Enable TLSv1 and TLSv1.1 in container gateway

Article ID: 275341


Products

CA API Gateway

Issue/Introduction

We need to enable TLSv1 and TLSv1.1 on our container gateway image, but we do not know how to do it.

We know that we need to remove TLSv1 and TLSv1.1 from the following line in the
/usr/lib/jvm/default-jvm/conf/security/java.security file:

   jdk.tls.disabledAlgorithms

But we don't know how to update this line in the container image.

Environment

Release : 10.1

Resolution

You can use an init container to update the file, or build a custom image with the updated configuration. Init container examples are published at:

https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples

Another workaround is to create a config map that contains the updated file and mount it over the stock one:

1) Get the current java.security file from the gateway container on OpenShift (the pod name below is a placeholder):

    oc rsync apigw-test-gateway-xxxxxxxx:/usr/lib/jvm/default-jvm/conf/security/java.security -c gateway .

2) Remove TLSv1 and TLSv1.1 from the jdk.tls.disabledAlgorithms entry in the copied file. The entry spans several lines joined by trailing backslashes, so keep the continuation intact. After the edit, the following command (adjust the path if you are checking the local copy) should show the entry without them:

   cat /usr/lib/jvm/default-jvm/conf/security/java.security | grep jdk.tls.disabledAlgorithms -A5

   jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
       DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
       include jdk.disabled.namedCurves

3) Create a new config map from the edited file:

    oc create configmap java-security-custom --from-file=java.security=java.security

4) Add the new config map to the gateway deployment as a volume, mount it with subPath over the stock file, and roll the pod. Both fragments belong under the pod spec (spec.template.spec); the volumeMounts entry goes under the gateway container:

   volumes:
     - name: apigw-test-gateway-java-security
       configMap:
         name: java-security-custom
         items:
           - key: java.security
             path: java.security
         defaultMode: 420

   volumeMounts:
     - name: apigw-test-gateway-java-security
       mountPath: /usr/lib/jvm/default-jvm/conf/security/java.security
       subPath: java.security

Note that defaultMode 420 is 0644 in octal, and that a subPath mount does not pick up later changes to the config map: after updating java-security-custom, restart the pod for the new file to take effect.
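Step 2 is the only hand edit in the procedure, and because the jdk.tls.disabledAlgorithms entry is spread over backslash-continued lines, a one-line sed is easy to get wrong. The script below is an added example, not code from this article or from the Layer7 utilities repository: it joins continuation lines the way java.util.Properties does, removes only the exact tokens TLSv1 and TLSv1.1 from that entry (so TLSv1.2 and TLSv1.3 are never touched), leaves every other line unchanged, and reports which protocol versions remain disabled so the result can be checked before it goes into the config map. The java.security excerpt embedded in it is constructed for the example, not copied from the gateway image, and the script name in the usage comment is a placeholder.

```python
import re
import sys

TARGET_KEY = "jdk.tls.disabledAlgorithms"
TOKENS_TO_REMOVE = ("TLSv1", "TLSv1.1")

# Constructed excerpt of a stock java.security file (not copied from the
# gateway image); it keeps the backslash continuation lines the JDK uses.
SAMPLE_JAVA_SECURITY = """\
# java.security excerpt (constructed for this example)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""


def join_continuations(text):
    """Group physical lines into logical lines: a line whose last non-blank
    character is a backslash continues on the next line, as in
    java.util.Properties. Returns a list of groups of raw lines."""
    groups, current = [], []
    for line in text.splitlines():
        current.append(line)
        if not line.rstrip().endswith("\\"):
            groups.append(current)
            current = []
    if current:  # file ended with a dangling continuation
        groups.append(current)
    return groups


def logical_value(group):
    """Join one continuation group into a single string, dropping each
    trailing backslash and the leading whitespace of continuation lines."""
    parts = []
    for i, line in enumerate(group):
        s = line.rstrip()
        if s.endswith("\\"):
            s = s[:-1]
        parts.append(s.lstrip() if i > 0 else s)
    return "".join(parts)


def _tokens(value):
    return [t.strip() for t in value.split(",") if t.strip()]


def _entry_pattern(key):
    return re.compile(r"\s*" + re.escape(key) + r"\s*=\s*(.*)$")


def remove_disabled(text, key=TARGET_KEY, remove=TOKENS_TO_REMOVE):
    """Return (new_text, removed). Only exact token matches are dropped, so
    TLSv1 never matches TLSv1.2 or TLSv1.3; every other line is unchanged."""
    out, removed = [], []
    pattern = _entry_pattern(key)
    for group in join_continuations(text):
        m = pattern.match(logical_value(group))
        if m is None:
            out.extend(group)
            continue
        kept = []
        for tok in _tokens(m.group(1)):
            (removed if tok in remove else kept).append(tok)
        # Emit the edited entry on one line; Properties reads it identically.
        out.append(f"{key}={', '.join(kept)}")
    return "\n".join(out) + "\n", removed


def remaining_protocols(text, key=TARGET_KEY):
    """Protocol-version tokens (SSLv*/TLSv*) still listed under the key,
    sorted, so the edit can be verified before the file is shipped."""
    pattern = _entry_pattern(key)
    for group in join_continuations(text):
        m = pattern.match(logical_value(group))
        if m is not None:
            return sorted(t for t in _tokens(m.group(1))
                          if re.fullmatch(r"(SSL|TLS)v[0-9.]+", t))
    return []


if __name__ == "__main__":
    # Usage (script name is a placeholder):
    #   python3 enable_tls1.py java.security > java.security.new
    # With no argument the constructed sample is processed instead.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    new_text, removed = remove_disabled(source)
    sys.stdout.write(new_text)
    sys.stderr.write(f"removed {removed}; still disabled: "
                     f"{remaining_protocols(new_text)}\n")
```

Run it against the file copied out in step 1 and feed the output to the oc create configmap command in step 3; the summary on stderr lists what was removed and which protocol versions (SSLv3 in the stock file) are still disabled, which is the same check the grep in step 2 performs by eye.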