This section describes how to install and configure the Key Manager service for Red Hat Enterprise Linux 7 and CentOS 7.
Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.
To create the database, complete these steps:
1. Use the database access client to connect to the database server as the root user:
   $ mysql -u root -p
2. Create the barbican database:
   CREATE DATABASE barbican;
3. Grant proper access to the barbican database:
   GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
   IDENTIFIED BY 'BARBICAN_DBPASS';
   GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
   IDENTIFIED BY 'BARBICAN_DBPASS';
   Replace BARBICAN_DBPASS with a suitable password.
4. Exit the database access client:
   exit;
Source the admin credentials to gain access to admin-only CLI commands:
$ source admin-openrc
To create the service credentials, complete these steps:
1. Create the barbican user:
   $ openstack user create --domain default --password-prompt barbican
2. Add the admin role to the barbican user:
   $ openstack role add --project service --user barbican admin
3. Create the creator role:
   $ openstack role create creator
4. Add the creator role to the barbican user:
   $ openstack role add --project service --user barbican creator
5. Create the barbican service entity:
   $ openstack service create --name barbican --description "Key Manager" key-manager
Create the Key Manager service API endpoints:
$ openstack endpoint create --region RegionOne \
  key-manager public http://controller:9311/v1/%\(tenant_id\)s
$ openstack endpoint create --region RegionOne \
  key-manager internal http://controller:9311/v1/%\(tenant_id\)s
$ openstack endpoint create --region RegionOne \
  key-manager admin http://controller:9311/v1/%\(tenant_id\)s
Install the packages:
# yum install openstack-barbican-api
Edit the /etc/barbican/barbican.conf file and complete the following actions:
1. In the [database] section, configure database access:
   [database]
   ...
   connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
   Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.
2. In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
   [DEFAULT]
   ...
   rpc_backend = rabbit
   [oslo_messaging_rabbit]
   ...
   rabbit_host = controller
   rabbit_userid = openstack
   rabbit_password = RABBIT_PASS
   Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.
3. In the [keystone_authtoken] section, configure Identity service access:
   [keystone_authtoken]
   ...
   auth_uri = http://controller:5000
   auth_url = http://controller:35357
   memcached_servers = controller:11211
   auth_type = password
   project_domain_name = default
   user_domain_name = default
   project_name = service
   username = barbican
   password = BARBICAN_PASS
   Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.
   Note: Comment out or remove any other options in the [keystone_authtoken] section.
Edit the /etc/barbican/barbican-api-paste.ini file and complete the following action:
In the [pipeline:barbican_api] section, configure the pipeline to use the Identity service auth token:
[pipeline:barbican_api]
pipeline = cors authtoken context apiapp
Populate the Key Manager service database:
The Key Manager service database is populated automatically when the service is first started. To prevent this and run the database sync manually, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False. Then populate the database:
$ su -s /bin/sh -c "barbican-manage db_sync" barbican
Note: Ignore any deprecation messages in this output.
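The configuration steps above leave several easy-to-miss security settings behind: placeholder passwords that were never replaced, stray options left in [keystone_authtoken], db_auto_create still enabled after a manual db_sync, and a paste pipeline without the authtoken filter. The following check is an added example, not part of the OpenStack documentation or of Barbican itself; the two configuration samples it reads are constructed inline and deliberately contain those mistakes.

```python
# Added example (not OpenStack's code): audit the settings this guide puts in
# barbican.conf and barbican-api-paste.ini for the mistakes the guide warns about.
import configparser

# Constructed sample of barbican.conf: the database placeholder was never
# replaced and a leftover option remains in [keystone_authtoken].
BARBICAN_CONF = """
[DEFAULT]
rpc_backend = rabbit
db_auto_create = False
[database]
connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = s3cret
admin_token = leftover
"""
# Constructed sample of barbican-api-paste.ini with the authtoken filter missing.
PASTE_INI = """
[pipeline:barbican_api]
pipeline = cors context apiapp
"""
EXPECTED_AUTHTOKEN = {"auth_uri", "auth_url", "memcached_servers", "auth_type",
                      "project_domain_name", "user_domain_name", "project_name",
                      "username", "password"}
PLACEHOLDERS = ("BARBICAN_DBPASS", "RABBIT_PASS", "BARBICAN_PASS")


def check_barbican(conf_text, paste_text):
    """Return a list of findings; an empty list means every check passed."""
    conf = configparser.ConfigParser(interpolation=None)  # '%' in URLs must stay literal
    conf.read_string(conf_text)
    paste = configparser.ConfigParser(interpolation=None)
    paste.read_string(paste_text)
    findings = [f"placeholder {p} was never replaced" for p in PLACEHOLDERS if p in conf_text]
    # Anything beyond the guide's option set in [keystone_authtoken] should be removed.
    # Subtract DEFAULT keys, since configparser merges them into every section.
    extra = set(conf["keystone_authtoken"]) - set(conf.defaults()) - EXPECTED_AUTHTOKEN
    findings += [f"unexpected option in [keystone_authtoken]: {o}" for o in sorted(extra)]
    if conf.getboolean("DEFAULT", "db_auto_create", fallback=True):
        findings.append("db_auto_create is not False; schema is created on first start")
    pipeline = paste.get("pipeline:barbican_api", "pipeline", fallback="").split()
    if "authtoken" not in pipeline:
        findings.append("authtoken missing from [pipeline:barbican_api]")
    return findings
```

Run check_barbican against the text of the real files to get the same findings for a deployed node.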
Barbican has a plugin architecture that allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.
For a list of supported plugins and detailed instructions on how to configure them, see Secret Store Back-ends.
Create the /etc/httpd/conf.d/wsgi-barbican.conf file with the following content. Note that the VirtualHost below binds only to the IPv6 loopback address [::1]; adjust the listen address if the API endpoints registered above must be reachable from other hosts.
<VirtualHost [::1]:9311>
ServerName controller
## Vhost docroot
DocumentRoot "/var/www/cgi-bin/barbican"
## Directories, there should at least be a declaration for /var/www/cgi-bin/barbican
<Directory "/var/www/cgi-bin/barbican">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
LogLevel debug
ServerSignature Off
CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
WSGIProcessGroup barbican-api
WSGIScriptAlias / "/var/www/cgi-bin/barbican/main"
WSGIPassAuthorization On
</VirtualHost>
Start the Apache HTTP service and configure it to start when the system boots:
# systemctl enable httpd.service
# systemctl start httpd.service
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.