.. Reminder for header structure:
  Parts (H1) : #################### with overline
  Chapters (H2) : ******************** with overline
  Sections (H3) : ====================
  Subsections (H4) : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6) : """""""""""""""""""""

.. meta::
  :description: Configuring the WAPT Agent with advanced options
  :keywords: waptconsole, waptagent, wapt_deploy, WAPT, preferences, post-configuration, documentation, waptserver, repository, security, the WAPT Console, the WAPT Agent, the WAPT Server

.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
  :scale: 1%
  :alt: WAPT Enterprise feature only

.. _wapt_agent_ini_file_options:

************************************************
Configuring the WAPT Agent with advanced options
************************************************

The configuration file :file:`wapt-get.ini` defines the behavior of the WAPT Agent.

.. list-table:: Location of :file:`wapt-get.ini` by system
  :header-rows: 1
  :widths: auto
  :align: center

  * - System
    - Location
  * - Windows
    - :file:`C:\\Program Files (x86)\\wapt\\wapt-get.ini`
  * - Linux
    - :file:`/opt/wapt/wapt-get.ini`
  * - Mac OS
    - :file:`/opt/wapt/wapt-get.ini`

The ``[global]`` section is required.

.. code-block:: ini

  [global]

After standard installation, the default configuration is:

.. code-block:: ini

  [global]
  waptupdate_task_period=120
  wapt_server=https://srvwapt.mydomain.lan
  repo_url=https://srvwapt.mydomain.lan/wapt/
  use_hostpackages=1

Not all parameters are set when the WAPT Agent is generated.
It is possible to make changes in :file:`wapt-get.ini` manually or by deploying a WAPT package with the new configuration settings.

An example package is available from the `Tranquil IT repository `_.

.. code-block:: python

  # -*- coding: utf-8 -*-
  from setuphelpers import *

  uninstallkey = []

  def install():
      # Each call writes one key of the [global] section of wapt-get.ini.
      print('Modify max_gpo_script_wait')
      inifile_writestring(WAPT.config_filename, 'global', 'max_gpo_script_wait', 180)

      print('Modify Preshutdowntimeout')
      inifile_writestring(WAPT.config_filename, 'global', 'pre_shutdown_timeout', 180)

      print('Disable Hiberboot')
      inifile_writestring(WAPT.config_filename, 'global', 'hiberboot_enabled', 0)

      print('Disable Notify User')
      inifile_writestring(WAPT.config_filename, 'global', 'notify_user', 0)

      # Make the running WAPT Agent pick up the new values.
      print('Reload WAPT configuration')
      WAPT.reload_config_if_updated()

The signature of the :code:`inifile_writestring` function is:

.. code-block:: python

  inifile_writestring(inifilename,section,key,value)

Description of available sections
=================================

.. list-table:: Description of available sections for the WAPT Agent
  :header-rows: 1
  :widths: auto
  :align: center

  * - Section
    - Description
  * - ``[global]``
    - Global WAPT Agent options.
  * - ``[wapt]``
    - Main repository options.
  * - ``[wapt-template]``
    - External remote repository options.
  * - ``[wapt-host]``
    - Repository for host packages options.
  * - ``[waptwua]``
    - WUA Agent options.
  * - ``[repo-sync]``
    - For syncing multiple repositories.

All sections are detailed below.

Description of available options by section
===========================================

[global]
--------

General settings
^^^^^^^^^^^^^^^^

.. list-table:: Description of available options for the WAPT Agent in the [global] section
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - |enterprise_feature| :code:`allow_remote_reboot` (default ``False``)
    - Allows rebooting the selected host(s) remotely from the WAPT Console.
    - allow_remote_reboot = True
  * - |enterprise_feature| :code:`allow_remote_shutdown` (default ``False``)
    - Allows shutting down the selected host(s) remotely from the WAPT Console.
    - allow_remote_shutdown = True
  * - :code:`check_certificates_validity` (default ``False``)
    - Forces the package certificate's date and CRL to be verified.
    - check_certificates_validity = True
  * - :code:`dbpath` (default :file:`\\wapt\\db\\waptdb.sqlite`)
    - Path to the local database file.
    - dbpath = C:\\Program Files (x86)\\db\\waptdb.sqlite
  * - :code:`download_after_update_with_waptupdate_task_period` (default ``True``)
    - Defines whether a download of pending packages should be started after an update with :code:`waptupdate_task_period`.
    - download_after_update_with_waptupdate_task_period = False
  * - |enterprise_feature| :code:`host_organizational_unit_dn` (default ``None``)
    - Allows forcing an Organizational Unit on the WAPT Agent (convenient for assigning a :ref:`fake OU ` for out-of-domain PC). Make sure it respects a consistent case (do not mix "dc"s and "DC"s, for example), which you can find in the Console (in the DN/``computer_ad_dn`` fields for each host).
    - host_organizational_unit_dn = OU=TOTO,OU=TEST,DC=MYDOMAIN,DC=LAN
  * - |enterprise_feature| :code:`host_profiles` (default ``None``)
    - Allows defining a WAPT package list that the WAPT Agent **MUST** install.
    - host_profiles = tis-firefox,tis-java
  * - :code:`language` (default language on the WAPT Client)
    - Forces the default language for the GUI (not for package filtering).
    - language = en
  * - :code:`locales` (default locale on WAPT Client)
    - Allows setting the list of WAPT Agent languages to pre-filter the list of packages visible by the WAPT Agent (for package filtering). The parameter accepts multiple entries ordered by preference (e.g. :code:`locales` = ``fr,en``).
    - locales = en
  * - :code:`log_to_windows_events` (default ``False``)
    - Sends the WAPT logs to the Windows event log.
    - log_to_windows_events = True
  * - :code:`loglevel` (default ``warning``)
    - Log level of the WAPT Agent. Possible values are: ``debug``, ``info``, ``warning``, ``critical``.
    - loglevel = critical
  * - :code:`maturities` (default ``PROD``)
    - List of package maturities that can be viewed and installed by the WAPT Agent. Default value is ``PROD``. Only ``DEV``, ``PREPROD`` and ``PROD`` values are used by Tranquil IT, however any value can be used to suit your internal processes.
    - maturities = PROD, PREPROD
  * - :code:`repo_url` (default your WAPT repo address)
    - Address of the main WAPT repository.
    - repo_url = https://srvwapt.mydomain.lan/wapt
  * - :code:`repositories` (default ``None``)
    - List of enabled repositories, separated by a comma. Each value defines a section of the :file:`wapt-get.ini` file. More info :ref:`here `.
    - repositories = repo1, repo2
  * - :code:`send_usage_report` (default ``True``)
    - Allows the WAPT Console to send anonymous statistics to Tranquil IT. Set to False to disable telemetry.
    - send_usage_report = True
  * - :code:`service_auth_type` (default ``system``)
    - Sets how the self service authentication works. Possible values are: ``system``, ``waptserver-ldap`` or ``waptagent-ldap``.
    - service_auth_type = waptserver-ldap
  * - |enterprise_feature| :code:`uninstall_allowed` (default ``True``)
    - Defines whether or not it is possible for the user to uninstall applications via the self-service.
    - uninstall_allowed = False
  * - |enterprise_feature| :code:`use_ad_groups` (default ``False``)
    - For using :ref:`group packages `.
    - use_ad_groups = True
  * - :code:`use_fqdn_as_uuid` (default ``False``)
    - Allows using the :abbr:`FQDN (Fully Qualified Domain Name)` rather than the BIOS UUID as the unique host identifier in WAPT.
    - use_fqdn_as_uuid = True
  * - :code:`use_hostpackages` (default ``False``)
    - Defines whether :ref:`host packages ` are to be used.
    - use_hostpackages = True
  * - |enterprise_feature| :code:`use_repo_rules` (default ``False``)
    - Defines whether :ref:`repositories are replicated `.
    - use_repo_rules = True
  * - :code:`waptaudit_task_period` (default ``None``)
    - Defines the frequency at which audits are triggered.
    - waptaudit_task_period = 120
  * - :code:`wapt_server` (default ``None``)
    - Defines the WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted.
    - wapt_server = https://srvwapt.mydomain.lan
  * - :code:`waptservice_port` (default ``8088``)
    - WAPT Agent loopback port. **The port is not accessible from the network**.
    - waptservice_port = 8080
  * - :code:`waptupdate_task_period` (default ``120m``)
    - Defines the update frequency (120 minutes by default).
    - waptupdate_task_period = 24h
  * - :code:`waptupgrade_task_period` (default ``None``)
    - Defines the upgrade frequency.
    - waptupgrade_task_period = 360
  * - :code:`wol_relay` (default ``False`` if remote_repo = ``False``, default ``True`` if remote_repo = ``True``)
    - Enables the WAPT Agent to be used as a Wake-on-LAN relay.
    - wol_relay = True

.. _wol_relay:

.. note::

  * If there is no :code:`repo_url` attribute in the ``[global]`` section, then a repository in the ``[wapt]`` section will have to be explicitly defined.
    It will have to be enabled by adding it to the :code:`repositories` attribute.

  * If there is no :code:`wapt_server` attribute in the ``[global]`` section, then no WAPT Server will be used.

.. _wapt-get-ini-waptserver:
.. _wapt-get-ini-kerberos:

Settings for the WAPT Server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

These options will set the WAPT Agent behavior when connecting to the WAPT Server.

.. list-table:: Description of available options for the WAPT Agent in the [global] section for the WAPT Server configuration
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`public_certs_dir` (default ``None``)
    - Folder of certificates authorized to verify the signature of WAPT packages.
    - :code:`public_certs_dir` = :file:`C:\\Program Files (x86)\\wapt\\ssl` (on Windows).
      :code:`public_certs_dir` = :file:`/opt/wapt/ssl/` (on Linux and MacOS)
  * - :code:`use_kerberos` (default ``False``)
    - Use Kerberos authentication for initial registration on the WAPT Server.
    - :code:`use_kerberos` = ``True``
  * - :code:`verify_cert` (default ``False``)
    - See the documentation on activating the :ref:`verification of HTTPS certificates `.
    - :code:`verify_cert` = ``True``
  * - :code:`wapt_server` (default ``None``)
    - WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted.
    - :code:`wapt_server` = ``https://srvwapt.mydomain.lan``
  * - :code:`wapt_server_timeout` (default ``30``)
    - WAPT Server HTTPS connection timeout in seconds.
    - :code:`wapt_server_timeout` = ``10``

.. _waptexit_ini_file_options:

Settings for the WAPT Exit utility
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Description of available options for the WAPT Agent in the [global] section for the WAPT Exit utility
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`allow_cancel_upgrade` (default ``True``)
    - Prevents users from canceling package upgrades on computer shutdown. If disabled, users will not be able to cancel an upgrade on computer shutdown. If this value is not indicated the default value will be **10**.
    - allow_cancel_upgrade = True
  * - :code:`hiberboot_enabled` (default ``None``)
    - Disables Hiberboot on Windows 10 to make :program:`waptexit` work correctly.
    - hiberboot_enabled = True
  * - :code:`max_gpo_script_wait` (default ``None``)
    - Timeout for GPO execution at computer shutdown.
    - max_gpo_script_wait = 180
  * - :code:`pre_shutdown_timeout` (default ``None``)
    - Timeout for scripts at computer shutdown.
    - pre_shutdown_timeout = 180
  * - :code:`upgrade_only_if_not_process_running` (default ``False``)
    - Prevents the software upgrade if the software is currently running on the host (*impacted_process* attribute of the package).
    - upgrade_only_if_not_process_running = True
  * - :code:`upgrade_priorities` (default ``None``)
    - Only upgrade packages with a specific priority.
    - upgrade_priorities = high
  * - :code:`waptexit_countdown` (default ``1``)
    - Delay (in seconds) before the automatic start of the installations.
    - waptexit_countdown = 25

.. _waptself_ini_file_options:

Settings for the WAPT Self-Service and the WAPT service Authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Description of available options for the WAPT Agent in the [global] section for the WAPT Self-service and the WAPT service Authentication
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`ldap_auth_base_dn` (default ``None``)
    - Useful with :code:`service_auth_type` = ``waptagent-ldap``, defines the *base dn* for the LDAP request.
    - ldap_auth_base_dn = dc=mydomain,dc=lan
  * - :code:`ldap_auth_ssl_enabled` (default ``False``)
    - Useful with :code:`service_auth_type` = ``waptagent-ldap``, defines whether the LDAP request must be encrypted.
    - ldap_auth_ssl_enabled = True
  * - :code:`ldap_auth_server` (default ``None``)
    - Useful with :code:`service_auth_type` = ``waptagent-ldap``, defines the LDAP server to contact.
    - ldap_auth_server = srvads.mydomain.lan
  * - :code:`service_auth_type` (default ``system``)
    - Defines the authentication system of the WAPT service. Available values are ``system``, ``waptserver-ldap``, ``waptagent-ldap``.
    - service_auth_type = waptagent-ldap
  * - :code:`verify_cert_ldap` (default ``False``)
    - Useful with :code:`service_auth_type` = ``waptagent-ldap``, defines whether the certificate should be verified.
    - verify_cert_ldap = True
  * - :code:`waptservice_admin_filter` (default ``False``)
    - Apply *selfservice package* view filtering for Local Administrators.
    - waptservice_admin_filter = True
  * - :code:`waptservice_password` (default ``None``)
    - sha256 hashed password when *waptservice_user* is used (the value *NOPASSWORD* disables the requirement for a password).
    - waptservice_password = 5e884898da
  * - :code:`waptservice_user` (default ``None``)
    - Forces a user to authenticate on the WAPT service.
    - waptservice_user = admin

Settings for the WAPT System Tray utility
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Description of available options for the WAPT Agent in the [global] section for the WAPT Tray utility
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`notify_user` (default ``False``)
    - Prevents the WAPT System Tray utility from sending notifications (popup).
    - notify_user = True

Settings for the Proxy
^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Description of available options for the WAPT Agent in the [global] section for the proxy
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`http_proxy` (default ``None``)
    - Defines the address of the HTTP proxy.
    - :code:`http_proxy` = ``http://user:pwd@host_fqdn:port``
  * - :code:`use_http_proxy_for_repo` (default ``False``)
    - Use a proxy to access the repositories.
    - :code:`use_http_proxy_for_repo` = ``True``
  * - :code:`use_http_proxy_for_server` (default ``False``)
    - Use a proxy to access the WAPT Server.
    - :code:`use_http_proxy_for_server` = ``True``

Settings for creating WAPT packages
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Description of available options for the WAPT Agent in the [global] section for creating WAPT packages
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`default_package_prefix` (default ``tis``)
    - Defines the default prefix for new or imported packages.
    - :code:`default_package_prefix` = ``doc``
  * - :code:`default_sources_root` (default :file:`C:\\waptdev` on Windows or :file:`~/waptdev` on Linux)
    - Defines the directory for storing packages while in development.
    - :code:`default_sources_root` = ``C:\\waptdev``
  * - :code:`default_sources_suffix` (default ``wapt``)
    - Defines the default suffix for new or imported packages.
    - :code:`default_sources_suffix` = ``doc``
  * - :code:`personal_certificate_path` (default ``None``)
    - Defines the path to the Administrator's private key.
    - :code:`personal_certificate_path` = ``None TODO``

[wapt-wua]
----------

Refer to :ref:`configuring WAPTWUA on the WAPT Agent `.

.. _repository_ini_file_options:

Settings for using multiple repositories
----------------------------------------

To add more repositories, new ``[repository_name]`` sections can be added in the :file:`wapt-get.ini`.

.. note::

  Active repositories are listed in the :code:`repositories` attribute of the ``[global]`` section.

.. attention::

  This parameter can be configured both in the WAPT Agent configuration and in the WAPT Console configuration file :file:`C:\\Users\\%username%\\AppData\\Local\\waptconsole\\waptconsole.ini`.

  For information on configuring the WAPT Console, please refer to :ref:`this documentation `.

Section [wapt]
^^^^^^^^^^^^^^

.. hint::

  If this section does not exist, parameters are read from the ``[global]`` section.

Section [wapt-templates]
^^^^^^^^^^^^^^^^^^^^^^^^

External remote repositories that will be used in the WAPT Console for importing new or updated packages.
The Tranquil IT repository is set by default.

Section [wapt-host]
^^^^^^^^^^^^^^^^^^^

Repository for host packages.
If this section does not exist, default locations will be used on the main repository.

More information on that usage can be found in :ref:`this article on working with multiple public or private repositories `.

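
The security-relevant options of the ``[global]`` section described above can be checked mechanically. The following Python script is an added example, not part of the WAPT code base: it parses a :file:`wapt-get.ini` and reports settings that leave certificate verification, transport encryption or service authentication disabled, applying the defaults documented above when a key is absent. The two sample files and the selection of checks are constructed for illustration, and treating any non-false ``verify_cert`` value as enabled is an assumption.

```python
"""Audit the [global] section of a WAPT Agent wapt-get.ini (added example)."""
import configparser
from urllib.parse import urlsplit

# Defaults as documented in the option tables above; applied when a key is absent.
DOCUMENTED_DEFAULTS = {
    "verify_cert": "False",
    "check_certificates_validity": "False",
    "service_auth_type": "system",
    "ldap_auth_ssl_enabled": "False",
    "verify_cert_ldap": "False",
}
FALSE_VALUES = {"", "0", "false", "no", "off", "none"}

# Constructed sample: default install plus several weak choices.
WEAK_SAMPLE = """\
[global]
waptupdate_task_period=120
wapt_server=http://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
use_hostpackages=1
http_proxy=http://svc:Pr0xyPass@proxy.mydomain.lan:3128
service_auth_type=waptagent-ldap
ldap_auth_server=srvads.mydomain.lan
ldap_auth_ssl_enabled=True
waptservice_user=admin
waptservice_password=NOPASSWORD
"""

# Constructed sample: the same host with the checks enabled.
HARDENED_SAMPLE = """\
[global]
wapt_server=https://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
verify_cert=True
check_certificates_validity=True
service_auth_type=waptagent-ldap
ldap_auth_server=srvads.mydomain.lan
ldap_auth_ssl_enabled=True
verify_cert_ldap=True
"""


def _enabled(value):
    """Anything but an explicit false-like value counts as enabled.

    Assumption: a non-boolean verify_cert value (such as a CA bundle path)
    means verification is on.
    """
    return value.strip().lower() not in FALSE_VALUES


def audit_agent_config(ini_text):
    """Return a list of (option, finding) tuples for weak [global] settings."""
    parser = configparser.RawConfigParser()  # Raw: '%' in values stays literal
    parser.read_string(ini_text)
    if not parser.has_section("global"):
        return [("[global]", "required section is missing")]

    def get(option):
        default = DOCUMENTED_DEFAULTS.get(option, "")
        return parser.get("global", option, fallback=default)

    findings = []
    if not _enabled(get("verify_cert")):
        findings.append(("verify_cert", "HTTPS certificates are not verified"))
    if not _enabled(get("check_certificates_validity")):
        findings.append(("check_certificates_validity",
                         "package certificate date and CRL are not verified"))
    for option in ("wapt_server", "repo_url"):
        url = get(option)
        if url and urlsplit(url).scheme.lower() != "https":
            findings.append((option, "URL is not https"))
    if urlsplit(get("http_proxy")).password:
        findings.append(("http_proxy", "proxy password stored in clear text"))
    if get("waptservice_password").strip() == "NOPASSWORD":
        findings.append(("waptservice_password",
                         "password requirement is disabled"))
    # The LDAP transport options only matter for agent-side LDAP authentication.
    if get("service_auth_type").strip() == "waptagent-ldap":
        if not _enabled(get("ldap_auth_ssl_enabled")):
            findings.append(("ldap_auth_ssl_enabled",
                             "LDAP request is not encrypted"))
        if not _enabled(get("verify_cert_ldap")):
            findings.append(("verify_cert_ldap",
                             "LDAP server certificate is not verified"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for option, finding in audit_agent_config(sample):
            print(f"  {option}: {finding}")
```
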

.. _waptconsole_ini_file_options:

****************************
Configuring the WAPT Console
****************************

.. hint::

  The WAPT Console configuration is stored in 2 locations:

  * :file:`C:\\Users\\%username%\\AppData\\Local\\waptconsole\\waptconsole.ini`.

  * :file:`C:\\Users\\%username%\\AppData\\Roaming\\waptconsole\\waptconsole.ini`.

  These files are automatically generated when the :program:`waptconsole` is first launched; they are generated from the :file:`wapt-get.ini` file configured on the :term:`Administrator`'s workstation.

Description of available sections
=================================

.. list-table:: Description of available sections for the WAPT Agent
  :header-rows: 1
  :widths: auto
  :align: center

  * - Section
    - Description
  * - ``[global]``
    - Defines the global WAPT Console options.
  * - ``[sections]``
    - Defines external repository options. ``[wapt-template]`` has :guilabel:`Tranquil IT` default :ref:`repositories `.
  * - ``[waptwua]``
    - WUA options.

All sections are detailed below.
Other sections present in :file:`C:\\Users\\%username%\\AppData\\Roaming\\waptconsole\\waptconsole.ini` are not editable manually, therefore they are not detailed.

.. attention::

  For parameters present in both :file:`wapt-get.ini` and :file:`waptconsole.ini`, values are set in :file:`wapt-get.ini` and copied to :file:`waptconsole.ini`.

  Do not edit these parameters manually.

Description of available options by section
===========================================

[global]
--------

Several options are available in the ``[global]`` section of the :file:`waptconsole.ini` file.

.. list-table:: Description of available options in :file:`AppData\\Local`
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`advanced_mode` (default ``False``)
    - Launches the WAPT Console in debug mode.
    - advanced_mode = True
  * - |enterprise_feature| :code:`allow_remote_reboot` (default ``False``)
    - Allows rebooting the selected host(s) remotely from the WAPT Console.
    - allow_remote_reboot = True
  * - |enterprise_feature| :code:`allow_remote_shutdown` (default ``False``)
    - Allows shutting down the selected host(s) remotely from the WAPT Console.
    - allow_remote_shutdown = True
  * - :code:`client_certificate` (default ``None``)
    - Defines whether the remote repository is using Client Side SSL Authentication.
    - client_certificate = C:\\private\\org-coder.crt
  * - :code:`client_private_key` (default ``None``)
    - Defines whether the remote repository is using Client Side SSL Authentication.
    - client_private_key = C:\\private\\org-coder.pem
  * - :code:`check_certificates_validity` (default ``False``)
    - Forces the package certificate's date and CRL to be verified.
    - check_certificates_validity = True
  * - :code:`default_maturity` (default ``None``)
    - Defines the default upload maturity for WAPT packages.
    - default_maturity = PROD
  * - :code:`default_package_prefix` (default ``tis``)
    - Defines the default prefix for new or imported packages.
    - default_package_prefix = doc
  * - :code:`default_sources_root` (default :file:`C:\\waptdev` on Windows or :file:`~/waptdev` on Linux)
    - Defines the directory for storing packages while in development.
    - default_sources_root = C:\\waptdev
  * - :code:`grid_hosts_plugins` (default ``W10=``)
    - Lists :ref:`external plugins ` for the WAPT Console. Default is ``W10=`` because ``[]`` is encoded in base64.
    - grid_hosts_plugins = W3siZXhlY3V0YWJsZSI6ImV4cGxd
  * - :code:`host_profiles` (default ``None``)
    - Defines a WAPT package list that the WAPT Agent **MUST** install.
    - host_profiles = tis-firefox,tis-java
  * - :code:`hiberboot_enabled` (default ``False``)
    - Disables Hiberboot on Windows 10 to make :program:`waptexit` work correctly.
    - hiberboot_enabled = True
  * - :code:`http_proxy` (default ``None``)
    - Defines the address of the proxy server in the WAPT Console.
    - http_proxy = https://proxy.mydomain.lan
  * - :code:`last_usage_report` (default ``None``)
    - Provides the date when the WAPT Console was last used.
    - last_usage_report = 12/05/2021 18:45:51
  * - :code:`lastwaptserveruser` (default ``None``)
    - Provides the last user logged on this WAPT Console.
    - lastwaptserveruser = admin
  * - :code:`max_gpo_script_wait` (default ``180``)
    - Defines the timeout for GPO execution at computer shutdown (in seconds).
    - max_gpo_script_wait = 360
  * - :code:`personal_certificate_path` (default ``None``)
    - Defines the path to the certificate associated with the Administrator's private key.
    - personal_certificate_path = C:\\private\\mykey.crt
  * - :code:`pre_shutdown_timeout` (default ``180``)
    - Defines the timeout for scripts at computer shutdown (in seconds).
    - pre_shutdown_timeout = 360
  * - :code:`repo_url` (default your WAPT repo address)
    - Defines the address of the main WAPT repository.
    - repo_url = https://srvwapt.mydomain.lan/wapt
  * - :code:`send_usage_report` (default ``True``)
    - Allows the WAPT Console to send anonymous statistics to Tranquil IT. Set to False to disable telemetry.
    - send_usage_report = True
  * - :code:`sign_digests` (default ``sha256``)
    - Lists allowed signature algorithms for the WAPT packages.
    - sign_digests = sha1
  * - |enterprise_feature| :code:`use_ad_groups` (default ``False``)
    - Allows using :ref:`unit packages `.
    - use_ad_groups = True
  * - :code:`use_fqdn_as_uuid` (default ``False``)
    - Allows using the :abbr:`FQDN (Fully Qualified Domain Name)` rather than the BIOS UUID as the unique host identifier in WAPT.
    - use_fqdn_as_uuid = True
  * - :code:`use_kerberos` (default ``False``)
    - Allows using kerberos authentication for initial registration of WAPT Agents with the WAPT Server.
    - use_kerberos = True
  * - :code:`use_hostpackages` (default ``False``)
    - Allows using :ref:`host packages `.
    - use_hostpackages = True
  * - :code:`use_http_proxy_for_repo` (default ``False``)
    - Allows using a proxy to connect to the main WAPT repository from the WAPT Console.
    - use_http_proxy_for_repo = True
  * - :code:`use_http_proxy_for_server` (default ``False``)
    - Allows using a proxy to connect to the WAPT Server from the WAPT Console.
    - use_http_proxy_for_server = True
  * - |enterprise_feature| :code:`use_repo_rules` (default ``False``)
    - Allows using :ref:`replication for repositories `.
    - use_repo_rules = True
  * - :code:`verify_cert` (default ``False``)
    - Allows :ref:`verifying SSL / TLS certificate `.
    - verify_cert = True
  * - :code:`wapt_server` (default ``None``)
    - Defines the address of the WAPT Server.
    - wapt_server = https://srvwapt.mydomain.lan

.. list-table:: Description of available options on :file:`AppData\\Roaming`
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`advanced_mode` (default ``False``)
    - Launches the WAPT Console in debug mode.
    - advanced_mode = True
  * - :code:`enable_external_tools` (default ``False``)
    - Displays the actions that call external applications (RDP, Windows tools etc...).
    - enable_external_tools = True
  * - :code:`enable_management_features` (default ``False``)
    - Displays the button to create self-signed certificates or to create the WAPT Agent's installer.
    - enable_management_features = True
  * - :code:`hide_unavailable_actions` (default ``False``)
    - Hides actions that are not available for the WAPT Agent.
    - hide_unavailable_actions = True
  * - :code:`HostsLimit` (default ``2000``)
    - Limits hosts displayed in the WAPT Console.
    - HostsLimit = 300
  * - :code:`language` (default language on the WAPT Client)
    - Forces the default language for the GUI (not for package filtering).
    - language = en
  * - :code:`lastappinifilename` (default ``None``)
    - Defines the :mimetype:`.ini` file used to store the WAPT Console configuration.
    - lastappinifilename = C:\\Users\\%username%\\AppData\\Roaming\\waptconsole\\waptconsole.ini
  * - :code:`show_host_audit_data_tab` (default ``False``)
    - Displays the :guilabel:`Audit data` tab on host inventory.
    - show_host_audit_data_tab = True
  * - |enterprise_feature| :code:`use_ad_groups` (default ``False``)
    - Allows using :ref:`unit packages `.
    - use_ad_groups = True
  * - :code:`use_fqdn_as_uuid` (default ``False``)
    - Forces the use of the :abbr:`FQDN (Fully Qualified Domain Name)` instead of the BIOS UUID as the unique host identifier in WAPT.
    - use_fqdn_as_uuid = True
  * - :code:`waptconsole.version` (default ``None``)
    - Displays the version of the WAPT Console.
    - waptconsole.version = 2.0.0.9424
  * - :code:`waptwua_enabled` (default ``False``)
    - Allows displaying the :guilabel:`Windows Update` tab on the WAPT Console.
    - waptwua_enabled = True

.. _wapt_repository_ini_file_options:

[sections]
----------

You may add several external repositories by adding ``[sections]`` in :file:`C:\\Users\\%username%\\AppData\\Local\\waptconsole\\waptconsole.ini`.

.. attention::

  This parameter can be configured both in the WAPT Agent configuration and in the WAPT Console configuration :file:`C:\\Users\\%username%\\AppData\\Local\\waptconsole\\waptconsole.ini`.

  For information on configuring the WAPT Agent, please refer to :ref:`this point `.

See available parameters and configurations by visiting :ref:`this documentation on setting up multiple repositories `.

.. _waptserver_ini_file_options:

***************************
Configuring the WAPT Server
***************************

The WAPT Server configuration file on GNU/Linux and macOS systems is found in :file:`/opt/wapt/conf/waptserver.ini` or in :file:`/opt/wapt/waptserver/waptserver.ini`.

The WAPT Server configuration file on Windows is found in :file:`C:\\wapt\\conf\\waptserver.ini`.

.. attention::

  **Modification of these files is reserved for advanced users!!**

Section [options] of waptserver.ini
===================================

Several options can be defined in the [options] section.

.. code-block:: ini

  [options]

.. list-table:: Available parameters for the [options] section of :file:`waptserver.ini`
  :header-rows: 1
  :widths: auto
  :align: center

  * - Options (Default Value)
    - Description
    - Example
  * - :code:`allow_unauthenticated_connect` (default ``None``)
    - Defines whether websocket connections should be authenticated. If :code:`use_kerberos` = ``True``, then :code:`allow_unauthenticated_connect` **MUST BE** set to ``False`` or it will take precedence.
    - allow_unauthenticated_connect = True
  * - :code:`allow_unauthenticated_registration` (default ``False``)
    - Allows the initial registration of the WAPT Agent using a login and password.
    - allow_unauthenticated_registration = True
  * - :code:`allow_unsigned_status_data` (default ``False``)
    - Debug only - Allows unsigned status data from Agent.
    - allow_unsigned_status_data = True
  * - :code:`application_root` (default ``None``)
    - Defines a custom WAPT Server application root path.
    - application_root = wapt
  * - :code:`client_certificate_lifetime` (default ``3650``)
    - Defines the host certificate lifetime (in days).
    - client_certificate_lifetime = 500
  * - :code:`cleanup_kbs` (default ``True``)
    - Defines whether unused :ref:`Windows KB should be automatically deleted ` from the WAPT Server.
    - cleanup_kbs = False
  * - :code:`clients_read_timeout` (default ``5``)
    - Defines the websocket client timeout (in seconds).
    - clients_read_timeout = 10
  * - :code:`clients_signing_certificate` (default ``None``)
    - Defines the host certificate signing cert.
    - clients_signing_certificate = C:\\private\\org-coder.crt
  * - :code:`clients_signing_crl_days` (default ``30``)
    - Defines the host certificate signing :abbr:`CRL (Certificate Revocation List)` periodicity (in days).
    - clients_signing_crl_days = 15
  * - :code:`clients_signing_crl` (default ``None``)
    - Defines the host certificate signing CRL path.
    - clients_signing_crl = C:\\private\\org-coder.crt
  * - :code:`clients_signing_crl_url` (default ``None``)
    - Defines the host certificate signing CRL URL.
    - clients_signing_crl_url = https://srvwapt.mydomain.lan/crl
  * - :code:`clients_signing_key` (default ``None``)
    - Defines the host certificate signing key path.
    - clients_signing_key = C:\\private\\org-coder.crt
  * - :code:`client_tasks_timeout` (default ``5``)
    - Defines the maximum allowed delay before WAPT Agent requests time out (in seconds).
    - client_tasks_timeout = 5
  * - :code:`db_connect_timeout` (default ``3``)
    - Defines the maximum allowed delay before PostgreSQL queries time out (in seconds).
    - db_connect_timeout = 10
  * - :code:`db_host` (default ``None``)
    - Defines the URL of the PostgreSQL server (by default WAPT uses a local Unix socket).
    - db_host = https://wapt.mydomain.lan
  * - :code:`db_max_connections` (default ``90``)
    - Defines the maximum simultaneous connections to the PostgreSQL database.
    - db_max_connections = 100
  * - :code:`db_name` (default ``wapt``)
    - Defines the PostgreSQL database that the WAPT Server will connect to.
    - db_name = wapt
  * - :code:`db_password` (default ``None``)
    - Defines the password for authenticating the user on the PostgreSQL database (by default WAPT uses a local UNIX socket).
    - db_password = WAPT_DB_PASSWORD
  * - :code:`db_port` (default ``5432``)
    - Defines the port of the PostgreSQL server.
    - db_port = 5432
  * - :code:`db_stale_timeout` (default ``300``)
    - Defines the database stale timeout (in seconds).
    - db_stale_timeout = 500
  * - :code:`db_user` (default ``wapt``)
    - Defines the PostgreSQL user connecting to the database.
    - db_user = wapt
  * - :code:`enable_store` (default ``False``)
    - Enables WAPT Store Webui (**Deprecated**).
    - enable_store = False
  * - :code:`encrypt_host_packages` (default ``False``)
    - Encrypts host package with client certificate.
    - encrypt_host_packages = True
  * - :code:`htpasswd_path` (default ``None``)
    - Adds basic authentication to WAPT Server.
    - htpasswd_path = True
  * - :code:`http_proxy` (default ``None``)
    - Defines the proxy server to allow the WAPT Server to recover its :abbr:`CRL (Certificate Revocation List)`.
    - http_proxy = http://srvproxy.mydomain.lan:3128
  * - :code:`known_certificates_folder` (default WAPT :file:`/ssl/` folder)
    - Adds additional known :abbr:`CA (Certificate Authority)` to verify certificates.
    - known_certificates_folder = /opt/wapt/ssl/
  * - :code:`ldap_auth_base_dn` (default ``None``)
    - Defines the LDAP authentication base DN.
    - ldap_auth_base_dn = dc=mydomain,dc=lan
  * - :code:`ldap_auth_server` (default ``None``)
    - Defines the LDAP authentication server.
    - ldap_auth_server = srvads.mydomain.lan
  * - :code:`ldap_auth_ssl_enabled` (default ``True``)
    - Sets SSL authentication on LDAP connections.
    - ldap_auth_ssl_enabled = False
  * - :code:`loglevel` (default ``warning``)
    - Defines the log level. Possible values are: ``debug``, ``info``, ``warning``, ``critical``.
    - loglevel = debug
  * - :code:`max_clients` (default ``4096``)
    - Sets the maximum simultaneous WAPT clients connection.
    - max_clients = 2048
  * - :code:`min_password_length` (default ``10``)
    - Sets the minimum :term:`SuperAdmin` password length.
    - min_password_length = 15
  * - :code:`nginx_http` (default ``80``)
    - Defines the Nginx web server **HTTP** port (Windows only).
    - nginx_http = 8080
  * - :code:`nginx_https` (default ``443``)
    - Defines the Nginx web server **HTTPS** port (Windows only).
    - nginx_https = 44380
  * - :code:`remote_repo_support` (default ``False``)
    - Enables remote repositories functionality from the WAPT Server.
    - remote_repo_support = True
  * - :code:`remote_repo_websockets` (default ``True``)
    - Enables websocket communication with Agents configured as remote repositories.
    - remote_repo_websockets = False
  * - :code:`secret_key` (default ``None``)
    - Defines the random string for initializing the Python Flask application server. It is generated when first installing the WAPT Server and is unique for every WAPT Server.
    - secret_key = FKjfzjfkF687fjrkeznfkj7678jknk78687
  * - :code:`server_uuid` (default ``None``)
    - Defines the WAPT Server :term:`UUID` (this anonymous id is used for WAPT statistics).
    - server_uuid = 76efezfa6-b309-1fez5-92cd-8ea48fc122dc
  * - :code:`signature_clockskew` (default ``300``)
    - Defines the maximum allowed time difference for the websockets (in seconds).
    - signature_clockskew = 72000
  * - :code:`token_lifetime` (default ``43200``)
    - Defines the authentication token lifetime (in seconds).
    - token_lifetime = 43200
  * - :code:`trusted_signers_certificates_folder` (default ``None``)
    - Defines the path to the trusted signers certificate directory.
    - trusted_signers_certificates_folder = C:\\private\\org-coder.crt
  * - :code:`trusted_users_certificates_folder` (default ``None``)
    - Defines the path to the trusted users CA certificate directory.
    - trusted_users_certificates_folder = C:\\private\\org-coder.crt
  * - :code:`use_kerberos` (default ``False``)
    - Enables a WAPT Agent to register using its Kerberos account. If :code:`use_kerberos` = ``True``, then :code:`allow_unauthenticated_connect` **MUST BE** set to ``False`` or it will take precedence.
    - use_kerberos = True
  * - :code:`use_ssl_client_auth` (default ``False``)
    - Enables :ref:`client certificate authentication `.
    - use_ssl_client_auth = True
  * - :code:`wapt_admin_group_dn` (default ``None``)
    - LDAP DN of the Active Directory User Group allowed to connect to the WAPT Console.
    - wapt_admin_group_dn = CN=waptadmins,OU=groups,DC=ad,DC=mydomain,DC=lan
  * - :code:`wapt_folder` (default :file:`/var/www/wapt` or :file:`/var/www/html/wapt` or WAPT :file:`root_dir/waptserver/repository/wapt`)
    - Defines the directory path of the WAPT repository.
    - wapt_folder = /var/www/wapt
  * - :code:`wapt_huey_db` (default ``None``)
    - Defines the path to the database that handles tasks.
    - wapt_huey_db = C:\\Program Files(x86)\\wapt\\db\\waptservertasks.sqlite
  * - :code:`wapt_password` (default ``None``)
    - Defines the :term:`SuperAdmin` password for connecting to the WAPT Console.
    - wapt_password = 46642dd2b1dfezfezgfezgadf0ezgeezgezf53d
  * - :code:`waptserver_port` (default ``8080``)
    - Defines the WAPT Server Python service port.
    - waptserver_port = 1313
  * - :code:`wapt_user` (default ``admin``)
    - Defines the :term:`SuperAdmin` username in the WAPT Console.
    - wapt_user = wapt_admin
  * - :code:`waptwua_folder` (default wapt_folder + 'wua')
    - Defines the location of the WAPT WUA folder.
    - waptwua_folder = /var/www/waptwua
  * - :code:`wol_port` (default ``9``)
    - Defines the list of WakeOnLAN UDP ports to send magic packets to.
    - wol_port = 9, 123, 4000
  * - :code:`wapt_bind_interface` (default ``127.0.0.1``)
    - Defines the interface address on which the WAPT Server service listens.
    - wapt_bind_interface = 127.0.0.1
  * - :code:`ipxe_script_jinja_path` (default ``/opt/wapt/waptserver/templates/ipxe-default.j2``)
    - Defines the location of the Jinja template used for the WAPT iPXE script.
    - ipxe_script_jinja_path = /opt/wapt/waptserver/templates/ipxe-autoregister.j2

.. _config_nginx:

Configuring Nginx
=================

The default Nginx configuration is as follows:

.. code-block:: nginx

  server {
      listen 80;
      listen 443 ssl;
      server_name _;

      ssl_certificate "/opt/wapt/waptserver/ssl/cert.pem";
      ssl_certificate_key "/opt/wapt/waptserver/ssl/key.pem";
      ssl_protocols TLSv1.2;
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      ssl_prefer_server_ciphers on;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_session_cache none;
      ssl_session_tickets off;

      index index.html;

      location ~ ^/wapt.* {
          proxy_set_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
          proxy_set_header Pragma "no-cache";
          proxy_set_header Expires "Sun, 19 Nov 1978 05:00:00 GMT";
          root "/var/www";
      }

      location / {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;

          location ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup) {
              proxy_pass http://127.0.0.1:8080;
              client_max_body_size 4096m;
              client_body_timeout 1800;
          }

          location /wapt-host/Packages {
              return 403;
          }

          location /wapt-host/add_host_kerberos {
              return 403;
          }

          location / {
              proxy_pass http://127.0.0.1:8080;
          }

          location /socket.io {
              proxy_http_version 1.1;
              proxy_buffering off;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "Upgrade";
              proxy_pass http://127.0.0.1:8080/socket.io;
          }
      }
  }

.. _configuring_WAPT_for_large_deployment:

Configuring WAPT Server for large deployments
=============================================

The default operating system, Nginx and PostgreSQL settings are adapted for around 400 WAPT Agents. If you have more than 400 clients, it is necessary to modify a few system-level parameters along with the PostgreSQL database, the Nginx web server and the WAPT Server Python server.

In the future, the :program:`postconf.sh` script might take charge of this configuration depending on the expected number of client computers.

With the following parameters, one WAPT Server should scale up to around 5000 concurrent active clients. You may have more clients in the database if they are not all running at the same time. If you have more than 5000 clients, it is recommended to have more than one WAPT Server.

The limit in the number of endpoint clients is due to the bottleneck in the Python code and the PostgreSQL backend. WAPT performance gets better with time and in the future WAPT Server might support a large base on a single host. However, the Nginx part scales very well and it can take full advantage of a 10 Gbps connection for high load package deployments.

.. note::

  **The parameters to be modified below are linked together and should be modified globally and not individually**.

Configuring Nginx
-----------------

.. list-table:: :file:`nginx.conf` configuration file location
  :header-rows: 1
  :widths: auto
  :align: center

  * - OS Type
    - File location
  * - Debian / Ubuntu
    - :file:`/etc/nginx/nginx.conf`
  * - Redhat and derivatives
    - :file:`/etc/nginx/nginx.conf`
  * - Windows
    - :file:`C:\\wapt\\waptserver\\nginx\\conf\\nginx.conf`

In the :file:`nginx.conf` file, modify the :code:`worker_connections` parameter. The value should be around 2.5 times the number of WAPT clients (n connections for websockets and n connections for package downloads and inventory upload + some margin).

.. code-block:: nginx

  events {
      worker_connections 4096;
  }

Then increase the number of *file descriptors* in the :file:`nginx.conf` file:

.. code-block:: nginx

  worker_rlimit_nofile 32768;

Depending on the partitioning of your WAPT Server, you might have to be careful with the Nginx temporary file upload directory. Nginx acts as a reverse proxy for the WAPT Server Python engine and it caches uploaded packages when a new package is uploaded from the Console.

The packages are stored in the :file:`/var/lib/nginx/proxy` directory. You have to make sure that the partition hosting this directory is large enough.
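
As an added example (not part of the WAPT documentation or code), the following Python check reads an :file:`nginx.conf` and compares :code:`worker_connections` and :code:`worker_rlimit_nofile` against the 2.5 connections per client rule given above, since exhausting either limit makes the server refuse Agent connections. The function names, the sample configuration and the client counts are assumptions made for illustration; the rule is applied directly to the directive value, as the text above does.

```python
import math
import re

CONNECTIONS_PER_CLIENT = 2.5            # sizing rule stated on this page
NGINX_DEFAULT_WORKER_CONNECTIONS = 512  # nginx built-in default when unset


def read_directive(conf_text, name):
    """Return the integer value of a simple nginx directive, or None if unset."""
    # Remove comments first so a commented-out directive is not counted.
    live = re.sub(r"#[^\n]*", "", conf_text)
    match = re.search(r"(?:^|[;{}\s])" + re.escape(name) + r"\s+(\d+)\s*;", live)
    return int(match.group(1)) if match else None


def audit_nginx_limits(conf_text, expected_clients):
    """Return (required_connections, findings) for the given client count."""
    required = math.ceil(expected_clients * CONNECTIONS_PER_CLIENT)
    findings = []

    connections = read_directive(conf_text, "worker_connections")
    if connections is None:
        connections = NGINX_DEFAULT_WORKER_CONNECTIONS
        findings.append("worker_connections is not set: nginx default of 512 applies")
    if connections < required:
        findings.append(
            f"worker_connections {connections} is below the {required} "
            f"needed for {expected_clients} clients"
        )

    nofile = read_directive(conf_text, "worker_rlimit_nofile")
    if nofile is None:
        findings.append("worker_rlimit_nofile is not set: workers inherit the system limit")
    elif nofile < connections:
        # Every connection holds at least one descriptor, so this cap is hit first.
        findings.append(
            f"worker_rlimit_nofile {nofile} is lower than worker_connections {connections}"
        )
    return required, findings


# Constructed sample input using the values shown on this page.
SAMPLE_CONF = """
worker_rlimit_nofile 32768;
events {
    # worker_connections 16384;
    worker_connections 4096;
}
"""
```
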

You may change this directory location using the following Nginx configuration parameter.

.. code-block:: ini

  $client_body_temp_path

Configuring the Linux System
----------------------------

Increase the number of *file descriptors*. The system unit file asks for an increase in the allowed number of *file descriptors* (LimitNOFILE=32768). We should have the same thing for Nginx. There are a few limits to modify.

First, we modify system-wide the number of *file descriptors* allowed for Nginx and WAPT.

* Create the :file:`/etc/security/limits.d/wapt.conf`.

.. code-block:: bash

  cat > /etc/security/limits.d/wapt.conf < /etc/sysctl.d/wapt.conf <