15.2 Enabling Password Checkout for OpenStack

To enable password checkout feature for the OpenStack server perform the following:

  1. In the OpenStack server, create a user and assign the user to a project (tenant) with a role. For information about user creation and project and role assignment, see OpenStack Documentation.

  2. In the Privileged Account Manager Admin Console,

    You can add the OpenStack policy template to automatically create an account domain and a rule for OpenStack. Then, you can customize the OpenStack acount domain and rule as required. For more information about adding the policy template, see Adding a Policy Template.


    You can create an account domain and a rule manually for OpenStack. For information about creating an account domain for OpenStack, see Creating an Account Domain for OpenStack. For information about creating a rule, see Adding a Rule.

    NOTE:For the password check out of accounts belonging to different OpenStack projects (tenants), you must create a different account domain for each tenant.

  3. After creating the appropriate account domain and rules for OpenStack server, you can check out the password for the OpenStack server from the Myaccess page. For more information, refer Section 23.0, Requesting and Accessing through User Console

15.2.1 Creating an Account Domain for OpenStack

  1. Create a privileged account for the OpenStack server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. In the left pane, click Credential Vault.

    3. In the middle pane, click Add Account Domain.

      If you have imported a policy template for password checkout, a sample account domain gets created with the name http://myOpenstack/dashboard/auth/login/_openstack. You must modify the sample account domain by clicking Modify in the details pane.

    4. In the right pane, specify the following information:

      Name: Specify the name of the application domain. The name of the domain should be the OpenStack server IP followed by an underscore (_) and the application name.

      For example, if the OpenStack server IP is, you need to specify the Account Name as

      Type: Select Application.

      Sub-Type: This field gets auto populated with the application name that you have specified in Account Name. For example, if you have specified the Account Name as, the Sub-Type is auto-populated as openstack.

      Host: Specify the IP address of the OpenStack server. Also provide the appropriate port number.

      Password Reset: Select the appropriate option that can be used for password check-in. You can specify either of the following:

      • Script: Specify any perl script to reset the account password for the application. For the OpenStack password reset script, see Openstack Password Reset Script. The perl script should return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in Add Custom Fields.

      • Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. When you select this option, the Identity Manager driver for Privileged Account Manager takes care of generating random password and synchronizing the password to Identity Manager. The Privileged Account Manager driver checks-in the new password to Privileged Account Manager. Identity Manager takes care of synchronizing password on the applications through the respective application driver. For more information, see the Driver Implementation guide on the PAM documentation page.

        NOTE:Before delegating password check-in to Identity Manager, ensure that the Privileged Account Manager driver and the application driver are functional.

      • Never: You can use this option if you do not want to reset the password.

      Password Policy: Select the appropriate password policy. By default, Default Password Policy is selected. You can either modify the default password policy or create a new password policy. For more information about specifying password policy refer, Specifying Password Policies.

      Create Command for subtype: Select this option to create a command for the application. For example, if the application is ABC_PQR a command APP PQR is created for the application, that you can use for the application rule.

      If you have imported a policy template for application password checkout, the command is created automatically.

      Custom Fields: To add additional fields, use Add Custom Fields.

      For OpenStack, you must create two custom fields keystone_version and tenant. Specify the OpenStack keystone version in keystone_version field and specify the tenant or the project in OpenStack to which the user belongs in the tenant field.

      If you have imported a policy template for application password checkout, the keystone_version and tenant custom fields are created automatically with the default value. You can modify the value of these fields as required.

      NOTE:You must add only one tenant in the account domain. If you have multiple tenant, you must create separate account domains for each tenant.

    5. Click Add to save the account domain details.

  2. Add the appropriate OpenStack user and its account credentials. For more information refer, Adding Shared Account Credentials in the Account Domain

    These credentials are provided to the user when they check out the password for the application. The available credentials are provided to the users and if all credentials are used, then the user who checks out password later will get a message that all credentials are in use. The user can try to connect after some time.