When an application is deployed using webMethods Asset Build Environment (ABE) and webMethods Deployer from one API Gateway to another, the Application is deployed but its API Key is missing.
In the server.log some exceptions about passman.cnf are logged and they are the key of this issue.
The master password was different between the source and target API Gateway. Since while building ABE assets passman data are included, it is always recommended to keep identical master passwords across stages and instances of API Gateway.
The same has been mentioned in the documentation –
During export or import of assets, ensure that the master password is identical across stages and on different instances of API Gateway.
Reference link - Reverb
Security question here: in this case are the source and target systems both non-production? Or is the target production? If the latter, I wonder about the advisability of non-prod and prod using the same master password (product limitation) and the application defined in API GW using the same API key (process concern). Non-prod credentials are often less complex and less “protected.” If an API key is compromised in non-prod, then they potentially have access to prod too.
I do share @reamon 's concerns. Even if both environments are non-prod, secrets should be different, although the issue is a bit less pronounced there.
To share passwords might be technically feasible, but it is certainly an issue for any audit, security or otherwise. And depending on industry regulations it might even be a legal problem.