Unable to change DNS TTL for Layer 7 container edition
Article ID: 412368

Products

CA API Gateway

Issue/Introduction

There is a need to increase the Layer 7 Gateway DNS TTL from the default 30s to 120s.

The following article on DNS TTL settings for the Layer 7 API Gateway applies to the appliance gateway only:

API Gateway: Adjusting the DNS cache (or TTL) to avoid failed requests/lookups

The DNS TTL also needs to be changeable for the container edition running in AWS EKS, deployed via the Broadcom CAAPIM gateway Helm chart.

Environment

API Gateway 11.X

Resolution

For a container gateway, add the setting to the javaArgs section of the Helm values file, for example:

  javaArgs:
    - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
    - -Dcom.l7tech.server.audit.message.saveToInternal=false
    - -Dcom.l7tech.server.audit.admin.saveToInternal=false
    - -Dcom.l7tech.server.audit.system.saveToInternal=false
    - -Dcom.l7tech.server.audit.log.format=json
    - -Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties
    - -Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true
    - -Dcom.l7tech.security.ssl.hostAllowWildcard=false
    - -Dsun.net.inetaddr.ttl=120
  log:   # next key of the values file, shown only to indicate where javaArgs sits

This appends a second -Dsun.net.inetaddr.ttl entry to the Java arguments when the container starts. The container's process list therefore shows sun.net.inetaddr.ttl twice; the JVM applies -D options in order, so the last occurrence is the one that takes effect.

1 /usr/local/bin/dumb-init -- /opt/docker/entrypoint.sh
23243 /bin/bash
7 java -Xms2g -Xmx2g -XX:+TieredCompilation -Dcom.l7tech.disklessConfig=true -Dcom.l7tech.server.sm.noSecurityManager=true -Dcom.l7tech.server.log.console=true -Dcom.l7tech.server.log.console.extraCats=AUDIT,LOG -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true -Djava.security.egd=file:/dev/./urandom -Dcom.l7tech.server.defaultClusterHostname=xxxxxxxxx -Dcom.l7tech.gateway.remoting.connectionTimeout=500 -classpath /usr/lib/jvm/default-jvm/lib/ext/*:/opt/SecureSpan/Gateway/runtime/lib/ext/*:/opt/SecureSpan/Gateway/runtime/Gateway.jar:/opt/SecureSpan/Gateway/runtime/bc/* -Dcom.l7tech.server.components=uddi -Dcom.l7tech.bootstrap.env.sslkey.enable=true -Dcom.l7tech.bootstrap.license.require=true -Dcom.l7tech.server.disableFileLogsinks=true -Dsun.net.inetaddr.ttl=30 -Djava.util.Arrays.useLegacyMergesort=true -Djava.security.properties=/opt/SecureSpan/Gateway/runtime/etc/ssg.security --add-opens jdk.crypto.ec/sun.security.ec=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED --add-exports java.security.jgss/sun.security.jgss.krb5=ALL-UNNAMED --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED --add-exports java.security.jgss/sun.security.krb5.internal=ALL-UNNAMED --add-exports java.security.jgss/sun.security.krb5.internal.ktab=ALL-UNNAMED --add-exports java.xml/com.sun.org.apache.xerces.internal.jaxp=ALL-UNNAMED --add-exports java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports java.base/sun.security.provider.certpath=ALL-UNNAMED --add-exports java.base/sun.security.ssl=ALL-UNNAMED --add-exports java.base/sun.security.util=ALL-UNNAMED --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED -Dhazelcast.ignoreXxeProtectionFailures=true -Xlog:gc*:/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER -Dcom.l7tech.server.audit.message.saveToInternal=false -Dcom.l7tech.server.audit.admin.saveToInternal=false -Dcom.l7tech.server.audit.system.saveToInternal=false -Dcom.l7tech.server.audit.log.format=json -Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties -Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true -Dcom.l7tech.security.ssl.hostAllowWildcard=false -Dsun.net.inetaddr.ttl=120 com.l7tech.server.boot.GatewayMain

You can check the effective setting in the running JVM (PID 7 above) with jcmd:

bash-5.1$ jcmd 7 VM.system_properties |grep ttl
sun.net.inetaddr.ttl=120
sun.io.unicode.encoding=UnicodeLittle
sun.cpu.endian=little

Only the value from the javaArgs section (120) is in effect; the image default of 30 earlier on the command line is overridden.
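The following is an added helper, not part of the KB article or the Helm chart, for confirming which sun.net.inetaddr.ttl value a Gateway JVM actually honours when the flag appears more than once on its command line (the JVM keeps the last -D occurrence). The sample command line is constructed and abbreviated; the kubectl/jcmd invocation in the comments uses placeholder pod and namespace names.

```shell
#!/bin/sh
# Added example (not from the KB article). The JVM applies -D options left to
# right, so when a system property is given twice the LAST value takes effect.

# Print the effective value of -D<name>=<value> from a java command line read
# on stdin. Prints nothing and returns 1 when the option is absent.
effective_sysprop() {
  name="$1"
  last=""
  # Split on whitespace; for values containing spaces read /proc/<pid>/cmdline
  # (NUL-separated) instead of ps output.
  for tok in $(cat); do
    case "$tok" in
      -D"$name"=*) last="${tok#*=}" ;;
    esac
  done
  [ -n "$last" ] || return 1
  printf '%s\n' "$last"
}

# Compare the effective TTL with the value expected from the Helm values file.
# Returns 0 on match, 1 on mismatch, 2 when the flag is missing entirely.
check_inetaddr_ttl() {
  expected="$1"
  actual="$(effective_sysprop sun.net.inetaddr.ttl)" || return 2
  [ "$actual" = "$expected" ]
}

# Constructed sample: image default of 30s followed by the Helm javaArgs entry.
SAMPLE_CMDLINE='java -Xms2g -Xmx2g -Dcom.l7tech.disklessConfig=true -Dsun.net.inetaddr.ttl=30 -Djava.util.Arrays.useLegacyMergesort=true -Dsun.net.inetaddr.ttl=120 com.l7tech.server.boot.GatewayMain'

# Live check against a pod (placeholder names; jcmd must exist in the image):
#   kubectl exec -n <namespace> <gateway-pod> -- jcmd 7 VM.system_properties | grep inetaddr.ttl
# Offline demonstration on the constructed sample; prints 120.
printf '%s' "$SAMPLE_CMDLINE" | effective_sysprop sun.net.inetaddr.ttl
```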