[Apiman-user] Production deployment questions

Paul Blair pblair at clearme.com
Tue Dec 15 09:56:54 EST 2015


I've received a response from the Keycloak list about the credential in
the secure-deployment configuration for Keycloak; this looks like
something that should be part of the apiman deployment instructions. I've
included the response below:


On 12/9/15, 7:40 AM, "Juraci Paixão Kröhling" <juraci at kroehling.de> wrote:

> I don't know about the specifics of apiman, but this secret is not used
> only for direct access grants, in general. All in all, I'm not a big fan
> of shipping with a default secret/password (or any security "token").
>
> If that also makes you feel not comfortable, you might want to try to
> change the "credential" for the "apiman" client on the "apiman" realm
> via the Keycloak admin console:
>
> - login to the auth console (admin:admin are the default credentials)
> - select the apiman realm on the top-left
> - select "Clients" and then "apiman"
> - select the second tab, "Credentials"
> - "Regenerate secret"
>
> This new secret should go into the standalone.xml, as value for all
> "kc:credential[name=secret]" whose realm/resource are "apiman".
>
> - Juca.
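The step Juca describes ends with the regenerated secret replacing every `kc:credential[name=secret]` whose realm and resource are "apiman". A quick way to confirm that no entry was missed is to audit standalone.xml for secure-deployment blocks that still carry the shipped default. The script below is an added example written for this thread, not code from apiman or Keycloak; it assumes the Keycloak adapter subsystem namespace `urn:jboss:domain:keycloak:1.1` (check the `xmlns` in your own file) and runs against a constructed standalone.xml fragment embedded inline. A value written as a WildFly expression such as `${env.NAME}` is treated as externalized and not flagged.

```python
"""Audit a WildFly/EAP standalone.xml for Keycloak secure-deployment entries
whose client secret is still a default or placeholder value."""
import sys
import xml.etree.ElementTree as ET

# Namespace of the Keycloak adapter subsystem. The version suffix is an
# assumption for this example; match it to the xmlns in your standalone.xml.
KC_NS = "urn:jboss:domain:keycloak:1.1"

# Values that should never reach production as a client secret.
PLACEHOLDER_SECRETS = {"password", "secret", "changeme", ""}

# Constructed sample, not taken from any real deployment. One entry still has
# the shipped default, one uses an environment-variable expression, one was
# rotated to a (made-up) regenerated value.
SAMPLE_STANDALONE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="{KC_NS}">
      <secure-deployment name="apiman.war">
        <realm>apiman</realm>
        <resource>apiman</resource>
        <credential name="secret">password</credential>
      </secure-deployment>
      <secure-deployment name="apiman-gateway-api.war">
        <realm>apiman</realm>
        <resource>apiman</resource>
        <credential name="secret">${{env.APIMAN_KC_SECRET}}</credential>
      </secure-deployment>
      <secure-deployment name="apimanui.war">
        <realm>apiman</realm>
        <resource>apiman</resource>
        <credential name="secret">0123456789abcdef-rotated-example</credential>
      </secure-deployment>
    </subsystem>
  </profile>
</server>
"""


def is_externalized(value):
    """True for WildFly expressions like ${env.X} or ${VAULT::...}."""
    return value.startswith("${") and value.endswith("}")


def find_default_secrets(xml_text, realm="apiman", resource="apiman"):
    """Return [(deployment name, secret value)] for every secure-deployment
    of the given realm/resource whose 'secret' credential is a placeholder."""
    root = ET.fromstring(xml_text)
    ns = {"kc": KC_NS}
    findings = []
    for dep in root.iterfind(".//kc:secure-deployment", ns):
        if dep.findtext("kc:realm", default="", namespaces=ns) != realm:
            continue
        if dep.findtext("kc:resource", default="", namespaces=ns) != resource:
            continue
        for cred in dep.iterfind("kc:credential[@name='secret']", ns):
            value = (cred.text or "").strip()
            if is_externalized(value):
                continue
            if value.lower() in PLACEHOLDER_SECRETS:
                findings.append((dep.get("name"), value))
    return findings


def audit_file(path):
    """Audit a standalone.xml on disk; returns the same findings list."""
    with open(path, encoding="utf-8") as fh:
        return find_default_secrets(fh.read())


if __name__ == "__main__":
    # Usage: python audit_kc_secrets.py [path/to/standalone.xml]
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 \
        else find_default_secrets(SAMPLE_STANDALONE_XML)
    for name, value in results:
        print(f"{name}: credential 'secret' still set to {value!r}")
    sys.exit(1 if results else 0)
```

Run it without arguments to see the constructed sample flag only `apiman.war`; point it at a real standalone.xml (or standalone-apiman.xml) after regenerating the secret and it exits non-zero while any entry still reads "password".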
On 12/7/15, 8:35 PM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:

>Hi Paul - answers inline below.
>
>> 1. Is "password" supposed to be replaced by some credential? This isn't
>> mentioned in the instructions; my guess is that this credential is used
>> only for applications that request REST Direct Access Grants, and that
>> apiman doesn't. Is that correct?
>
>Embarrassingly I'm not 100% sure what that setting is all about.  Here
>is the documentation from keycloak:
>
>----
>credentials
>Specify the credentials of the application. This is an object notation
>where the key is the credential type and the value is the value of the
>credential type. Currently only 'password' is supported. This is REQUIRED.
>----
>
>It would be a good question to ask on the keycloak mailing list.
>
>@msavy - any idea?
>
>> 2. If I'm configuring the gateway as a separate service, can I remove
>> the apimanui.war secure-deployment entry? Correspondingly, when I
>> configure the standalone API manager, do I remove the
>> apiman-gateway-api.war entry?
>
>Yep!  It's not *required* to remove them, but you can certainly remove
>them without ill effect.
>
>> 3. Is it possible to set properties that appear in apiman.properties by
>> way of Java system properties or in a <system-properties> configuration
>> in the standalone-apiman.xml file?
>
>Yes it is!  :)  Either of those approaches should work.  You can also
>use environment variables and eap/wildfly vaulted values if you like.
>It's also possible to encrypt values (using our AesEncrypter class) and
>put the encrypted value in the config.  Not really secure but it's
>better than having a password in clear text.
>
>-Eric
>
>