Install and configure

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.


Ensure that you have completed the prerequisite installation steps in the Openstack Install Guide before proceeding.


Before you install and configure the Identity service, you must create a database.

  1. Use the database access client to connect to the database server as the root user:

    # mysql
  1. Create the keystone database:

    MariaDB [(none)]> CREATE DATABASE keystone;
  2. Grant proper access to the keystone database:

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \

    Replace KEYSTONE_DBPASS with a suitable password.

  3. Exit the database access client.

Install and configure components


Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates potential default configuration options that you should retain.


This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on port 5000. By default, the keystone service still listens on this port. The package handles all of the Apache configuration for you (including the activation of the mod_wsgi apache2 module and keystone configuration in Apache).

  1. Run the following command to install the packages:

    # apt install keystone
  1. Edit the /etc/keystone/keystone.conf file and complete the following actions:

    • In the [database] section, configure database access:

      # ...
      connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

      Replace KEYSTONE_DBPASS with the password you chose for the database.


      Comment out or remove any other connection options in the [database] section.

    • In the [token] section, configure the Fernet token provider:

      # ...
      provider = fernet
  2. Populate the Identity service database:

    # su -s /bin/sh -c "keystone-manage db_sync" keystone
  3. Initialize Fernet key repositories:

    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
  4. Bootstrap the Identity service:


    Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.

    # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
      --bootstrap-admin-url http://controller:5000/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne

    Replace ADMIN_PASS with a suitable password for an administrative user.

Configure the Apache HTTP server

  1. Edit the /etc/apache2/apache2.conf file and configure the ServerName option to reference the controller node:

    ServerName controller


A secure deployment should have the web server configured to use SSL or running behind an SSL terminator.

Finalize the installation

  1. Restart the Apache service:

    # service apache2 restart
  1. Configure the administrative account

    $ export OS_USERNAME=admin
    $ export OS_PROJECT_NAME=admin
    $ export OS_USER_DOMAIN_NAME=Default
    $ export OS_PROJECT_DOMAIN_NAME=Default
    $ export OS_AUTH_URL=http://controller:5000/v3

    Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure-ubuntu.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.