT packages. Keep sha1 only while packages signed with it must still be accepted; SHA-1 is no longer collision resistant.

Configuring external repositories

You may add several external repositories by adding [sections] in C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

Example:

[store.wapt.fr]
repo_url=https://store.wapt.fr/waptdev
verify_cert=1
http_proxy=http://proxy.mydomain.lan:8080
public_certs_dir=
timeout=2

[otherwapt.tranquil.it]
repo_url=https://otherwapt.tranquil.it/waptdev
verify_cert=0
http_proxy=
public_certs_dir=c:\Users\admin\Documents\ssl\otherwapt\
timeout=2

Description of available options for external repositories

Options

Description

repo_url = http://srvwapt.mydomain.lan/wapt

Address of the external WAPT repository.

http_proxy = http://proxy.mydomain.lan:8080

Address of the proxy to use to access the external repository referenced in the [section].

verify_cert = 1

Whether to verify the repository's HTTPS certificate: 1 verifies, 0 disables verification, and a path designates the certificate to check against (as for verify_cert in wapt-get.ini). With 0, a downloaded package is protected only by its signature check against public_certs_dir.

public_certs_dir =

Folder that contains the certificates used to authenticate downloaded external packages.

timeout = 2

Timeout for the external repository referenced in the [section]. If left empty, no verification is performed.

Settings for creating WAPT packages

Description of available options for creating WAPT packages

Options

Description

personal_certificate_path = C:\private\coder.crt

Path to the certificate associated with the private key used to sign packages.

default_sources_root = C:\waptdev

WAPT base package development folder.

default_sources_root_host = C:\waptdev\hosts

WAPT host package development folder.

default_package_prefix = tis

Default prefix for new WAPT packages.

default_sources_suffix = wapt

Default suffix for new WAPT packages.

Configuring the WAPT Server

The WAPT Server configuration file on GNU/ Linux systems is found in /opt/wapt/conf/waptserver.ini.

The WAPT Server configuration file on Windows systems is found in C:\wapt\conf\waptserver.ini.

Attention

Modification of these files is reserved for advanced users!!

Section [options] of waptserver.ini

Several options can be defined in the [options] section:

Available parameters for the [options] section of waptserver.ini

Options

Description

allow_unauthenticated_connect = False

Allows agents to open websocket connections without authentication (False, the default, requires authenticated connections).

allow_unauthenticated_registration = True

Allows the initial registration of the WAPT agent using a login and password

allow_unsigned_status_data = False

Debug only - Allows unsigned status data from agent

application_root = ''

Set custom WAPT server application root path (ex: wapt)

auto_create_ldap_users = True

Related to user ACLs

client_certificate_lifetime = 3650

Host certificate lifetime

clients_read_timeout = 5

Websocket client timeout

clients_signing_certificate =

Host certificates signing cert

clients_signing_crl_days =

Host certificates signing CRL validity in days

clients_signing_crl =

Host certificates signing CRL

clients_signing_crl_url =

Host certificates signing CRL URL

clients_signing_key =

Host certificates signing key

client_tasks_timeout = 1

Maximum allowed delay before WAPT agent requests timeout

db_connect_timeout = 10

Maximum allowed delay before PostgreSQL queries timeout

db_host =

Address of the PostgreSQL server (empty by default, it will use a local Unix Socket).

db_max_connections = 100

Maximum simultaneous connections to the PostgreSQL database

db_name = wapt

Name of the PostgreSQL database that the WAPT Server will connect to.

db_password =

Password for authenticating the user on the PostgreSQL database (default: empty, it will use a local UNIX socket)

db_port = 5432

Port of the PostgreSQL server

db_stale_timeout = 300

Database stale timeout, default to 300 seconds

db_user =

Name of the PostgreSQL user connecting to the database (default: empty, it will use a local UNIX socket).

enable_store = False

Enables WAPT Store Webui (WAPT Enterprise only)

encrypt_host_packages = False

Encrypt host package with client certificate

htpasswd_path = None

Path to an htpasswd file; when set, HTTP basic authentication is required on the WAPT Server.

http_proxy = http://srvproxy.mydomain.lan:3128

Defines the proxy server used by the WAPT Server to retrieve CRLs.

known_certificates_folder = /opt/wapt/ssl/

Adds additional known CA certificates for certificate validation.

ldap_auth_base_dn = None

Defines LDAP authentication base DN

ldap_auth_server = None

Defines LDAP authentication server

ldap_auth_ssl_enabled = True

Sets SSL auth on LDAP connections

loglevel = debug

Log level (default level is warning).

max_clients = 4096

Sets the maximum number of simultaneous WAPT client connections.

min_password_length = 10

Sets minimum admin password length

nginx_http = 80

Defines Nginx http port (Windows only)

nginx_https = 443

Defines Nginx https port (Windows only)

remote_repo_diff = False

Enable remote repositories diff

remote_repo_support = True

Enables remote repositories functionality on WAPT Server

remote_repo_websockets = True

Enables websocket communication with remote repositories agents

secret_key = FKjfzjfkF687fjrkeznfkj7678jknk78687

Random string for initializing the Python Flask application server. It is generated when first installing the WAPT Server and is unique for every WAPT Server.

server_uuid = 76efezfa6-b309-1fez5-92cd-8ea48fc122dc

WAPT Server UUID (this anonymous id is used for WAPT statistics).

signature_clockskew = 72000

Maximum allowed time difference (clock skew), in seconds, for signed websocket messages.

token_lifetime = 43200

Authentication token lifetime

trusted_signers_certificates_folder = None

Path to trusted signers certificate directory

trusted_users_certificates_folder = None

Path to trusted users CA certificate directory

use_kerberos = True

Requires a kerberos authentication when first registering the WAPT agent.

use_ssl_client_auth = False

Enables client certificate authentication.

wapt_admin_group_dn = CN=waptadmins,OU=groups,DC=ad,DC=mydomain,DC=lan

LDAP DN of Active Directory User Group allowed to connect to WAPT console

wapt_admin_group = None

CN of Active Directory User Group allowed to connect to WAPT console

wapt_folder = /var/www/wapt

Directory of the WAPT repository.

wapt_huey_db = C:\Program Files (x86)\wapt\db\waptservertasks.sqlite

Path to database that handles tasks

wapt_password = 46642dd2b1dfezfezgfezgadf0ezgeezgezf53d

SuperAdmin password, stored as a hash, for connecting to the WAPT console.

waptserver_port = 8080

Specify WAPT Server python service port, default to 8080

wapt_user = admin

Defines the SuperAdmin username in the WAPT console.

waptwua_folder = /var/www/waptwua

Location of WAPT WUA folder

wol_port = 9,123,4000

List of WakeOnLAN UDP ports to send magic packets to

wapt_bind_interface = 127.0.0.1

Interface the waptserver Python service listens on. The default 127.0.0.1 keeps port 8080 reachable only through the local Nginx reverse proxy.

Configuring Nginx

The default Nginx configuration is as follows:

server {
  listen                      80;
  listen                      443 ssl;
  server_name                 _;
  ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
  ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";
  ssl_protocols               TLSv1.2;
  ssl_dhparam                 /etc/ssl/certs/dhparam.pem;
  ssl_prefer_server_ciphers   on;
  ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_stapling                on;
  ssl_stapling_verify         on;
  ssl_session_cache           none;
  ssl_session_tickets         off;
  index index.html;

  # Package repositories (/wapt, /wapt-host, /waptwua ...) are served as static
  # files from /var/www, without going through the Python server.
  location ~ ^/wapt.* {
    proxy_set_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
    proxy_set_header Pragma "no-cache";
    proxy_set_header Expires "Sun, 19 Nov 1978 05:00:00 GMT";
    root "/var/www";
  }

  # Everything else is reverse-proxied to the waptserver Python service,
  # which listens on the loopback interface only (wapt_bind_interface).
  location / {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Package and host uploads from the console: large bodies, long timeout.
    location ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup) {
      proxy_pass http://127.0.0.1:8080;
      client_max_body_size 4096m;
      client_body_timeout 1800;
    }

    # Deny listing of the host-package index and the Kerberos registration path.
    # Note: a URI under /wapt-host also matches the regex location above, and in
    # nginx a matching regex location wins over a prefix location; check with a
    # test request that these denials are effective on your server.
    location /wapt-host/Packages {
      return 403;
    }

    location /wapt-host/add_host_kerberos {
      return 403;
    }

    location / {
      proxy_pass http://127.0.0.1:8080;
    }

    # Persistent websocket kept open by every agent to receive server actions.
    location /socket.io {
      proxy_http_version 1.1;
      proxy_buffering off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_pass http://127.0.0.1:8080/socket.io;
    }
  }
}

Configuring WAPT Server for large deployments

The default operating system, Nginx and PostgreSQL settings are adapted for around 400 WAPT agents. Beyond 400 clients it is necessary to modify a few system level parameters along with the PostgreSQL database, the Nginx web server and the WAPT Server Python service.

In the future the postconf.sh script might take charge of this configuration depending on the expected number of client computers.

With the following parameters, one WAPT Server should scale up to around 5000 concurrent active clients. You may have more clients in the database if they are not all running at the same time. If you have more than 5000 clients it is recommended to have more than one WAPT Server.

The limit on the number of endpoint clients is due to bottlenecks in the Python code and the PostgreSQL backend. WAPT performance improves over time and in the future the WAPT Server might support a larger base on a single server. The Nginx part, however, scales very well and can take full advantage of a 10 Gbps connection for high load package deployments.

Note

The parameters to be modified below are linked together and should be modified globally and not individually.

Configuring Nginx

In the /etc/nginx/nginx.conf file (for Windows C:\wapt\waptserver\nginx\conf\nginx.conf), modify worker_connections parameter. The value should be around 2.5 times the number of WAPT clients (n connections for websockets and n connections for package downloads and inventory upload + some margin).

events {
    worker_connections 4096;
}

Then upgrade the number of filedescriptors in the /etc/nginx/nginx.conf file (for Windows C:\wapt\waptserver\nginx\conf\nginx.conf):

worker_rlimit_nofile 32768;

Depending on the partitioning of your WAPT Server, you might have to pay attention to the Nginx temporary upload directory. Nginx acts as a reverse proxy for the WAPT Server Python engine and buffers the package body on disk when a new package is uploaded from the console.

The buffered packages are stored in the /var/lib/nginx/proxy directory. Make sure that the partition hosting this directory is large enough. You may change this directory location with the following Nginx configuration directive:

client_body_temp_path

Configuring the Linux System

Increase the number of file descriptors. The systemd unit file of the WAPT Server already asks for a higher limit (LimitNOFILE=32768); Nginx needs the same. There are a few limits to modify.

First we modify system wide the number of filedescriptors allowed for Nginx and WAPT.

  • create the /etc/security/limits.d/wapt.conf:

    cat > /etc/security/limits.d/wapt.conf <<EOF
    wapt         hard    nofile      32768
    wapt         soft    nofile      32768
    www-data     hard    nofile      32768
    www-data     soft    nofile      32768
    EOF

Nginx serves as a reverse proxy and makes quite a lot of connections. Each WAPT client keeps a websocket connection up all the time in order to respond to actions from the WAPT Server.

The Linux kernel has a protection against too many TCP connections being opened at the same time, and the message SYN flooding on port may appear in the Nginx log. To avoid it, modify the two following parameters. They must be set to around 1.5 times the number of WAPT clients.

cat > /etc/sysctl.d/wapt.conf <<EOF
net.ipv4.tcp_max_syn_backlog=4096
net.core.somaxconn=4096
EOF

sysctl --system

Configuring the PostgreSQL database

A higher number of clients needs a higher number of connections to the PostgreSQL database. In the postgresql.conf file (/etc/postgresql/11/main/postgresql.conf on Debian 10 for example, or C:\wapt\waptserver\pgsql9.6_data\postgresql.conf on Windows), increase the following parameter to approximately 1/4 of the number of active WAPT agents.

max_connections = 1000

In the /opt/wapt/conf/waptserver.ini file (C:\wapt\conf\waptserver.ini on Windows), db_max_connections should be equal to PostgreSQL max_connections minus 10 (PostgreSQL needs to keep some connections for its housekeeping). The max_clients parameter should be set to around 1.2 times the number of WAPT agents:

[options]
...
max_clients = 4096
db_max_connections =  990
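The Note above stresses that these parameters are linked and must be changed together. The following script is an added example, not part of WAPT or of its postconf.sh script: it derives the whole set from one number of active agents using the ratios given in this section and renders the four fragments to paste into nginx.conf, sysctl.d/wapt.conf, postgresql.conf and waptserver.ini. Rounding up to a multiple of 256 (10 for PostgreSQL) and the floor of 100 PostgreSQL connections are assumptions chosen to give readable values.

```python
"""Derive the linked sizing parameters of this section from the expected
number of active WAPT agents.

Added example, not part of WAPT.  Ratios are the ones stated above:
worker_connections ~ 2.5 x agents, SYN backlog and somaxconn ~ 1.5 x,
PostgreSQL max_connections ~ agents / 4, db_max_connections =
max_connections - 10, max_clients ~ 1.2 x.  Rounding granularity and the
PostgreSQL floor of 100 are assumptions.
"""
import math

DEFAULT_NOFILE = 32768  # LimitNOFILE in the unit file and limits.d/wapt.conf above


def _round_up(value, multiple):
    return int(math.ceil(value / multiple)) * multiple


def size_wapt_server(agents, nofile=DEFAULT_NOFILE):
    """Return (parameters, problems) for `agents` concurrently active agents."""
    if agents <= 0:
        raise ValueError("agents must be a positive number")
    pg_max = max(100, _round_up(agents / 4, 10))
    params = {
        "nginx.worker_connections": _round_up(2.5 * agents, 256),
        "nginx.worker_rlimit_nofile": nofile,
        "limits.nofile": nofile,
        "sysctl.net.ipv4.tcp_max_syn_backlog": _round_up(1.5 * agents, 256),
        "sysctl.net.core.somaxconn": _round_up(1.5 * agents, 256),
        "postgresql.max_connections": pg_max,
        "waptserver.db_max_connections": pg_max - 10,
        "waptserver.max_clients": _round_up(1.2 * agents, 256),
    }
    # The values are linked: check the combination, not each one in isolation.
    problems = []
    if params["nginx.worker_connections"] > nofile:
        problems.append("worker_rlimit_nofile (and limits.d nofile) must be at least worker_connections")
    if agents > 5000:
        problems.append("above about 5000 active agents, split the fleet over several WAPT Servers")
    return params, problems


def render(params):
    """Render the fragments for nginx.conf, sysctl.d/wapt.conf, postgresql.conf and waptserver.ini."""
    return "\n".join([
        "# /etc/nginx/nginx.conf",
        f"worker_rlimit_nofile {params['nginx.worker_rlimit_nofile']};",
        "events {",
        f"    worker_connections {params['nginx.worker_connections']};",
        "}",
        "",
        "# /etc/sysctl.d/wapt.conf",
        f"net.ipv4.tcp_max_syn_backlog={params['sysctl.net.ipv4.tcp_max_syn_backlog']}",
        f"net.core.somaxconn={params['sysctl.net.core.somaxconn']}",
        "",
        "# postgresql.conf",
        f"max_connections = {params['postgresql.max_connections']}",
        "",
        "# /opt/wapt/conf/waptserver.ini",
        "[options]",
        f"max_clients = {params['waptserver.max_clients']}",
        f"db_max_connections = {params['waptserver.db_max_connections']}",
    ])


if __name__ == "__main__":
    import sys
    agents = int(sys.argv[1]) if len(sys.argv) > 1 else 1600
    parameters, problems = size_wapt_server(agents)
    print(render(parameters))
    for problem in problems:
        print("WARNING:", problem)
```

Run it with the number of agents expected to be online at the same time, not the number of hosts in the database, since only active agents hold a websocket and poll the server.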