Migrate your existing Security Compliance Management instance from 2.x to
3.x.
Before you begin
Unlike version 2.x, Security Compliance Management 3.x uses Puppet Bolt for installation,
configuration, and administration instead of PAM. To install Security Compliance Management, you need a Forge API token to download the
complyadm module.
Before installing, please make sure the system you plan to install Bolt on
has internet access as well as SSH access to the system on which your Security Compliance Management 2.x installation is hosted and the system on
which you intend to install Security Compliance Management 3.x. In addition,
because Bolt is installed on one or more systems and used to manage one
centralized Security Compliance Management installation, it may be a good
idea to maintain the Bolt project in its own VCS repo.
Important: Before migrating to Security Compliance Management 3.x,
please make sure you have upgraded to the latest version of 2.x and that you are on
the latest version of assessor.
-
Install Bolt version 3.27.2
or later on a jumphost. This can be the intended Security Compliance Management 3.x host, or any other system.
-
Create the Security Compliance Management
Bolt project and switch to that directory.
mkdir comply-bolt-project
cd comply-bolt-project
bolt project init comply_bolt_project
-
Edit the bolt-project.yaml file to specify the module to
install and your Forge API token. Change the
modules and module-install sections to:
---
name: comply_bolt_project
modules:
- name: puppetlabs/complyadm
version_requirement: 3.y.z
module-install:
forge:
authorization_token: 'Bearer <your API token>'
baseurl: https://forgeapi.puppet.com
-
Install the
complyadm module using the command:
bolt module install.
-
Create an inventory.yaml
file with two targets: One for the host on which Security Compliance Management 3.x is to be installed and one for the
host running the most recent version of Security Compliance Management
2.x. If you intend to automatically generate an mTLS certificate in a later
step, you also need to include the Puppet Enterprise host
as this enables the generation of TLS Certificates required for secure
interaction (mTLS) between Security Compliance Management and Puppet Enterprise. Otherwise, if you intend to manually
provide the mTLS certificate, you do not need to provide the Puppet Enterprise host. For example:
---
targets:
- name: security-compliance-management
uri: <security-compliance-management-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
native-ssh: true
ssh-command: <Path to SSH command>
- name: comply-host
uri: <comply-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
- name: puppet-enterprise
uri: <puppet-enterprise-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
native-ssh: true
ssh-command: <Path to SSH command>
If you are installing on a localhost, use the following connection information
instead:
---
targets:
- name: security-compliance-management
uri: localhost
config:
transport: local
- name: puppet-enterprise
uri: <puppet-enterprise-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
native-ssh: true
ssh-command: <Path to SSH command>
-
Run the migration plan on the target host using:
bolt
plan run complyadm::migrate.
-
If you would like to install everything on a single host (referred to as
All-in-One in the installer), specify an inventory target you would like to use.
-
Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
-
Choose whether to use Docker or Podman for the container
runtime and agree to install the runtime on the target host if one is not
already installed.
-
Choose whether to manually configure an mTLS certificate, use the automatically
generated certificate, or to configure this at a later time. If you choose the
automatically generated configuration, you must have an existing Puppet
Enterprise host as a target in your inventory.yaml file.
-
Choose whether to manually configure a TLS certificate or use the automatically
generated self-signed certificate. You can update this certificate at a later
time. If you choose to manually configure the TLS certificate, you need a TLS
certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log into the application at the resolvable hostname with the same
credentials that you used on your 2.x system.