APIM v3 is also provided the same security features had in an earlier version of APIM. APIM earlier version had the capability to work with inbuilt Key Manager, external key manager as well as a third-party key manager. In a standalone pack APIM work with the key manager and identity features that are integrated to the default profile. But in a distributed environment key manager need to start in key manager profile. Also when you need to integrate with advanced security options like federation authentication, you many use WSO2 Is as a key manager.

Similar to the AM2x and earlier version, Idea is to provide the same capabilities to the AM v3. But it is in the early stage to above-mentioned security features. As first step APIM v3 is written based on the IS 5.4.0 and in order to work with it, you need to download and start IS 5.4.0 instance. So, up to AM3 M11, it is work only with IS 5.4.0 and compatible interface.

From M13 onward AM3 has built-in key manager features and AM can work alone. But still it is compatible with IS 5.4.0 and you can configure with it by providing necessary configuration to the deployment.yaml. By default AM is configured for the built-in Key manager and its configurations is as below.

keyManagerConfigs:
      # Key Manager Implementation class
    keyManagerImplClass: org.wso2.carbon.apimgt.core.impl.DefaultKeyManagerImpl
      # DCR Endpoint URL
    dcrEndpoint: https://localhost:9282/api/identity/oauth2/dcr/v1.0/register
      # Token Endpoint URL
    tokenEndpoint: https://localhost:9282/api/auth/oauth2/v1.0/token
      # Revoke Endpoint URL
    revokeEndpoint: https://localhost:9443/oauth2/revoke
      # Introspect Endpoint URL
    introspectEndpoint: https://localhost:9282/api/identity/oauth2/introspect/v1.0/introspect
      # Scope Registration Endpoint URL
    scopeRegistrationEndpoint: https://localhost:9443/api/identity/oauth2/v1.0/scopes
      # User Credentials
    keyManagerCredentials:
        # Username
      username: admin
        # Password
      password: admin
      # Alias of Key Manager Certificate in Client Trust Store
    keyManagerCertAlias: wso2carbon
      # OAuth app validity period
    defaultTokenValidityPeriod: 3600
      # OpenId Connect Userinfo Response JWT Signing Algorithm
    oidcUserinfoJWTSigningAlgo: SHA256withRSA
      # Type of scope binding
    scopeBindingType: role
      # Type of scope binding
    productRestApiScopesKeyWord: 'apim:'
    # Identity Provider Configurations

In order to override default configurations and enable IS 5.4.0 key manager, configure the deployment.yaml like this.

keyManagerConfigs:
      # Key Manager Implementation class
    keyManagerImplClass: org.wso2.carbon.apimgt.core.impl.WSO2ISKeyManagerImpl
      # DCR Endpoint URL
    dcrEndpoint: http://localhost:9763/identity/connect/register
      # Token Endpoint URL
    tokenEndpoint: https://localhost:9443/oauth2/token
      # Revoke Endpoint URL
    revokeEndpoint: https://localhost:9443/oauth2/revoke
      # Introspect Endpoint URL
    introspectEndpoint: https://localhost:9282/api/identity/oauth2/introspect/v1.0/introspection
      # Scope Registration Endpoint URL
    scopeRegistrationEndpoint: https://localhost:9443/api/identity/oauth2/v1.0/scopes
      # User Credentials
    keyManagerCredentials:
        # Username
      username: admin
        # Password
      password: admin
      # Alias of Key Manager Certificate in Client Trust Store
    keyManagerCertAlias: wso2carbon
      # OAuth app validity period
    defaultTokenValidityPeriod: 3600
      # OpenId Connect Userinfo Response JWT Signing Algorithm
    oidcUserinfoJWTSigningAlgo: SHA256withRSA
      # Type of scope binding
    scopeBindingType: role
      # Type of scope binding
    productRestApiScopesKeyWord: 'apim:'
    # Identity Provider Configurations