Migrate from Security Compliance Management 2.x to 3.x

Migrate your existing Security Compliance Management instance from 2.x to 3.x.

Before you begin:

Unlike version 2.x, Security Compliance Management 3.x uses https://www.puppet.com/docs/bolt/latest/bolt for installation, configuration, and administration instead of PAM. To install Security Compliance Management, you need a Forge API token to download the complyadm module.

Before installing, please make sure the system you plan to install Bolt on has internet access as well as SSH access to the system on which your Security Compliance Management 2.x installation is hosted and the system on which you intend to install Security Compliance Management 3.x. In addition, because Bolt is installed on one or more systems and used to manage one centralized Security Compliance Management installation, it may be a good idea to maintain the Bolt project in its own VCS repo.

Before migrating to Security Compliance Management 3.x, please make sure you have upgraded to the latest version of 2.x and that you are on the latest version of assessor.
  1. Install Bolt version 3.27.2 or later on a jumphost. This can be the intended Security Compliance Management 3.x host, or any other system.
  2. Create the Security Compliance Management Bolt project and switch to that directory.
    mkdir comply-bolt-project 
cd comply-bolt-project
bolt project init comply_bolt_project
  3. Edit the bolt-project.yaml file to specify the module to install and your Forge API token. Change the modules and module-install sections to:
    --- 
name: comply_bolt_project
modules:
- name: puppetlabs/complyadm
  version_requirement: 3.y.z

module-install:
  forge:
     authorization_token: 'Bearer <your API token>'
     baseurl: https://forgeapi.puppet.com
  4. Install the complyadm module using the command: bolt module install.
  5. Create an inventory.yaml file with two targets: One for the host on which Security Compliance Management 3.x is to be installed and one for the host running the most recent version of Security Compliance Management 2.x. If you intend to automatically generate an mTLS certificate in a later step, you also need to include the Puppet Enterprise host as this enables the generation of TLS Certificates required for secure interaction (mTLS) between Security Compliance Management and Puppet Enterprise. Otherwise, if you intend to manually provide the mTLS certificate, you do not need to provide the Puppet Enterprise host. For example:
    --- 
targets: 
  - name: security-compliance-management 
    uri: <security-compliance-management-fqdn>   
    config:
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key> 
        run-as: root 
        host-key-check: false 
        native-ssh: true
        ssh-command: <Path to SSH command>
  - name: comply-host 
    uri: <comply-fqdn> 
    config: 
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key> 
        run-as: root 
        host-key-check: false 
  - name: puppet-enterprise 
    uri: <puppet-enterprise-fqdn> 
    config: 
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key> 
        run-as: root 
        host-key-check: false
        native-ssh: true
        ssh-command: <Path to SSH command>

    If you are installing on a localhost, use the following connection information instead:

    --- 
targets: 
  - name: security-compliance-management 
    uri: localhost 
    config: 
      transport: local 
  - name: puppet-enterprise 
    uri: <puppet-enterprise-fqdn> 
    config: 
      transport: ssh 
      ssh: 
        user: <username> 
        private-key: <path to SSH private key>
        run-as: root
        host-key-check: false
        native-ssh: true
        ssh-command: <Path to SSH command>
  6. Run the migration plan on the target host using: bolt plan run complyadm::migrate.

    This plan only allows you to migrate from a 2.x instance. To do a new install, see Install Security Compliance Management.

  7. Specify the inventory target you would like to install on.
  8. Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
  9. Choose whether to use Docker or Podman for the container runtime and agree to install the runtime on the target host if one is not already installed.
  10. Choose whether to manually configure an mTLS certificate, use the automatically generated certificate, or to configure this at a later time. If you choose the automatically generated configuration, you must have an existing Puppet Enterprise host as a target in your inventory.yaml file.
  11. Choose whether to manually configure a TLS certificate or use the automatically generated self-signed certificate. You can update this certificate at a later time. If you choose to manually configure the TLS certificate, you need a TLS certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log into the application at the resolvable hostname with the same credentials that you used on your 2.x system.