Install and configure for Red Hat Enterprise Linux and CentOS

This section describes how to install and configure the Key Manager service for Red Hat Enterprise Linux 7 and CentOS 7.

Prerequisites

Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.

  1. To create the database, complete these steps:

    • Use the database access client to connect to the database server as the root user:

      # mysql
      
    • Create the barbican database:

      CREATE DATABASE barbican;
      
    • Grant proper access to the barbican database:

      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
        IDENTIFIED BY 'BARBICAN_DBPASS';
      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
        IDENTIFIED BY 'BARBICAN_DBPASS';
      

      Replace BARBICAN_DBPASS with a suitable password.

    • Exit the database access client.

      exit;
      
  2. Source the admin credentials to gain access to admin-only CLI commands:

    $ source admin-openrc
    
  3. To create the service credentials, complete these steps:

    • Create the barbican user:

      $ openstack user create --domain default --password-prompt barbican
      
    • Add the admin role to the barbican user:

      $ openstack role add --project service --user barbican admin
      
    • Create the creator role:

      $ openstack role create creator
      
    • Add the creator role to the barbican user:

      $ openstack role add --project service --user barbican creator
      
    • Create the barbican service entities:

      $ openstack service create --name barbican --description "Key Manager" key-manager
      
  4. Create the Key Manager service API endpoints:

    $ openstack endpoint create --region RegionOne \
      key-manager public http://controller:9311
    $ openstack endpoint create --region RegionOne \
      key-manager internal http://controller:9311
    $ openstack endpoint create --region RegionOne \
      key-manager admin http://controller:9311
    

Install and configure components

  1. Install the packages:

    # yum install openstack-barbican-api
    
  2. Edit the /etc/barbican/barbican.conf file and complete the following actions:

    • In the [DEFAULT] section, configure database access:

      [DEFAULT]
      ...
      sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
      

      Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

    • In the [DEFAULT] section, configure RabbitMQ message queue access:

      [DEFAULT]
      ...
      transport_url = rabbit://openstack:RABBIT_PASS@controller
      

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

    • In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
      ...
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = barbican
      password = BARBICAN_PASS
      

      Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

      Note

      Comment out or remove any other options in the [keystone_authtoken] section.

  3. Populate the Key Manager service database:

    The Key Manager service database is populated automatically when the service is first started. To prevent this and run the database sync manually instead, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False.

    Then populate the database as below:

    # su -s /bin/sh -c "barbican-manage db upgrade" barbican
    

    Note

    Ignore any deprecation messages in this output.

  4. Barbican has a plugin architecture that allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

    For a list of supported plugins and detailed instructions on how to configure them, see Configure Secret Store Back-end.
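    It is easy to leave a documentation placeholder such as BARBICAN_DBPASS in the edited file, or to leave a stale option in [keystone_authtoken] that the note above says must be removed. The following script is an added example (not part of the OpenStack documentation or of Barbican) that parses a barbican.conf and reports such problems; it assumes the host name controller and the option values exactly as given in the steps above, and the embedded sample configuration is constructed for illustration.

```python
import configparser

# Placeholders from the steps above that must not survive into the real file.
PLACEHOLDERS = ("BARBICAN_DBPASS", "RABBIT_PASS", "BARBICAN_PASS")

# [keystone_authtoken] values the steps prescribe; password is checked separately.
EXPECTED_AUTHTOKEN = {
    "www_authenticate_uri": "http://controller:5000", "auth_url": "http://controller:5000",
    "memcached_servers": "controller:11211", "auth_type": "password",
    "project_domain_name": "default", "user_domain_name": "default",
    "project_name": "service", "username": "barbican",
}

def check_barbican_conf(text):
    """Return a list of findings for barbican.conf content; an empty list passes."""
    # Treat [DEFAULT] as an ordinary section so its keys do not leak into others.
    cfg = configparser.ConfigParser(default_section="__none__", interpolation=None)
    cfg.read_string(text)
    findings = []
    default = cfg["DEFAULT"] if cfg.has_section("DEFAULT") else {}
    if not default.get("sql_connection", "").startswith("mysql+pymysql://barbican:"):
        findings.append("[DEFAULT] sql_connection missing or not the barbican MySQL URL")
    if not default.get("transport_url", "").startswith("rabbit://openstack:"):
        findings.append("[DEFAULT] transport_url missing or not the openstack RabbitMQ URL")
    auth = cfg["keystone_authtoken"] if cfg.has_section("keystone_authtoken") else {}
    for key, want in EXPECTED_AUTHTOKEN.items():
        if auth.get(key) != want:
            findings.append("[keystone_authtoken] %s should be %s" % (key, want))
    if not auth.get("password"):
        findings.append("[keystone_authtoken] password is not set")
    # Per the install notes, any other option in this section must be commented out or removed.
    for key in auth:
        if key not in EXPECTED_AUTHTOKEN and key != "password":
            findings.append("[keystone_authtoken] unexpected option %s" % key)
    for name in PLACEHOLDERS:
        if name in text:
            findings.append("placeholder %s was not replaced" % name)
    return findings

# Constructed sample: DB password placeholder left in place, stale auth_uri, missing keys.
SAMPLE_CONF = """[DEFAULT]
sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
transport_url = rabbit://openstack:s3cret@controller
[keystone_authtoken]
auth_uri = http://controller:5000
auth_type = password
username = barbican
password = s3cret
"""
```

    Run it against the real file with check_barbican_conf(open("/etc/barbican/barbican.conf").read()) after removing the "..." lines shown in the excerpts above, which are not valid configuration syntax.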

Finalize installation

  1. Create the /etc/httpd/conf.d/wsgi-barbican.conf file with the following content. Note that the VirtualHost below listens only on the IPv6 loopback address [::1]; if the controller name used in the API endpoints above does not resolve to that address, adjust the listen address accordingly:

    <VirtualHost [::1]:9311>
        ServerName controller
    
        ## Logging
        ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
        LogLevel debug
        ServerSignature Off
        CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined
    
        WSGIApplicationGroup %{GLOBAL}
        WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
        WSGIProcessGroup barbican-api
        WSGIScriptAlias / "/usr/lib/python2.7/site-packages/barbican/api/app.wsgi"
        WSGIPassAuthorization On
    </VirtualHost>
    
  2. Start the Apache HTTP service and configure it to start when the system boots:

    # systemctl enable httpd.service
    # systemctl start httpd.service