Install and configure for Red Hat Enterprise Linux and CentOS

This section describes how to install and configure the Key Manager service for Red Hat Enterprise Linux 7 and CentOS 7.
Prerequisites

Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.

1. To create the database, complete these steps:

   a. Use the database access client to connect to the database server as the root user:

      # mysql

   b. Create the barbican database:

      CREATE DATABASE barbican;

   c. Grant proper access to the barbican database:

      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
        IDENTIFIED BY 'BARBICAN_DBPASS';
      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
        IDENTIFIED BY 'BARBICAN_DBPASS';

      Replace BARBICAN_DBPASS with a suitable password.

   d. Exit the database access client:

      exit;

2. Source the admin credentials to gain access to admin-only CLI commands:

   $ source admin-openrc

3. To create the service credentials, complete these steps:

   a. Create the barbican user:

      $ openstack user create --domain default --password-prompt barbican

   b. Add the admin role to the barbican user:

      $ openstack role add --project service --user barbican admin

   c. Create the creator role:

      $ openstack role create creator

   d. Add the creator role to the barbican user:

      $ openstack role add --project service --user barbican creator

   e. Create the barbican service entity:

      $ openstack service create --name barbican --description "Key Manager" key-manager

4. Create the Key Manager service API endpoints:

   $ openstack endpoint create --region RegionOne \
     key-manager public http://controller:9311
   $ openstack endpoint create --region RegionOne \
     key-manager internal http://controller:9311
   $ openstack endpoint create --region RegionOne \
     key-manager admin http://controller:9311
Install and configure components

1. Install the packages:

   # yum install openstack-barbican-api

2. Edit the /etc/barbican/barbican.conf file and complete the following actions:

   a. In the [DEFAULT] section, configure database access:

      [DEFAULT]
      ...
      sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican

      Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

   b. In the [DEFAULT] section, configure RabbitMQ message queue access:

      [DEFAULT]
      ...
      transport_url = rabbit://openstack:RABBIT_PASS@controller

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

   c. In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
      ...
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = barbican
      password = BARBICAN_PASS

      Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

      Note: Comment out or remove any other options in the [keystone_authtoken] section.
3. Populate the Key Manager service database:

   The Key Manager service database is populated automatically when the service is first started. To prevent this and run the database sync manually, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False. Then populate the database as follows:

   $ su -s /bin/sh -c "barbican-manage db upgrade" barbican

   Note: Ignore any deprecation messages in this output.

4. Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

   For a list of supported plugins and detailed instructions on how to configure them, see Configure Secret Store Back-end.
Finalize installation

1. Create the /etc/httpd/conf.d/wsgi-barbican.conf file with the following content:

   <VirtualHost [::1]:9311>
       ServerName controller

       ## Logging
       ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
       LogLevel debug
       ServerSignature Off
       CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined

       WSGIApplicationGroup %{GLOBAL}
       WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
       WSGIProcessGroup barbican-api
       WSGIScriptAlias / "/usr/lib/python2.7/site-packages/barbican/api/app.wsgi"
       WSGIPassAuthorization On
   </VirtualHost>
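The barbican.conf edits in the previous section and the Apache vhost above are easy to get subtly wrong: a placeholder password left in place, a stray option in [keystone_authtoken] (which the note above says to remove), or a vhost that does not pass the Authorization header or does not run as the barbican user. The following script is an added example, not part of the OpenStack documentation or of Barbican itself. It lints the two files by the paths given on this page; the option names it expects are exactly the ones shown on the page, and the sample file bodies embedded at the bottom are constructed for the demo (the passwords are made up).

```python
"""Added example, not part of the OpenStack documentation or of Barbican:
lint /etc/barbican/barbican.conf and /etc/httpd/conf.d/wsgi-barbican.conf
(the two files this page has you write) for the mistakes that most often
leave a fresh install broken or exposed.  Option names are the ones shown on
the page; the sample file bodies at the bottom are constructed for the demo.
"""
import configparser
import re

PLACEHOLDERS = ("BARBICAN_DBPASS", "RABBIT_PASS", "BARBICAN_PASS")
# Exactly the [keystone_authtoken] options the page sets; its note says to
# comment out or remove anything else in that section.
EXPECTED_AUTHTOKEN = {
    "www_authenticate_uri", "auth_url", "memcached_servers", "auth_type",
    "project_domain_name", "user_domain_name", "project_name",
    "username", "password",
}


def check_barbican_conf(text):
    """Return a list of findings (strings) for a barbican.conf body."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    # barbican.conf keeps its core settings in [DEFAULT], which configparser
    # treats as the defaults section; has_option accepts that name directly.
    for key in ("sql_connection", "transport_url"):
        if not cp.has_option("DEFAULT", key):
            findings.append("[DEFAULT] is missing %s" % key)
    if not cp.has_section("keystone_authtoken"):
        findings.append("[keystone_authtoken] section is missing")
    else:
        # options() also lists inherited [DEFAULT] keys; strip them first.
        present = set(cp.options("keystone_authtoken")) - set(cp.defaults())
        for key in sorted(EXPECTED_AUTHTOKEN - present):
            findings.append("[keystone_authtoken] is missing %s" % key)
        for key in sorted(present - EXPECTED_AUTHTOKEN):
            findings.append("[keystone_authtoken] has extra option %s; "
                            "comment it out or remove it" % key)
    # A literal placeholder means a password from the page was never replaced.
    for name in PLACEHOLDERS:
        if re.search(r"\b%s\b" % name, text):
            findings.append("placeholder %s still present" % name)
    return findings


def check_wsgi_vhost(text):
    """Return a list of findings for the wsgi-barbican.conf VirtualHost body."""
    findings = []
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue  # blank line, comment, or the <VirtualHost> wrapper
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    # mod_wsgi does not pass the HTTP Authorization header unless this is On.
    if directives.get("WSGIPassAuthorization", "").lower() != "on":
        findings.append("WSGIPassAuthorization is not On")
    # The WSGI daemon must run as the unprivileged barbican account.
    daemon = directives.get("WSGIDaemonProcess", "")
    opts = dict(t.split("=", 1) for t in daemon.split()[1:] if "=" in t)
    if opts.get("user") != "barbican" or opts.get("group") != "barbican":
        findings.append("WSGIDaemonProcess does not run as user=barbican group=barbican")
    # The page's vhost logs at debug, which is very verbose for a key manager.
    if directives.get("LogLevel", "").lower() == "debug":
        findings.append("LogLevel debug: lower it once the install is verified")
    return findings


# Constructed sample: barbican.conf as the page has you write it, with the
# three placeholders replaced by made-up passwords.
GOOD_CONF = """[DEFAULT]
sql_connection = mysql+pymysql://barbican:db-pw-example@controller/barbican
transport_url = rabbit://openstack:mq-pw-example@controller

[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = id-pw-example
"""

# The page's VirtualHost, trimmed to the directives the checker looks at.
PAGE_VHOST = """<VirtualHost [::1]:9311>
    ServerName controller
    LogLevel debug
    WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
    WSGIProcessGroup barbican-api
    WSGIPassAuthorization On
</VirtualHost>
"""

if __name__ == "__main__":
    print(check_barbican_conf(GOOD_CONF), check_wsgi_vhost(PAGE_VHOST))
```

To run it against a real host, pass the contents of the two files (for example `open("/etc/barbican/barbican.conf").read()`) to the two functions instead of the embedded samples; an empty list means nothing was flagged. On the page's own vhost the only finding is the debug log level, which is worth keeping in mind for a production key manager.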
2. Start the Apache HTTP service and configure it to start when the system boots:

   # systemctl enable httpd.service
   # systemctl start httpd.service