Installation Guide

4 Using the controller with a remote Keystone server
This chapter describes how to install the controller for use in an environment that employs a remote
Keystone server. However, in most cases, Hewlett-Packard recommends using the controller with
a local Keystone server installation instead. (See “Installing a new controller with a local Keystone
server” (page 9).) Using a remote Keystone server involves security implications that should be
discussed with your system administrator before proceeding.
CAUTION: The HP VAN SDN Controller does not support role-based authentication. Thus, when
using a remote Keystone server, any successful login grants the user ADMIN access to the controller,
which can result in unauthorized persons receiving ADMIN access.
NOTE: Downloading the controller software package as described under “Downloading the
controller software” (page 7) is required before using this chapter.
This procedure assumes that the Keystone server you will use is installed and configured on a
remote machine. For information on configuring a remote Keystone server, see the OpenStack
Keystone documentation at http://docs.openstack.org/developer/keystone/.
The configured Keystone server must be accessible and responsive to basic Keystone REST API
queries.
The controller supports v2.0 of the Keystone REST API.
Although the HP VAN SDN Controller operates with the Folsom, Grizzly, Havana, or Icehouse
releases of OpenStack Keystone, HP recommends that you use the Icehouse version with release
2.4 of the controller. If you use Grizzly, Havana, or Icehouse, set the provider type for the server
to UUID, as described below.
Where a command in this procedure is shown with multiple lines, the line breaks are inserted at
the points where a space occurs in the actual command.
4.1 Setting the provider type to UUID on the remote Keystone server
If the provider type on the remote Keystone server is already set to UUID, skip this section and go
to “Unpacking the controller software on your local machine” (page 14).
NOTE: On the machine running the remote Keystone server, the provider type must be set to
UUID to support operation with the HP VAN SDN Controller. If the PKI provider type is required
on the remote Keystone server to support other applications, then that server will not support
controller operation. In this case, do either of the following:
• Install the server on the same machine as the controller (recommended). (See “Installing a new
  controller with a local Keystone server” (page 9) instead of continuing in this chapter.)
• Select another machine on which to install and configure the remote Keystone server, then
  continue in this section.
UUID is the default provider type for the Folsom release of Keystone. However, if the remote machine
supporting your Keystone server is running the Grizzly, Havana, or Icehouse version of Keystone
(which all use the PKI provider type), edit the /etc/keystone/keystone.conf file on your
Keystone server by adding the following line to set UUID as the provider type:
provider=keystone.token.providers.uuid.Provider
NOTE: The PKI provider type is not currently supported on the HP VAN SDN Controller.
For example, in the Icehouse version of Keystone, you would use a file editor to insert the above
line in the [token] section of the file, as shown in the boldface entry, below:
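One way to verify the setting after editing, added here as an example and not part of the HP guide: the function parses the text of a keystone.conf and reports whether the effective token provider is UUID, using the release defaults as this section states them. The function name, the sample files and the `debug` and `expiration` entries in them are constructed for illustration.

```python
import configparser

# Value the guide says to set; release defaults below are as the guide states them.
UUID_PROVIDER = "keystone.token.providers.uuid.Provider"
DEFAULT_IS_UUID = {"folsom": True, "grizzly": False, "havana": False, "icehouse": False}

def check_token_provider(conf_text, release):
    """Return (ok, reason) for the text of a keystone.conf and a release name."""
    # default_section is renamed so [DEFAULT] keys are not inherited by [token];
    # otherwise a misplaced provider line would look as if it were in [token].
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    try:
        cp.read_string(conf_text)
    except configparser.Error as exc:
        return False, "unparseable: " + type(exc).__name__
    value = cp.get("token", "provider", fallback=None)
    if value is not None:
        if value.strip() == UUID_PROVIDER:
            return True, "UUID provider set in [token]"
        return False, "[token] provider is %r" % value.strip()
    # No active provider line in [token]: the release default applies.
    if DEFAULT_IS_UUID.get(release.lower(), False):
        return True, "provider unset; release default is UUID"
    misplaced = [s for s in cp.sections() if cp.has_option(s, "provider")]
    if misplaced:
        return False, "provider set in [%s], not [token]" % ", ".join(misplaced)
    return False, "provider unset; release default is not UUID"

# Constructed sample files (not taken from a real server).
FIXED = "[DEFAULT]\ndebug = false\n[token]\n#provider=<None>\nprovider=" + UUID_PROVIDER + "\n"
UNSET = "[DEFAULT]\ndebug = false\n[token]\n#provider=<None>\n"
MISPLACED = "[DEFAULT]\nprovider=" + UUID_PROVIDER + "\n[token]\nexpiration = 86400\n"
NO_HEADER = "provider=" + UUID_PROVIDER + "\n"

if __name__ == "__main__":
    for name, text in [("fixed", FIXED), ("unset", UNSET),
                       ("misplaced", MISPLACED), ("no header", NO_HEADER)]:
        print(name, check_token_provider(text, "icehouse"))
```

The misplaced and commented-out cases are the ones a manual edit most often leaves behind: the line is present in the file but has no effect because it is not an active entry in the [token] section.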