Product Documentation

Configuring LBaaS V2 using Command Line

Sep 17, 2016

LBaaS V2 supports SSL offload with certificates managed by Barbican, certificate bundles (includes intermediary Certification Authorities), SNI support along with the regular load balancing features. LBaaS V2 supports only command line interface to execute configuration tasks. LBaaS V2 API implementations are performed through Neutron LBaaS commands.


Upload certificate and key to Barbican service when you require SSL offloading feature. Perform steps 1, 2, and 3 if SSL offloading is supported, else continue from step 4 to create a load balancer, a listener, a pool and a member.

1.     Upload certificate to Barbican service using the following command:

barbican secret store --payload-content-type <content_type> --name <certificate_name> --payload<certificate_location>

Example: barbican secret store --payload-content-type='text/plain' --name='hp_server_certificate' --payload=" hp_server/tmp/server_certificate"

localized image

2. Upload key to Barbican service using the following command:

barbican secret store --payload-content-type <content_type> --name <key_name> --payload<key_location>

Example: barbican secret store -- payload-content-type='text/plain' --name='shp_server_key' --payload="hp-server/tmp/server_key"

localized image


When you execute these two Barbican commands to load the certificate and the key, the Secret href fields provide a location or url. This is where the certificate and the key are stored on the system where OpenStack is installed. Copy these links and provide these links as parameters when you create the container on Barbican service in step 3.

3.     Create a container in Barbican service to store the certificate and the key using the following command:

In the command, replace <certificate_url> with the url that you obtained from the Secret href field when you uploaded the certificate. Similarly, replace <key_url> with the url that you obtained from the Secret href field when you uploaded the key.

barbican secret container create --name<container_name> --type<container_type> --secret<certificate_url> --secret<key_url>

Example: barbican secret container create --name='hp_container' --type='certificate' --secret="certificate=http://localhost:9311/v1/secrets/e36a4a82-87e4-4873-9efe-55108875ef58" --secret="private_key=http://localhost:9311/v1/secrets/1b9e1a93-2aeb-4101-8002-e52acab987b0"

localized image

Copy the container href value. You have to provide the link to the container when creating the listener in step 6

4.         Set the environment variables in OpenStack. The variables enable the OpenStack client commands to communicate with the OpenStack services.


export OS_PASSWORD-hp

export OS_AUTH_URL=

export OS_USERNAME=hp_user

export OS_TENANT_NAME=hp



localized image


Set these variables for every SSH session before running other commands. For more information about OpenStack environment variables, see OpenStack environment variables.

5.          Create a load balancer using the following command:

neutron lbaas-loadbalancer-create --name <loadbalancer-name>  <subnet-name> --provider <netscaler>

Example: neutron lbaas-loadbalancer-create --name hp-lb-test hp-sub1 --provider netscaler

localized image

The status changes from PENDING_CREATE to ACTIVE after the load balancer is successfully created.

localized image

6.     Create a listener using the following commmand:

neutron lbaas-listener-create --loadbalancer <loadbalancer-name> --name <listener-name> --protocol <protocol_type> --protocol-port <port_number> --default-tls-container-id<container_url>

Example: neutron lbaas-listener-create --name hp-lb-test-list  --loadbalancer hp-lb-test --protocol TERMINATED_HTTPS --protocol-port 443 --default-tls-container-id


If you are creating a listener without SSL offload support, execute the following command without providing locations to the container:

neutron lbaas-listener-create --loadbalancer <loadbalancer-name> --name <listener-name> --protocol <protocol_type> --protocol-port <port_number>

localized image

7.     Create a pool using the following command:

neutron lbaas-pool-create --lb-algorithm <algorithm_type> --listener <listener-name> --protocol <protocol_type> --name <pool-name>

Example: neutron lbaas-pool-create --lb-algorithm LEAST_CONNECTIONS --listener demolistener --protocol http --name demopool

localized image

8.     Create a member using the following command:

neutron lbaas-member-create  --subnet <subnet-name> --address <ip-address of the web server> --protocol-port <port_number>  <pool-name>

Example: neutron lbaas-member-create --subnet hp-sub1 --address --protocol-port 80 hp-lb-test-pool

localized image

Monitoring OpenStack Applications in NetScaler MAS

Your tenants can log on to NetScaler MAS using their OpenStack credentials to monitor VIPs and pools created from OpenStack from any browser. The URL should be in the following format:


Where, <mas-ip-address>, is the NetScaler MAS IP address that is registered with the OpenStack.


  • OpenStack VIPs correspond to virtual servers in NetScaler MAS.
  • OpenStack Pools correspond to service groups in NetScaler MAS.
  • OpenStack Pool members correspond to service group members in NetScaler MAS.