Install Security Compliance Management on a host without SSH access

When necessary, you can create an air-gapped bundle from a Puppet Bolt project and copy the bundle to the install target. This bundle contains all the images and dependencies needed to install Security Compliance Management on the desired host.

Before you begin:
Ensure that the required runtime environment (Docker or Podman) and Bolt (3.27.2 or later) are installed on the air-gapped target machine.

To access the Security Compliance Management complyadm module, you need a Forge API token.

  1. On your non-air-gapped machine, create the Security Compliance Management Bolt project and switch to that directory.
    mkdir comply-bolt-project 
    cd comply-bolt-project
    bolt project init comply_bolt_project
  2. Edit the bolt-project.yaml file to specify the module to install and your Forge API token. Change the modules and module-install sections to:
    --- 
    name: comply_bolt_project
    modules:
    - name: puppetlabs/complyadm
      version_requirement: 3.y.z
    
    module-install:
      forge:
        authorization_token: 'Bearer <your API token>'
        baseurl: https://forgeapi.puppet.com
    
  3. Install the complyadm module using the command: bolt module install.
  4. Create an inventory.yaml file for a localhost installation, for example:
    --- 
    targets: 
      - name: security-compliance-management 
        uri: localhost 
        config: 
          transport: local
        features: 
          - puppet-agent
  5. Create an air-gapped bundle using:
    bolt plan run complyadm::install::create_offline_bundle

    This creates a bundle called project.zip that contains all the images and dependencies needed to install Security Compliance Management.

  6. On the air-gapped target machine, create the Bolt project using: mkdir comply-bolt-project.
  7. Copy the air-gapped bundle to the comply-bolt-project folder.
  8. Extract the bundle using:
    cd comply-bolt-project
    unzip project.zip
  9. Install Security Compliance Management on the target host using: bolt plan run complyadm::install.
  10. If you would like to install everything on a single host (referred to as All-in-One in the installer), specify an inventory target you would like to use.
  11. Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
  12. The offline bundle cannot install a runtime on the air-gapped machine, but the Bolt installation plan still prompts for one. Choose a runtime, then answer No when you are prompted to install it.
  13. Configure an mTLS certificate or choose to configure this at a later time. Automatically generated certificates are only available for hosts that support SSH.
  14. Choose whether to manually configure a TLS certificate or use the automatically generated self-signed certificate. You can update this certificate at a later time. If you choose to manually configure the TLS certificate, you need a TLS certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log in to the application at the resolvable hostname with the default username and password (comply:compliance). You are prompted to change the username and password when you first log in.
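
The prerequisites under "Before you begin" and the bundle transfer in steps 5 to 8 can be checked on the air-gapped target before running unzip. The script below is an added example, not part of the Puppet documentation or the complyadm module; its function names are hypothetical, and it assumes sha256sum is available and that the digest was recorded on the connected machine with `sha256sum project.zip` and carried over separately from the bundle.

```shell
#!/bin/sh
# Added example: pre-install checks on the air-gapped target.
# Assumption: EXPECTED digest was recorded on the connected machine.
MIN_BOLT="3.27.2"   # minimum Bolt version from "Before you begin"

# version_ge A B: succeed when dotted version A >= B, compared numerically per field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-rc1"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# bundle_digest FILE: print the SHA-256 of FILE as lowercase hex.
bundle_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_bundle FILE EXPECTED: succeed only when FILE exists and its digest matches.
verify_bundle() {
    [ -f "$1" ] || return 2
    [ "$(bundle_digest "$1")" = "$2" ]
}

# have_runtime: succeed when Docker or Podman is on PATH.
have_runtime() {
    command -v docker >/dev/null 2>&1 || command -v podman >/dev/null 2>&1
}

# preflight BUNDLE EXPECTED: run every check and report each failure.
preflight() {
    rc=0
    have_runtime || { echo "no Docker or Podman runtime found" >&2; rc=1; }
    v=$(bolt --version 2>/dev/null) || v=""
    version_ge "${v:-0}" "$MIN_BOLT" || { echo "Bolt >= $MIN_BOLT required, found '${v:-none}'" >&2; rc=1; }
    verify_bundle "$1" "$2" || { echo "missing bundle or digest mismatch: $1" >&2; rc=1; }
    return $rc
}

# Usage: sh preflight.sh project.zip <sha256 recorded on the connected machine>
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```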