Install the Identity Service

Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency).

On Ubuntu and Debian:

    # apt-get install keystone

On Red Hat Enterprise Linux, CentOS, and Fedora:

    # yum install openstack-keystone python-keystoneclient

On openSUSE and SUSE Linux Enterprise:

    # zypper install openstack-keystone python-keystoneclient openstack-utils

On Debian, answer the debconf and dbconfig-common questions to set up the database.

The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.

On Red Hat-based systems and SUSE, set the connection string with openstack-config:

    # openstack-config --set /etc/keystone/keystone.conf \
      database connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone

On Ubuntu, edit /etc/keystone/keystone.conf and change the [database] section:

    ...
    [database]
    # The SQLAlchemy connection string used to connect to the database
    connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
    ...

By default, the Ubuntu packages create a SQLite database. Delete the keystone.db file created in the /var/lib/keystone/ directory so that it does not get used by mistake:

    # rm /var/lib/keystone/keystone.db

Use the password that you set previously to log in to MySQL as root, then create the keystone database and database user:

    $ mysql -u root -p
    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> exit

Create the database tables for the Identity Service:

    # su -s /bin/sh -c "keystone-manage db_sync" keystone

Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services.

On Debian, respond to the debconf prompt with the value for the admin_token directive in the keystone.conf file. Use the openssl rand -hex 10 command to generate this password. Later, you can verify that the /etc/keystone/keystone.conf file contains the password you set through debconf:

    [DEFAULT]
    # A "shared secret" between keystone and other openstack services
    admin_token = ADMIN_TOKEN
    ...

If you omit a password (for example, by pressing Enter at the debconf prompt or by installing Keystone in debconf non-interactive mode), the package generates a random ADMIN_TOKEN value. Respond to the remaining prompts to create an administrative tenant. If this is the first time you have installed the Identity Service, register the Identity Service in the service catalog.

On Red Hat-based systems, use openssl to generate a random token and store it in the configuration file:

    # ADMIN_TOKEN=$(openssl rand -hex 10)
    # echo $ADMIN_TOKEN
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT \
      admin_token $ADMIN_TOKEN

On SUSE Linux Enterprise, use this as the first command instead:

    # ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')

On Ubuntu, generate the token:

    # openssl rand -hex 10

Then edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the output of the command:

    [DEFAULT]
    # A "shared secret" between keystone and other openstack services
    admin_token = ADMIN_TOKEN
    ...

By default, Keystone uses PKI tokens. Create the signing keys and certificates and restrict access to the generated data:

    # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    # chown -R keystone:keystone /etc/keystone/ssl
    # chmod -R o-rwx /etc/keystone/ssl

Configure the log directory. Edit the /etc/keystone/keystone.conf file and update the [DEFAULT] section:

    [DEFAULT]
    ...
    log_dir = /var/log/keystone

On Ubuntu and Debian, restart the Identity Service:

    # service keystone restart

On Red Hat-based systems and SUSE, start the Identity Service and enable it to start when the system boots:

    # service openstack-keystone start
    # chkconfig openstack-keystone on

By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens considerably increases database size and may degrade service performance, particularly in test environments with limited resources. We recommend configuring a periodic cron task to purge expired tokens hourly.

Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log. The three variants differ only in the location of the keystone user's crontab file.

On Ubuntu and Debian:

    # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
      echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/keystone

On Red Hat Enterprise Linux, CentOS, and Fedora:

    # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
      echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone

On openSUSE and SUSE Linux Enterprise:

    # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
      echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/tabs/keystone
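The settings edited in this section are the ones most often left half-finished after a bootstrap: the admin_token placeholder, the KEYSTONE_DBPASS placeholder or a leftover SQLite connection, a missing log_dir, and an /etc/keystone/ssl directory that was never restricted with chmod -R o-rwx. The following audit script is an added example, not part of the OpenStack guide or of Keystone; the sample configuration and the 20-character minimum token length (the size of openssl rand -hex 10 output) are assumptions.

```python
"""Audit keystone.conf settings from this section (added example, not Keystone code)."""
import configparser
import stat

PLACEHOLDERS = ("ADMIN_TOKEN", "KEYSTONE_DBPASS")  # guide values left unreplaced
MIN_TOKEN_LEN = 20  # assumption: openssl rand -hex 10 prints 20 hex characters


def audit_keystone_conf(text):
    """Return a list of findings for the given keystone.conf contents."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    token = cp.get("DEFAULT", "admin_token", fallback=None)
    if token is None:
        findings.append("admin_token is not set")
    elif token in PLACEHOLDERS:
        findings.append("admin_token is still the ADMIN_TOKEN placeholder")
    elif len(token) < MIN_TOKEN_LEN:
        findings.append("admin_token is shorter than openssl rand -hex 10 output")

    conn = cp.get("database", "connection", fallback=None)
    if conn is None:
        findings.append("[database] connection is not set; the SQLite default applies")
    elif conn.startswith("sqlite"):
        findings.append("[database] connection uses SQLite instead of the MySQL server")
    elif any(p in conn for p in PLACEHOLDERS):
        findings.append("[database] connection still contains KEYSTONE_DBPASS")

    if not cp.get("DEFAULT", "log_dir", fallback=None):
        findings.append("log_dir is not set")
    return findings


def ssl_dir_world_accessible(mode):
    """True if any 'other' bit survives on /etc/keystone/ssl (chmod -R o-rwx missed)."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


# Constructed sample: the guide's placeholders left unreplaced.
UNEDITED_CONF = """[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
[database]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
"""

if __name__ == "__main__":
    for finding in audit_keystone_conf(UNEDITED_CONF):
        print("FINDING:", finding)
```

To check a live host, read /etc/keystone/keystone.conf into audit_keystone_conf and pass os.stat("/etc/keystone/ssl").st_mode to ssl_dir_world_accessible.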