Now that the WAPT Server has been successfully installed, the WAPT console must be installed.

WAPT management console

Attention

If you have already built the WAPT agent and deployed it on your Administrator’s workstation, go to Starting the WAPT console.

Note

  • managing WAPT is done mainly via the WAPT console installed on the Administrator’s workstation;

  • the Administrator’s computer must be joined to the Organization’s Active Directory;

  • the host name of the Administrator’s workstation must not be longer than 15 characters. This is a limit of the sAMAccountName attribute in Active Directory;

  • the Administrator’s computer will become critical for WAPT administration and WAPT package testing;

  • if DNS records are properly configured, you should be able to access the WAPT web interface by visiting: https://srvwapt.mydomain.lan;

  • currently, the WAPT console can only be installed on Windows.

If WAPT is installed on Windows Server

Warning

The WAPT console MUST NOT be installed on your Windows based WAPT server.

The WAPT console must be installed on the workstation from which you manage your network.

Before installing the WAPT console, download the installer from the Tranquil IT server:

  • Discovery version: WAPT Discovery will be released later. For the time being, for the free edition of WAPT, please refer to the wapt-1.8 documentation: https://www.wapt.fr/en/doc-1.8/

  • Enterprise version:

    • Download waptsetup.exe on the WAPT server;

    • rename the file to waptsetup-tis.exe;

    • copy it to C:\wapt\waptserver\repository\wapt;

You may now go on to download and launch the installation of the WAPT console on the Administrator’s computer.

If WAPT is installed on a Linux server

Go to the next step: the WAPT console is already on your server.

Downloading on WAPT server home page

WAPT Server web interface

  • if DNS records are properly configured, you should be able to access the WAPT web interface by visiting: https://srvwapt.mydomain.lan;

  • click on the WAPTSetup link on the right-hand side of the WAPT Server web page.

Installing on the Administrator’s computer

Attention

If waptagent has not been built and installed on your computer, you need to install waptsetup.

Otherwise, the WAPT console has already been installed with waptagent and you just need to configure it.

Choose the language for WAPT

  • click on OK to go on to the next step;

Accept the WAPT license terms

  • accept the licence terms and click on Next to go to the next step;

  • click on Next and choose your installation options (default value should be right for most installations);

Choose the installer's options

Note

  • check Install WAPT service if you want to have the WAPT service running on your Administrator workstation;

  • check Launch notification tray upon session opening if you want to have the WAPT icon running in the tray by default;

  • setting up the WAPT Server URL

Hint

Here, two choices become available to you.

  1. If this is a first installation and the WAPT agent has not been built/installed

Check Static WAPT Informations and set:

Choose the WAPT repository and server; click Next

  2. If the console or agent is already installed

Check Don’t change current setup

The WAPT repository and server already set; click Next

  • installation summary

The WAPT console installation summary

  • click Install to launch the installation, wait for the installation to complete, then click on Finish (leave default options)

  • installation in progress

Installation Wizard in progress

  • installation finished

Installation Wizard has finished.

Uncheck Show installation documentation.

Starting the WAPT console

  • launch the WAPT console:

    • by looking for the binary

    C:\Program Files (x86)\wapt\waptconsole.exe

    • from the Start Menu

    WAPT Console Start Menu

  • log into the WAPT console with the SuperAdmin login and password;

WAPT Server connection form

If you have any issue logging into the WAPT console, please refer to the FAQ: Error message when opening the WAPT console.

It is recommended to launch the console with an Organization administrator account.

With the Enterprise version, it is possible to log in with Active Directory authentication.

Attention

On the Enterprise version, copy your licence.lic file to C:\Program Files (x86)\wapt\licences to use Enterprise features.

First start after server installation

Hint

On first start, you must start the WAPT console with elevated privileges. Right-click on the WAPT console binary –> Start as Local Administrator;

Attention

If the following message appears, you have not copied your licence.lic file to C:\Program Files (x86)\wapt\licences to use Enterprise features.

Wapt licence not found

Note

A message may appear indicating that no personal certificate is defined.

See the next step to create your certificate.

Wapt personal certificate not present

Note

A message may appear indicating that your WAPT agent version is obsolete or not yet present.

Wapt agent not present

Generating the Administrator’s certificate for signing WAPT packages

Hint

  • name of the private key: wapt-private.pem;

  • public certificate signed with private key: wapt-private.crt;

Private key wapt-private.pem

Attention

The wapt-private.pem file is fundamental for security. It must be stored in a safe place and correctly protected.

The wapt-private.pem file is the private key. It is located by default in the C:\private folder of the Administrator workstation and is password protected.

This private key will be used along with the certificate to sign packages before uploading them onto the WAPT repository.

Danger

The wapt-private.pem file should not be stored on the WAPT server.

Public certificate: wapt-private.crt

The wapt-private.crt file is the public certificate that is used along with the private key. It is by default created in the C:\private folder of the Administrator, copied and deployed in C:\Program Files (x86)\wapt\ssl on the Windows desktops or in /opt/wapt/ssl on the Linux and MacOS devices managed by the Administrator via a WAPT package, a GPO or an Ansible role.

This certificate is used to validate the signature of packages before installation.

Attention

  • If the public certificate used on the WAPT console does not match the private key used for the WAPT agent generation, no interaction is possible.

  • Child certificates of the private key are also functional for interaction.

Building a certificate

In the WAPT console go to Tools ‣ Build certificate;

Building a self-signed certificate

Discovery

  • fill in the following fields:

Creating a self-signed certificate for Discovery version

Certificate information

| Value | Description | Required |
|---|---|---|
| Targets keys directory | Folder where the private key and the public certificate will be stored | feature available |
| Key filename | Name of the .pem file (the private key) | feature available |
| Private key password | Password for locking and unlocking the key | feature available |
| Confirm password | Password confirmation for locking and unlocking the key | feature available |
| Certificate name | Name of the .crt certificate | feature available |
| Common Name (CN) | Display name of the certificate | feature available |
| City | Name of city in certificate | feature not available |
| Country (2 chars. E.g : FR) | Name of country (FR, EN, ES, DE …) in certificate | feature not available |
| Service | Name of service in certificate | feature not available |
| Organisation | Name of service in certificate | feature not available |
| E-mail address | Email address in certificate | feature not available |
| Export PKCS12 | Create *.p12 certificate in Targets keys directory | feature not available (recommended) |

Optional information

  • Additional details stored in the private key. This information will help with identifying the origin of the certificate and WAPT package;

Hint

The password complexity must comply with your Organization’s security requirements (e.g. ANSSI password recommendations).

Danger

  • the path to your private key must not be in the installation path of WAPT (C:\Program Files (x86)\wapt);

  • if your key is stored in C:\Program Files (x86)\wapt, your Administrator private key will be deployed on your clients, absolutely a no go!

  • The wapt-private.pem file should not be stored on the WAPT server.

  • click on OK to go on to the next step;

If everything has gone well the following message will appear:

Certificate generated successfully

  • click on OK.

Confirmation of the copy of the certificate in the ssl folder

  • click on Yes to copy the newly generated certificate in the folder C:\Program Files (x86)\wapt\ssl on Windows or /opt/wapt/ssl on Linux or MacOS. This certificate will be picked up during the compilation of the WAPT agent and deployed on the client computers;

You may go on to the next step, Building the WAPT agent installer.

Enterprise

With WAPT Enterprise, you can create a Master key with a Certificate Authority flag that can both sign packages and sign new certificates.

Hint

In order to create new signed certificates for delegated, please refer to Differentiating user roles in WAPT.

Creating a self-signed certificate for Enterprise version

Certificate information

| Value | Description | Required |
|---|---|---|
| Targets keys directory | Folder where the private key and the public certificate will be stored | feature available |
| Key filename | Name of the .pem file (the private key) | feature available |
| Private key password | Password for locking and unlocking the key | feature available |
| Confirm password | Password confirmation for locking and unlocking the key | feature available |
| Tag as code signing | Check this box if the certificate/key pair will be allowed to sign software packages | feature available |
| Tag as CA certificate | Check this box if this certificate can be used to sign other certificates (main or intermediate Certificate Authority) | feature available |
| Certificate name | Name of the .crt certificate | feature available |
| Common Name (CN) | Display name of the certificate | feature available |
| City | Name of city in certificate | feature not available |
| Country (2 chars. E.g : FR) | Name of country (FR, EN, ES, DE …) in certificate | feature not available |
| Service | Name of service in certificate | feature not available |
| Organisation | Name of service in certificate | feature not available |
| E-mail address | Email address in certificate | feature not available |
| Authority Signing Key | Key (*.pem) of CA | feature not available |
| Authority Signing Certificate | Certificate (*.crt) of CA | feature not available |
| Export PKCS12 | Create *.p12 certificate in Targets keys directory | feature not available (recommended) |

Optional information

  • Additional details stored in the private key. This information will help with identifying the origin of the certificate and WAPT package;

Hint

The password complexity must comply with your Organization’s security requirements (e.g. ANSSI password recommendations).

Note

If your Organization is already equipped with a Certificate Authority (CA), you will have to fill the certificate and the key in the fields Authority Signing Key and Authority Signing Certificate.

With this procedure you can generate new certificate/key pairs with or without Code Signing capability.

To create a certificate authority, go to Generating the Certificate Authority (CA).

Danger

  • the path to your private key must not be in the installation path of WAPT (C:\Program Files (x86)\wapt);

  • if your key is stored in C:\Program Files (x86)\wapt, your Administrator private key will be deployed on your clients, absolutely a no go!

  • The wapt-private.pem file should not be stored on the WAPT server.

If everything has gone well the following message will appear:

Certificate generated successfully

  • click on OK to go on to the next step;

Confirmation of the copy of the certificate in the ssl folder

  • click on Yes to copy the newly generated certificate in the C:\Program Files (x86)\wapt\ssl folder. This certificate will be picked up during the compilation of the WAPT agent and deployed on the client computers;

You may go on to the next step, Building the WAPT agent installer.

Building the WAPT agent installer

The waptagent binary is an InnoSetup installer.

Once the WAPT console has been installed on the Administrator computer, we have all files required to build the WAPT agent installer.

  • files that will be used during building of the WAPT agent are located in C:\Program Files (x86)\wapt;

  • installer source files (.iss files) are located in C:\Program Files (x86)\wapt\waptsetup;

Hint

Before building the WAPT agent, please verify the public certificate(s) in C:\Program Files (x86)\wapt\ssl.

If you wish to deploy other public certificates on your Organization’s computers that are equipped with WAPT, you will have to copy them in that folder.

Danger

DO NOT COPY the private key of any Administrator in C:\Program Files (x86)\wapt.

This folder is used when building the WAPT agent and the private keys would then be deployed on all the computers.
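
The check described in the Hint and Danger above, as an added example that is not part of the WAPT documentation or tooling: it classifies every file under the ssl folder and flags anything carrying private key material, including password-protected keys and PKCS#12 bundles. The function names are hypothetical, and detecting PKCS#12 files by extension is a simplifying assumption.

```python
import os
import sys

# Folder named on the page; its content is embedded in the agent installer.
DEFAULT_SSL_DIR = r"C:\Program Files (x86)\wapt\ssl"

# PEM armor for private keys: PKCS#8 (plain/encrypted), PKCS#1 RSA, SEC1 EC.
KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)
CERT_MARKER = b"-----BEGIN CERTIFICATE-----"
PKCS12_EXT = (".p12", ".pfx")  # assumption: PKCS#12 bundles keep these extensions


def classify(name, data):
    """Return 'private-key', 'pkcs12', 'certificate' or 'unknown'."""
    # A key wins over a certificate: one PEM file can hold both.
    if any(marker in data for marker in KEY_MARKERS):
        return "private-key"
    if name.lower().endswith(PKCS12_EXT):
        return "pkcs12"
    if CERT_MARKER in data:
        return "certificate"
    return "unknown"  # e.g. a DER-encoded file: review by hand


def audit_cert_dir(root):
    """Map each file under root (relative path) to its classification."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            report[os.path.relpath(path, root)] = classify(name, data)
    return report


def blocking_files(report):
    """Files that must be removed before building the agent."""
    return sorted(path for path, kind in report.items()
                  if kind in ("private-key", "pkcs12"))


def main(argv):
    root = argv[1] if len(argv) > 1 else DEFAULT_SSL_DIR
    report = audit_cert_dir(root)
    for path, kind in sorted(report.items()):
        print(f"{kind:12} {path}")
    bad = blocking_files(report)
    if bad:
        print(f"{len(bad)} file(s) with private key material: do not build.")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code means at least one file would ship a private key to every client; files reported as unknown still need a manual look.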

  • In the WAPT console, go to Tools ‣ Build WAPT agent.

Generate the WAPT agent from the console

Hint

Before building the agent, choose the identification mode.

Choosing the mode to uniquely identify the WAPT agents

In WAPT you can choose the unique identification mode of the agents.

When a WAPT agent registers, the server must know if it is a new machine or if it is a machine already registered.

For this, the WAPT server looks at the unique number “UUID” in the inventory.

WAPT offers 3 modes of operation to help you distinguish between hosts, it is up to you to choose the mode that best suits you.

Attention

After choosing a mode of operation it is difficult to change it, think carefully!

Identifying the WAPT agents by their BIOS UUID (serial number)

This mode of operation makes it possible to identify the machines in the console in a physical manner.

If you replace a computer and give the new computer the same name as the previous one, you will have two computers that will appear in the WAPT console since you will have physically two different computers.

Note

Some vendors do inadequate work and assign the same BIOS UUIDs to entire batches of computers. In this case, WAPT will only see one computer …

Identifying the WAPT agent by host name

This mode of operation is similar to that in Active Directory. The machines are identified by their hostname.

Note

This mode does not work if several machines in your fleet share the same name. We all know it should not happen!!

Identifying the WAPT agents with a randomly generated UUID

This mode of operation allows PCs to be identified by their WAPT installation. Each installation of WAPT generates a unique random number. If you uninstall WAPT and then reinstall it, you will see a new PC appear in your console.
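
Since the mode is difficult to change afterwards, it helps to test an inventory of the fleet against each mode before building the agent. The following is an added example, not WAPT code: the CSV column names and the sample rows are constructed, and the script models only the collision behaviour described above (hosts sharing an identifier appear as one), not the server's registration logic.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not real data); column names are assumptions.
SAMPLE_CSV = """hostname,bios_uuid
pc-acct-01.mydomain.lan,AAAAAAAA-0000-0000-0000-000000000001
pc-acct-02.mydomain.lan,BBBBBBBB-0000-0000-0000-000000000000
pc-lab-01.mydomain.lan,bbbbbbbb-0000-0000-0000-000000000000
pc-lab-02.mydomain.lan,BBBBBBBB-0000-0000-0000-000000000000
PC-ACCT-01.mydomain.lan,AAAAAAAA-0000-0000-0000-000000000002
"""

# Identifier used in each mode, normalized so case differences do not hide duplicates.
KEYS = {
    "bios_uuid": lambda row: row["bios_uuid"].strip().upper(),
    "fqdn": lambda row: row["hostname"].strip().lower(),
}


def load_fleet(text):
    """Parse the inventory CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def collisions(fleet, mode):
    """Return {identifier: [hostnames]} for identifiers shared by several hosts."""
    if mode == "random":
        return {}  # every WAPT installation draws its own identifier
    groups = defaultdict(list)
    for row in fleet:
        groups[KEYS[mode](row)].append(row["hostname"])
    return {key: names for key, names in groups.items() if len(names) > 1}


def visible_hosts(fleet, mode):
    """Number of distinct entries the console would show for this fleet."""
    if mode == "random":
        return len(fleet)
    return len({KEYS[mode](row) for row in fleet})


def report(fleet):
    """Summarize each mode: visible host count and identifier collisions."""
    return {
        mode: {"visible": visible_hosts(fleet, mode),
               "collisions": collisions(fleet, mode)}
        for mode in ("bios_uuid", "fqdn", "random")
    }


if __name__ == "__main__":
    fleet = load_fleet(SAMPLE_CSV)
    for mode, info in report(fleet).items():
        print(f"{mode}: {info['visible']} of {len(fleet)} hosts visible")
        for key, names in info["collisions"].items():
            print(f"  shared {key}: {', '.join(names)}")
```

A mode whose visible count is lower than the number of machines would merge hosts in the console; the random mode never merges, at the cost of a new entry after each reinstall.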

Discovery

Generate the WAPT agent from the console

  • fill in the information that is necessary for the installer:

Fill in the information on your Organization

  • the field Authorized certificates bundle: required;

    example : C:\private\test.crt

  • the field Main WAPT repository address: required;

    example : https://srvwapt.mydomain.lan/wapt

  • the field WAPT Server address: required;

    example : https://srvwapt.mydomain.lan

  • the checkbox Verify HTTPS server certificate;

  • the field Path to the https servers CA certificates bundle to verify the HTTPS certificate of the WAPT Server;

  • the checkbox Use kerberos for initial registering;

  • the field Organization to identify the origin of WAPT packages;

  • the field Use computer FQDN for UUID and Use random host UUID (for buggy BIOS) (see explanation in the previous paragraph of this documentation);

    Danger

    • The checkbox Use kerberos for the initial registration must be checked ONLY IF you have followed the documentation on Configuring the kerberos authentication.

    • The checkbox Verify the WAPT Server HTTPS certificate must be checked ONLY IF you have followed the documentation on Activating the verification of the SSL / TLS certificate.

  • provide the password for unlocking the private key:

Provide the password for unlocking the private key

Progression of WAPT agent installer building

Once the WAPT agent installer has finished building, a confirmation dialog pops up indicating that the waptagent binary has been successfully uploaded to https://srvwapt.mydomain.lan/wapt/.

Confirmation of the WAPT agent loading onto WAPT repository

Note

A warning shows up indicating that the GPO hash value should be changed. GPOs may be used to deploy the WAPT agent on your Organization’s computer.

Danger

After building the agent, install the new WAPT agent on the WAPT management console.

Enterprise

  • fill in the information that is necessary for the installer:

Fill in the information on your Organization

WAPT Agent information

| Value | Description | Required |
|---|---|---|
| Authorized certificates bundle | Folder of private key | feature available |
| Include non CA too | Include local WAPT certificate | feature not available |
| Address of the WAPT repository | Address to repository on WAPT server | feature available |
| Address of the WAPT Server | Address to repository on WAPT server | feature available |
| Verify https server certificate | If the HTTPS certificate is activated on the WAPT server | feature not available |
| Use repository access rules | For using rules of replicating repositories | feature not available |
| Path to the https servers CA certificates bundle | Certificates used for HTTPS verification | feature not available |
| Use Kerberos for initial registration | If Kerberos authentication is used on the server | feature not available |
| Organization | Name of Organisation to identify the origin of WAPT packages | feature not available |
| Use computer FQDN for UUID | If the FQDN is used for agent identification | feature not available |
| Use random host UUID (for buggy BIOS) | If a random UUID is used for agent identification | feature not available |
| Always install these packages | Automatically install a group of packages on WAPT agent installation | feature not available |
| Enable automatic install of packages based on AD Groups | Enables the installation of profile packages. This feature can degrade the performance of WAPT | feature not available |
| Allow remote reboot | Allows reboot by WAPT console | feature not available |
| Allow remote shutdown | Allows shutdown by WAPT console | feature not available |
| Manage Windows updates with WAPT / Disable WAPT WUA / Don't set anything | Whether or not to use WAPT WUA | feature available |
| Allow all updates by default unless explicitely forbidden by rules | Allow all Windows updates if not forbidden by a WUA rules package | feature not available |
| Scan / download scheduling | Set the Windows Update scan recurrence | feature not available |
| Minimum delay before installation (days after publish date) | Set a deferred installation delay before publication | feature not available |
| Install pending Windows updates at shutdown | Install updates when the machine shuts down | feature not available |

Danger

  • provide the password for unlocking the private key:

Provide the password for unlocking the private key

Progression of WAPT agent installer building

Once the WAPT agent installer has finished building, a confirmation dialog pops up indicating that the waptagent binary has been successfully uploaded to https://srvwapt.mydomain.lan/wapt/.

Confirmation of the WAPT agent loading onto WAPT repository

Note

A warning shows up indicating that the GPO hash value should be changed. GPOs may be used to deploy the WAPT agent on your Organization’s computer.

Danger

After building the agent, install the newly generated WAPT agent on the computer that runs the WAPT management console.

Quit WAPT Console before installation.