diff --git a/swift3/test/functional/conf/keystone-paste.ini b/swift3/test/functional/conf/keystone-paste.ini
index a961a35c..10df3675 100644
--- a/swift3/test/functional/conf/keystone-paste.ini
+++ b/swift3/test/functional/conf/keystone-paste.ini
@@ -1,91 +1,80 @@
 # Keystone PasteDeploy configuration file.
 
 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
+use = egg:oslo.middleware#debug
+
+[filter:request_id]
+use = egg:oslo.middleware#request_id
 
 [filter:build_auth_context]
-paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
+use = egg:keystone#build_auth_context
 
 [filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
-
-[filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+use = egg:keystone#token_auth
 
 [filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+use = egg:keystone#json_body
 
-[filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
+[filter:cors]
+use = egg:oslo.middleware#cors
+oslo_config_project = keystone
 
-[filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+[filter:http_proxy_to_wsgi]
+use = egg:oslo.middleware#http_proxy_to_wsgi
+
+[filter:healthcheck]
+use = egg:oslo.middleware#healthcheck
 
 [filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+use = egg:keystone#ec2_extension
 
 [filter:ec2_extension_v3]
-paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
-
-[filter:federation_extension]
-paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
-
-[filter:oauth1_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
+use = egg:keystone#ec2_extension_v3
 
 [filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
-
-[filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:simple_cert_extension]
-paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
-
-[filter:revoke_extension]
-paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
+use = egg:keystone#s3_extension
 
 [filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
+use = egg:keystone#url_normalize
 
-[filter:stats_monitoring]
-paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
-
-[filter:stats_reporting]
-paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
-
-[filter:access_log]
-paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
+[filter:sizelimit]
+use = egg:oslo.middleware#sizelimit
 
 [app:public_service]
-paste.app_factory = keystone.service:public_app_factory
+use = egg:keystone#public_service
 
 [app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
+use = egg:keystone#service_v3
 
 [app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
+use = egg:keystone#admin_service
 
 [pipeline:public_api]
-pipeline = url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
+# The last item in this pipeline must be public_service or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
 
 [pipeline:admin_api]
-pipeline = url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
+# The last item in this pipeline must be admin_service or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
 
 [pipeline:api_v3]
-pipeline = url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
+# The last item in this pipeline must be service_v3 or an equivalent
+# application. It cannot be a filter.
+pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
 
 [app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
+use = egg:keystone#public_version_service
 
 [app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
+use = egg:keystone#admin_version_service
 
 [pipeline:public_version_api]
-pipeline = url_normalize public_version_service
+pipeline = healthcheck cors sizelimit url_normalize public_version_service
 
 [pipeline:admin_version_api]
-pipeline = url_normalize admin_version_service
+pipeline = healthcheck cors sizelimit url_normalize admin_version_service
 
 [composite:main]
 use = egg:Paste#urlmap
diff --git a/swift3/test/functional/conf/keystone.conf.in b/swift3/test/functional/conf/keystone.conf.in
index 8711bf8f..5aac1bfe 100644
--- a/swift3/test/functional/conf/keystone.conf.in
+++ b/swift3/test/functional/conf/keystone.conf.in
@@ -22,3 +22,7 @@ certfile=%TEST_DIR%/certs/signing_cert.pem
 keyfile=%TEST_DIR%/private/signing_key.pem
 ca_certs=%TEST_DIR%/certs/ca.pem
 ca_key=%TEST_DIR%/private/cakey.pem
+
+[fernet_tokens]
+
+key_repository=%TEST_DIR%/fernet-keys/
diff --git a/swift3/test/functional/setup_keystone b/swift3/test/functional/setup_keystone
index 8e5f5465..3f7895ff 100644
--- a/swift3/test/functional/setup_keystone
+++ b/swift3/test/functional/setup_keystone
@@ -15,8 +15,11 @@
 
 set -e
 
-export OS_TOKEN=ADMIN
-export OS_URL=http://localhost:35357/v2.0
+export OS_AUTH_URL=http://localhost:35357/
+export OS_PROJECT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD=admin
+export OS_IDENTITY_API_VERSION=3
 
 _get_id()
 {
@@ -33,25 +36,28 @@ _add_user()
 
     TENANT_ID=$(openstack project list | awk "/ $tenant / { print \$2 }")
     if [ "$TENANT_ID" == "" ]; then
-	# create a new tenant
-	TENANT_ID=$(openstack project create $tenant | _get_id)
+        # create a new tenant
+        TENANT_ID=$(openstack project create $tenant | _get_id)
     fi
 
-    USER_ID=$(openstack user create $user --password=$password \
-        --project $TENANT_ID | _get_id)
+    USER_ID=$(openstack user list | awk "/ $user / { print \$2 }")
+    if [ "$USER_ID" == "" ]; then
+        USER_ID=$(openstack user create $user --password=$password \
+            --project $TENANT_ID | _get_id)
+    fi
 
     if [ "$role" != "" ]; then
-	ROLE_ID=$(openstack role list | awk "/ $role / { print \$2 }")
-	if [ "$ROLE_ID" == "" ]; then
-	    # create a new role
-	    ROLE_ID=$(openstack role create $role | _get_id)
-	fi
+        ROLE_ID=$(openstack role list | awk "/ $role / { print \$2 }")
+        if [ "$ROLE_ID" == "" ]; then
+            # create a new role
+            ROLE_ID=$(openstack role create $role | _get_id)
+        fi
 
-	openstack role add --user $USER_ID --project $TENANT_ID $ROLE_ID
+        openstack role add --user $USER_ID --project $TENANT_ID $ROLE_ID
     fi
 
     eval $(openstack ec2 credentials create --user $user --project $tenant \
-	-f shell -c access -c secret)
+        -f shell -c access -c secret)
     export ${name}_ACCESS_KEY=$access
     export ${name}_SECRET_KEY=$secret
 }
@@ -63,9 +69,9 @@ _create_swift_accounts()
     _add_user TESTER test tester testing admin
     _add_user TESTER2 test tester2 testing2 member
 
-    SERVICE=$(openstack service create swift --type=object-store | _get_id)
+    SERVICE=$(openstack service create --name=swift object-store | _get_id)
     openstack endpoint create $SERVICE \
-        --publicurl "http://localhost:8080/v1/AUTH_\$(tenant_id)s"
+        public "http://localhost:8080/v1/AUTH_\$(tenant_id)s"
 }
 
 _setup_keystone()
@@ -75,11 +81,20 @@ _setup_keystone()
     local log_file="${LOG_DEST:-${TEST_DIR}/log}/keystone.log"
     mkdir -p "$(dirname "${log_file}")"
 
-    keystone-all --config-file conf/keystone.conf --debug > "${log_file}" 2>&1 &
-    export keystone_pid=$!
-
+    keystone-manage --config-file conf/keystone.conf --debug fernet_setup
     keystone-manage --config-file conf/keystone.conf --debug db_sync
     keystone-manage --config-file conf/keystone.conf --debug pki_setup
+    keystone-manage --config-file conf/keystone.conf --debug bootstrap \
+        --bootstrap-password=$OS_PASSWORD \
+        --bootstrap-admin-url=$OS_AUTH_URL \
+        --bootstrap-public-url=${OS_AUTH_URL/35357/5000}
+
+    keystone-wsgi-admin -p 35357 -- --config-file conf/keystone.conf --debug \
+        > "${log_file}" 2>&1 &
+    export keystone_pid=$!
+    # make sure it's actually running
+    sleep 1
+    ps -p $keystone_pid
 
     _create_swift_accounts
 }