geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: low entropy on linux systems
Date Fri, 15 Jul 2011 14:03:05 GMT
On 15.07.2011 15:56, Rainer Jung wrote:
> On 15.07.2011 04:19, Kevan Miller wrote:
>> From time to time I encounter a problem starting a Geronimo server on a Linux system
(I've always seen it on Ubuntu -- but the problem could exist on other distributions). The
server start seems to hang. However, if you're patient, which I rarely am, the server will
eventually start. If you're inquisitive, and dump the stack traces of the java process, you'll
see something like:
>>
>> "main" prio=10 tid=0x0000000040c0d800 nid=0xa79 runnable [0x00007f57a04fb000]
>>    java.lang.Thread.State: RUNNABLE
>> 	at java.io.FileInputStream.readBytes(Native Method)
>> 	at java.io.FileInputStream.read(FileInputStream.java:220)
>> 	at sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:185)
>> 	at sun.security.provider.NativePRNG$RandomIO.implGenerateSeed(NativePRNG.java:202)
>> 	- locked <0x00000000daad63e0> (a java.lang.Object)
>> 	at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:108)
>> 	at sun.security.provider.NativePRNG.engineGenerateSeed(NativePRNG.java:102)
>> 	at java.security.SecureRandom.generateSeed(SecureRandom.java:495)
>> 	at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.getSalt(PKCS12KeyStore.java:477)
>> 	at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.calculateMac(PKCS12KeyStore.java:834)
>> 	at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineStore(PKCS12KeyStore.java:788)
>> 	- locked <0x00000000d3b5a768> (a com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore)
>> 	at java.security.KeyStore.store(KeyStore.java:1117)
>> ...
>>
>> This problem isn't Geronimo specific. But since I see it from time to time, thought
it would be worth passing along to the community...
>>
>> The Sun/Oracle-based JVM is attempting to generate a pseudo-random number to be used
as a seed for an SSL server socket. To generate the pseudo-random number, the JVM is reading
from the /dev/random device to obtain some random information for the seed. The problem is
that reads from the /dev/random device will block if the system does not have a good source
of random events. So, the Geronimo server startup is blocked waiting for enough random information
to be returned from /dev/random. This article may be help understand the basic issue -- http://en.wikipedia.org/wiki//dev/random#Linux
>>
>>  I'm no security expert. And I don't know the potential implications, but the simplest
way that I've found to avoid the problem is to use the /dev/urandom device, instead of /dev/random.
Do this by specifying the following java property '-Djava.security.egd=file:/dev/./urandom'.
So, the following should work well:
>>
>> $ GERONIMO_OPTS="-Djava.security.egd=file:/dev/./urandom" ./geronimo run --long
>>
>> Note to self -- would be nice to record this on our Wiki somewhere. Anyway, hope
this is useful...
> 
> And note that due to a bug in the JDK you really need to use
> 
> /dev/./urandom
> 
> or
> 
> /dev//urandom
> 
> and not
> 
> /dev/urandom.
> 
> Oracle themselves already internally use "dev/urandom, but later they
> switch from /dev/urandom to /dev/random if the setting is trsingwise
> identical to /dev/random. That's why you need to use some different
> string that's equivalent to /dev/urandom after path normalization.
> 
> We had the same problem for Tomcat, mostly when starting two instances
> in parallel.

... and a bit more detail available at:

http://marc.info/?l=tomcat-dev&m=130182757504685&w=2

Regards,

Rainer


Mime
View raw message