Install the Identity Service
Install the OpenStack Identity Service on the controller node,
together with python-keystoneclient (which is a dependency),
using your distribution's package manager:
# apt-get install keystone
# yum install openstack-keystone python-keystoneclient
# zypper install openstack-keystone python-keystoneclient openstack-utils
Answer the debconf and dbconfig-common prompts to set up the
database.
The Identity Service uses a database to store information.
Specify the location of the database in the configuration file.
In this guide, we use a MySQL database on the controller node
with the username keystone. Replace KEYSTONE_DBPASS with a
suitable password for the database user.
# openstack-config --set /etc/keystone/keystone.conf \
database connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Edit /etc/keystone/keystone.conf and change the [database]
section.
...
[database]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
Use the openstack-db command to create the database and tables,
as well as a database user called keystone to connect to the
database. Replace KEYSTONE_DBPASS with the same password used in
the previous step.
# openstack-db --init --service keystone --password KEYSTONE_DBPASS
By default, the Ubuntu packages create an SQLite database.
Delete the keystone.db file created in
the /var/lib/keystone/ directory so that it
does not get used by mistake.
Use the password that you set previously to log in as
root. Create a keystone database
user:
# mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Create the database tables for the Identity Service:
# keystone-manage db_sync
Define an authorization token to use as a shared secret
between the Identity Service and other OpenStack services.
Respond to the debconf prompt with the value in the admin_token
directive in the keystone.conf file. Use the openssl rand -hex 10
command to generate this password.
Later, you can verify that the /etc/keystone/keystone.conf file
contains the password you have set using debconf:
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
If you omit a password (for example, by pressing Enter at the
debconf prompt, or by installing Keystone in debconf
non-interactive mode), the package generates a random
ADMIN_TOKEN value.
Respond to the prompts to create an administrative
tenant:
If this is the first time you have installed the Identity
Service, register the Identity Service in the service
catalog:
Define an authorization token to use as a shared secret
between the Identity Service and other OpenStack services. Use
openssl to generate a random token and
store it in the configuration file:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT \
admin_token $ADMIN_TOKEN
# openssl rand -hex 10
For SUSE Linux Enterprise, use this as the first command
instead:
# ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')
Edit /etc/keystone/keystone.conf and change the [DEFAULT]
section, replacing ADMIN_TOKEN with the results of the command.
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
By default, Keystone uses PKI tokens. Create the signing
keys and certificates:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
# keystone-manage pki_setup --keystone-user openstack-keystone \
--keystone-group openstack-keystone
# chown -R openstack-keystone:openstack-keystone /etc/keystone/* \
/var/log/keystone/keystone.log
Restart the Identity Service:
# service keystone restart
Start the Identity Service and enable it to start when the
system boots:
# service openstack-keystone start
# chkconfig openstack-keystone on
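As an added example (not part of the original guide or of OpenStack), the following script checks a keystone.conf edited by the steps above for the mistakes the procedure makes easy: an ADMIN_TOKEN or KEYSTONE_DBPASS placeholder left in place, a leftover SQLite connection, or a token shorter than openssl rand -hex 10 produces. The function names and the world-readable check are assumptions of this example, not steps from the guide.

```shell
# Added example: audit a keystone.conf produced by the steps above.
# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (last one wins).
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # section header
            gsub(/^[ \t]*\[|\][ \t]*$/, ""); cur = $0; next
        }
        cur == sect && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_keystone_conf FILE: print one finding per line; return 1 if any.
check_keystone_conf() {
    conf=$1; rc=0
    token=$(ini_get "$conf" DEFAULT admin_token)
    conn=$(ini_get "$conf" database connection)
    if [ -z "$token" ]; then
        echo "admin_token is not set"; rc=1
    elif [ "$token" = ADMIN_TOKEN ]; then
        echo "admin_token is still the ADMIN_TOKEN placeholder"; rc=1
    elif [ "${#token}" -lt 20 ]; then
        # openssl rand -hex 10 prints 20 hex characters
        echo "admin_token is shorter than 20 characters"; rc=1
    fi
    case $conn in
        "") echo "[database] connection is not set"; rc=1 ;;
        *KEYSTONE_DBPASS*) echo "connection still has the KEYSTONE_DBPASS placeholder"; rc=1 ;;
        sqlite:*) echo "connection points at SQLite, not MySQL"; rc=1 ;;
    esac
    # Assumption, not a step from the guide: a file holding both secrets
    # should not be readable by "other".
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "$conf is world-readable"; rc=1
    fi
    return $rc
}

# Constructed sample: the guide's file with both placeholders left in.
sample=$(mktemp)
printf '%s\n' '[DEFAULT]' 'admin_token = ADMIN_TOKEN' '[database]' \
    'connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone' > "$sample"
check_keystone_conf "$sample" || true; rm -f "$sample"
```

On a real controller, call check_keystone_conf /etc/keystone/keystone.conf as root before restarting the service; a non-zero return means at least one finding was printed.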