[Apiman-user] Production deployment questions

[Eric Wittmann]

You are right - we need to update the production guide.  Thanks!

-Eric

On 12/15/2015 9:56 AM, Paul Blair wrote:
> I've received a response from the Keycloak list about the credential in
> the secure-deployment configuration for Keycloak; this looks like
> something that should be part of the apiman deployment instructions. I've
> included the response below:
>
>
> On 12/9/15, 7:40 AM, "Juraci Paixão Kröhling" <juraci at kroehling.de> wrote:
>
>> I don't know about the specifics of apiman, but this secret is not used
>> only for direct access grants, in general. All in all, I'm not a big fan
>> of shipping with a default secret/password (or any security "token").
>>
>> If that also makes you feel not comfortable, you might want to try to
>> change the "credential" for the "apiman" client on the "apiman" realm
>> via the Keycloak admin console:
>>
>> - login to the auth console (admin:admin are the default credentials)
>> - select the apiman realm on the top-left
>> - select "Clients" and then "apiman"
>> - select the second tab, "Credentials"
>> - "Regenerate secret"
>>
>> This new secret should go into the standalone.xml, as value for all
>> "kc:credential[name=secret]" whose realm/resource are "apiman".
>>
>> - Juca.
>
>
>
>
> On 12/7/15, 8:35 PM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:
>
>> Hi Paul - answers inline below.
>>
>>> 1. Is "password" supposed to be replaced by some credential? This isn't
>>> mentioned in the instructions; my guess is that this credential is used
>>> only for applications that request REST Direct Access Grants, and that
>>> apiman doesn't. Is that correct?
>>
>> Embarrassingly I'm not 100% sure what that setting is all about.  Here
>> is the documentation from keycloak:
>>
>> ----
>> credentials
>> Specify the credentials of the application. This is an object notation
>> where the key is the credential type and the value is the value of the
>> credential type. Currently only 'password' is supported. This is REQUIRED.
>> ----
>>
>> It would be a good question to ask on the keycloak mailing list.
>>
>> @msavy - any idea?
>>
>>> 2. If I'm configuring the gateway as a separate service, can I remove
>>> the apimanui.war secure-deployment entry? Correspondingly, when I
>>> configure the standalone API manager, do I remove the
>>> apiman-gateway-api.war entry?
>>
>> Yep!  It's not *required* to remove them, but you can certainly remove
>> them without ill effect.
>>
>>> 3. Is it possible to set properties that appear in apiman.properties by
>>> way of Java system properties or in a <system-properties> configuration
>>> in the standalone-apiman.xml file?
>>
>> Yes it is!  :)  Either of those approaches should work.  You can also
>> use environment variables and eap/wildfly vaulted values if you like.
>> It's also possible to encrypt values (using our AesEncrypter class) and
>> put the encrypted value in the config.  Not really secure but it's
>> better than having a password in clear text.
>>
>> -Eric
>>
>>
>