[Apiman-user] apiman using external keycloak and elasticsearch

Eric Wittmann eric.wittmann at redhat.com
Thu Mar 31 10:28:46 EDT 2016


Thanks for the feedback.  I agree that we can definitely improve the 
modularity to better help people get set up in production.  Perhaps some 
additional distributions that do not include all of the components. 
That's actually what we're going to be doing when we turn apiman into a 
Red Hat product (three separate ZIP distributions:  all-in-one, 
gateway, manager).

As for your question - the secret that goes into standalone-apiman.xml 
actually comes from Keycloak.  When you create/configure the apiman 
clients in the apiman keycloak realm, if you mark them as "confidential" 
clients, then KC will generate a credential/secret for them.  You have 
to copy that secret from the KC admin console into the 
standalone-apiman.xml file.

Alternatively you can define those secrets in your realm file so that 
they are pre-configured when keycloak starts up and bootstraps the new 
realm.

-Eric

On 3/31/2016 2:54 AM, jazz at sqmail.me wrote:
> I hit 'send' too fast:
>
> My experience so far with apiman, it works great, but the modularity
> could be improved:
> 1. Option to disable elasticsearch
> 2. Don't include keycloak in overlay
> 3. use cli files (like keycloak-install.cli) --> keycloak install works
> like this, remove apiman-ds.xml files for the datasource
>
> I have one question: the standalone-apiman.xml file contains
> security-realms for each war. How do I know which credential secret is
> used for that particular war? It is not set in web.xml?
>
> Regards, Bart
>
>   <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>            <realm name="apiman">
>
> <realm-public-key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB</realm-public-key>
>
>              <auth-server-url>/auth</auth-server-url>
>              <ssl-required>none</ssl-required>
>              <enable-cors>false</enable-cors>
>              <principal-attribute>preferred_username</principal-attribute>
>            </realm>
>            <secure-deployment name="apiman.war">
>              <realm>apiman</realm>
>              <resource>apiman</resource>
>              <credential name="secret">5af5458f-0a96-4251-8f92-08ebcc3a8aa2</credential>
>              <disable-trust-manager>true</disable-trust-manager>
>              <bearer-only>true</bearer-only>
>              <enable-basic-auth>true</enable-basic-auth>
>            </secure-deployment>
>            <secure-deployment name="apimanui.war">
>              <realm>apiman</realm>
>              <resource>apimanui</resource>
>              <credential name="secret">722557fd-a725-4cc0-9dff-7d09c0c47038</credential>
>              <disable-trust-manager>true</disable-trust-manager>
>              <public-client>true</public-client>
>            </secure-deployment>
>            <secure-deployment name="apiman-gateway-api.war">
>              <realm>apiman</realm>
>              <resource>apiman-gateway-api</resource>
>              <credential name="secret">217b725d-7790-47a7-a3fc-5cf31f92a8db</credential>
>              <disable-trust-manager>true</disable-trust-manager>
>              <bearer-only>true</bearer-only>
>              <enable-basic-auth>true</enable-basic-auth>
>            </secure-deployment>
>          </subsystem>
>
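
A consistency check for the copy step described in this message, added here as an example and not code from the thread or from the apiman project: it reads each secure-deployment's resource and secret from the Keycloak subsystem and compares them with the clients in a realm file. The realm field names (`clients`, `clientId`, `secret`, `publicClient`) are assumed to follow Keycloak's realm JSON, the function names are hypothetical, and every sample value is constructed.

```python
import json
import xml.etree.ElementTree as ET

NS = {"kc": "urn:jboss:domain:keycloak:1.1"}  # namespace of the quoted subsystem
# Constructed sample of the Keycloak subsystem in standalone-apiman.xml.
SUBSYSTEM_XML = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="apiman.war">
    <resource>apiman</resource>
    <credential name="secret">EXAMPLE-SECRET-A</credential>
  </secure-deployment>
  <secure-deployment name="apiman-gateway-api.war">
    <resource>apiman-gateway-api</resource>
    <credential name="secret">EXAMPLE-STALE-SECRET</credential>
  </secure-deployment>
  <secure-deployment name="apimanui.war">
    <resource>apimanui</resource>
    <public-client>true</public-client>
  </secure-deployment>
</subsystem>"""
# Constructed sample of a realm file (field names are an assumption).
REALM_JSON = """{"realm": "apiman", "clients": [
  {"clientId": "apiman", "secret": "EXAMPLE-SECRET-A"},
  {"clientId": "apiman-gateway-api", "secret": "EXAMPLE-SECRET-B"},
  {"clientId": "apimanui", "publicClient": true}]}"""

def deployment_secrets(xml_text):
    """Map each <resource> (the Keycloak client id) to (war name, secret or None)."""
    found = {}
    for dep in ET.fromstring(xml_text).iterfind(".//kc:secure-deployment", NS):
        cred = dep.find("kc:credential[@name='secret']", NS)
        secret = cred.text.strip() if cred is not None and cred.text else None
        found[dep.findtext("kc:resource", namespaces=NS)] = (dep.get("name"), secret)
    return found

def check_secrets(xml_text, realm_text):
    """Return (war, client id, problem) tuples without echoing any secret."""
    clients = {c["clientId"]: c for c in json.loads(realm_text)["clients"]}
    findings = []
    for client_id, (war, secret) in deployment_secrets(xml_text).items():
        client = clients.get(client_id)
        if client is None:
            findings.append((war, client_id, "client not defined in realm"))
        elif client.get("publicClient"):
            continue  # public clients authenticate without a secret
        elif secret != client.get("secret"):
            findings.append((war, client_id, "secret differs from realm"))
    return findings

if __name__ == "__main__":
    print(check_secrets(SUBSYSTEM_XML, REALM_JSON))
```

Findings name only the WAR and client, so the output can go into deployment logs without exposing a secret.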

