Configure Comply TLS certificates

You need to generate certificates for Comply in Puppet Enterprise (PE) to enable automatic upgrades of the CIS-CAT assessor and for tasks to upload reports.

Before you begin
Make sure you have configured Comply in Puppet Application Manager (PAM).

Certificates are required when setting up Comply for the following interactions:

  • Interactions between Comply and PE. Interactions between Comply and PE require correct configuration of the CA certificate. Any issues with the CA certificate with regard to communication between Comply and PE result in an error on the Comply UI.
  • Agent runs. If you have set up the Comply module to download the assessor from the Comply server (as opposed to being hosted locally) then the assessor is downloaded using Mutual Transport Layer Security (MTLS) with the client certificate from the node. The Comply mtls-proxy component requires the configured TLS and CA certificate.
  • Scan task runs. Running a scan sends reports back into Comply via an HTTP POST. This POST goes through the mtls-proxy and use MTLS with the client certificate from the node.

Configuring Comply TLS certificates involves first generating the certificates in Puppet Enterprise (PE) and then setting up Mutual Transport Layer Security (MTLS) in Puppet Application Manager (PAM). MTLS enables a secure authenticated connection between your nodes and Comply.

For information on troubleshooting problems with certificates, see Troubleshooting TLS issues in Comply

  1. SSH into your PE primary server and generate the certificates:
    puppetserver ca generate --certname <COMPLY-HOSTNAME>
    This command does the following:
    • Saves the private key to /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem
    • Saves the certificate to /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem
  2. Log in to Puppet Application Manager, click the Version history tab, and click Check for update.
  3. Click the Config tab, and scroll down to Transport layer security (TLS) certificates to interact with PE.
  4. Ensure Use a NodePort is selected. If you want to change the Comply port from the default (30303), add the new port number in the Comply port for PE nodes field.
    Note: To host the assessor on your own supported cluster via NGINX ingress, see Configure Comply for a custom NGINX ingress (online environment) and Configure Comply TLS certificates for a custom NGINX ingress
  5. Enter the hostname of you PE instance in the PE hostname field to enable validation of the keys and certificates added in the next step.
  6. Upload the signed certificate public key, the private key files, and the CA certificate, with the following locations:
    • Paste the contents of /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem to the TLS certificate field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem to the TLS private key field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem to the CA certificate field.
  7. Click Save Config.
  8. Monitor the new version's preflight checks. The Running Checks indicator is shown on the screen while your system is checked to make sure your cluster meets minimum system requirements.

    The Config: Check if we can connect to PE using provided certificates preflight passes if the certificates are configured correctly.

    • If the preflight checks status is Checks Failed, click View preflights. Correct the issues and click Re-run. Repeat this step as needed.
      Important: Do not move on until all preflight checks pass.
    • If the preflight checks status is Ready to Deploy, move on to the next step.
  9. Click Deploy.
What to do next
Install the comply module.