Installing the Identity Service

Install the Identity Service on the controller node, together with python-keystoneclient (which is a dependency), using the command for your distribution's package manager:

    # apt-get install keystone

    # yum install openstack-keystone python-keystoneclient

    # zypper install openstack-keystone python-keystoneclient openstack-utils

Note for Debian users

On a Debian system, the above is all that is needed to install the Identity Service. During the setup, the debconf system will prompt the user for the database access information. It will then automatically create the database, configure access rights, and modify /etc/keystone/keystone.conf to reflect this configuration. Debconf will also be used to configure the AUTH_TOKEN administrator password. The Debian package will then perform the keystone-manage db_sync for you, and create an "admin/admin" tenant and user, which you can later use for setting up the other OpenStack services (later called "auth token" in this documentation). Finally, the package will also ask the user to set up the keystone endpoint. Therefore, if you use Debian, you can skip all the remaining steps below. If you need to reconfigure Keystone, you can use:

    # dpkg-reconfigure -plow keystone

or edit the configuration files and manually restart the daemon. Remember that to use a database server that is installed remotely, you need to run the following before installing the Identity Service:

    # apt-get install dbconfig-common && dpkg-reconfigure -plow dbconfig-common

The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.

    # openstack-config --set /etc/keystone/keystone.conf \
      sql connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone

Edit /etc/keystone/keystone.conf and change the [sql] section.

    ...
    [sql]
    # The SQLAlchemy connection string used to connect to the database
    connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
    ...

Use the openstack-db command to create the database and tables, as well as a database user called keystone to connect to the database. Replace KEYSTONE_DBPASS with the same password used in the previous step.

    # openstack-db --init --service keystone --password KEYSTONE_DBPASS

First, we need to create a database user called keystone, by logging in as root using the password we set earlier.

    # mysql -u root -p
    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';

We now start the keystone service and create its tables.

    # keystone-manage db_sync
    # service keystone restart

You need to define an authorization token that is used as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token, then store it in the configuration file.

    # ADMIN_TOKEN=$(openssl rand -hex 10)
    # echo $ADMIN_TOKEN
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN

    # openssl rand -hex 10

On SUSE Linux Enterprise, use this as the first command instead:

    # ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')

Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the results of the command.

    [DEFAULT]
    # A "shared secret" between keystone and other openstack services
    admin_token = ADMIN_TOKEN
    ...

By default Keystone will use PKI tokens. Create the signing keys and certificates.
    # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    # chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log

    # keystone-manage pki_setup --keystone-user openstack-keystone --keystone-group openstack-keystone
    # chown -R openstack-keystone:openstack-keystone /etc/keystone/* /var/log/keystone/keystone.log

Set up the /etc/keystone/default_catalog.templates file:

    # KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates
    # sed -e "s,%SERVICE_HOST%,192.168.0.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \
      $KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG

Restart the Identity service.

    # service keystone restart

Start the Identity Service and enable it so it starts when the system boots.

    # service openstack-keystone start
    # chkconfig openstack-keystone on
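
An added example, not part of the original guide or of OpenStack: after the steps above, keystone.conf holds both admin_token and the database password, so this shell check reports a file that still contains the ADMIN_TOKEN or KEYSTONE_DBPASS placeholders, a token shorter than the 20 characters that openssl rand -hex 10 produces, or permissions that let other users access the file. The function names ini_get and check_keystone_conf and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the guide: audit the secrets this page puts in keystone.conf.

# ini_get FILE SECTION KEY: print the first value of KEY inside [SECTION].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
        section == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# check_keystone_conf FILE: print one finding per line; exit status = number of findings.
check_keystone_conf() {
    conf=$1; findings=0
    token=$(ini_get "$conf" DEFAULT admin_token)
    conn=$(ini_get "$conf" sql connection)
    other=$(ls -ld "$conf" | cut -c8-10)   # permission bits for "other"
    case $token in
        ''|ADMIN_TOKEN)
            echo "admin_token is unset or still a placeholder"
            findings=$((findings + 1)) ;;
        *)  # openssl rand -hex 10 yields 20 hex characters
            [ "${#token}" -ge 20 ] || {
                echo "admin_token is shorter than 20 characters"
                findings=$((findings + 1)); } ;;
    esac
    case $conn in
        *KEYSTONE_DBPASS*)
            echo "sql connection still contains KEYSTONE_DBPASS"
            findings=$((findings + 1)) ;;
    esac
    [ "$other" = "---" ] || {
        echo "file is accessible to other users ($other)"
        findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample: the config as the guide prints it, placeholders untouched.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
[sql]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
EOF
chmod 644 "$sample"
check_keystone_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```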