1. Is "password" supposed to be replaced by some credential? This isn't mentioned in the instructions; my guess is that this credential is used only for applications that request REST Direct Access Grants, and that apiman doesn't. Is that correct?

2. If I'm configuring the gateway as a separate service, can I remove the apimanui.war secure-deployment entry? Correspondingly, when I configure the standalone API manager, do I remove the apiman-gateway-api.war entry?

3. Is it possible to set properties that appear in apiman.properties by way of Java system properties or in a <system-properties> configuration in the standalone-apiman.xml file?

I've received a response from the Keycloak list about the credential in the secure-deployment configuration for Keycloak; this looks like something that should be part of the apiman deployment instructions. I've included the response below: On 12/9/15, 7:40 AM, "Juraci Paixão Kröhling" <juraci(a)kroehling.de&gt; wrote: > I don't know about the specifics of apiman, but this secret is not used > only for direct access grants, in general. All in all, I'm not a big fan > of shipping with a default secret/password (or any security "token"). > > If that also makes you feel not comfortable, you might want to try to > change the "credential" for the "apiman" client on the "apiman" realm > via the Keycloak admin console: > > - login to the auth console (admin:admin are the default credentials) > - select the apiman realm on the top-left > - select "Clients" and then "apiman" > - select the second tab, "Credentials" > - "Regenerate secret" > > This new secret should go into the standalone.xml, as value for all > "kc:credential[name=secret]" whose realm/resource are "apiman". > > - Juca. On 12/7/15, 8:35 PM, "Eric Wittmann" <eric.wittmann(a)redhat.com&gt; wrote: > Hi Paul - answers inline below. > >> 1. Is "password" supposed to be replaced by some credential? This isn't >> mentioned in the instructions; my guess is that this credential is used >> only for applications that request REST Direct Access Grants, and that >> apiman doesn't. Is that correct? > > Embarrassingly I'm not 100% sure what that setting is all about. Here > is the documentation from keycloak: > > ---- > credentials > Specify the credentials of the application. This is an object notation > where the key is the credential type and the value is the value of the > credential type. Currently only 'password' is supported. This is REQUIRED. > ---- > > It would be a good question to ask on the keycloak mailing list. > > @msavy - any idea? > >> 2. If I'm configuring the gateway as a separate service, can I remove >> the apimanui.war secure-deployment entry? Correspondingly, when I >> configure the standalone API manager, do I remove the >> apiman-gateway-api.war entry? > > Yep! It's not *required* to remove them, but you can certainly remove > them without ill effect. > >> 3. Is it possible to set properties that appear in apiman.properties by >> way of Java system properties or in a <system-properties> configuration >> in the standalone-apiman.xml file? > > Yes it is! :) Either of those approaches should work. You can also > use environment variables and eap/wildfly vaulted values if you like. > It's also possible to encrypt values (using our AesEncrypter class) and > put the encrypted value in the config. Not really secure but it's > better than having a password in clear text. > > -Eric > >