.. Reminder for header structure: Parts (H1) : #################### with overline Chapters (H2) : ******************** with overline Sections (H3) : ==================== Subsections (H4) : -------------------- Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^ Paragraphs (H6) : """"""""""""""""""""" .. meta:: :description: Configuring ACL :keywords: ACL, WAPT, documentation, Access Control Lists .. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png :scale: 3% :alt: WAPT Enterprise feature only ######################################################## Enhancing the security of your WAPT setup - Console side ######################################################## .. _generating_CA: ************************************************************** Generating the Certificate Authority (CA) |enterprise_feature| ************************************************************** When installing WAPT, you are asked to :ref:`create ` a :mimetype:`.pem` / :mimetype:`.crt` pair by checking the boxes :guilabel:`Tag as code signing` and :guilabel:`Tag as CA Certificate`. This :mimetype:`.pem` / :mimetype:`.crt` pair will allow to sign WAPT packages and new certificates. Generating a new certificate with the Certificate Authority =========================================================== :ref:`Build a new ` :file:`.pem` / :file:`.crt` pair. .. note:: The new certificate will not be a self-signed certificate; This new certificate will be signed by the CA (the key generated at the time of the first installation of WAPT); You **MUST** then fill in the :guilabel:`Authority Signing Key` and the :guilabel:`Authority Signing Certificate`. When generating the new pem/ crt pair, you have the option to choose whether or not the new certificate will be a **Code Signing** type. .. hint:: For recall, a *Code Signing* certificate is reserved to individuals with the :term:`Administrator` role in the context of WAPT and a simple SSL certificate without the ``Code Signing`` attribute is reserved to individuals with the role of :term:`Package Deployer`. :term:`Administrators` will be authorized to sign packages that **CONTAIN** a :file:`setup.py` executable file (i.e. *base* packages). Individuals with the :term:`Package Deployer` role will be authorized to sign packages that **DO NOT CONTAIN** :file:`setup.py` executable file (i.e. *host*, *unit* and *group* packages). .. figure:: wapt-resources/wapt_console_generate-certicate-non-code-signing_dialog-box.png :align: center :alt: Generating a certificate without the *Code Signing* attribute Generating a certificate without the *Code Signing* attribute Keys and certificates that are **Not Code Signing** may be distributed to individuals in charge of deploying packages on the installed base of WAPT equipped devices. Another team with certificates having the **Code Signing** attribute will prepare the WAPT packages that contain applications that will need to be configured according to the security guidelines of the :term:`Organization` and the user customizations desired by her. .. figure:: wapt-resources/wapt_console_generate-certificate-code-signing_dialog-box.png :align: center :alt: Generating a certificate with the *Code Signing* attribute Generating a certificate with the *Code Signing* attribute Generating a new .pem / .crt pair will also allow to formally identify the individual who has signed a package by looking up the :abbr:`CN (Common Name)` attribute of the WAPT package certificate. .. hint:: The new certificates will not be *CA Certificates*, which means that they will not be authorized to sign other certificates. As a general rule, there is only one **CA Certificate** pem / crt pair per :term:`Organization`. .. attention:: It is not necessary to deploy child certificates with the WAPT Agent. Child certificates are used with the WAPT Console to allow or restrict actions. Deploying certificates of local IT admins on clients ==================================================== .. hint:: Some Organizations will choose to let local IT administrators perform actions on WAPT equipped devices by issuing them personal certificates that will work on the set of devices for which the local IT admins are responsible. The headquarter IT admins will deploy the certificates of local IT admins on the computers that local admins manage on their respective sites. This way, local IT admins will not be able to manage computers located in headquarters, but on their own sites only. It is possible to manage simply and in a finer way using :ref:`Access Control Lists ` with the Enterprise version of WAPT. You will need to copy the certificates of allowed local IT admins on WAPT clients in :file:`C:\\program files(x86)\\wapt\\ssl`. .. hint:: Do not forget to restart the WAPT service on clients for them to use their new certificate. Open a command line :program:`cmd.exe`. .. code-block:: bash net stop waptservice && net start waptservice If you want to deploy the certificates using WAPT, use :ref:`WAPT package templates ` ***************************************************************************************** Displaying the Certificates trusted by the hosts in the WAPT Console |enterprise_feature| ***************************************************************************************** In this tab, you can see the certificates that the host accepts to trust. .. figure:: wapt-resources/wapt_console_certificate-tab.png :align: center :alt: Window showing the certificates trusted by the selected host Window showing the certificates trusted by the selected host .. _ACL: ***************************************************** Configuring Access Control Lists |enterprise_feature| ***************************************************** .. hint:: The *SuperAdmin* user of WAPT is authenticated by a password stored in :file:`waptserver.ini` as a value of the :code:`wapt_password` attribute. Others WAPT users may be local users :code:`htpasswd_path`) or AD account users (:code:`ldap_auth_server` / :code:`ldap_auth_base_dn`). ACLs define actions enabled for all types of users in the WAPT context. .. note:: Default ACLs user level are defined by :code:`default_ldap_users_acls` in :file:`waptserver.ini`. The default ACL for a new user is ``view``. .. attention:: **Security is define by the certificate deployed on clients, not by ACLs.** **ACLs simply limit what actions the WAPT Server is allowed to relay from the WAPT Console to the WAPT Agents.** **As of |date|, the WAPT Agents do not check ACL rights.** To configure ACLs in WAPT, go to :menuselection:`Tools --> Manage WAPT users and rights`. .. image:: wapt-resources/wapt_console_tools_menu-list.png :align: center :alt: Menu list for managing ACLs in the WAPT Console .. note:: On first launch after the WAPT Server installation, only the *SuperAdmin* account is present in the list of users. If the *SuperAdmin* account does not exist or does not have the *admin* right, then the account is recreated by restarting the WAPT Server service. The *SuperAdmin* account is authenticated using the value of :code:`wapt_password` in the :file:`waptserver.ini` configuration file. Two types of account are manageable by ACL, *local* and *Active Directory*. Local user account ================== Local users are defined by a :mimetype:`.htpasswd` file. WAPT Server configuration ------------------------- For using local user accounts, you need create a file named :file:`waptusers.htpasswd` in the same :ref:`folder ` on the WAPT Server containing the :file:`waptserver.ini` file. .. tabs:: .. code-tab:: bash Linux: touch /opt/wapt/conf/waptusers.htpasswd chown wapt /opt/wapt/conf/waptusers.htpasswd .. code-tab:: bash Windows cd. > C:\wapt\conf\waptusers.htpasswd * On :file:`waptserver.ini` add ``htpasswd_path`` settings. .. code-block:: bash htpasswd_path = password file location .. hint:: Restart **the WAPT Server** service Creating the user account ------------------------- * In :guilabel:`WAPT Users rights` window, click on :guilabel:`New account`. .. figure:: wapt-resources/wapt_console_acl-new-account_screen-item.png :align: center :alt: Creating a new local account It is possible to rename accounts by pressing :kbd:`F2` on the :guilabel:`User` column. * Save by clicking on :guilabel:`Save account`. * For setting a password, see below. * For setting rights, see the section on :ref:`managing ACL rights `. If the local user has a password in :file:`waptusers.htpasswd`, then the username appears in **bold** and `Local User` is checked, else change the password for this user. Changing the user password -------------------------- To change the password for the selected account: * Do a :menuselection:`right click on the account --> Change User Password on Wapt Server`. .. image:: wapt-resources/wapt_console_tools_menu-list.png :align: center :alt: Menu list for managing ACLs in the WAPT Console * Enter the new password. .. figure:: wapt-resources/wapt_console_acl-change-password_dialog-box.png :align: center :alt: Dialog box for changing the user password in the htaccess file Dialog box for changing the user password in the htaccess file The local user appears in *bold* and the `Local User` is checked. WAPT users set as Active Directory users ======================================== To manage WAPT users with Active Directory, you need to activate :ref:`Active Directory authentication `. After a first successful login, the AD account will appear automatically in the list of WAPT users. Blocking local user accounts ============================ To unregister local users, do :menuselection:`right click on the account --> Invalidate User Password on WAPT Server`. .. image:: wapt-resources/wapt_console_tools_menu-list.png :align: center :alt: Menu list for managing ACLs in the WAPT Console The user account will be blocked from managing anything in WAPT. .. _ACL_rigths: List of rights ============== Many :ref:`rights and restrictions ` can be set for each user in the WAPT Console. .. list-table:: List of user rights :header-rows: 1 :align: center :widths: auto * - Right - Description * - :guilabel:`Admin` - Grants the same rights as *SuperAdmin*, all rights are granted except :guilabel:`local user`. * - :guilabel:`View` - Allows only view information on the WAPT Console. * - :guilabel:`Register hosts` - Allows to use the Admin credentials to :ref:`register manually a host ` with the WAPT Server. * - :guilabel:`Unregister hosts` - Allows to :ref:`remove a host ` from the WAPT Console. * - :guilabel:`Edit hosts` - Allows to :ref:`edit the host profile ` on the WAPT Console. * - :guilabel:`Edit packages` - Allows to :ref:`modify base packages ` on the WAPT Console. * - :guilabel:`Edit groups` - Allows to :ref:`modify group packages ` on the WAPT Console. * - :guilabel:`Edit self-service` - Allows to :ref:`modify self-service rules ` on the WAPT Console. * - :guilabel:`WUA` - Allows to :ref:`modify WUA / WSUS rules ` on the WAPT Console. * - :guilabel:`Edit unit package` - Allows to :ref:`modify unit packages ` on the WAPT Console. * - :guilabel:`Edit profiles package` - Allows to :ref:`modify profiles packages ` on the WAPT Console. * - :guilabel:`Apply upgrades` - Allows to remotely apply upgrades on her perimeter of hosts, if host is on **PENDING** status. * - :guilabel:`Remote hosts actions` - Allows to make use of the Windows Computer Management tool with the WAPT Console. * - :guilabel:`Edit Reports` - Allows to :ref:`create new or modify reporting queries `. * - :guilabel:`Run Reports` - Allows to :ref:`run existing SQL reports `. * - :guilabel:`Local user` - Defines a Local User .. _manage_right_acl: Managing rights =============== By default, the **SuperAdmin** is the :ref:`CA certificate ` user. For other user, it is possible to associate a certificate that has been generated from the WAPT :abbr:`PKI (Public Key Infrastructure)` or from another :abbr:`CA (Certificate Authority)`. These certificates may or may not be children of the WAPT Certificate Authority. .. attention:: If certificates are not issued from the Certificate Authority: * Updated WAPT packages are available only to computers where certificates are deployed. * ACLs are valid only on the perimeter of the hosts where the certificates are deployed. Associating a certificate to a user ----------------------------------- .. hint:: By default no certificate is set for any user (including *SuperAdmin*). The account in the WAPT Console appears in *italic* if no certificate is associated to the user. To associate a certificate to an user, do :menuselection:`Right-Click on user --> Register user certificate`. .. image:: wapt-resources/wapt_console_tools_menu-list.png :align: center :alt: Menu list for managing ACLs in the WAPT Console Then, choose the certificate to associate to the user. Adding / Removing rights ------------------------ To add or remove rights, select the cell with :menuselection:`left click` and check-it by pressing the :kbd:`spacebar`. .. image:: wapt-resources/wapt_console-acl-check-right_screen-item.gif :align: center :alt: Checking the ACL rights .. hint:: It is possible to do a multiple selection by using keyboard shortcuts :kbd:`Crtl+left-click` and pressing the :kbd:`spacebar`. Restricting the perimeter of rights permitted to user ----------------------------------------------------- It is possible to associate a perimeter to a right given to a user. View ^^^^ .. list-table:: Definition of the allowed perimeter :header-rows: 1 :widths: auto * - Perimeter - Description * - :guilabel:`Deny all` - Denies any view right (not checked). * - :guilabel:`Allow on any perimeter` - Allows view right for all WAPT Agents. * - :guilabel:`Allow specific perimeters` - Allows view right on the selected perimeter defined as a list of certificates. * - :guilabel:`Allow where user certificate is deployed` - Allows view only on the perimeter where the certificate of the WAPT Administrator is deployed. Edit group packages ^^^^^^^^^^^^^^^^^^^ .. hint:: All group packages work on the same principle as described below. .. list-table:: Definition of the allowed perimeter :header-rows: 1 :widths: auto * - Perimeter - Description * - :guilabel:`Deny all packages` - Denies any edit right to any package (not checked). * - :guilabel:`Allow any packages` - Allows edit right to all WAPT packages. * - :guilabel:`Allow specific packages name` - Allows edit right for the WAPT packages selected in the list.