3.5. Configure the Identity Service
3.5.1. Set the Identity Service Administration Token
Before the Identity service is started for the first time you must define an administrative token and keep it in an environment variable for the remaining setup steps. This value is used to authenticate to the Identity service before any user or service accounts have been defined in it. It grants full administrative access, so treat it as a secret.
All steps listed in this procedure must be performed while logged in as the root user on the server that will host the Identity service.
Procedure 3.2. Setting the Identity Service administrative token
- Use OpenSSL to generate an initial service token and save it in the SERVICE_TOKEN environment variable.
  # export SERVICE_TOKEN=$(openssl rand -hex 10)
- Store the value of the administration token in a file for future use. The file holds a credential equivalent to full administrative access to the Identity service, so make sure it is readable only by root.
  # echo $SERVICE_TOKEN > ~/ks_admin_token
- Use the openstack-config tool to set the value of the admin_token configuration key to that of the newly created token.
  # openstack-config --set /etc/keystone/keystone.conf \
      DEFAULT admin_token $SERVICE_TOKEN
The administration token for the Identity service has been created. This value will be used in subsequent Identity configuration procedures. Do not leave the bootstrap token in place indefinitely: once regular administrative credentials exist, disable it by removing the admin_token_auth filter from the pipelines in /etc/keystone/keystone-paste.ini. Deleting the admin_token key alone is not enough, because the key's built-in default is the well-known value ADMIN.
Note
The Identity service's token database table grows without bound over time as new tokens are issued. To clear it, the administrator must run the keystone-manage token_flush command. Flushing deletes only tokens that have already expired, but once they are deleted they can no longer be traced, so retain any records needed for auditing before flushing. It is recommended that this command be run approximately once per minute, for example from cron.
# keystone-manage token_flush
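The bootstrap token is the one credential on this host that bypasses the Identity service's own authentication, so it is worth checking that what landed in keystone.conf and in the saved file is actually a usable secret. The script below is an added example, not part of the Red Hat guide or of keystone; it reads admin_token with a section-aware INI lookup (a plain grep would also match keys in other sections), rejects the shipped placeholder ADMIN and anything shorter than the 20 hex characters that `openssl rand -hex 10` produces, and checks that the token file is readable by its owner only. The keystone.conf and token file it writes are constructed for the demo, and the token value in them is a made-up hex string.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: sanity checks for the bootstrap
# admin token. The keystone.conf and token file written by make_demo are
# constructed for the demo; the token value in them is a made-up hex string.

# Print the value of KEY in [SECTION] of an INI file. Section-aware, unlike a
# plain grep, so a key that also appears in another section is not picked up.
ini_get() {            # ini_get FILE SECTION KEY
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == want); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 if admin_token in FILE is usable as a bootstrap secret: present,
# not keystone's shipped placeholder ADMIN, and at least the 20 hex characters
# that `openssl rand -hex 10` produces.
admin_token_ok() {     # admin_token_ok FILE
    tok=$(ini_get "$1" DEFAULT admin_token)
    [ -n "$tok" ] || return 1
    [ "$tok" != ADMIN ] || return 1
    [ "${#tok}" -ge 20 ] || return 1
    case $tok in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# Return 0 if FILE grants no permissions to group or others (mode 0600 or
# stricter), which is what the saved token file needs.
owner_only() {         # owner_only FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# Write a constructed keystone.conf and token file into DIR for the demo.
make_demo() {          # make_demo DIR
    tok=4f1d2c3b4a5968778695a4b3   # constructed sample, not a real token
    printf '[DEFAULT]\nadmin_token = %s\n[sql]\nconnection = mysql://keystone:secret@localhost/keystone\n' \
        "$tok" > "$1/keystone.conf"
    (umask 077; printf '%s\n' "$tok" > "$1/ks_admin_token")   # as in the guide, but mode 0600
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
admin_token_ok "$demo_dir/keystone.conf" && echo 'admin_token: ok'
owner_only "$demo_dir/ks_admin_token" && echo 'ks_admin_token: owner-only'
rm -rf "$demo_dir"
```

Point admin_token_ok at the real /etc/keystone/keystone.conf and owner_only at ~/ks_admin_token after running Procedure 3.2; a failing owner_only check is fixed with chmod 600 on the token file.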
3.5.2. Configure the Identity Service Database Connection
The database connection string used by the Identity service is defined in the /etc/keystone/keystone.conf file. It must be updated to point to a valid database server before starting the service.
All commands in this procedure must be run while logged in as the root user on the server hosting the Identity service.
Procedure 3.3. Configuring the Identity Service SQL database connection
- Use the openstack-config command to set the value of the connection configuration key.
  # openstack-config --set /etc/keystone/keystone.conf \
      sql connection mysql://USER:PASS@IP/DB
  Replace:
  - USER with the database user name the Identity service is to use, usually keystone.
  - PASS with the password of the chosen database user. Any character in the password that has a meaning in a URL (such as @, / or :) must be percent-encoded, because the whole value is parsed as a URL.
  - IP with the IP address or host name of the database server.
  - DB with the name of the database that has been created for use by the Identity service, usually keystone.
Important
The IP address or host name specified in the connection configuration key must match the IP address or host name to which the keystone database user was granted access when creating the keystone database. In particular, if the database is hosted locally and you granted permissions to 'localhost' when creating the keystone database, you must enter 'localhost': MySQL treats 'localhost' (a connection over the UNIX socket) and '127.0.0.1' (a TCP connection) as different hosts when it evaluates grants.
The database connection string has been set and will be used by the Identity service. Since keystone.conf now contains the database password in clear text, confirm that the file is readable only by root and the keystone user.
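Two things go wrong in practice with this step: a password containing a URL-significant character is pasted in raw, so the URL parser splits it in the wrong place, and the host in the URL does not match the host used in the database GRANT. The script below is an added example, not part of the Red Hat guide or of keystone; it percent-encodes the user and password before assembling the mysql:// URL and extracts the host from a finished URL so it can be compared with the grant host. All user, password, host and database values in it are constructed for the demo, and the encoder handles ASCII passwords only.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: build the Identity service
# database connection string safely. Keystone hands this value to SQLAlchemy
# as a URL, so @ / : and similar characters in the password must be
# percent-encoded. All credential values below are constructed for the demo.

# Percent-encode every character that is not unreserved under RFC 3986.
# ASCII input only: "'$c" yields the code point of a single character.
url_encode() {         # url_encode STRING
    s=$1 out='' i=1
    while [ "$i" -le "${#s}" ]; do
        c=$(printf '%s' "$s" | cut -c "$i")
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Assemble mysql://USER:PASS@HOST/DB with user and password encoded; the
# result is what goes into `openstack-config --set ... sql connection`.
keystone_db_url() {    # keystone_db_url USER PASS HOST DB
    printf 'mysql://%s:%s@%s/%s' "$(url_encode "$1")" "$(url_encode "$2")" "$3" "$4"
}

# Extract the host part of a connection URL. Because the password is encoded,
# the first @ in the string is the one that separates credentials from host.
db_url_host() {        # db_url_host URL
    printf '%s' "$1" | sed 's#^[^@]*@\([^/]*\)/.*$#\1#'
}

# Return 0 if the host in URL is exactly the host the keystone database user
# was granted access from (the check behind the Important note above).
grant_host_matches() { # grant_host_matches URL GRANT_HOST
    [ "$(db_url_host "$1")" = "$2" ]
}

# Demo with a constructed password that would break an unencoded URL.
url=$(keystone_db_url keystone 'p@ss/w:rd' localhost keystone)
echo "$url"
grant_host_matches "$url" localhost && echo 'host matches grant for localhost'
grant_host_matches "$url" 127.0.0.1 || echo 'host does not match a grant for 127.0.0.1'
```

The last two lines show the failure mode from the Important note: a URL that names localhost will not authenticate against a grant that was made to 127.0.0.1, and vice versa, even though both refer to the local machine.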
3.5.3. Configure the Public Key Infrastructure
3.5.3.1. Public Key Infrastructure Overview
The Identity service generates tokens, which are cryptographically signed documents that users and other services use for authentication. The tokens are signed using a private key, while the corresponding public key is made available in an X.509 certificate, so that services can verify a token's signature without contacting the Identity service.
The certificates and relevant configuration keys are automatically generated by the keystone-manage pki_setup command. It is also possible to manually create and sign the required certificates using a third-party certificate authority. If third-party certificates are used, the Identity service configuration must be manually updated to point to the certificates and supporting files.
The configuration keys relevant to PKI setup appear in the [signing] section of the /etc/keystone/keystone.conf configuration file. These keys are:
- ca_certs
  Specifies the location of the certificate for the authority that issued the certificate denoted by the certfile configuration key. The default value is /etc/keystone/ssl/certs/ca.pem.
- ca_key
  Specifies the private key of the certificate authority that issued the certificate denoted by the certfile configuration key. The default value is /etc/keystone/ssl/private/cakey.pem (a private key; it does not belong in the certs directory). This key can issue new signing certificates, so it must stay readable only by the keystone user.
- ca_password
  Specifies the password, if applicable, required to open the certificate authority key file. The default action if no value is specified is not to use a password.
- certfile
  Specifies the location of the certificate that must be used to verify tokens. The default value of /etc/keystone/ssl/certs/signing_cert.pem is used if no value is specified.
- keyfile
  Specifies the location of the private key that must be used when signing tokens. The default value of /etc/keystone/ssl/private/signing_key.pem is used if no value is specified.
- token_format
  Specifies the format of generated tokens. Possible values are UUID and PKI. The default value is PKI.
3.5.3.2. Create the Public Key Infrastructure Files
This section explains how to create and configure the PKI files to be used by the Identity service. All steps listed in this procedure must be performed while logged into the system hosting the Identity service as the root user.
Procedure 3.4. Creating the PKI files to be used by the Identity service
- Run the keystone-manage pki_setup command.
  # keystone-manage pki_setup \
      --keystone-user keystone \
      --keystone-group keystone
- Ensure that the keystone user owns the /var/log/keystone/ and /etc/keystone/ssl/ directories.
  # chown -R keystone:keystone /var/log/keystone \
      /etc/keystone/ssl/
The Identity service PKI files have been created and will be used when generating and signing tokens. The private keys under /etc/keystone/ssl/private/ must not be readable by any user other than keystone: anyone who can read signing_key.pem can forge tokens that every service in the environment will accept.
3.5.3.3. Configure the Identity Service to Use Public Key Infrastructure Files
After generating the PKI files for use by the Identity service, you will need to enable the Identity service to use them.
Set the values of the attributes in the /etc/keystone/keystone.conf file by using the following commands:
# openstack-config --set /etc/keystone/keystone.conf \
    signing token_format PKI
# openstack-config --set /etc/keystone/keystone.conf \
    signing certfile /etc/keystone/ssl/certs/signing_cert.pem
# openstack-config --set /etc/keystone/keystone.conf \
    signing keyfile /etc/keystone/ssl/private/signing_key.pem
# openstack-config --set /etc/keystone/keystone.conf \
    signing ca_certs /etc/keystone/ssl/certs/ca.pem
# openstack-config --set /etc/keystone/keystone.conf \
    signing key_size 1024
# openstack-config --set /etc/keystone/keystone.conf \
    signing valid_days 3650
# openstack-config --set /etc/keystone/keystone.conf \
    signing ca_password None
Note that key_size and valid_days are read by keystone-manage pki_setup when it generates the files; setting them after pki_setup has already run does not change the certificates and keys that already exist. A 1024-bit RSA key is below the 2048-bit minimum now generally recommended, so set key_size to at least 2048 before running pki_setup if you are generating new files.
You can also set these values directly by editing /etc/keystone/keystone.conf in a text editor. Do not edit /usr/share/keystone/keystone-dist.conf: it holds the package's defaults and is replaced when the package is updated.
3.5.4. Configure the Firewall to Allow Identity Service Traffic
As the Identity service is used by all of the components in the OpenStack environment for authentication, it must be accessible to them.
To allow this, the firewall on the system hosting the Identity service must be altered to allow network traffic on the required ports: 5000 (the public API) and 35357 (the admin API). All steps in this procedure must be run while logged in to the server hosting the Identity service as the root user.
Procedure 3.5. Configuring the firewall to allow Identity Service traffic (for Red Hat Enterprise Linux 6-based systems)
- Open the /etc/sysconfig/iptables file in a text editor.
- Add an INPUT rule allowing TCP traffic on ports 5000 and 35357 to the file. The new rule must appear before any INPUT rules that REJECT traffic, because iptables stops at the first rule that matches a packet.
  -A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
- Save the changes to the /etc/sysconfig/iptables file.
- Restart the iptables service to ensure that the change takes effect.
  # service iptables restart
Procedure 3.6. Configuring the firewall to allow Identity Service traffic (for Red Hat Enterprise Linux 7-based systems)
- Add rules allowing TCP traffic on ports 5000 and 35357:
  # firewall-cmd --permanent --add-port=5000/tcp
  # firewall-cmd --permanent --add-port=35357/tcp
- For the change to take immediate effect, add the rules to the runtime configuration as well:
  # firewall-cmd --add-port=5000/tcp
  # firewall-cmd --add-port=35357/tcp
The firewall is now configured to allow incoming connections to the Identity service on ports 5000 and 35357. The admin API on port 35357 exposes administrative operations; where the Identity host has a separate management network, restrict that port to it rather than opening it to every source.
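The ordering requirement in Procedure 3.5 is easy to get wrong when the rule is appended at the bottom of an existing file, and nothing complains: the service simply becomes unreachable. The script below is an added example, not part of the Red Hat guide; it checks an /etc/sysconfig/iptables-style file for an INPUT ACCEPT rule on 5000,35357 that precedes every INPUT REJECT or DROP, and prints a tighter rule that admits the admin port only from a management network. The two rules files it writes are constructed for the demo, and 192.0.2.0/24 is an assumed management CIDR.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: check rule ordering in an
# /etc/sysconfig/iptables-style file and print a restricted admin-port rule.
# The rules files written by write_demo_rules are constructed for the demo.

# Return 0 if FILE has an INPUT ACCEPT for tcp 5000,35357 that precedes every
# INPUT rule jumping to REJECT or DROP; iptables stops at the first match, so
# an ACCEPT placed after a catch-all REJECT is never reached.
keystone_rules_ok() {  # keystone_rules_ok FILE
    awk '
        /^-A INPUT / && /-j (REJECT|DROP)/ && !seen { early_reject = 1 }
        /^-A INPUT / && /-p tcp/ && /--dports 5000,35357/ && /-j ACCEPT/ { seen = 1 }
        END { if (seen && !early_reject) exit 0; exit 1 }
    ' "$1"
}

# Print an INPUT rule that limits the admin API (35357) to CIDR; the public
# API on 5000 stays reachable from everywhere it needs to be.
keystone_admin_rule() { # keystone_admin_rule CIDR
    printf '%s\n' "-A INPUT -s $1 -p tcp -m tcp --dport 35357 -j ACCEPT"
}

# Write a correctly ordered file (good) and one with the ACCEPT appended after
# the distribution's catch-all REJECT (bad) into DIR.
write_demo_rules() {   # write_demo_rules DIR
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT' > "$1/good"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT' \
        'COMMIT' > "$1/bad"
}

demo_dir=$(mktemp -d)
write_demo_rules "$demo_dir"
for f in good bad; do
    if keystone_rules_ok "$demo_dir/$f"; then echo "$f: ACCEPT reachable"; else echo "$f: ACCEPT shadowed by REJECT"; fi
done
keystone_admin_rule 192.0.2.0/24   # assumed management network
rm -rf "$demo_dir"
```

Run keystone_rules_ok against the real /etc/sysconfig/iptables after editing it; if it fails, move the ACCEPT line above the REJECT rather than adding another copy. The rule printed by keystone_admin_rule replaces 35357 in the multiport rule when the admin API should only be reachable from the management network.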
3.5.5. Populate the Identity Service Database
You can populate the Identity service database after you have successfully configured the Identity service database connection string (refer to Section 3.5.2, “Configure the Identity Service Database Connection”).
Procedure 3.7. Populating the Identity Service database
- Log in to the system hosting the Identity service.
- Use the su command to switch to the keystone user and run the keystone-manage db_sync command to initialize and populate the database identified in /etc/keystone/keystone.conf.
  # su keystone -s /bin/sh -c "keystone-manage db_sync"
The Identity service database has been initialized and populated.