Installation on a large, specific structure

Benjamin

November 12, 2016 - 8:59 AM

Good morning,

I'm getting back to you very late, but things are progressing at their own pace here.

Thanks to all your helpful advice, I was able to run my tests in VirtualBox without any problems, and I was able to give a presentation/demo to my superiors. They appreciated the tool and approved setting up an experiment before a potential real-world deployment.
Following this, we launched a test in an establishment condition and it works perfectly under the conditions mentioned above in previous posts (central server which serves as central repository, local repository in establishment for local groups and machines, and secondary repository synchronized with the central, clients configured for these 2 repositories).

I'm hopeful that I can arrange product training for my colleagues and myself, and even have a system implementation service in place, including services to migrate from SE3 to Samba4. But that's another matter, and before that, I still need to provide some additional information.

Therefore, following these "real-world" tests and requests from my superiors, I have some questions regarding the intended use:
  - Is there a way to create certificates in bulk (via the command line from the server, for example) so that they can be generated in advance for all sites, and then tell the local servers/consoles/clients to use these certificates rather than having to generate one during local console installation? I think so, but I'd prefer to ask you to get the command or some pointers.
  - Another very important question in our case: is there a way on the local servers of the institutions to prohibit the use of the "import from internet" and "import from file" functions to ensure that people authorized to use the consoles cannot retrieve "unauthorized" packages via the internet? I can see a way to only allow our repository through a firewall, but I would prefer that this function not be usable.
  - To confirm, the difference between using the central secondary repository and manually importing from it via the console is: in the first case, a package update will be automatically deployed to the facilities without human intervention once the rsync between the central and secondary repositories has been performed. Whereas in the second case, where the updated package is manually imported into a local console, it will not be updated because it is considered a new package with the local signature. Is that correct?
  - Also for confirmation, a lost certificate is permanently unrecoverable; in this case, a new one must be generated and all packages re-imported so that they adopt the new signature? (This seems obvious to me, but I would like confirmation.)
Thank you for your invaluable past and future help.
Kind regards,

Benjamin
sfonteneau
WAPT Expert

November 13, 2016 - 9:24 PM

Benjam wrote: Good morning,

I'm getting back to you very late, but things are progressing at their own pace here.

Thanks to all your helpful advice, I was able to run my tests in VirtualBox without any problems, and I was able to give a presentation/demo to my superiors. They appreciated the tool and approved setting up an experiment before a potential real-world deployment.
Following this, we launched a test in an establishment condition and it works perfectly under the conditions mentioned above in previous posts (central server which serves as central repository, local repository in establishment for local groups and machines, and secondary repository synchronized with the central, clients configured for these 2 repositories).

I'm hopeful that I can arrange product training for my colleagues and myself, and even have a system implementation service in place, including services to migrate from SE3 to Samba4. But that's another matter, and before that, I still need to provide some additional information.

Therefore, following these "real-world" tests and requests from my superiors, I have some questions regarding the intended use:
  - Is there a way to create certificates in bulk (via the command line from the server, for example) so that they can be generated in advance for all sites, and then tell the local servers/consoles/clients to use these certificates rather than having to generate one during local console installation? I think so, but I'd prefer to ask you to get the command or some pointers.
We're using OpenSSL, so yes!
Benjam wrote: - Another very important question in our case: is there a way on the local servers of the institutions to prohibit the use of the "import from internet" and "import from file" functions to ensure that people authorized to use the console cannot retrieve "unauthorized" packages via the internet? I can see how to only allow our repository via a firewall, but I would prefer that this function not be usable.
Well, that's where it gets complicated: not to my knowledge, and it's not something standardized.
I've just been hired at tranquil.it, and I know that the case you want to set up is in the works; I think we might be able to offer you something.

I suggest you contact Vincent Cardon from tranquil.it; he will be able to answer your question.
Benjam wrote: - To confirm, the difference between using the central secondary repository and manually importing from it via the console is: In the first case, a package update will be automatically deployed to the facilities without human intervention once the rsync between the central and secondary repositories has been completed. Whereas in the second case, where the updated package is manually imported into a local console, it will not be updated because it will be considered a new package with a local signature. Is that correct?
That's it!
Benjam wrote: - Also, for confirmation, a lost certificate is permanently unrecoverable; in this case, a new one must be generated and all packages re-imported so that they adopt the new signature? (It seems obvious to me, but I would like confirmation)
Yes, that's it!
Benjam wrote: Thank you for your invaluable past and future help.
Sincerely,

Benjam
Benjamin

November 14, 2016 - 7:00 AM

Hello and thank you for your replies, which confirm what I thought.

Regarding OpenSSL, I'll take a closer look at the bulk generation of all certificates and the necessary procedures (copying them to private and SSL, I assume, and especially how to automate client deployment with this certificate) on remote consoles so they can use it.
We're not yet deploying it in our institutions, so there's no rush, but it's to prepare a small script in advance for when it's due.

Thank you also for the confirmations.

Regarding the issue of blocked import functions from other repositories, I'll contact Vincent again.
In any case, we (my superiors and/or I) need to contact him again soon about Samba4/WAPT/Package Creation, and I'll take the opportunity to ask for a solution to this problem, which could be a real obstacle to implementing this solution for my superiors.

Thanks again for your replies.
Best regards,

Benjam
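
The bulk pre-generation discussed in this thread could be scripted with OpenSSL along the following lines. This is an added example, not part of the original posts and not WAPT's own tooling; the site names, the KEY_PASS variable, the `<site>.pem` / `<site>.crt` layout, the subject and the validity period are assumptions, and it does not cover how consoles or clients are pointed at the resulting files.

```shell
#!/bin/sh
# Added example: pre-generate one key pair and self-signed certificate per site.
# Assumptions (not from the thread): site names, the KEY_PASS variable,
# the <site>.pem / <site>.crt layout, subject field and validity period.

# gen_site_cert OUTDIR SITE: create an encrypted private key and a certificate.
gen_site_cert() {
    case $2 in ''|*[!A-Za-z0-9_-]*) echo "bad site name: $2" >&2; return 1;; esac
    [ -n "$KEY_PASS" ] || { echo "KEY_PASS is not set" >&2; return 1; }
    # Never overwrite: an overwritten private key is lost for good.
    if [ -e "$1/$2.pem" ] || [ -e "$1/$2.crt" ]; then
        echo "refusing to overwrite files for $2" >&2; return 1
    fi
    ( umask 077   # private key readable by its owner only
      openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
          -subj "/CN=$2" -passout env:KEY_PASS \
          -keyout "$1/$2.pem" -out "$1/$2.crt" 2>/dev/null )
}

# key_matches_cert OUTDIR SITE: succeed only if the key and certificate pair up.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1/$2.pem" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$1/$2.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# fingerprint OUTDIR SITE: print the certificate's SHA-256 fingerprint.
fingerprint() {
    openssl x509 -in "$1/$2.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# bulk_generate OUTDIR SITE...: generate, verify and record every site.
bulk_generate() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for s in "$@"; do
        gen_site_cert "$dir" "$s" || return 1
        key_matches_cert "$dir" "$s" || return 1
        printf '%s %s\n' "$s" "$(fingerprint "$dir" "$s")" >> "$dir/manifest.txt"
    done
}

# Usage (constructed site names):
#   KEY_PASS='...' ; export KEY_PASS ; bulk_generate ./certs site-a site-b
```

The manifest of fingerprints gives each site a value to compare against the certificate it receives, and the private keys need a backup of their own, since the thread confirms a lost one cannot be recovered.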