APIM v3 provides the same security features that were available in earlier APIM versions. Earlier APIM releases could work with the built-in Key Manager, an external Key Manager, or a third-party Key Manager. In a standalone pack, APIM works with the Key Manager and identity features that are integrated into the default profile, but in a distributed deployment the Key Manager has to be started in the key manager profile. When you need advanced security options such as federated authentication, you may use WSO2 IS as the Key Manager.
As with AM 2.x and earlier versions, the idea is to provide the same capabilities in AM v3, but support for the security features above is still at an early stage. As a first step, APIM v3 was written against IS 5.4.0, so to work with it you need to download and start an IS 5.4.0 instance. Up to AM3 M11, it works only with IS 5.4.0 and compatible interfaces.
From M13 onward, AM3 has built-in Key Manager features and can run on its own. It remains compatible with IS 5.4.0, which you can enable by adding the necessary configuration to deployment.yaml. By default AM is configured for the built-in Key Manager, with the configuration below.
keyManagerConfigs:
  # Key Manager Implementation class
  keyManagerImplClass: org.wso2.carbon.apimgt.core.impl.DefaultKeyManagerImpl
  # DCR Endpoint URL
  dcrEndpoint: https://localhost:9282/api/identity/oauth2/dcr/v1.0/register
  # Token Endpoint URL
  tokenEndpoint: https://localhost:9282/api/auth/oauth2/v1.0/token
  # Revoke Endpoint URL
  revokeEndpoint: https://localhost:9443/oauth2/revoke
  # Introspect Endpoint URL
  introspectEndpoint: https://localhost:9282/api/identity/oauth2/introspect/v1.0/introspect
  # Scope Registration Endpoint URL
  scopeRegistrationEndpoint: https://localhost:9443/api/identity/oauth2/v1.0/scopes
  # User Credentials
  keyManagerCredentials:
    # Username
    username: admin
    # Password
    password: admin
  # Alias of Key Manager Certificate in Client Trust Store
  keyManagerCertAlias: wso2carbon
  # OAuth app validity period (seconds)
  defaultTokenValidityPeriod: 3600
  # OpenId Connect Userinfo Response JWT Signing Algorithm
  oidcUserinfoJWTSigningAlgo: SHA256withRSA
  # Type of scope binding
  scopeBindingType: role
  # Key word (prefix) identifying product REST API scopes
  productRestApiScopesKeyWord: 'apim:'
  # Identity Provider Configurations
To override the default configuration and enable the IS 5.4.0 Key Manager, configure deployment.yaml like this.
keyManagerConfigs:
  # Key Manager Implementation class
  keyManagerImplClass: org.wso2.carbon.apimgt.core.impl.WSO2ISKeyManagerImpl
  # DCR Endpoint URL
  dcrEndpoint: http://localhost:9763/identity/connect/register
  # Token Endpoint URL
  tokenEndpoint: https://localhost:9443/oauth2/token
  # Revoke Endpoint URL
  revokeEndpoint: https://localhost:9443/oauth2/revoke
  # Introspect Endpoint URL
  introspectEndpoint: https://localhost:9282/api/identity/oauth2/introspect/v1.0/introspection
  # Scope Registration Endpoint URL
  scopeRegistrationEndpoint: https://localhost:9443/api/identity/oauth2/v1.0/scopes
  # User Credentials
  keyManagerCredentials:
    # Username
    username: admin
    # Password
    password: admin
  # Alias of Key Manager Certificate in Client Trust Store
  keyManagerCertAlias: wso2carbon
  # OAuth app validity period (seconds)
  defaultTokenValidityPeriod: 3600
  # OpenId Connect Userinfo Response JWT Signing Algorithm
  oidcUserinfoJWTSigningAlgo: SHA256withRSA
  # Type of scope binding
  scopeBindingType: role
  # Key word (prefix) identifying product REST API scopes
  productRestApiScopesKeyWord: 'apim:'
  # Identity Provider Configurations
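Both keyManagerConfigs blocks above carry the same security-relevant settings: the endpoints the gateway calls for DCR, token, revoke and introspection, the credentials it uses against the Key Manager, and the certificate alias it must trust. Before deploying either block it is worth checking that no endpoint is left on plain HTTP and that the admin/admin defaults have been replaced. The script below is an added example, not code from the post or from the WSO2 project: it parses the two-level key/value subset of YAML that this block uses (so it needs no PyYAML) and reports those findings. The sample configuration embedded in it is constructed from the IS 5.4.0 block above, with its plain-HTTP DCR endpoint and default credentials left in place so the checks fire; the parser and the check names are this example's own.

```python
"""Sanity checks for the keyManagerConfigs block of an APIM 3 deployment.yaml.

Added example; not part of the original post or of WSO2 APIM. Only the
indentation-based 'key: value' subset of YAML used by that block is parsed.
"""
from urllib.parse import urlparse

# Constructed sample: the IS 5.4.0 key manager block from the post, with the
# DCR endpoint on plain HTTP and default credentials, so both checks trigger.
SAMPLE_CONFIG = """\
keyManagerConfigs:
  # Key Manager Implementation class
  keyManagerImplClass: org.wso2.carbon.apimgt.core.impl.WSO2ISKeyManagerImpl
  dcrEndpoint: http://localhost:9763/identity/connect/register
  tokenEndpoint: https://localhost:9443/oauth2/token
  revokeEndpoint: https://localhost:9443/oauth2/revoke
  introspectEndpoint: https://localhost:9282/api/identity/oauth2/introspect/v1.0/introspection
  scopeRegistrationEndpoint: https://localhost:9443/api/identity/oauth2/v1.0/scopes
  keyManagerCredentials:
    username: admin
    password: admin
  keyManagerCertAlias: wso2carbon
  defaultTokenValidityPeriod: 3600
  oidcUserinfoJWTSigningAlgo: SHA256withRSA
  scopeBindingType: role
  productRestApiScopesKeyWord: 'apim:'
"""

# Endpoints the gateway talks to; each must be present and served over TLS.
REQUIRED_ENDPOINTS = ("dcrEndpoint", "tokenEndpoint", "revokeEndpoint",
                      "introspectEndpoint", "scopeRegistrationEndpoint")


def parse_simple_yaml(text):
    """Parse 'key: value' lines nested by indentation into nested dicts.

    Handles full-line and trailing '#' comments and quoted scalars. Lists,
    anchors and multi-line scalars are outside this subset.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first ':' only, URLs keep theirs
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare 'key:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_key_manager(config):
    """Return a list of findings for keyManagerConfigs; an empty list means clean."""
    findings = []
    km = config.get("keyManagerConfigs")
    if km is None:
        return ["keyManagerConfigs block is missing"]
    for name in REQUIRED_ENDPOINTS:
        url = km.get(name)
        if not url:
            findings.append(f"{name} is not set")
            continue
        scheme = urlparse(url).scheme
        if scheme != "https":
            findings.append(f"{name} uses {scheme}, not https: {url}")
    creds = km.get("keyManagerCredentials", {})
    if creds.get("username") == "admin" and creds.get("password") == "admin":
        findings.append("keyManagerCredentials still use the default admin/admin")
    if not km.get("keyManagerCertAlias"):
        findings.append("keyManagerCertAlias is empty; the Key Manager certificate must be in the client trust store")
    try:
        validity = int(km.get("defaultTokenValidityPeriod", 0))
    except ValueError:
        validity = 0
    if validity <= 0:
        findings.append("defaultTokenValidityPeriod must be a positive number of seconds")
    return findings


if __name__ == "__main__":
    for finding in audit_key_manager(parse_simple_yaml(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against a real deployment.yaml by reading the file into parse_simple_yaml instead of SAMPLE_CONFIG. The parser deliberately stops at the subset the block uses; if the surrounding file carries lists or anchors, run the audit on a PyYAML-loaded dict instead, since audit_key_manager only needs the nested-dict shape.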