To enable the password checkout feature for the OpenStack server, perform the following:
In the OpenStack server, create a user and assign the user to a project (tenant) with a role. For information about user creation and project and role assignment, see OpenStack Documentation.
In the Privileged Account Manager Admin Console,
You can add the OpenStack policy template to automatically create an account domain and a rule for OpenStack. Then, you can customize the OpenStack account domain and rule as required. For more information about adding the policy template, see Adding a Policy Template.
You can create an account domain and a rule manually for OpenStack. For information about creating an account domain for OpenStack, see Creating an Account Domain for OpenStack. For information about creating a rule, see Adding a Rule.
NOTE: For the password check out of accounts belonging to different OpenStack projects (tenants), you must create a different account domain for each tenant.
After creating the appropriate account domain and rules for the OpenStack server, you can check out the password for the OpenStack server from the Myaccess page. For more information, refer to Section 23.0, Requesting and Accessing through User Console.
Create a privileged account for the OpenStack server:
On the home page of the console, click.
In the left pane, click.
In the middle pane, click.
If you have imported a policy template for password checkout, a sample account domain gets created with the name http://myOpenstack/dashboard/auth/login/_openstack. You must modify the sample account domain by clicking in the details pane.
In the right pane, specify the following information:
Name: Specify the name of the application domain. The name of the domain should be the OpenStack server IP followed by an underscore (_) and the application name.
For example, if the OpenStack server IP is 172.16.0.1, you need to specify the Name as http://172.16.0.1/dashboard/auth/login/_openstack.
Sub-Type: This field gets auto-populated with the application name that you have specified in Name. For example, if you have specified the Name as http://172.16.0.1/dashboard/auth/login/_openstack, the Sub-Type is auto-populated as openstack.
Host: Specify the IP address of the OpenStack server. Also provide the appropriate port number.
Password Reset: Select the appropriate option that can be used for password check-in. You can specify either of the following:
Script: Specify any Perl script to reset the account password for the application. For the OpenStack password reset script, see Openstack Password Reset Script. The Perl script should return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in .
Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. When you select this option, the Identity Manager driver for Privileged Account Manager takes care of generating a random password and synchronizing the password to Identity Manager. The Privileged Account Manager driver checks in the new password to Privileged Account Manager. Identity Manager takes care of synchronizing the password on the applications through the respective application driver. For more information, see the Driver Implementation guide on the PAM documentation page.
NOTE: Before delegating password check-in to Identity Manager, ensure that the Privileged Account Manager driver and the application driver are functional.
Never: You can use this option if you do not want to reset the password.
Password Policy: Select the appropriate password policy. By default, is selected. You can either modify the default password policy or create a new password policy. For more information about specifying a password policy, refer to Specifying Password Policies.
Create Command for subtype: Select this option to create a command for the application. For example, if the application is ABC_PQR, a command APP PQR is created for the application, which you can use for the application rule.
If you have imported a policy template for application password checkout, the command is created automatically.
Custom Fields: To add additional fields, use.
For OpenStack, you must create two custom fields and . Specify the OpenStack Keystone version in field and specify the tenant or the project in OpenStack to which the user belongs in the field.
If you have imported a policy template for application password checkout, the and custom fields are created automatically with the default value. You can modify the value of these fields as required.
NOTE: You must add only one tenant in the account domain. If you have multiple tenants, you must create separate account domains for each tenant.
Click to save the account domain details.
Add the appropriate OpenStack user and its account credentials. For more information, refer to Adding Shared Account Credentials in the Account Domain.
These credentials are provided to users when they check out the password for the application. If all credentials are in use, a user who tries to check out a password later gets a message that all credentials are in use. The user can try to connect after some time.
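
A pre-flight check for planned account domains, as an added example that is not part of the product documentation or Privileged Account Manager's own code: it applies the naming, Host, and one-tenant rules from the steps above to constructed records. The dictionary keys, the sample values, and the assumption that the Sub-Type is the text after the last underscore of the Name are illustrative, not the product's data model.

```python
import ipaddress

def derive_subtype(name):
    """Assumed derivation: the Sub-Type is the text after the last underscore."""
    head, sep, app = name.rpartition("_")
    return app if (sep and head and app) else None

def check_domain(domain):
    """Return the list of problems found in one planned account domain."""
    problems = []
    name = domain.get("name", "")
    subtype = derive_subtype(name)
    if subtype is None:
        problems.append("name does not end in _<application name>")
    elif domain.get("sub_type") != subtype:
        problems.append("sub-type does not match the name suffix")
    # Host must carry both the server IP and a port number.
    ip, _, port = domain.get("host", "").rpartition(":")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append("host is not <IP address>:<port>")
    else:
        if not port.isdigit():
            problems.append("host port is not numeric")
        if ip not in name:  # simple substring check against the Name
            problems.append("name does not contain the host IP")
    # The NOTE above: only one tenant per account domain.
    if len(domain.get("tenants", [])) != 1:
        problems.append("exactly one tenant is allowed per account domain")
    # With "Never", a checked-out password stays valid after check-in.
    if domain.get("password_reset") == "Never":
        problems.append("password is not reset at check-in")
    return problems

def audit(domains):
    """Map each failing domain name to its problems; clean domains are omitted."""
    results = {d.get("name", "?"): check_domain(d) for d in domains}
    return {name: found for name, found in results.items() if found}

# Constructed sample records; the keys are hypothetical.
PLANNED = [
    {"name": "http://172.16.0.1/dashboard/auth/login/_openstack",
     "sub_type": "openstack", "host": "172.16.0.1:5000",
     "tenants": ["demo"], "password_reset": "Script"},
    {"name": "http://172.16.0.2/dashboard/auth/login/_openstack",
     "sub_type": "openstack", "host": "172.16.0.2",
     "tenants": ["demo", "admin"], "password_reset": "Never"},
]

if __name__ == "__main__":
    for name, found in audit(PLANNED).items():
        print(name, found)
```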