You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by David Rees <dr...@gmail.com> on 2012/01/27 21:23:53 UTC
TC7 very slow SessionIdGenerator SecureRandom initialization
I've been working on upgrading some Tomcat 5.5 servers to Tomcat 7
since 5.5 will be EOL soon.
One thing I noticed on one of my first upgrades is that TC7 can often
take a long time to start up due to slow initialization of the
SessionIdGenerator - it can take up to nearly 2 minutes! It appears
to take longer if I restart TC7 quickly which seems to confirm that a
lack of entropy is the issue.
org.apache.catalina.util.SessionIdGenerator-: Creation of SecureRandom
instance for session ID generation using [SHA1PRNG] took [105,014]
milliseconds.
Now, Tomcat 5.5 never had this issue - did this change in between versions?
Google turns up lots of hits which suggest using
-Djava.security.egd=file:/dev/./urandom to work around the issue - but
I'd rather not give up security for start up speed.
It seems that something on the production server is leaving
/dev/random with insufficient entropy to generate data quickly - the
development system initializes fast enough that no message is logged.
Any suggestions on how to improve startup times without reducing
security?
Thanks
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
[OT] Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by Pid <pi...@pidster.com>.
On 28/01/2012 14:23, Rainer Jung wrote:
> On 28.01.2012 00:38, Pid wrote:
>> On 27/01/2012 23:25, Caldarale, Charles R wrote:
>>>> From: David Rees [mailto:drees76@gmail.com]
>>>> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom
>>>> initialization
>>>
>>>> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
>>>> /dev/urandom as the securerandom.source.
>>>
>>> Unfortunately, there's a misguided part of the JRE that insists it's
>>> smarter than any sysadmin, so it checks for /dev/urandom and uses
>>> /dev/random instead - that's why the setting of /dev/./urandom is
>>> important, even though it would seem to be equivalent.
>>
>> So editing the file fixes this, or just using the system property?
>
> I expect either will help.
>
> Using /dev/random instead of the configured /dev/urandom IMHO is an
> implementation bug. Some more details at
>
> http://marc.info/?l=tomcat-dev&m=130182757504685&w=2
>
> http://search.oracle.com/search/search?search_p_main_operator=all&start=1&group=bugs.sun.com&q=%2Fdev%2Furandom
>
>
> The one bug closest to this topic is
>
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721
>
> but Oracle doesn't care :(.
I wonder if the OpenJDK project will be more responsive.
p
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
--
[key:62590808]
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by Rainer Jung <ra...@kippdata.de>.
On 28.01.2012 00:38, Pid wrote:
> On 27/01/2012 23:25, Caldarale, Charles R wrote:
>>> From: David Rees [mailto:drees76@gmail.com]
>>> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization
>>
>>> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
>>> /dev/urandom as the securerandom.source.
>>
>> Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent.
>
> So editing the file fixes this, or just using the system property?
I expect either will help.
Using /dev/random instead of the configured /dev/urandom IMHO is an
implementation bug. Some more details at
http://marc.info/?l=tomcat-dev&m=130182757504685&w=2
http://search.oracle.com/search/search?search_p_main_operator=all&start=1&group=bugs.sun.com&q=%2Fdev%2Furandom
The one bug closest to this topic is
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721
but Oracle doesn't care :(.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by David Rees <dr...@gmail.com>.
On Fri, Jan 27, 2012 at 3:42 PM, Caldarale, Charles R
<Ch...@unisys.com> wrote:
>> From: Pid [mailto:pid@pidster.com]
>> > that's why the setting of /dev/./urandom is important, even
>> > though it would seem to be equivalent.
>
>> So editing the file fixes this, or just using the system property?
>
> Good question; I suspect either would work, but I've only ever used the system property.
>
> However, we still don't know definitively that lack of entropy is the cause of the problem here.
I can confirm that adding the system property
-Djava.security.egd=file:/dev/./urandom eliminates the delay.
Watching /proc/sys/kernel/random/entropy_avail while Tomcat is
starting up shows that it drops from ~140-150 down to single digits
until Tomcat initializes.
-Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Pid [mailto:pid@pidster.com]
> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization
> > that's why the setting of /dev/./urandom is important, even
> > though it would seem to be equivalent.
> So editing the file fixes this, or just using the system property?
Good question; I suspect either would work, but I've only ever used the system property.
However, we still don't know definitively that lack of entropy is the cause of the problem here.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by Pid <pi...@pidster.com>.
On 27/01/2012 23:25, Caldarale, Charles R wrote:
>> From: David Rees [mailto:drees76@gmail.com]
>> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization
>
>> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
>> /dev/urandom as the securerandom.source.
>
> Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent.
So editing the file fixes this, or just using the system property?
p
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
--
[key:62590808]
RE: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: David Rees [mailto:drees76@gmail.com]
> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization
> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
> /dev/urandom as the securerandom.source.
Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by Pid <pi...@pidster.com>.
On 27/01/2012 23:00, David Rees wrote:
> On Fri, Jan 27, 2012 at 12:58 PM, Pid <pi...@pidster.com> wrote:
>> On 27/01/2012 20:23, David Rees wrote:
>>> Google turns up lots of hits which suggest using
>>> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
>>> I'd rather not give up security for start up speed.
>>>
>>> It seems that something on the production server is leaving
>>> /dev/random with insufficient entropy to generate data quickly - the
>>> development system initializes fast enough that no message is logged.
>>> Any suggestions on how to improve startup times without reducing
>>> security?
>>
>> Yes, actually, Tomcat 7.0 included improvements to the session ID
>> generator code. It now uses SecureRandom, which is /dev/urandom AFAIK.
>>
>> You can check, what does your %JAVA_HOME%/lib/security/java.security
>> contain? E.g.
>>
>> securerandom.source=file:/dev/urandom
>
> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
> /dev/urandom as the securerandom.source.
>
>> Which version of 7.0 are you using? It's not directly relevant, but the
>> the config is here:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
>
> The latest, 7.0.25.
>
>> If your OS is Linux:
>>
>> cat /proc/sys/kernel/random/entropy_avail
>>
>> What is the output?
>
> Even on the affected and non-affected systems, it reads around 150.
Hmm, low.
So maybe an alternative is to try & increase the entropy available.
Finding the excessive consumer of entropy will be harder.
It's been a while since I had to address this: I think I installed
rng-tools, but I don't remember (& had to look that up).
p
> -Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
--
[key:62590808]
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by David Rees <dr...@gmail.com>.
On Fri, Jan 27, 2012 at 12:58 PM, Pid <pi...@pidster.com> wrote:
> On 27/01/2012 20:23, David Rees wrote:
>> Google turns up lots of hits which suggest using
>> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
>> I'd rather not give up security for start up speed.
>>
>> It seems that something on the production server is leaving
>> /dev/random with insufficient entropy to generate data quickly - the
>> development system initializes fast enough that no message is logged.
>> Any suggestions on how to improve startup times without reducing
>> security?
>
> Yes, actually, Tomcat 7.0 included improvements to the session ID
> generator code. It now uses SecureRandom, which is /dev/urandom AFAIK.
>
> You can check, what does your %JAVA_HOME%/lib/security/java.security
> contain? E.g.
>
> securerandom.source=file:/dev/urandom
Hmm, yes, the systems I've checked running Java 1.7.0_02 list
/dev/urandom as the securerandom.source.
> Which version of 7.0 are you using? It's not directly relevant, but the
> the config is here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
The latest, 7.0.25.
> If your OS is Linux:
>
> cat /proc/sys/kernel/random/entropy_avail
>
> What is the output?
Even on the affected and non-affected systems, it reads around 150.
-Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by Pid <pi...@pidster.com>.
On 27/01/2012 20:23, David Rees wrote:
> I've been working on upgrading some Tomcat 5.5 servers to Tomcat 7
> since 5.5 will be EOL soon.
>
> One thing I noticed on one of my first upgrades is that TC7 can often
> take a long time to start up due to slow initialization of the
> SessionIdGenerator - it can take up to nearly 2 minutes! It appears
> to take longer if I restart TC7 quickly which seems to confirm that a
> lack of entropy is the issue.
>
> org.apache.catalina.util.SessionIdGenerator-: Creation of SecureRandom
> instance for session ID generation using [SHA1PRNG] took [105,014]
> milliseconds.
>
> Now, Tomcat 5.5 never had this issue - did this change in between versions?
>
> Google turns up lots of hits which suggest using
> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
> I'd rather not give up security for start up speed.
>
> It seems that something on the production server is leaving
> /dev/random with insufficient entropy to generate data quickly - the
> development system initializes fast enough that no message is logged.
> Any suggestions on how to improve startup times without reducing
> security?
Yes, actually, Tomcat 7.0 included improvements to the session ID
generator code. It now uses SecureRandom, which is /dev/urandom AFAIK.
You can check, what does your %JAVA_HOME%/lib/security/java.security
contain? E.g.
securerandom.source=file:/dev/urandom
Which version of 7.0 are you using? It's not directly relevant, but the
the config is here:
http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
If your OS is Linux:
cat /proc/sys/kernel/random/entropy_avail
What is the output?
p
--
[key:62590808]
RE: TC7 very slow SessionIdGenerator SecureRandom initialization
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: David Rees [mailto:drees76@gmail.com]
> Subject: TC7 very slow SessionIdGenerator SecureRandom initialization
> Google turns up lots of hits which suggest using
> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
> I'd rather not give up security for start up speed.
I'd be extremely surprised if there were a real-world security impact due to using /dev/./urandom instead of /dev/random. Does anyone have any evidence?
You should at least try the change to see if the startup time is affected, or if something else is going on.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org