You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by David Rees <dr...@gmail.com> on 2012/01/27 21:23:53 UTC

TC7 very slow SessionIdGenerator SecureRandom initialization

I've been working on upgrading some Tomcat 5.5 servers to Tomcat 7
since 5.5 will be EOL soon.

One thing I noticed on one of my first upgrades is that TC7 can often
take a long time to start up due to slow initialization of the
SessionIdGenerator - it can take up to nearly 2 minutes!  It appears
to take longer if I restart TC7 quickly which seems to confirm that a
lack of entropy is the issue.

org.apache.catalina.util.SessionIdGenerator-: Creation of SecureRandom
instance for session ID generation using [SHA1PRNG] took [105,014]
milliseconds.

Now, Tomcat 5.5 never had this issue - did this change in between versions?

Google turns up lots of hits which suggest using
-Djava.security.egd=file:/dev/./urandom to work around the issue - but
I'd rather not give up security for start up speed.

It seems that something on the production server is leaving
/dev/random with insufficient entropy to generate data quickly - the
development system initializes fast enough that no message is logged.
Any suggestions on how to improve startup times without reducing
security?

Thanks

Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

[OT] Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by Pid <pi...@pidster.com>.

On 28/01/2012 14:23, Rainer Jung wrote:
> On 28.01.2012 00:38, Pid wrote:
>> On 27/01/2012 23:25, Caldarale, Charles R wrote:
>>>> From: David Rees [mailto:drees76@gmail.com]
>>>> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom
>>>> initialization
>>>
>>>> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
>>>> /dev/urandom as the securerandom.source.
>>>
>>> Unfortunately, there's a misguided part of the JRE that insists it's
>>> smarter than any sysadmin, so it checks for /dev/urandom and uses
>>> /dev/random instead - that's why the setting of /dev/./urandom is
>>> important, even though it would seem to be equivalent.
>>
>> So editing the file fixes this, or just using the system property?
> 
> I expect either will help.
> 
> Using /dev/random instead of the configured /dev/urandom IMHO is an
> implementation bug. Some more details at
> 
> http://marc.info/?l=tomcat-dev&m=130182757504685&w=2
> 
> http://search.oracle.com/search/search?search_p_main_operator=all&start=1&group=bugs.sun.com&q=%2Fdev%2Furandom
> 
> 
> The one bug closest to this topic is
> 
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721
> 
> but Oracle doesn't care :(.

I wonder if the OpenJDK project will be more responsive.


p


> Regards,
> 
> Rainer
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


-- 

[key:62590808]

Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by Rainer Jung <ra...@kippdata.de>.

On 28.01.2012 00:38, Pid wrote:
> On 27/01/2012 23:25, Caldarale, Charles R wrote:
>>> From: David Rees [mailto:drees76@gmail.com]
>>> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization
>>
>>> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
>>> /dev/urandom as the securerandom.source.
>>
>> Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent.
>
> So editing the file fixes this, or just using the system property?

I expect either will help.

Using /dev/random instead of the configured /dev/urandom IMHO is an 
implementation bug. Some more details at

http://marc.info/?l=tomcat-dev&m=130182757504685&w=2

http://search.oracle.com/search/search?search_p_main_operator=all&start=1&group=bugs.sun.com&q=%2Fdev%2Furandom

The one bug closest to this topic is

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721

but Oracle doesn't care :(.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by David Rees <dr...@gmail.com>.

On Fri, Jan 27, 2012 at 3:42 PM, Caldarale, Charles R
<Ch...@unisys.com> wrote:
>> From: Pid [mailto:pid@pidster.com]
>> > that's why the setting of /dev/./urandom is important, even
>> > though it would seem to be equivalent.
>
>> So editing the file fixes this, or just using the system property?
>
> Good question; I suspect either would work, but I've only ever used the system property.
>
> However, we still don't know definitively that lack of entropy is the cause of the problem here.

I can confirm that adding the system property
-Djava.security.egd=file:/dev/./urandom eliminates the delay.

Watching /proc/sys/kernel/random/entropy_avail while Tomcat is
starting up shows that it drops from ~140-150 down to single digits
until Tomcat initializes.

-Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: Pid [mailto:pid@pidster.com] 
> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization

> > that's why the setting of /dev/./urandom is important, even 
> > though it would seem to be equivalent.

> So editing the file fixes this, or just using the system property?

Good question; I suspect either would work, but I've only ever used the system property.

However, we still don't know definitively that lack of entropy is the cause of the problem here.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by Pid <pi...@pidster.com>.

On 27/01/2012 23:25, Caldarale, Charles R wrote:
>> From: David Rees [mailto:drees76@gmail.com] 
>> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization
> 
>> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
>> /dev/urandom as the securerandom.source.
> 
> Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent.

So editing the file fixes this, or just using the system property?


p

>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


-- 

[key:62590808]

RE: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: David Rees [mailto:drees76@gmail.com] 
> Subject: Re: TC7 very slow SessionIdGenerator SecureRandom initialization

> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
> /dev/urandom as the securerandom.source.

Unfortunately, there's a misguided part of the JRE that insists it's smarter than any sysadmin, so it checks for /dev/urandom and uses /dev/random instead - that's why the setting of /dev/./urandom is important, even though it would seem to be equivalent.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by Pid <pi...@pidster.com>.

On 27/01/2012 23:00, David Rees wrote:
> On Fri, Jan 27, 2012 at 12:58 PM, Pid <pi...@pidster.com> wrote:
>> On 27/01/2012 20:23, David Rees wrote:
>>> Google turns up lots of hits which suggest using
>>> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
>>> I'd rather not give up security for start up speed.
>>>
>>> It seems that something on the production server is leaving
>>> /dev/random with insufficient entropy to generate data quickly - the
>>> development system initializes fast enough that no message is logged.
>>> Any suggestions on how to improve startup times without reducing
>>> security?
>>
>> Yes, actually, Tomcat 7.0 included improvements to the session ID
>> generator code.  It now uses SecureRandom, which is /dev/urandom AFAIK.
>>
>> You can check, what does your %JAVA_HOME%/lib/security/java.security
>> contain?  E.g.
>>
>>  securerandom.source=file:/dev/urandom
> 
> Hmm, yes, the systems I've checked running Java 1.7.0_02 list
> /dev/urandom as the securerandom.source.
>
>> Which version of 7.0 are you using?  It's not directly relevant, but the
>> the config is here:
>>
>>  http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
> 
> The latest, 7.0.25.
> 
>> If your OS is Linux:
>>
>>  cat /proc/sys/kernel/random/entropy_avail
>>
>> What is the output?
> 
> Even on the affected and non-affected systems, it reads around 150.

Hmm, low.

So maybe an alternative is to try & increase the entropy available.
Finding the excessive consumer of entropy will be harder.

It's been a while since I had to address this: I think I installed
rng-tools, but I don't remember (& had to look that up).


p

> -Dave
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


-- 

[key:62590808]

Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by David Rees <dr...@gmail.com>.

On Fri, Jan 27, 2012 at 12:58 PM, Pid <pi...@pidster.com> wrote:
> On 27/01/2012 20:23, David Rees wrote:
>> Google turns up lots of hits which suggest using
>> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
>> I'd rather not give up security for start up speed.
>>
>> It seems that something on the production server is leaving
>> /dev/random with insufficient entropy to generate data quickly - the
>> development system initializes fast enough that no message is logged.
>> Any suggestions on how to improve startup times without reducing
>> security?
>
> Yes, actually, Tomcat 7.0 included improvements to the session ID
> generator code.  It now uses SecureRandom, which is /dev/urandom AFAIK.
>
> You can check, what does your %JAVA_HOME%/lib/security/java.security
> contain?  E.g.
>
>  securerandom.source=file:/dev/urandom

Hmm, yes, the systems I've checked running Java 1.7.0_02 list
/dev/urandom as the securerandom.source.

> Which version of 7.0 are you using?  It's not directly relevant, but the
> the config is here:
>
>  http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html

The latest, 7.0.25.

> If your OS is Linux:
>
>  cat /proc/sys/kernel/random/entropy_avail
>
> What is the output?

Even on the affected and non-affected systems, it reads around 150.

-Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by Pid <pi...@pidster.com>.

On 27/01/2012 20:23, David Rees wrote:
> I've been working on upgrading some Tomcat 5.5 servers to Tomcat 7
> since 5.5 will be EOL soon.
> 
> One thing I noticed on one of my first upgrades is that TC7 can often
> take a long time to start up due to slow initialization of the
> SessionIdGenerator - it can take up to nearly 2 minutes!  It appears
> to take longer if I restart TC7 quickly which seems to confirm that a
> lack of entropy is the issue.
> 
> org.apache.catalina.util.SessionIdGenerator-: Creation of SecureRandom
> instance for session ID generation using [SHA1PRNG] took [105,014]
> milliseconds.
> 
> Now, Tomcat 5.5 never had this issue - did this change in between versions?
> 
> Google turns up lots of hits which suggest using
> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
> I'd rather not give up security for start up speed.
> 
> It seems that something on the production server is leaving
> /dev/random with insufficient entropy to generate data quickly - the
> development system initializes fast enough that no message is logged.
> Any suggestions on how to improve startup times without reducing
> security?

Yes, actually, Tomcat 7.0 included improvements to the session ID
generator code.  It now uses SecureRandom, which is /dev/urandom AFAIK.

You can check, what does your %JAVA_HOME%/lib/security/java.security
contain?  E.g.

 securerandom.source=file:/dev/urandom



Which version of 7.0 are you using?  It's not directly relevant, but the
the config is here:

 http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html


If your OS is Linux:

 cat /proc/sys/kernel/random/entropy_avail

What is the output?





p




-- 

[key:62590808]

RE: TC7 very slow SessionIdGenerator SecureRandom initialization

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.

> From: David Rees [mailto:drees76@gmail.com] 
> Subject: TC7 very slow SessionIdGenerator SecureRandom initialization

> Google turns up lots of hits which suggest using
> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
> I'd rather not give up security for start up speed.

I'd be extremely surprised if there were a real-world security impact due to using /dev/./urandom instead of /dev/random.  Does anyone have any evidence?

You should at least try the change to see if the startup time is affected, or if something else is going on.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org