Installing the Identity Service
Install the Identity Service on the controller node. The package names
depend on the distribution; run the command for yours (the openstack-config
and openstack-db helpers used further down come from the openstack-utils
package on both RHEL and openSUSE):
Ubuntu/Debian:
# apt-get install keystone python-keystone python-keystoneclient
RHEL/CentOS/Fedora:
# yum install openstack-keystone python-keystoneclient
openSUSE:
# zypper install openstack-keystone python-keystoneclient openstack-utils
The Identity Service uses a database to store information.
Specify the location of the database in the configuration file.
In this guide, we use a MySQL database on the controller node
with the username keystone. Replace KEYSTONE_DBPASS
with a suitable password for the database user. The password is
stored in clear text in /etc/keystone/keystone.conf, so keep that
file owned by root:keystone with mode 0640; do not loosen its
permissions while editing it.
On RHEL and openSUSE, set the value with openstack-config, which
edits only the named section ([sql]) of the file:
# openstack-config --set /etc/keystone/keystone.conf \
sql connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
On Ubuntu, edit /etc/keystone/keystone.conf and change the
connection option in the [sql] section:
...
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
On RHEL and openSUSE, use the openstack-db command to create the
database and tables, as well as a database user called
keystone to connect to the database. Replace KEYSTONE_DBPASS
with the same password used in the previous step. The command
creates the database and the keystone user with that password and
then runs keystone-manage db_sync to populate the tables.
# openstack-db --init --service keystone --password KEYSTONE_DBPASS
On Ubuntu, do the same by hand. First, create the database and a
database user called keystone, by logging in to MySQL as root
using the password we set earlier.
# mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MySQL matches a grant against the host it sees the connection
coming from. The connection string above names the host controller;
if that name resolves to the node's network address rather than the
loopback interface, the connection does not match 'localhost', and you
must also grant the same privileges to 'keystone'@'controller' (or to
the IP address). Grant only on keystone.*, never on *.*, so that a
leaked Identity Service database credential does not expose the
other services' databases.
Now create the tables and restart the keystone service.
# keystone-manage db_sync
# service keystone restart
You need to define an authorization token that is used as a
shared secret between the Identity Service and other OpenStack services.
This token bypasses normal user authentication and grants full
administrative access to the Identity Service, so treat it like a
root password: keep it secret, and once you have created real
administrative users, comment out admin_token in keystone.conf and
restart the service so the bootstrap token can no longer be used.
Use openssl to generate a random token (10 random bytes, printed as
20 hex characters), then store it in the configuration file.
On RHEL and openSUSE:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
On Ubuntu:
# openssl rand -hex 10
Edit /etc/keystone/keystone.conf and change the [DEFAULT] section,
replacing ADMIN_TOKEN with the output of the command.
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
By default Keystone will use PKI tokens. Create the signing
keys and certificates. pki_setup generates a self-signed CA plus a
signing certificate and private key under /etc/keystone/ssl; the
private key must stay readable only by the service account, which is
why the files are then handed to that account with chown. Pass the
account your distribution's package runs keystone as.
Ubuntu and RHEL (service user keystone):
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
openSUSE (service user openstack-keystone):
# keystone-manage pki_setup --keystone-user openstack-keystone --keystone-group openstack-keystone
# chown -R openstack-keystone:openstack-keystone /etc/keystone/* /var/log/keystone/keystone.log
On openSUSE, also set up the /etc/keystone/default_catalog.templates
file from the sample shipped with the package. 192.168.0.10 is the
controller node's management address used in this guide; substitute
your own.
# KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates
# sed -e "s,%SERVICE_HOST%,192.168.0.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG
Restart the Identity Service so that it picks up the new configuration.
Ubuntu:
# service keystone restart
On RHEL and openSUSE, start the Identity Service and enable it so it
starts when the system boots.
RHEL:
# service openstack-keystone start
# chkconfig openstack-keystone on
openSUSE:
# systemctl start openstack-keystone.service
# systemctl enable openstack-keystone.service
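The steps above put two secrets into keystone.conf (the database password and the admin token), and on Ubuntu they are written by hand. A plain sed over the file is risky because the same option name can occur in more than one section. The script below is an added example, not part of the OpenStack guide or of the keystone packages: a section-aware setter in the spirit of openstack-config, plus a check that the placeholders were actually replaced and that the file is not world-readable. The function names (ini_set, ini_get, check_keystone_conf, make_sample_conf) and the sample configuration it builds in a temporary file are my own; run it against /etc/keystone/keystone.conf instead of the sample on a real node.

```shell
#!/bin/sh
# Added example (not from the OpenStack guide). Assumes an ini-style
# keystone.conf with [DEFAULT] and [sql] sections as shown in the guide.

# ini_set FILE SECTION KEY VALUE
# Sets KEY = VALUE inside [SECTION] only; other sections are untouched.
# Appends the key to the section if it is missing, or the whole section
# if that is missing. Writes through `cat >` so the file keeps its owner
# and mode (a `mv` of a temp file would replace them).
# Note: awk -v interprets backslash escapes in VALUE.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { insec = 0; done = 0 }
        /^\[.*\]$/ {
            # leaving the target section without having seen the key: add it
            if (insec && !done) { print k " = " v; done = 1 }
            insec = ($0 == "[" s "]")
        }
        insec && !done && $0 ~ ("^" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" s "]"
                print k " = " v
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], if any.
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" s "]"); next }
        insec && $0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }
    ' "$1"
}

# check_keystone_conf FILE: return 0 when the bootstrap secrets look sane,
# 1 otherwise, printing each problem on stderr.
check_keystone_conf() {
    file=$1 rc=0
    tok=$(ini_get "$file" DEFAULT admin_token)
    case $tok in
        ""|ADMIN_TOKEN) echo "admin_token is unset or still the placeholder" >&2; rc=1 ;;
    esac
    # openssl rand -hex 10 yields 20 hex characters; shorter is suspicious
    if [ -n "$tok" ] && [ "${#tok}" -lt 20 ]; then
        echo "admin_token carries fewer than 10 random bytes" >&2; rc=1
    fi
    conn=$(ini_get "$file" sql connection)
    case $conn in
        ""|*KEYSTONE_DBPASS*) echo "[sql] connection still has the placeholder password" >&2; rc=1 ;;
    esac
    # the file now holds two secrets: it must not be world-readable
    # (column 8 of `ls -l` is the other-read bit)
    case $(ls -l "$file" | cut -c8) in
        r) echo "$file is world-readable" >&2; rc=1 ;;
    esac
    return $rc
}

# make_sample_conf: write a constructed keystone.conf fragment (the same
# placeholders the guide uses) to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN

[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

[signing]
token_format = PKI
EOF
    chmod 640 "$f"
    printf '%s\n' "$f"
}
```

On a real node the calls are `ini_set /etc/keystone/keystone.conf DEFAULT admin_token "$(openssl rand -hex 10)"`, the same for `sql connection`, and then `check_keystone_conf /etc/keystone/keystone.conf` before restarting the service; a non-zero exit means a placeholder survived or the file leaks its secrets to every local account.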