Install and configure for Red Hat Enterprise Linux and CentOS

This section describes how to install and configure the Key Manager service for Red Hat Enterprise Linux 7 and CentOS 7.

Prerequisites

Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.

  1. To create the database, complete these steps:

    • Use the database access client to connect to the database server as the root user:

      $ mysql -u root -p
      
    • Create the barbican database:

      CREATE DATABASE barbican;
      
    • Grant proper access to the barbican database:

      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
        IDENTIFIED BY 'BARBICAN_DBPASS';
      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
        IDENTIFIED BY 'BARBICAN_DBPASS';
      

      Replace BARBICAN_DBPASS with a suitable password. The second grant, to 'barbican'@'%', lets the account log in from any host; if the Key Manager API runs only on the controller, replace '%' with the controller's address to narrow it.

    • Exit the database access client.

      exit;
      
  2. Source the admin credentials to gain access to admin-only CLI commands:

    $ source admin-openrc
    
  3. To create the service credentials, complete these steps:

    • Create the barbican user:

      $ openstack user create --domain default --password-prompt barbican
      
    • Add the admin role to the barbican user:

      $ openstack role add --project service --user barbican admin
      
    • Create the creator role:

      $ openstack role create creator
      
    • Add the creator role to the barbican user:

      $ openstack role add --project service --user barbican creator
      
    • Create the barbican service entities:

      $ openstack service create --name barbican --description "Key Manager" key-manager
      
  4. Create the Key Manager service API endpoints:

    $ openstack endpoint create --region RegionOne \
      key-manager public http://controller:9311/v1/%\(tenant_id\)s
    $ openstack endpoint create --region RegionOne \
      key-manager internal http://controller:9311/v1/%\(tenant_id\)s
    $ openstack endpoint create --region RegionOne \
      key-manager admin http://controller:9311/v1/%\(tenant_id\)s
    

    Note

    These endpoints are plain http. Barbican carries secret payloads in request and response bodies, so outside a lab, terminate TLS in front of port 9311 and register https URLs instead.


Install and configure components

  1. Install the packages:

    # yum install openstack-barbican-api
    
  2. Edit the /etc/barbican/barbican.conf file and complete the following actions:

    • In the [database] section, configure database access:

      [database]
      ...
      connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
      

      Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

    • In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:

      [DEFAULT]
      ...
      rpc_backend = rabbit
      
      [oslo_messaging_rabbit]
      ...
      rabbit_host = controller
      rabbit_userid = openstack
      rabbit_password = RABBIT_PASS
      

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

    • In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
      ...
      auth_uri = http://controller:5000
      auth_url = http://controller:35357
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = barbican
      password = BARBICAN_PASS
      

      Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

      Note

      Comment out or remove any other options in the [keystone_authtoken] section. Because barbican.conf now holds three service passwords, keep it owned by root:barbican with mode 0640; do not loosen it to make debugging easier.

  3. Edit the /etc/barbican/barbican-api-paste.ini file and complete the following actions:

    • In the [pipeline:barbican_api] section, configure the pipeline to use the Identity Service auth token. The pipeline Barbican ships by default uses unauthenticated-context instead of authtoken; if that is left in place, any client that can reach port 9311 can create and read secrets without a Keystone token.

      [pipeline:barbican_api]
      pipeline = cors authtoken context apiapp
      
  4. Populate the Key Manager service database:

    By default the Key Manager service populates its database automatically the first time it starts. To prevent this and run the sync yourself, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False.

    Then populate the database as below:

    # su -s /bin/sh -c "barbican-manage db_sync" barbican
    

    Note

    Ignore any deprecation messages in this output.

  5. Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

    For a list of supported plugins and detailed instructions on how to configure them, see Secret Store Back-ends.
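
The barbican.conf edits above are easy to get subtly wrong: a placeholder password left in, a stale option still sitting in [keystone_authtoken], or a file that every local user can read. As an added example (not code from the OpenStack guide or from Barbican itself), the POSIX shell script below runs those three checks against a config file. It assumes only sh, awk, grep, sed and find; the half-finished barbican.conf it builds in make_sample_conf is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide or of Barbican: sanity-check
# a barbican.conf after editing it. Assumes POSIX sh, awk, grep, sed, find.

# Print "section key" for every uncommented option in an ini-style file.
ini_options() {
    awk '
        /^[[:space:]]*[#;]/ { next }                          # comment line
        /^[[:space:]]*\[/ && match($0, /\[[^]]+\]/) {         # [section] header
            section = substr($0, RSTART + 1, RLENGTH - 2); next
        }
        /^[[:space:]]*[^[:space:]=]+[[:space:]]*=/ {          # key = value
            split($0, kv, "="); key = kv[1]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            print section, key
        }' "$1"
}

# Options the guide sets in [keystone_authtoken]; anything else is stale.
AUTHTOKEN_EXPECTED="auth_uri auth_url memcached_servers auth_type project_domain_name user_domain_name project_name username password"

# Report stale [keystone_authtoken] options on stderr; return 1 if any exist.
check_authtoken_section() {
    stale=$(ini_options "$1" | awk -v ok=" $AUTHTOKEN_EXPECTED " \
        '$1 == "keystone_authtoken" && index(ok, " " $2 " ") == 0 { print $2 }')
    [ -z "$stale" ] && return 0
    echo "stale [keystone_authtoken] options: $stale" >&2
    return 1
}

# Return 1 if any of the guide's placeholder passwords is still in the file.
check_no_placeholders() {
    if grep -nE 'BARBICAN_DBPASS|RABBIT_PASS|BARBICAN_PASS' "$1" >&2; then
        return 1
    fi
    return 0
}

# The file holds three service passwords: return 1 if "other" can read it.
check_not_world_readable() {
    [ -z "$(find "$1" -perm -004)" ]
}

# Run every check; return 0 only if all of them pass.
check_barbican_conf() {
    rc=0
    check_no_placeholders "$1"    || rc=1
    check_authtoken_section "$1"  || rc=1
    check_not_world_readable "$1" || rc=1
    return $rc
}

# Constructed sample of a half-finished barbican.conf: one stale authtoken
# option, one placeholder left in, and world-readable permissions.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[DEFAULT]
rpc_backend = rabbit
db_auto_create = False

[database]
connection = mysql+pymysql://barbican:db-pass-example@controller/barbican

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN_PASS
# identity_uri = http://controller:35357
admin_tenant_name = service
EOF
    chmod 644 "$f"
    echo "$f"
}

# Repair the sample the way a deployer would: real password, stale option
# removed, permissions tightened.
fix_sample_conf() {
    sed -i.bak -e 's/^password = BARBICAN_PASS$/password = keystone-pass-example/' \
               -e '/^admin_tenant_name = /d' "$1" && rm -f "$1.bak"
    chmod 640 "$1"
}

# Usage: sh check_barbican_conf.sh /etc/barbican/barbican.conf
#        sh check_barbican_conf.sh --demo   (runs the checks on the sample)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_conf)
    check_barbican_conf "$sample" || echo "sample flagged, as expected"
    fix_sample_conf "$sample"
    check_barbican_conf "$sample" && echo "repaired sample passes"
    rm -f "$sample"
elif [ $# -gt 0 ]; then
    check_barbican_conf "$1"
fi
```

The checks deliberately stay independent of crudini or openstack-config so they run on a minimal host; the allowed-option list is exactly what this page's [keystone_authtoken] block sets, so extend AUTHTOKEN_EXPECTED if your deployment legitimately adds options there.
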

Finalize installation

  1. Create the /etc/httpd/conf.d/wsgi-barbican.conf file with the following content. The Listen directive is required: httpd binds only the ports it is told to listen on, and the stock httpd.conf lists only port 80.

    ## Bind the API port; without this, httpd never listens on 9311
    Listen 9311

    <VirtualHost [::1]:9311>
        ServerName controller
    
        ## Vhost docroot
        DocumentRoot "/var/www/cgi-bin/barbican"
    
        ## Directories, there should at least be a declaration for /var/www/cgi-bin/barbican
    
        <Directory "/var/www/cgi-bin/barbican">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
        </Directory>
    
        ## Logging
        ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
        LogLevel debug
        ServerSignature Off
        CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined
    
        WSGIApplicationGroup %{GLOBAL}
        WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
        WSGIProcessGroup barbican-api
        WSGIScriptAlias / "/var/www/cgi-bin/barbican/main"
        WSGIPassAuthorization On
    </VirtualHost>
    

    Note

    As written, the vhost accepts connections only on the IPv6 loopback address [::1]. The endpoints registered in Keystone point at http://controller:9311, so if controller resolves to anything else, change the address in the VirtualHost line to match (for example *:9311). Before production use, also drop Indexes from the Options line (it lets httpd list the docroot to any client), lower LogLevel from debug to warn, and remember that the _ssl log names are only names: this vhost serves plain HTTP until you add TLS.

  2. Start the Apache HTTP service and configure it to start when the system boots:

    # systemctl enable httpd.service
    # systemctl start httpd.service
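
Before starting httpd, it is worth checking the vhost for the four things discussed above: no Listen for port 9311, a bind to the IPv6 loopback only, directory indexes on the docroot, and LogLevel debug. As an added example (not part of the OpenStack guide or of Barbican), the shell script below audits a wsgi-barbican.conf for them and ships an abridged copy of the guide's vhost next to a hardened one so the audit can be seen failing and then passing. It assumes POSIX sh, awk and grep; the vhost text and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: audit wsgi-barbican.conf
# before starting httpd. Assumes POSIX sh, awk and grep.

# Print the (first) value of an httpd directive, matched case-insensitively.
httpd_directive() {
    awk -v want="$2" 'tolower($1) == tolower(want) { print $2; exit }' "$1"
}

# Print space-separated findings for the vhost file; return 1 if there are any.
audit_barbican_vhost() {
    f=$1; findings=""
    # httpd binds only ports named in a Listen directive; the default
    # httpd.conf has Listen 80 alone, so 9311 needs its own.
    if ! grep -qiE '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?9311([[:space:]]|$)' "$f"; then
        findings="$findings no-listen-9311"
    fi
    # [::1] accepts only IPv6 loopback clients, but the Keystone endpoints
    # point at http://controller:9311, which usually resolves elsewhere.
    if grep -qiF 'VirtualHost [::1]:9311' "$f"; then
        findings="$findings ipv6-loopback-only"
    fi
    # Options Indexes lets httpd list the docroot to anyone who asks.
    if grep -qiE '^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*[+]?Indexes([[:space:]]|$)' "$f"; then
        findings="$findings directory-indexes"
    fi
    # LogLevel debug writes per-request detail to the log; use warn in production.
    if [ "$(httpd_directive "$f" LogLevel | tr 'A-Z' 'a-z')" = "debug" ]; then
        findings="$findings loglevel-debug"
    fi
    echo "${findings# }"
    [ -z "$findings" ]
}

# Abridged copy of the guide's vhost (constructed for the demo; the WSGI
# directives that the audit does not look at are left out).
write_guide_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost [::1]:9311>
    ServerName controller
    <Directory "/var/www/cgi-bin/barbican">
        Options Indexes FollowSymLinks MultiViews
        Require all granted
    </Directory>
    LogLevel debug
    WSGIScriptAlias / "/var/www/cgi-bin/barbican/main"
</VirtualHost>
EOF
}

# The same vhost with all four findings addressed: a Listen line, a bind on
# every address (or substitute the controller's address), no Indexes, warn.
write_hardened_vhost() {
    cat > "$1" <<'EOF'
Listen 9311
<VirtualHost *:9311>
    ServerName controller
    <Directory "/var/www/cgi-bin/barbican">
        Options FollowSymLinks MultiViews
        Require all granted
    </Directory>
    LogLevel warn
    WSGIScriptAlias / "/var/www/cgi-bin/barbican/main"
</VirtualHost>
EOF
}

# Usage: sh audit_vhost.sh /etc/httpd/conf.d/wsgi-barbican.conf
# Exit status is 0 when nothing is flagged; findings are printed otherwise.
if [ $# -gt 0 ]; then
    audit_barbican_vhost "$1"
fi
```

Run it against the real file after writing it and again after `apachectl configtest`; the audit is a static string check, so it will not catch a Listen line that lives in another conf.d file, which is why the Listen test only warns rather than being the final word.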
    
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.