[Apiman-user] apiman using external keycloak and elasticsearch
Eric Wittmann
eric.wittmann at redhat.com
Thu Mar 31 10:28:46 EDT 2016
Thanks for the feedback. I agree that we can definitely improve the
modularity to better help people get set up in production. Perhaps some
additional distributions that do not include all of the components.
That's actually what we're going to be doing when we turn apiman into a
Red Hat product (three separate ZIP distributions: all-in-one,
gateway, manager).
As for your question - the secret that goes into standalone-apiman.xml
actually comes from Keycloak. When you create/configure the apiman
clients in the apiman keycloak realm, if you mark them as "confidential"
clients, then KC will generate a credential/secret for them. You have
to copy that secret from the KC admin console into the
standalone-apiman.xml file.
Alternatively you can define those secrets in your realm file so that
they are pre-configured when keycloak starts up and bootstraps the new
realm.
-Eric
On 3/31/2016 2:54 AM, jazz at sqmail.me wrote:
> I hit 'sent' too fast:
>
> My experience so far with apiman, it works great, but the modularity
> could be improved:
> 1. Option to disable elasticsearch
> 2. Don't include keycloak in overlay
> 3. use cli files (like keycloak-install.cli) --> keycloak install works
> like this, remove apiman-ds.xml files for the datasource
>
> I have one question: the standalone-apiman.xml file contains
> security-realms for each war. How do I know which credential secret is
> used for that particular war? It is not set in web.xml?
>
> Regards, Bart
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
> <realm name="apiman">
>
> <realm-public-key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB</realm-public-key>
>
> <auth-server-url>/auth</auth-server-url>
> <ssl-required>none</ssl-required>
> <enable-cors>false</enable-cors>
> <principal-attribute>preferred_username</principal-attribute>
> </realm>
> <secure-deployment name="apiman.war">
> <realm>apiman</realm>
> <resource>apiman</resource>
> <credential name="secret">5af5458f-0a96-4251-8f92-08ebcc3a8aa2</credential>
> <disable-trust-manager>true</disable-trust-manager>
> <bearer-only>true</bearer-only>
> <enable-basic-auth>true</enable-basic-auth>
> </secure-deployment>
> <secure-deployment name="apimanui.war">
> <realm>apiman</realm>
> <resource>apimanui</resource>
> <credential name="secret">722557fd-a725-4cc0-9dff-7d09c0c47038</credential>
> <disable-trust-manager>true</disable-trust-manager>
> <public-client>true</public-client>
> </secure-deployment>
> <secure-deployment name="apiman-gateway-api.war">
> <realm>apiman</realm>
> <resource>apiman-gateway-api</resource>
> <credential name="secret">217b725d-7790-47a7-a3fc-5cf31f92a8db</credential>
> <disable-trust-manager>true</disable-trust-manager>
> <bearer-only>true</bearer-only>
> <enable-basic-auth>true</enable-basic-auth>
> </secure-deployment>
> </subsystem>
>
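Added example (not part of the original thread and not apiman or Keycloak code): a check that each <secure-deployment> in standalone-apiman.xml carries the secret defined for its <resource> client in the realm file, as described in the reply above. The inline XML and JSON are constructed samples with placeholder secrets; the realm fields used (clientId, secret, publicClient, bearerOnly) are the ones a Keycloak realm JSON uses for clients, and check_secrets is a hypothetical helper name.

```python
import json
import xml.etree.ElementTree as ET

KC = {"kc": "urn:jboss:domain:keycloak:1.1"}

# Constructed sample inputs; the secrets are placeholders, not values from the thread.
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="apiman.war">
    <resource>apiman</resource>
    <credential name="secret">PLACEHOLDER-SECRET-A</credential>
  </secure-deployment>
  <secure-deployment name="apimanui.war">
    <resource>apimanui</resource>
    <public-client>true</public-client>
  </secure-deployment>
  <secure-deployment name="apiman-gateway-api.war">
    <resource>apiman-gateway-api</resource>
    <credential name="secret">PLACEHOLDER-SECRET-B</credential>
  </secure-deployment>
</subsystem>"""

REALM_JSON = """{"realm": "apiman", "clients": [
  {"clientId": "apiman", "bearerOnly": true, "secret": "PLACEHOLDER-SECRET-A"},
  {"clientId": "apimanui", "publicClient": true},
  {"clientId": "apiman-gateway-api", "bearerOnly": true, "secret": "PLACEHOLDER-ROTATED"}
]}"""

def check_secrets(standalone_xml, realm_json):
    """Map each <secure-deployment> to its realm client and compare secrets."""
    clients = {c["clientId"]: c for c in json.loads(realm_json)["clients"]}
    report = {}
    for dep in ET.fromstring(standalone_xml).findall(".//kc:secure-deployment", KC):
        client = clients.get(dep.findtext("kc:resource", namespaces=KC))
        secret = dep.findtext("kc:credential[@name='secret']", namespaces=KC)
        if client is None:
            status = "no matching client in realm"
        elif client.get("publicClient"):
            status = "public client, secret not used"
        elif not secret:
            status = "secret missing in standalone-apiman.xml"
        elif secret.strip() == client.get("secret"):
            status = "match"
        else:
            status = "MISMATCH"
        report[dep.get("name")] = status  # never echo the secret itself
    return report

if __name__ == "__main__":
    for war, status in check_secrets(STANDALONE_XML, REALM_JSON).items():
        print(f"{war}: {status}")
```

The <resource> element is the link between a war and its Keycloak client, so a MISMATCH line names the deployment whose secret needs to be re-copied from the admin console or the realm file.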