2.2. Enrolling nodes in Red Hat Identity Manager (IdM) with novajoin

Novajoin is the default tool that you use to enroll your nodes with Red Hat Identity Manager (IdM) as part of the deployment process. As a result, you can integrate IdM features with your Red Hat OpenStack Platform deployment, including identities, Kerberos credentials, and access controls. You must perform the enrollment process before you proceed with the rest of the IdM integration.

The enrollment process includes the following steps:

  1. Adding the undercloud node to the certificate authority (CA)
  2. Adding the undercloud node to IdM
  3. Optional: Setting the IdM server as the DNS server for the overcloud
  4. Preparing the environment files and deploying the overcloud
  5. Testing the overcloud enrollment in IdM and in RHOSP
  6. Optional: Adding DNS entries for novajoin in IdM

IdM enrollment with novajoin is currently only available for the undercloud and overcloud nodes. Novajoin integration for overcloud instances is expected to be supported in a later release.

2.2.1. Adding the undercloud node to the certificate authority

Before you deploy the overcloud, add the undercloud to the certificate authority (CA) by installing the python3-novajoin package on the undercloud node and running the novajoin-ipa-setup script.


  1. On the undercloud node, install the python3-novajoin package:

    $ sudo dnf install python3-novajoin

  2. On the undercloud node, run the novajoin-ipa-setup script, and adjust the values to suit your deployment:

    $ sudo /usr/libexec/novajoin-ipa-setup \
        --principal admin \
        --password <IdM admin password> \
        --server <IdM server hostname> \
        --realm <realm> \
        --domain <overcloud cloud domain> \
        --hostname <undercloud hostname> \

    Use the resulting One-Time Password (OTP) to enroll the undercloud.
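
Typed as shown, step 2 can leave the IdM admin password in the shell history. The wrapper below is an added example, not part of the Red Hat procedure: it prompts for the password with echo off, rejects unfilled placeholders and unqualified hostnames before sudo runs, and passes any extra arguments through to the script unchanged. The function names and validation rules are assumptions of this example; the flags are only those shown in step 2.

```sh
#!/bin/sh
# Added example, not Red Hat's code: wrapper for the novajoin-ipa-setup step.
SETUP=/usr/libexec/novajoin-ipa-setup   # path as given in the procedure

# True when $1 is fully qualified: two or more dot-separated labels made of
# letters, digits and inner hyphens. Unfilled <placeholders> fail this test.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Validate server, realm, domain, hostname (in that order) before anything
# runs with privileges. Prints the first problem and returns non-zero.
check_params() {
    is_fqdn "$1" || { echo "server must be an FQDN: $1"; return 1; }
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "realm is empty or malformed: $2"; return 1 ;;
    esac
    is_fqdn "$3" || { echo "domain must be a DNS domain: $3"; return 1; }
    is_fqdn "$4" || { echo "hostname must be an FQDN: $4"; return 1; }
}

# Read a secret into SECRET with terminal echo off, so the password is never
# typed as part of a command and does not reach the shell history file.
read_secret() {
    printf '%s' "$1" >&2
    trap 'stty echo; exit 130' INT     # restore echo if interrupted
    stty -echo; IFS= read -r SECRET; stty echo
    trap - INT
    printf '\n' >&2
}

# Usage: enroll_undercloud SERVER REALM DOMAIN HOSTNAME [extra setup args...]
enroll_undercloud() {
    check_params "$1" "$2" "$3" "$4" >&2 || return 1
    server=$1 realm=$2 domain=$3 host=$4; shift 4
    read_secret 'IdM admin password: '
    # The password is still visible in the process list while this runs.
    sudo "$SETUP" --principal admin --password "$SECRET" --server "$server" \
        --realm "$realm" --domain "$domain" --hostname "$host" "$@"
    status=$?; unset SECRET; return "$status"
}

# Run only when called with arguments; with none, the file just defines functions.
if [ "$#" -ge 4 ]; then enroll_undercloud "$@"; fi
```

The OTP that the script prints is itself a credential for the undercloud host, so treat the terminal scrollback and any captured output accordingly.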