tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Date Fri, 27 Jan 2012 20:58:07 GMT
On 27/01/2012 20:23, David Rees wrote:
> I've been working on upgrading some Tomcat 5.5 servers to Tomcat 7
> since 5.5 will be EOL soon.
> 
> One thing I noticed on one of my first upgrades is that TC7 can often
> take a long time to start up due to slow initialization of the
> SessionIdGenerator - it can take up to nearly 2 minutes!  It appears
> to take longer if I restart TC7 quickly which seems to confirm that a
> lack of entropy is the issue.
> 
> org.apache.catalina.util.SessionIdGenerator-: Creation of SecureRandom
> instance for session ID generation using [SHA1PRNG] took [105,014]
> milliseconds.
> 
> Now, Tomcat 5.5 never had this issue - did this change in between versions?
> 
> Google turns up lots of hits which suggest using
> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
> I'd rather not give up security for start up speed.
> 
> It seems that something on the production server is leaving
> /dev/random with insufficient entropy to generate data quickly - the
> development system initializes fast enough that no message is logged.
> Any suggestions on how to improve startup times without reducing
> security?

Yes, actually, Tomcat 7.0 included improvements to the session ID
generator code.  It now uses SecureRandom, which is /dev/urandom AFAIK.

You can check, what does your %JAVA_HOME%/lib/security/java.security
contain?  E.g.

 securerandom.source=file:/dev/urandom



Which version of 7.0 are you using?  It's not directly relevant, but the
config is here:

 http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html


If your OS is Linux:

 cat /proc/sys/kernel/random/entropy_avail

What is the output?





p




-- 

[key:62590808]
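
The checks requested in the reply above, gathered into one script as an added example that is not part of the original message or of Tomcat: it reads the effective `securerandom.source` from a java.security file, applies a `-Djava.security.egd` value if one is passed, and prints the kernel entropy estimate alongside. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: collect the values the reply asks for. Function names are
# illustrative, not part of Tomcat or the JDK.

# Effective securerandom.source in a java.security file: commented-out lines
# are skipped and, as in any Java properties file, the last assignment wins.
securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*[=:][[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Seed source the JVM is configured with: a -Djava.security.egd value ($2),
# when given, takes precedence over the java.security file ($1).
effective_source() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        securerandom_source "$1"
    fi
}

# Device node a source URL resolves to, e.g. file:/dev/./urandom -> /dev/urandom.
source_device() {
    printf '%s\n' "${1#file:}" | sed -e ':a' -e 's#/\./#/#' -e 'ta' -e 's#//*#/#g'
}

# Kernel entropy estimate (Linux); the path is a parameter so it can be tested.
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null
}

# One-line summary: report JAVA_SECURITY_FILE [EGD_VALUE] [ENTROPY_FILE]
report() {
    src=$(effective_source "$1" "${2:-}")
    printf 'source=%s device=%s entropy_avail=%s\n' \
        "${src:-unset}" "$(source_device "${src:-}")" "$(entropy_avail "${3:-}" || echo n/a)"
}

# Demo on a constructed java.security fragment (not taken from a real JDK).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#securerandom.source=file:/dev/random
securerandom.source=file:/dev/urandom
EOF
report "$demo"
report "$demo" "file:/dev/./urandom"
rm -f "$demo"
```

Against a real installation, pass the path of the JVM's own java.security file as the first argument to `report`, and the `-Djava.security.egd` value from the Tomcat start-up options, if any, as the second.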

