tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Date Fri, 27 Jan 2012 23:37:00 GMT
On 27/01/2012 23:00, David Rees wrote:
> On Fri, Jan 27, 2012 at 12:58 PM, Pid <pid@pidster.com> wrote:
>> On 27/01/2012 20:23, David Rees wrote:
>>> Google turns up lots of hits which suggest using
>>> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
>>> I'd rather not give up security for start up speed.
>>>
>>> It seems that something on the production server is leaving
>>> /dev/random with insufficient entropy to generate data quickly - the
>>> development system initializes fast enough that no message is logged.
>>> Any suggestions on how to improve startup times without reducing
>>> security?
>>
>> Yes, actually, Tomcat 7.0 included improvements to the session ID
>> generator code.  It now uses SecureRandom, which is /dev/urandom AFAIK.
>>
>> You can check, what does your %JAVA_HOME%/lib/security/java.security
>> contain?  E.g.
>>
>>  securerandom.source=file:/dev/urandom
> 
> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
> /dev/urandom as the securerandom.source.
>
>> Which version of 7.0 are you using?  It's not directly relevant, but the
>> config is here:
>>
>>  http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
> 
> The latest, 7.0.25.
> 
>> If your OS is Linux:
>>
>>  cat /proc/sys/kernel/random/entropy_avail
>>
>> What is the output?
> 
> Even on the affected and non-affected systems, it reads around 150.

Hmm, low.

So maybe an alternative is to try & increase the entropy available.
Finding the excessive consumer of entropy will be harder.

It's been a while since I had to address this: I think I installed
rng-tools, but I don't remember (& had to look that up).


p

> -Dave


-- 

[key:62590808]
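
The two checks discussed in this message (the `securerandom.source` setting in `java.security` and the kernel's `entropy_avail` estimate) as a shell script. This is an added example, not part of the original e-mail; the function names and the 200-bit low-entropy threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks discussed above.

# Effective securerandom.source in a java.security file ($1).
# Commented-out lines are ignored; the last assignment wins.
securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*[=:][[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Which kernel device the configured source names.
classify_source() {
    case "$1" in
        "")                                    echo unset ;;
        file:/dev/random)                      echo dev-random ;;
        file:/dev/urandom|file:/dev/./urandom) echo dev-urandom ;;
        *)                                     echo other ;;
    esac
}

# Compare the kernel's entropy estimate ($1: file, $2: threshold in bits).
# The default threshold of 200 is an assumption made for this example.
entropy_status() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-200}
    [ -r "$file" ] || { echo unknown; return 0; }
    bits=$(tr -d '[:space:]' < "$file")
    case "$bits" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$bits" -lt "$min" ]; then echo "low:$bits"; else echo "ok:$bits"; fi
}

# Report for one JVM ($1 = JAVA_HOME), trying the JRE, JDK and JDK 9+ layouts.
report() {
    for f in "$1/lib/security/java.security" "$1/jre/lib/security/java.security" \
             "$1/conf/security/java.security"; do
        [ -f "$f" ] || continue
        src=$(securerandom_source "$f")
        echo "$f: source=${src:-<none>} ($(classify_source "$src"))"
    done
    echo "entropy_avail: $(entropy_status)"
}

# Run the report only when invoked with a JAVA_HOME argument.
if [ $# -ge 1 ]; then report "$1"; fi
```

A `-Djava.security.egd=...` option on the JVM command line is not read by this script; it only inspects the `java.security` file.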

