Install and configure for openSUSE and SUSE Linux Enterprise¶

Prerequisites¶

Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.

1. To create the database, complete these steps:

   • Use the database access client to connect to the database server as the root user:

     $ mysql -u root -p
     

   • Create the barbican database:

     CREATE DATABASE barbican;
     

   • Grant proper access to the barbican database:

     GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
       IDENTIFIED BY 'BARBICAN_DBPASS';
     GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
       IDENTIFIED BY 'BARBICAN_DBPASS';
     

     Replace BARBICAN_DBPASS with a suitable password.

   • Exit the database access client.

     exit;
     

2. Source the admin credentials to gain access to admin-only CLI commands:

   $ source admin-openrc
   

3. To create the service credentials, complete these steps:

   • Create the barbican user:

     $ openstack user create --domain default --password-prompt barbican
     

   • Add the admin role to the barbican user:

     $ openstack role add --project service --user barbican admin
     

   • Create the creator role:

     $ openstack role create creator
     

   • Add the creator role to the barbican user:

     $ openstack role add --project service --user barbican creator
     

   • Create the barbican service entities:

     $ openstack service create --name barbican --description "Key Manager" key-manager
     

4. Create the Key Manager service API endpoints:

   $ openstack endpoint create --region RegionOne \
     key-manager public http://controller:9311
   $ openstack endpoint create --region RegionOne \
     key-manager internal http://controller:9311
   $ openstack endpoint create --region RegionOne \
     key-manager admin http://controller:9311
   

Install and configure components¶

1. Install the packages:

   # zypper install openstack-barbican-api openstack-barbican-keystone-listener openstack-barbican-worker
   

2. Edit the /etc/barbican/barbican.conf file and complete the following actions:

   • In the [DEFAULT] section, configure database access:

     [DEFAULT]
     ...
     sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
     

     Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

   • In the [DEFAULT] section, configure RabbitMQ message queue access:

     [DEFAULT]
     ...
     transport_url = rabbit://openstack:RABBIT_PASS@controller
     

     Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

   • In the [keystone_authtoken] section, configure Identity service access:

     [keystone_authtoken]
     ...
     www_authenticate_uri = http://controller:5000
     auth_url = http://controller:35357
     memcached_servers = controller:11211
     auth_type = password
     project_domain_name = default
     user_domain_name = default
     project_name = service
     username = barbican
     password = BARBICAN_PASS
     

     Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

     Note

     Comment out or remove any other options in the [keystone_authtoken] section.

3. Populate the Key Manager service database:

   The Key Manager service database will be automatically populated when the service is first started. To prevent this, and run the database sync manually, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False.

   Then populate the database as below:

   $ su -s /bin/sh -c "barbican-manage db upgrade" barbican
   

   Note

   Ignore any deprecation messages in this output.

4. Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

   For a list of supported plugins and detailed instructions on how to configure them, see Secret Store Back-ends

Finalize installation¶

1. Copy the sample Apache vhost file into place:

# cp /etc/apache2/conf.d/barbican-api.conf.sample /etc/apache2/vhosts.d/barbican-api.conf

1. Start the Apache HTTP service and configure it to start when the system boots:

   # systemctl enable apache2.service
   # systemctl start apache2.service