Install Security Compliance Management

Specify your initial configuration settings and deploy Security Compliance Management for the first time.

Before you begin

Unlike version 2.x, Security Compliance Management 3.x uses Puppet Bolt for installation, configuration, and administration instead of PAM. To install Security Compliance Management, you need a Forge API token to download the complyadm module.

Before installing, please make sure the system you plan to install Bolt on has internet access as well as SSH access to the system on which you intend to install Security Compliance Management 3.x. In addition, because Bolt is installed on one or more systems and used to manage one centralized Security Compliance Management installation, it may be a good idea to maintain the Bolt project in its own VCS repo.

  1. Install Bolt version 3.27.2 or later on a jumphost. This can be the intended Security Compliance Management 3.x host, or any other system.
  2. Create the Security Compliance Management Bolt project and switch to that directory. 
    mkdir comply-bolt-project 
cd comply-bolt-project
bolt project init comply_bolt_project
  3. Edit the bolt-project.yaml file to specify the module to install and your Forge API token. Change the modules and module-install sections to: 
    --- 
name: comply_bolt_project
modules:
- name: puppetlabs/complyadm
  version_requirement: 3.y.z

module-install:
  forge:
     authorization_token: 'Bearer <your API token>'
     baseurl: https://forgeapi.puppet.com
  4. Install the complyadm module using the command: bolt module install.
  5. Create an inventory.yaml file with the connection information for the host on which Security Compliance Management 3.x is to be installed. If you intend to automatically generate an mTLS certificate in a later step, you also need to include the Puppet Enterprise host as this enables the generation of TLS Certificates required for secure interaction (mTLS) between Security Compliance Management and Puppet Enterprise. Otherwise, if you intend to manually provide the mTLS certificate, you do not need to provide the Puppet Enterprise host. For example: 
    --- 
targets: 
  - name: security-compliance-management 
    uri: <security-compliance-management-fqdn> 
    config:
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key> 
        run-as: root 
        host-key-check: false        
        native-ssh: true
        ssh-command: <Path to SSH command>
  - name: puppet-enterprise 
    uri: <puppet-enterprise-fqdn> 
    config: 
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key> 
        run-as: root 
        host-key-check: false
        native-ssh: true
        ssh-command: <Path to SSH command>
    If you are installing on a localhost, use the following connection information instead:
    --- 
targets: 
  - name: security-compliance-management 
    uri: localhost 
    config: 
      transport: local 
  - name: puppet-enterprise 
    uri: <puppet-enterprise-fqdn> 
    config: 
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key>
        run-as: root
        host-key-check: false 
        native-ssh: true
        ssh-command: <Path to SSH command>
  6. Install Security Compliance Management on the target host using: bolt plan run complyadm::install.
    This plan only allows you to do a new install. To migrate data from a 2.x instance, see Migrate from Security Compliance Management 2.x to 3.x.
  7. If you would like to install everything on a single host (referred to as All-in-One in the installer), specify an inventory target you would like to use.
  8. Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
  9. Choose whether to use Docker or Podman for the container runtime and agree to install the runtime on the target host if one is not already installed.
  10. Choose whether to manually configure an mTLS certificate, use the automatically generated certificate, or to configure this at a later time. If you choose the automatically generated configuration, you must have an existing Puppet Enterprise host as a target in your inventory.yaml file.
  11. Choose whether to manually configure a TLS certificate or use the automatically generated self-signed certificate. You can update this certificate at a later time. If you choose to manually configure the TLS certificate, you need a TLS certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log into the application at the resolvable hostname with the default username and password (comply:compliance). You are prompted to change the username and password when you first log in.