Install and configure for Red Hat Enterprise Linux and CentOS

This section describes how to install and configure the Key Manager service for Red Hat Enterprise Linux 7 and CentOS 7.

Prerequisites

Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.

1. To create the database, complete these steps:

   • Use the database access client to connect to the database server as the root user:

     # mysql
     

   • Create the barbican database:

     CREATE DATABASE barbican;
     

   • Grant proper access to the barbican database:

     GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
       IDENTIFIED BY 'BARBICAN_DBPASS';
     GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
       IDENTIFIED BY 'BARBICAN_DBPASS';
     

     Replace BARBICAN_DBPASS with a suitable password.

   • Exit the database access client.

     exit;
     

2. Source the admin credentials to gain access to admin-only CLI commands:

   $ source admin-openrc
   

3. To create the service credentials, complete these steps:

   • Create the barbican user:

     $ openstack user create --domain default --password-prompt barbican
     

   • Add the admin role to the barbican user:

     $ openstack role add --project service --user barbican admin
     

   • Create the creator role:

     $ openstack role create creator
     

   • Add the creator role to the barbican user:

     $ openstack role add --project service --user barbican creator
     

   • Create the barbican service entities:

     $ openstack service create --name barbican --description "Key Manager" key-manager
     

4. Create the Key Manager service API endpoints:

   $ openstack endpoint create --region RegionOne \
     key-manager public http://controller:9311
   $ openstack endpoint create --region RegionOne \
     key-manager internal http://controller:9311
   $ openstack endpoint create --region RegionOne \
     key-manager admin http://controller:9311
   

Install and configure components

1. Install the packages:

   # yum install openstack-barbican-api
   

2. Edit the /etc/barbican/barbican.conf file and complete the following actions:

   • In the [DEFAULT] section, configure database access:

     [DEFAULT]
     ...
     sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
     

     Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

   • In the [DEFAULT] section, configure RabbitMQ message queue access:

     [DEFAULT]
     ...
     transport_url = rabbit://openstack:RABBIT_PASS@controller
     

     Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

   • In the [keystone_authtoken] section, configure Identity service access:

     [keystone_authtoken]
     ...
     www_authenticate_uri = http://controller:5000
     auth_url = http://controller:5000
     memcached_servers = controller:11211
     auth_type = password
     project_domain_name = default
     user_domain_name = default
     project_name = service
     username = barbican
     password = BARBICAN_PASS
     

     Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

     Note

     Comment out or remove any other options in the [keystone_authtoken] section.

3. Populate the Key Manager service database:

   If you wish the Key Manager service to automatically populate the database when the service is first started, set db_auto_create to True in the [DEFAULT] section. By default this will not be active and you can populate the database manually as below:

   $ su -s /bin/sh -c "barbican-manage db upgrade" barbican
   

   Note

   Ignore any deprecation messages in this output.

4. Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

   For a list of supported plugins and detailed instructions on how to configure them, see Configure Secret Store Back-end

Finalize installation

1. Create the /etc/httpd/conf.d/wsgi-barbican.conf file with the following content:

   <VirtualHost [::1]:9311>
       ServerName controller
   
       ## Logging
       ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
       LogLevel debug
       ServerSignature Off
       CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined
   
       WSGIApplicationGroup %{GLOBAL}
       WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
       WSGIProcessGroup barbican-api
       WSGIScriptAlias / "/usr/lib/python2.7/site-packages/barbican/api/app.wsgi"
       WSGIPassAuthorization On
   </VirtualHost>
   

2. Start the Apache HTTP service and configure it to start when the system boots:

   # systemctl enable httpd.service
   # systemctl start httpd.service