Installing the Identity Service
Install the Identity Service on the controller node, together
with python-keystoneclient (which is a dependency). Use the command for your distribution.
Ubuntu and Debian:
# apt-get install keystone
Red Hat Enterprise Linux, CentOS and Fedora:
# yum install openstack-keystone python-keystoneclient
openSUSE and SUSE Linux Enterprise:
# zypper install openstack-keystone python-keystoneclient openstack-utils
On Debian, answer the debconf and dbconfig-common prompts to set up the database.
The Identity Service uses a database to store information.
Specify the location of the database in the configuration file.
In this guide, we use a MySQL database on the controller node
with the username keystone. Replace KEYSTONE_DBPASS with a suitable
password for the database user.
Where the openstack-config tool (part of openstack-utils) is available, set the connection string with it:
# openstack-config --set /etc/keystone/keystone.conf \
sql connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Otherwise, edit /etc/keystone/keystone.conf and change the [sql] section:
...
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
Where the openstack-db helper (also part of openstack-utils) is available, use it to create the
database and tables, as well as a database user called
keystone to connect to the database. Replace KEYSTONE_DBPASS
with the same password used in the previous step.
# openstack-db --init --service keystone --password KEYSTONE_DBPASS
Alternatively, create the database and the keystone user manually. Log in to MySQL
as root, using the root password set earlier.
# mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Now create the tables and restart the keystone service.
# keystone-manage db_sync
# service keystone restart
You need to define an authorization token that is used as a
shared secret between the Identity Service and other OpenStack services.
On Debian, fill in the debconf prompt with the value that will be put in the
admin_token directive of keystone.conf. It is
recommended to generate this value with openssl rand -hex 10.
Later on, you can verify that /etc/keystone/keystone.conf
contains the value you set through debconf:
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
Answer the debconf prompts to create an admin tenant.
If this is the first time you have installed Keystone, register Keystone
in the Keystone catalogue of services.
On distributions without debconf, you define the token yourself.
Use openssl to generate a random token, then store it
in the configuration file with openstack-config:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT \
admin_token $ADMIN_TOKEN
On SUSE Linux Enterprise, use this as the first command instead:
# ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')
Where openstack-config is not available, generate the token and edit the file by hand:
# openssl rand -hex 10
Edit /etc/keystone/keystone.conf and
change the [DEFAULT] section, replacing ADMIN_TOKEN with the result of the command.
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
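The two secrets written into keystone.conf above, the database connection string and admin_token, are what the later chown step protects. The following added example (not part of the OpenStack guide) is a small POSIX shell script that reproduces the guide's two edits with a portable stand-in for openstack-config --set, generates a token of the same shape as openssl rand -hex 10, and then runs the check a practitioner would want after the install: no placeholder left in the file, a well-formed token, and the file not readable by other users. The helper names set_conf_option, get_conf_option, generate_admin_token, is_hex_token, check_keystone_conf, demo_conf and harden_conf are assumptions invented for this example; the sample keystone.conf it writes is constructed from the guide's own snippets.

```shell
#!/bin/sh
# Added example, not the OpenStack project's own tooling. Helper names
# below are assumptions for illustration; the config file is constructed.

# Set key = value inside [section] of an INI-style file (stand-in for
# "openstack-config --set"): replaces the key when present, otherwise
# adds it at the end of the section, creating the section if needed.
set_conf_option() {
    file=$1 section=$2 key=$3 value=$4
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[.*\]$/ {
            if (insec && !done) { print k " = " v; done = 1 }
            insec = ($0 == "[" s "]")
        }
        insec && !done && match($0, "^" k "[ \t]*=") {
            print k " = " v; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" s "]"
                print k " = " v
            }
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value of key in [section], or nothing when it is absent.
get_conf_option() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" s "]"); next }
        insec && match($0, "^" k "[ \t]*=") {
            sub("^" k "[ \t]*=[ \t]*", ""); print; exit
        }' "$1"
}

# 20 hex characters (80 bits of randomness), the shape that the guide's
# "openssl rand -hex 10" produces; falls back to /dev/urandom via od.
generate_admin_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 10
    else
        od -An -N10 -tx1 /dev/urandom | tr -d ' \n'; echo
    fi
}

# True when $1 is exactly 20 lowercase hex digits.
is_hex_token() {
    case $1 in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -eq 20 ]
}

# Post-install check: both secrets set (no guide placeholders left), the
# token well formed, and the file unreadable by "other", since it holds
# the database password and the shared secret for every service.
check_keystone_conf() {
    f=$1
    tok=$(get_conf_option "$f" DEFAULT admin_token)
    conn=$(get_conf_option "$f" sql connection)
    [ "$tok" != "ADMIN_TOKEN" ] || return 1
    is_hex_token "$tok" || return 1
    case $conn in ''|*KEYSTONE_DBPASS*) return 1 ;; esac
    [ "$(ls -ld "$f" | cut -c8-10)" = "---" ]
}

# Constructed sample keystone.conf mirroring the guide's snippets, with
# the placeholders still in place and world-readable. Prints its path.
demo_conf() {
    f=${TMPDIR:-/tmp}/keystone.conf.example.$$
    cat > "$f" <<'EOF'
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN

[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Apply the guide's two settings to $1 with a fresh token and the given
# database password, then restrict the file to its owner.
harden_conf() {
    f=$1 dbpass=$2
    set_conf_option "$f" DEFAULT admin_token "$(generate_admin_token)"
    set_conf_option "$f" sql connection \
        "mysql://keystone:$dbpass@controller/keystone"
    chmod 600 "$f"
}

if [ "${1:-}" = "demo" ]; then
    f=$(demo_conf)
    if check_keystone_conf "$f"; then echo "unexpected: placeholders passed"; fi
    harden_conf "$f" 'example-db-pass'
    if check_keystone_conf "$f"; then echo "keystone.conf ok: $f"; fi
fi
```

Run it as sh script.sh demo to see the check fail on the untouched sample and pass after harden_conf. On a real controller, point check_keystone_conf at /etc/keystone/keystone.conf after the chown step below; the mode test is deliberately strict (others must have no access at all), because the file carries credentials that every other OpenStack service trusts.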
By default Keystone uses PKI tokens. Create the signing
keys and certificates, and make the service user the owner of the
configuration directory and log file, so that the signing key that
pki_setup creates belongs to the service user rather than root.
Where the service user is keystone:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
Where the service user is openstack-keystone (SUSE):
# keystone-manage pki_setup --keystone-user openstack-keystone \
--keystone-group openstack-keystone
# chown -R openstack-keystone:openstack-keystone /etc/keystone/* \
/var/log/keystone/keystone.log
If your packages ship a /etc/keystone/default_catalog.templates.sample file, create the catalog from it, substituting the controller's IP address for %SERVICE_HOST%:
# KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates
# sed -e "s,%SERVICE_HOST%,192.168.0.10,g" \
-e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG
Where the service is named keystone, restart the Identity Service.
# service keystone restart
Where it is named openstack-keystone, start the Identity Service and enable it so that it starts when
the system boots.
# service openstack-keystone start
# chkconfig openstack-keystone on