diff --git a/devstack/local.conf b/devstack/local.conf index e19f6bb..c085987 100644 --- a/devstack/local.conf +++ b/devstack/local.conf @@ -16,7 +16,7 @@ Q_FLOATING_ALLOCATION_POOL=start=172.24.4.10,end=172.24.4.200 PUBLIC_NETWORK_NAME=public PUBLIC_NETWORK_GATEWAY=172.24.4.1 -IMAGE_URL_SITE="http://download.fedoraproject.org" -IMAGE_URL_PATH="/pub/fedora/linux/releases/27/CloudImages/x86_64/images/" -IMAGE_URL_FILE="Fedora-Cloud-Base-27-1.6.x86_64.qcow2" -IMAGE_URLS+=","$IMAGE_URL_SITE$IMAGE_URL_PATH$IMAGE_URL_FILE +_IMAGE_PREFIX="http://download.fedoraproject.org/pub/fedora/linux/releases" +_FEDORA25="/25/CloudImages/x86_64/images/Fedora-Cloud-Base-25-1.3.x86_64.qcow2" +_FEDORA27="/27/CloudImages/x86_64/images/Fedora-Cloud-Base-27-1.6.x86_64.qcow2" +IMAGE_URLS+=","$_IMAGE_PREFIX$_FEDORA25","$_IMAGE_PREFIX$_FEDORA27 diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 8331118..c22f8d9 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -74,6 +74,13 @@ function configure_tatu { iniset $NOVA_CONF vendordata_dynamic_auth project_id $admin_project iniset $NOVA_CONF vendordata_dynamic_auth user_domain_name default + # Castellan (Barbican client) credentials + iniset $TATU_CONF key_manager auth_url $KEYSTONE_SERVICE_URI + iniset $TATU_CONF key_manager auth_type keystone_password + iniset $TATU_CONF key_manager user_id $admin_user + iniset $TATU_CONF key_manager password $ADMIN_PASSWORD + iniset $TATU_CONF key_manager project_id $admin_project + # General Configuration iniset_rpc_backend tatu $TATU_CONF DEFAULT iniset $TATU_CONF DEFAULT rpc_response_timeout 5 diff --git a/files/user-cloud-config b/files/user-cloud-config index e8f316f..5c31225 100644 --- a/files/user-cloud-config +++ b/files/user-cloud-config 
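Review bot: `_IMAGE_PREFIX` keeps the `http://` scheme in the devstack/local.conf hunk, so both Fedora qcow2 files that become guest base images are fetched without transport integrity, and nothing visible here checks them against a published checksum. The prefix could read `_IMAGE_PREFIX="https://download.fedoraproject.org/pub/fedora/linux/releases"`. The redirector may still hand the download to a mirror, so comparing the file against the release's CHECKSUM file is the stronger control. A short comment saying why the Fedora 25 image is needed alongside 27 would also help, since the older release stops receiving updates first.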
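Review bot: The new `[key_manager]` block in devstack/plugin.sh gives Tatu the cloud admin identity (`$admin_user` with `$ADMIN_PASSWORD`) for its Barbican access and writes that password into `$TATU_CONF` in cleartext. A dedicated service user holding only the role Barbican requires would limit what a leaked config file or a compromised Tatu process can reach. The password is also passed unquoted, so a value containing whitespace or glob characters would be split or expanded before iniset sees it; `iniset $TATU_CONF key_manager password "$ADMIN_PASSWORD"` avoids that. configure_tatu starts and ends outside the hunk, so whether the file's permissions are restricted elsewhere is not visible here.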
@@ -41,7 +41,7 @@ write_files:
 echo host public key is $host_pub_key
 data=$(echo {\"token_id\": \"$token\", \"host_id\": \"$host_id\", \"pub_key\": \"$host_pub_key\"})
 echo $data > /tmp/tatu_cert_request.json
- api=$(echo $vendordata | grep -Po '"api_endpoint": \K[^"]*')
+ api=$(echo $vendordata | grep -Po '"api_endpoint": "\K[^"]*')
 url=$api/noauth/hostcerts
 echo Posting Host Certificate request to Tatu API at $url
 response=$(curl -s -w "%{http_code}" -d "@/tmp/tatu_cert_request.json" -X POST $url)
@@ -102,7 +102,7 @@ write_files:
 auth_id=$(echo $metadata | grep -Po 'project_id": "\K[^"]*')
 echo auth_id=$auth_id
 vendordata=$(cat /mnt/config/openstack/latest/vendor_data2.json)
- api=$(echo $vendordata | grep -Po '"api_endpoint": \K[^"]*')
+ api=$(echo $vendordata | grep -Po '"api_endpoint": "\K[^"]*')
 url=$api/noauth/revokeduserkeys/$auth_id
 echo Fetching revoked user keys from Tatu API at $url
 response=$(curl -s -w "%{http_code}" $url)
diff --git a/tatu/config.py b/tatu/config.py
index 370dd22..2797d90 100644
--- a/tatu/config.py
+++ b/tatu/config.py
@@ -10,6 +10,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+from castellan.common import utils as castellan_utils
+from castellan.options import set_defaults as set_castellan_defaults
 from designateclient.v2 import client as designate_client
 from keystoneauth1 import session as keystone_session
 from keystoneauth1.identity import v3
@@ -19,7 +21,6 @@ from neutronclient.v2_0 import client as neutron_client
 from oslo_config import cfg
 from oslo_context import context
 from oslo_log import log as logging
-from castellan.options import set_defaults as set_castellan_defaults
 LOG = logging.getLogger(__name__)
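Review bot: Both corrected `api=` lines in files/user-cloud-config (the hunk at 41 and the one at 102) leave `api` empty when the grep pattern does not match, and the script then builds `url=$api/noauth/...` and calls curl regardless. A guard directly after the assignment, such as `[ -n "$api" ] || { echo "api_endpoint missing from vendordata"; exit 1; }` or whatever error path the script already uses, would make that failure explicit. The pattern also depends on exactly one space after the colon, and `$vendordata` is echoed unquoted, so `echo "$vendordata"` would avoid word splitting and globbing of the JSON. The endpoint's scheme is not checked either, so the token in the certificate request goes wherever vendordata points, possibly over plain http. The surrounding scripts begin and end outside both hunks.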
@@ -106,5 +107,4 @@ if CONF.tatu.use_pat_bastions:
 DRAGONFLOW = api_nb.NbApi.get_instance(False)
 # Create a context for use by Castellan
-CONTEXT = context.RequestContext(auth_token=auth.get_token(session),
- tenant=auth.get_project_id(session))
+CONTEXT = castellan_utils.credential_factory(conf=CONF)
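Review bot: `CONTEXT` is now built once at import time from the `[key_manager]` options, so every Castellan call made with it runs as that single configured identity. A missing or unsupported `auth_type` would presumably surface as an exception while importing `tatu.config`. The comment above it still describes a "context"; something like `# Castellan credential built from [key_manager] in the Tatu config; auth_type and its matching options must be set` would tell an operator what has to be configured. `from oslo_context import context` stays in the import block and may no longer be used in this module; the rest of the file is outside the hunk, so that needs checking.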