4 Using the controller with a remote Keystone server

This chapter describes how to install the controller for use in an environment that employs a remote Keystone server. However, in most cases, Hewlett-Packard recommends using the controller with a local Keystone server installation instead. (See “Installing a new controller with a local Keystone server” (page 9).) Using a remote Keystone server involves security implications that should be discussed with your system administrator before proceeding.

CAUTION: The HP VAN SDN Controller does not support role-based authentication. Thus, when using a remote Keystone server, any successful login grants the user ADMIN access to the controller, which can result in unauthorized persons receiving ADMIN access.

NOTE: Downloading the controller software package as described under “Downloading the controller software” (page 7) is required before using this chapter.

This procedure assumes that the Keystone server you will use is installed and configured on a remote machine. For information on configuring a remote Keystone server, see the OpenStack Keystone documentation at http://docs.openstack.org/developer/keystone/.

The configured Keystone server must be accessible and responsive to basic Keystone REST API queries.

The controller supports v2.0 of the Keystone REST API.

Although the HP VAN SDN Controller operates with the Folsom, Grizzly, Havana, or Icehouse releases of OpenStack Keystone, HP recommends that you use the Icehouse version with release 2.4 of the controller. If you use Grizzly, Havana, or Icehouse, set the provider type for the server to UUID, as described below.

Where a command in this procedure is shown with multiple lines, the line breaks are inserted at the points where a space occurs in the actual command.

4.1 Setting the provider type to UUID on the remote Keystone server

If the provider type on the remote Keystone server is already set to UUID, skip this section and go to “Unpacking the controller software on your local machine” (page 14).

NOTE: On the machine running the remote Keystone server, the provider type must be set to UUID to support operation with the HP VAN SDN Controller. If the PKI provider type is required on the remote Keystone server to support other applications, then that server will not support controller operation. In this case, do either of the following:

Install the server on the same machine as the controller (recommended). (See “Installing a new controller with a local Keystone server” (page 9) instead of continuing in this chapter.)

Select another machine on which to install and configure the remote Keystone server, then continue in this section.

UUID is the default provider type for the Folsom release of Keystone. However, if the remote machine supporting your Keystone server is running the Grizzly, Havana, or Icehouse version of Keystone (which all use the PKI provider type), edit the /etc/keystone/keystone.conf file on your Keystone server by adding the following line to set UUID as the provider type:

provider=keystone.token.providers.uuid.Provider

NOTE: The PKI provider type is not currently supported on the HP VAN SDN Controller.

For example, in the Icehouse version of Keystone, you would use a file editor to insert the above line in the [token] section of the file, as shown in the boldface entry, below:
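A check for this setting, as an added example that is not part of the HP guide: it parses keystone.conf text and reports whether the UUID provider line is active in the [token] section, commented out, set to another value, or pasted under the wrong section. The function name, status strings, and sample files are constructed for illustration.

```python
import configparser
import sys

# Value the guide says to add to the [token] section of keystone.conf.
UUID_PROVIDER = "keystone.token.providers.uuid.Provider"

def check_token_provider(conf_text):
    """Return (status, detail) describing the token provider setting."""
    # Rename the default section so [DEFAULT] is an ordinary section; otherwise
    # a provider line misplaced there would look as if it were set in [token].
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True,
                                    default_section="__unused__")
    try:
        cfg.read_string(conf_text)
    except configparser.Error as exc:
        return ("unparseable", str(exc))
    if cfg.has_option("token", "provider"):
        value = (cfg.get("token", "provider") or "").strip()
        return ("ok", value) if value == UUID_PROVIDER else ("wrong_value", value)
    # Not active in [token]: was the line pasted under another section?
    for section in cfg.sections():
        if section != "token" and cfg.has_option(section, "provider") \
                and cfg.get(section, "provider") == UUID_PROVIDER:
            return ("wrong_section", section)
    # Absent or commented out: per the guide, Grizzly, Havana and Icehouse
    # then use the PKI provider type, which the controller does not support.
    return ("missing", "no active provider line in [token]")

# Constructed sample files (not taken from a real server).
SAMPLES = {
    "good": "[DEFAULT]\n[token]\nprovider=keystone.token.providers.uuid.Provider\n",
    "commented": "[token]\n#provider=keystone.token.providers.uuid.Provider\n",
    "misplaced": "[DEFAULT]\nprovider=keystone.token.providers.uuid.Provider\n"
                 "[token]\nexpiration=3600\n",
    "pki": "[token]\nprovider = keystone.token.providers.pki.Provider\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. /etc/keystone/keystone.conf
        with open(sys.argv[1]) as fh:
            print(check_token_provider(fh.read()))
    else:
        for name, text in SAMPLES.items():
            print(name, check_token_provider(text))
```

Run it with the path to keystone.conf on the Keystone server after editing the file; any status other than "ok" means the UUID provider line is not in effect in [token].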
