Install Security Compliance Management on a host without SSH access

When necessary, you can create an air-gapped bundle from a Puppet Bolt project and copy the bundle to the install target. This bundle contains all the images and dependencies needed to install Security Compliance Management on the desired host.

Before you begin
Ensure that the required runtime environment (Docker or Podman) and Bolt (3.27.2 or later) are installed on the air-gapped target machine.
  1. On your non air-gapped machine, create the Security Compliance Management Bolt project and switch to that directory. 
    mkdir comply-bolt-project 
cd comply-bolt-project
bolt project init comply_bolt_project
  2. Edit the bolt-project.yaml file and change the modules section to: 
    --- 
name: comply_bolt_project
modules:
- name: puppetlabs/complyadm
  version_requirement: 3.y.z
  3. Install the complyadm module using the command: bolt module install.
  4. Create an inventory.yaml file for a localhost installation, for example: 
    --- 
targets: 
  - name: security-compliance-management 
    uri: localhost 
    config: 
      transport: local
    features: 
      - puppet-agent
  5. Create an air-gapped bundle using: 
    bolt plan run complyadm::install::create_offline_bundle
    This creates a bundle called project.zip that contains all the images and dependencies needed to install Security Compliance Management.
  6. On the air-gapped target machine, create the Bolt project using: mkdir comply-bolt-project.
  7. Copy the air-gapped bundle to the comply-bolt-project folder.
  8. Extract the bundle using: 
    cd comply-bolt-project
unzip project.zip
  9. Install Security Compliance Management on the target host using: bolt plan run complyadm::install.
  10. Specify an inventory target you would like to use for an All-in-One install.
  11. Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
  12. A runtime cannot be installed on the air-gapped machine using the offline bundle, but it is a required prompt for the Bolt installation plan. So you need to choose a runtime then answer No when you are prompted to install one.
  13. Configure an mTLS certificate or choose to configure this at a later time. Automatically generated certificates are only available for hosts that support SSH.
  14. Choose whether to manually configure a TLS certificate or use the automatically generated self-signed certificate. You can update this certificate at a later time. If you choose to manually configure the TLS certificate, you need a TLS certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log into the application at the resolvable hostname with the default username and password (comply:compliance). You are prompted to change the username and password when you first log in.