Install Security Compliance Management on a host without SSH access
When necessary, you can create an air-gapped bundle from a Puppet Bolt project and copy the bundle to the install target. This bundle contains all the images and dependencies needed to install Security Compliance Management on the desired host.
Before you begin:
Ensure that the required runtime environment (Docker or Podman) and Bolt (3.27.2 or later) are installed on the air-gapped target machine.
To access the Security Compliance Management complyadm module, you need a Forge API token.
- On your non air-gapped machine, create the Security Compliance Management Bolt project and switch to that directory.
    mkdir comply-bolt-project
    cd comply-bolt-project
    bolt project init comply_bolt_project
- Edit the bolt-project.yaml file to specify the module to install and your Forge API token. Change the modules and module-install sections to:
    ---
    name: comply_bolt_project
    modules:
      - name: puppetlabs/complyadm
        version_requirement: 3.y.z
    module-install:
      forge:
        authorization_token: 'Bearer <your API token>'
        baseurl: https://forgeapi.puppet.com
- Install the complyadm module using the command:
    bolt module install
  If you are installing Security Compliance Management as a non-root user, see Install Security Compliance Management as a non-root user starting with the next step.
- Create an inventory.yaml file for a localhost installation, for example:
    ---
    targets:
      - name: security-compliance-management
        uri: localhost
        config:
          transport: local
        features:
          - puppet-agent
- Create an air-gapped bundle using:
    bolt plan run complyadm::install::create_offline_bundle
  This creates a bundle called project.zip that contains all the images and dependencies needed to install Security Compliance Management.
- On the air-gapped target machine, create the Bolt project using:
    mkdir comply-bolt-project
- Copy the air-gapped bundle to the comply-bolt-project folder.
- Extract the bundle using:
    cd comply-bolt-project
    unzip project.zip
- Install Security Compliance Management on the target host using:
    bolt plan run complyadm::install
- Select root as the install type to install Security Compliance Management. If you are installing Security Compliance Management as a non-root user, see Install Security Compliance Management as a non-root user for those instructions.
- Specify the inventory target you would like to install on.
- Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
- A runtime cannot be installed on the air-gapped machine using the offline bundle, but the Bolt installation plan still prompts for one. Choose a runtime, then answer No when you are prompted to install it.
- Configure an mTLS certificate or choose to configure this at a later time. Automatically generated certificates are only available for hosts that support SSH.
- Choose whether to manually configure a TLS certificate or use the automatically generated self-signed certificate. You can update this certificate at a later time. If you choose to manually configure the TLS certificate, you need a TLS certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log into the application at the resolvable hostname with the default username and password (comply:compliance). You are prompted to change the username and password when you first log in.
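
The bundle is carried to the target by hand and then installed with the root install type, so it is worth confirming that the project.zip you extract is the one you built. The following is an added example, not part of the Puppet documentation or the complyadm module: the function names and the project.zip.sha256 file name are hypothetical, and the digest is assumed to reach the target by a path separate from the bundle (otherwise it only detects accidental corruption).

```shell
# Added example. project.zip is the bundle name from the steps above; the
# function names and the project.zip.sha256 file name are hypothetical.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Connected machine: record the bundle digest after create_offline_bundle.
bundle_seal() {
  [ -f "$1" ] || { echo "no such bundle: $1" >&2; return 2; }
  sha256_of "$1" > "$1.sha256"
}

# Air-gapped machine: compare the bundle with the recorded digest.
# Returns 0 on match, 1 on mismatch, 2 if an input is missing or malformed.
bundle_verify() {
  local bundle="$1"
  local digest_file="${2:-$1.sha256}"
  local expected actual
  [ -f "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 2; }
  [ -s "$digest_file" ] || { echo "missing digest: $digest_file" >&2; return 2; }
  # Normalise the recorded digest: strip whitespace, lower-case the hex.
  expected=$(tr -d '[:space:]' < "$digest_file" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*) echo "malformed digest in $digest_file" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed digest in $digest_file" >&2; return 2; }
  actual=$(sha256_of "$bundle")
  if [ "$expected" = "$actual" ]; then
    echo "OK: $bundle matches $digest_file"
    return 0
  fi
  echo "MISMATCH: $bundle does not match $digest_file; do not unzip" >&2
  return 1
}

# Connected machine:  bundle_seal project.zip
# Air-gapped machine: bundle_verify project.zip && unzip project.zip
```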