Specify your initial configuration settings and deploy Security Compliance Management for the first time.
Before you begin
Unlike version 2.x, Security Compliance Management 3.x uses Puppet Bolt for installation,
configuration, and administration instead of PAM.
Before installing, please make sure the system you plan to install Bolt on
has internet access as well as SSH access to the system on which you intend to
install Security Compliance Management 3.x. In addition, because
Bolt is installed on one or more systems and used to manage one
centralized Security Compliance Management installation, it may be a good
idea to maintain the Bolt project in its own VCS repo.
-
Install Bolt version 3.27.2
or later on a jumphost. This can be the intended Security Compliance Management 3.x host, or any other system.
-
Create the Security Compliance Management
Bolt project and switch to that directory.
mkdir comply-bolt-project
cd comply-bolt-project
bolt project init comply_bolt_project
-
Edit the bolt-project.yaml file and change the
modules section to:
---
name: comply_bolt_project
modules:
- name: puppetlabs/complyadm
version_requirement: 3.y.z
-
Install the
complyadm module using the command:
bolt module install.
-
Create an inventory.yaml
file with the connection information for the host on which Security Compliance Management 3.x is to be installed. If you intend to
automatically generate an mTLS certificate in a later step, you also need to
include the Puppet Enterprise host as this enables the
generation of TLS Certificates required for secure interaction (mTLS) between
Security Compliance Management and Puppet Enterprise. Otherwise, if you intend to manually
provide the mTLS certificate, you do not need to provide the Puppet Enterprise host. For example:
---
targets:
- name: security-compliance-management
uri: <security-compliance-management-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
native-ssh: true
ssh-command: <Path to SSH command>
- name: puppet-enterprise
uri: <puppet-enterprise-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
native-ssh: true
ssh-command: <Path to SSH command>
If you are installing on a localhost, use the following connection information
instead:
---
targets:
- name: security-compliance-management
uri: localhost
config:
transport: local
- name: puppet-enterprise
uri: <puppet-enterprise-fqdn>
config:
transport: ssh
ssh:
user: <username>
private-key: <path to SSH private key>
run-as: root
host-key-check: false
native-ssh: true
ssh-command: <Path to SSH command>
-
Install Security Compliance Management on the target host using:
bolt plan run complyadm::install.
-
Specify an inventory target you would like to use for an All-in-One
install.
-
Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
-
Choose whether to use Docker or Podman for the container
runtime and agree to install the runtime on the target host if one is not
already installed.
-
Choose whether to manually configure an mTLS certificate, use the automatically
generated certificate, or to configure this at a later time. If you choose the
automatically generated configuration, you must have an existing Puppet
Enterprise host as a target in your inventory.yaml file.
-
Choose whether to manually configure a TLS certificate or use the automatically
generated self-signed certificate. You can update this certificate at a later
time. If you choose to manually configure the TLS certificate, you need a TLS
certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log into the application at the resolvable hostname with the default
username and password (comply:compliance). You are
prompted to change the username and password when you first log in.