diff --git a/labs/config/credentials b/labs/config/credentials
index 04a9925a..55db1ce1 100644
--- a/labs/config/credentials
+++ b/labs/config/credentials
@@ -10,4 +10,17 @@
 # Used for MySQL or whatever other DBMS is configured
 : ${DATABASE_PASSWORD:=secrete}
 
+# A "shared secret" used as OS_SERVICE_TOKEN, together with
+# OS_SERVICE_ENDPOINT, before keystone can be used for authentication
+# Produced by: openssl rand -hex 10
+: ${ADMIN_TOKEN:=c9fbb405c325e018fc5e}
+
+# Tenant and role for admin accounts
+: ${ADMIN_ROLE_NAME:=admin}
+: ${ADMIN_TENANT_NAME:=admin}
+
+# User name and password for administrator
+: ${ADMIN_USER_NAME:=admin}
+: ${ADMIN_PASSWORD:=admin_pass}
+
 # vim: set ai ts=4 sw=4 et ft=sh:
diff --git a/labs/config/labs-openstackrc.sh b/labs/config/labs-openstackrc.sh
new file mode 100644
index 00000000..3281c5b1
--- /dev/null
+++ b/labs/config/labs-openstackrc.sh
@@ -0,0 +1,15 @@
+# The variables in this file are exported for use by OpenStack client
+# applications.
+
+# Unlike a regular openstackrc.sh file, this file gets its variable values
+# from other configuration files (to limit redundancy).
+
+# Use BASH_SOURCE so the file works when sourced from a shell, too
+CONFIG_DIR=$(dirname "$BASH_SOURCE")
+source "$CONFIG_DIR/openstack"
+source "$CONFIG_DIR/credentials"
+
+export OS_USERNAME=$ADMIN_USER_NAME
+export OS_PASSWORD=$ADMIN_PASSWORD
+export OS_TENANT_NAME=$ADMIN_TENANT_NAME
+export OS_AUTH_URL="http://controller-mgmt:5000/v2.0"
diff --git a/labs/config/scripts.controller b/labs/config/scripts.controller
index 7b33beee..b5c05ff9 100644
--- a/labs/config/scripts.controller
+++ b/labs/config/scripts.controller
@@ -1,3 +1,3 @@
 # Scripts for controller node
 scripts apt_install_mysql.sh
-scripts setup_keystonedb.sh
+scripts setup_keystone.sh
diff --git a/labs/lib/functions.guest b/labs/lib/functions.guest
index e62e3176..b826db0b 100644
--- a/labs/lib/functions.guest
+++ b/labs/lib/functions.guest
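Review bot: In labs/config/credentials the `ADMIN_TOKEN` default is a fixed value committed to the repository, so every environment built from these scripts shares the same keystone bootstrap token unless the variable is overridden; the "Produced by: openssl rand -hex 10" comment can be read as if the value were unique per install. The same applies to `ADMIN_PASSWORD:=admin_pass`. I would extend the comment with something like `# Published default for isolated training labs only; override ADMIN_TOKEN and ADMIN_PASSWORD in the environment before sourcing for anything reachable from outside the lab.` Quoting the expansions as well (`: "${ADMIN_TOKEN:=c9fbb405c325e018fc5e}"`) keeps the no-op command from word-splitting or globbing an overridden value.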
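Review bot: In labs/config/labs-openstackrc.sh, `OS_AUTH_URL` is the literal `http://controller-mgmt:5000/v2.0` although the header says values come from the other config files, and because it is plain HTTP, `OS_PASSWORD` and the tokens issued for it cross the management network unencrypted. If that is accepted for the lab, a comment such as `# Plain HTTP: lab management network only` above the export would record the decision, and the host name would ideally come from the sourced `openstack` config (not visible in this diff) rather than being repeated here and in setup_keystone.sh. Sourcing this file also assigns `CONFIG_DIR` in the caller's shell; setup_keystone.sh appears to get a variable of the same name from config/paths, so a file-specific name would avoid overwriting it.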
@@ -143,6 +143,34 @@ function iniset_sudo {
 cat "$tmpfile" | sudo tee "$file" >/dev/null
 }
 
+#-------------------------------------------------------------------------------
+# OpenStack helpers
+#-------------------------------------------------------------------------------
+
+function mysql_exe {
+ local cmd="$1"
+ echo "MySQL cmd: $cmd."
+ mysql -u "root" -p"$DATABASE_PASSWORD" -e "$cmd"
+}
+
+function setup_database {
+ local service=$1
+ local user_name=$(service_to_user_name $service)
+ local user_password=$(service_to_user_password $service)
+ mysql_exe "CREATE DATABASE $service"
+ mysql_exe "GRANT ALL ON ${service}.* TO '$user_name'@'%' IDENTIFIED BY '$user_password';"
+}
+
+function service_to_user_name {
+ local service_name=$1
+ echo "${service_name}User"
+}
+
+function service_to_user_password {
+ local service_name=$1
+ echo "${service_name}Pass"
+}
+
 #-------------------------------------------------------------------------------
 # Network configuration
 #-------------------------------------------------------------------------------
diff --git a/labs/scripts/setup_keystone.sh b/labs/scripts/setup_keystone.sh
new file mode 100755
index 00000000..b0b34fa4
--- /dev/null
+++ b/labs/scripts/setup_keystone.sh
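Review bot: `mysql_exe` echoes the full statement before running it, so the `GRANT ... IDENTIFIED BY '$user_password'` issued by `setup_database` puts each service's database password into the script output, and into the log if `exec_logfile` redirects output there (not visible in this hunk). Logging `echo "MySQL cmd: ${cmd%% IDENTIFIED BY*}."` instead keeps the statement visible without the secret. In the same function `-p"$DATABASE_PASSWORD"` places the root password on the mysql command line, where the process list exposes it while the client starts; an option file with mode 0600 passed through `--defaults-extra-file` avoids that. `$service` is interpolated into the SQL text and passed unquoted to `service_to_user_name`, so the function header should state that the argument must be a trusted identifier. The derived `${service_name}Pass` password together with the `'%'` host grant also deserves a lab-only comment.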
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+TOP_DIR=$(cd $(dirname "$0")/.. && pwd)
+source "$TOP_DIR/config/paths"
+source "$CONFIG_DIR/credentials"
+source "$LIB_DIR/functions.guest"
+
+exec_logfile
+
+indicate_current_auto
+
+#------------------------------------------------------------------------------
+# Set up keystone for controller node
+#------------------------------------------------------------------------------
+
+echo "Installing keystone."
+sudo apt-get install -y keystone
+
+echo "Removing default SQLite database."
+sudo rm -f /var/lib/keystone/keystone.db
+
+echo "Setting up database for keystone."
+setup_database keystone
+
+function get_database_url {
+ local user_name=$(service_to_user_name keystone)
+ local user_password=$(service_to_user_password keystone)
+ local database_host=controller-mgmt
+
+ echo "mysql://$user_name:$user_password@$database_host/keystone"
+}
+
+database_url=$(get_database_url)
+
+echo "Configuring /etc/keystone/keystone.conf."
+
+echo "Setting database connection: $database_url."
+iniset_sudo /etc/keystone/keystone.conf database connection "$database_url"
+
+echo "Setting admin_token to bootstrap authentication."
+iniset_sudo /etc/keystone/keystone.conf DEFAULT admin_token "$ADMIN_TOKEN"
+
+echo "Setting log directory to /var/log/keystone."
+iniset_sudo /etc/keystone/keystone.conf DEFAULT log_dir "/var/log/keystone"
+
+sudo service keystone restart
+
+echo "Creating the database tables for keystone."
+sudo keystone-manage db_sync
+
+#------------------------------------------------------------------------------
+# Configure keystone users, roles, and endpoints so it can be used for
+# authentication.
+#------------------------------------------------------------------------------
+
+echo "Using OS_SERVICE_TOKEN, OS_SERVICE_ENDPOINT for authentication."
+export OS_SERVICE_TOKEN=$ADMIN_TOKEN
+export OS_SERVICE_ENDPOINT="http://controller-mgmt:35357/v2.0"
+
+echo "Adding admin tenant."
+keystone tenant-create --name "$ADMIN_TENANT_NAME" --description "Admin Tenant"
+
+echo "Creating admin user."
+keystone user-create --name "$ADMIN_USER_NAME" --pass "$ADMIN_PASSWORD" --email admin@domain.com
+
+echo "Creating admin roles."
+keystone role-create --name "$ADMIN_ROLE_NAME"
+
+echo "Adding admin roles to admin user."
+keystone user-role-add \
+ --tenant "$ADMIN_TENANT_NAME" \
+ --user "$ADMIN_USER_NAME" \
+ --role "$ADMIN_ROLE_NAME"
+
+echo "Creating keystone service."
+keystone service-create \
+ --name keystone \
+ --type identity \
+ --description 'OpenStack Identity'
+
+echo "Creating endpoints for keystone."
+keystone_service_id=$(keystone service-list | awk '/ keystone / {print $2}')
+keystone endpoint-create \
+ --service-id "$keystone_service_id" \
+ --publicurl "http://controller-api:5000/v2.0" \
+ --adminurl "http://controller-mgmt:35357/v2.0" \
+ --internalurl "http://controller-mgmt:5000/v2.0"
diff --git a/labs/scripts/setup_openstackdb.sh b/labs/scripts/setup_openstackdb.sh
deleted file mode 100755
index 66c6380a..00000000
--- a/labs/scripts/setup_openstackdb.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-TOP_DIR=$(cd $(dirname "$0")/.. && pwd)
-source "$TOP_DIR/config/paths"
-source "$CONFIG_DIR/credentials"
-source "$LIB_DIR/functions.guest"
-
-exec_logfile
-
-indicate_current_auto
-
-#-------------------------------------------------------------------------------
-# Create database Keystone, Glance, Neutron, Nova, and Cinder
-#-------------------------------------------------------------------------------
-function mysql_exe {
- local CMD="$1"
- mysql -u "root" -p"$DATABASE_PASSWORD" -e "$CMD"
-}
-
-function setup_database {
- local DB=$1
- mysql_exe "CREATE DATABASE $DB"
- mysql_exe "GRANT ALL ON ${DB}.* TO '${DB}User'@'%' IDENTIFIED BY '${DB}Pass';"
-}
-
-setup_database keystone
-setup_database glance
-setup_database neutron
-setup_database nova
-setup_database cinder
-
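Review bot: In labs/scripts/setup_keystone.sh, `echo "Setting database connection: $database_url."` prints the keystone database password as part of the URL, and since the script runs after `exec_logfile` the secret probably ends up in the log file; `echo "Setting database connection for keystone."` says the same without it. The bootstrap `ADMIN_TOKEN` is written to keystone.conf and exported as `OS_SERVICE_TOKEN`, but nothing retires it once the admin user exists; ending the script with `unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT` and a comment that `admin_token` should be taken out of keystone.conf after bootstrap would limit how long that credential stays usable. No exit status is checked either: if `keystone service-list` fails, `endpoint-create` runs with an empty `--service-id`, so a guard such as `[ -n "$keystone_service_id" ] || exit 1` before that call is worth adding.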