diff --git a/README.md b/README.md
index 207bf869a..9cf0f4fb0 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,6 @@ scenario](#all-in-one).
 | ssl | yes | yes | yes | yes | no |
 | ipv6 | centos7 | centos7 | centos7 | centos7 | no |
 | keystone | X | X | X | X | X |
-| tokens | uuid | uuid | fernet | fernet | uuid |
 | glance | rbd | swift | file | swift+rgw | file |
 | nova | rbd | X | X | rbd | X |
 | neutron | ovs | ovs | linuxbridge | ovs | ovs |
diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp
index 349ef9af2..8a3df1047 100644
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@@ -56,9 +56,7 @@ include ::openstack_integration::cacert
 include ::openstack_integration::memcached
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
-class { '::openstack_integration::keystone':
- token_provider => 'fernet',
-}
+include ::openstack_integration::keystone
 include ::openstack_integration::glance
 class { '::openstack_integration::neutron':
 driver => 'linuxbridge',
diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp
index 1d4b36440..54a8dd5d2 100644
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@@ -42,9 +42,7 @@ include ::openstack_integration::cacert
 include ::openstack_integration::memcached
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
-class { '::openstack_integration::keystone':
- token_provider => 'fernet',
-}
+include ::openstack_integration::keystone
 class { '::openstack_integration::glance':
 backend => 'swift',
 }
diff --git a/manifests/keystone.pp b/manifests/keystone.pp
index a90a851db..df7f736d6 100644
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
@@ -11,10 +11,6 @@
 # and the associated configuration in keystone.conf is set up right.
 # Defaults to false
 #
-# [*token_provider*]
-# (optional) Define the token provider to use.
-# Default to 'uuid'.
-#
 # [*token_expiration*]
 # (optional) Define the token expiration to use.
 # Default to '600'.
@@ -23,7 +19,6 @@
 class openstack_integration::keystone (
 $default_domain = undef,
 $using_domain_config = false,
- $token_provider = 'uuid',
 $token_expiration = '600',
 ) {
@@ -43,18 +38,20 @@ class openstack_integration::keystone (
 Exec['update-ca-certificates'] ~> Service['httpd']
 }
- if $token_provider == 'fernet' {
- $enable_fernet_setup = true
- class { '::keystone::cron::fernet_rotate':
- hour => '*',
- minute => '*/5',
- }
+ # Keystone credential setup is not packaged in UCA yet.
+ # It should be done when Newton is released.
+ if $::osfamily == 'RedHat' {
+ $enable_credential_setup = true
 } else {
- $enable_fernet_setup = false
+ $enable_credential_setup = false
 }
 class { '::keystone::client': }
 class { '::keystone::cron::token_flush': }
+ class { '::keystone::cron::fernet_rotate':
+ hour => '*',
+ minute => '*/5',
+ }
 class { '::keystone::db::mysql':
 password => 'keystone',
 }
@@ -71,8 +68,7 @@ class openstack_integration::keystone (
 public_bind_host => $::openstack_integration::config::host,
 admin_bind_host => $::openstack_integration::config::host,
 manage_policyrcd => true,
- token_provider => $token_provider,
- enable_fernet_setup => $enable_fernet_setup,
+ enable_credential_setup => $enable_credential_setup,
 fernet_max_active_keys => '4',
 token_expiration => $token_expiration,
 default_transport_url => os_transport_url({
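Review bot: The `::keystone::cron::fernet_rotate` declaration that is now unconditional (`hour => '*'`, `minute => '*/5'`) is silently coupled to `fernet_max_active_keys => '4'` and to the `'600'` default of `$token_expiration`, both set elsewhere in the class. With four active keys and a five-minute rotation, a key stays available for roughly ten minutes after it stops being primary, so a caller that raises `$token_expiration` would likely see tokens fail validation before they expire. I would state that above the cron declaration, e.g. `# Rotation every 5 min with fernet_max_active_keys => '4' covers token_expiration up to 600s; change them together.` The class body starts and ends outside this hunk.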
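Review bot: `enable_fernet_setup` and `token_provider` are no longer passed in this parameter list, while the rotation cron and `fernet_max_active_keys => '4'` are configured unconditionally, so whether a Fernet key repository is created now depends on defaults of the declared class that this diff does not show. If that default is false, the cron would presumably run against a repository nothing has initialised. Keeping the setting explicit next to the new parameter removes that dependency: `enable_fernet_setup => true,`. The resource declaration these parameters belong to starts and ends outside this hunk.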