We need to enable TLSv1 and TLSv1.1 on our container gateway image, but how do we do it?
We know that we need to remove TLSv1 and TLSv1.1 from the following line in the
/usr/lib/jvm/default-jvm/conf/security/java.security file:
jdk.tls.disabledAlgorithms
But we don't know how to update this line in the container image.
Release : 10.1
You can use an init container to update the file, or build a custom image with the updated config. Examples of init containers are here:
https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples
Another workaround is to create a config map that contains the updated file and mount it over the original:
1) Get the current java.security file from the container on openshift :
oc rsync apigw-test-gateway-xxxxxxxx:/usr/lib/jvm/default-jvm/conf/security/java.security -c gateway .
2) In order to enable TLSv1 and TLSv1.1, edit the copied java.security so that TLSv1 and TLSv1.1 no longer appear in jdk.tls.disabledAlgorithms. The property spans several lines (each continued with a trailing backslash); check the result with:
cat java.security | grep jdk.tls.disabledAlgorithms -A5
After the edit the property reads:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
3) Create a new config map using the new file:
oc create configmap java-security-custom --from-file=java.security=java.security
4) Add the new config map to the gateway deployment as a volume and mount it over the original file, then roll out the pod (defaultMode 420 is 0644 in decimal; because the file is mounted with subPath, a running pod does not pick up later changes to the config map, so restart the pod after updating it):
volumes:
  - name: apigw-test-gateway-java-security
    configMap:
      name: java-security-custom
      items:
        - key: java.security
          path: java.security
      defaultMode: 420
volumeMounts:
  - name: apigw-test-gateway-java-security
    mountPath: /usr/lib/jvm/default-jvm/conf/security/java.security
    subPath: java.security
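Step 2 above edits the multi-line jdk.tls.disabledAlgorithms property by hand. The script below is an added example (not part of this article or of the Layer7 utilities) that does the same edit mechanically and then verifies it, so that the file handed to oc create configmap in step 3 is known to be correct. It works on a constructed sample of a java.security file embedded in the script; in practice you pass the file pulled from the pod with oc rsync. Only the exact tokens TLSv1 and TLSv1.1 are dropped; every other entry (SSLv3, key-size limits, the include line, and any TLSv1.2 or TLSv1.3 entry that may be present) is left as it is. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): remove TLSv1 and TLSv1.1 from
# jdk.tls.disabledAlgorithms in a copy of java.security and verify the result.
set -e

# Constructed sample of the relevant part of a stock java.security file.
# The real input is the file copied out of the gateway pod in step 1.
SAMPLE_JAVA_SECURITY='# constructed sample, not a real JDK file
security.provider.1=SUN
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024
'

# Print the effective value of jdk.tls.disabledAlgorithms from file $1,
# with backslash continuations joined, one trimmed token per line.
effective_disabled_algorithms() {
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1; sub(/^jdk\.tls\.disabledAlgorithms=/, "") }
        inprop {
            line = $0
            cont = (line ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "", line)
            value = value line
            if (!cont) inprop = 0
        }
        END {
            n = split(value, toks, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", toks[i])
                if (toks[i] != "") print toks[i]
            }
        }
    ' "$1"
}

# Exit 0 if token $2 is an entry of jdk.tls.disabledAlgorithms in file $1.
lists_disabled_token() {
    effective_disabled_algorithms "$1" | grep -qxF -- "$2"
}

# Write file $1 to stdout with TLSv1 and TLSv1.1 removed from
# jdk.tls.disabledAlgorithms. The property is emitted as a single line,
# which java.security accepts; all other lines pass through unchanged.
enable_tls10_11() {
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1; sub(/^jdk\.tls\.disabledAlgorithms=/, "") }
        inprop {
            line = $0
            cont = (line ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "", line)
            value = value line
            if (!cont) {
                inprop = 0
                n = split(value, toks, ",")
                out = ""
                for (i = 1; i <= n; i++) {
                    t = toks[i]
                    gsub(/^[ \t]+|[ \t]+$/, "", t)
                    # drop only the two exact tokens; TLSv1.2 etc. are kept
                    if (t == "" || t == "TLSv1" || t == "TLSv1.1") continue
                    out = (out == "" ? t : out ", " t)
                }
                print "jdk.tls.disabledAlgorithms=" out
                value = ""
            }
            next
        }
        { print }
    ' "$1"
}

# With a file argument: rewrite that file to stdout (redirect to a new file,
# then use it with `oc create configmap`). Without arguments: demonstrate on
# the constructed sample.
if [ "$#" -eq 0 ]; then
    work=$(mktemp)
    printf '%s' "$SAMPLE_JAVA_SECURITY" > "$work"
    echo "before: $(effective_disabled_algorithms "$work" | tr '\n' ' ')"
    enable_tls10_11 "$work" > "$work.new"
    echo "after:  $(effective_disabled_algorithms "$work.new" | tr '\n' ' ')"
    rm -f "$work" "$work.new"
elif [ -f "$1" ]; then
    enable_tls10_11 "$1"
fi
```

Usage: sh enable_legacy_tls.sh java.security > java.security.new, then run lists_disabled_token (or the grep from step 2) against java.security.new before creating the config map from it. After the rollout in step 4, the same grep run inside the pod with oc exec on the mounted /usr/lib/jvm/default-jvm/conf/security/java.security confirms that the custom file, not the image's original, is the one the JVM reads.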