Apache HTTPD Server, OpenSSL, and GPG support using EGD as an alternative for
Unix systems which do not support the /dev/random device.

EGD is written in Perl (Entropy Gathering Daemon - http://egd.sourceforge.net/).
PRNGD is written in C (Pseudo Random Number Generator Daemon -
http://prngd.sourceforge.net/).

The java.security.SecureRandom bundled with the JDK can use PRNG.
http://download.oracle.com/javase/6/docs/api/java/security/SecureRandom.html
See:
http://stackoverflow.com/questions/137212/how-to-solve-performance-problem-with-java-securerandom

There is a ColdFusion blog about using EGD in the Java environment. That is
using /dev/./urandom instead of /dev/random. See middle section of blog post.
See a little further down for a production resolution.

ColdFusion hangs or slow on startup due to MessageBrokerServlet
http://www.ghidinelli.com/2011/01/11/cold-fusion-slow-start-messagebrokerservlet

This blog post recommends "-Djava.security.egd=file:/dev/./urandom", but then it
goes on to suggest how to tune the EGD on your Linux system for production.

-RG

On 08/18/2011 10:47 AM, Kevan Miller wrote:

On Aug 18, 2011, at 1:06 AM, Shawn Jiang wrote:

This could increase the Linux startup speed significantly. Does anyone know if it is safe
to add "-Djava.security.egd=file:/dev/./urandom" to our startup script
directly?
Don't know if it will break something on other Linux/Unix platforms.

IIRC, some Unix variants don't have a /dev/urandom. I don't think these
environments are very popular. I would expect these environments would have
fairly obvious failures and could be diagnosed fairly easily.

I suppose that there is some possibility that urandom will generate a less
secure seed for the SSL server socket. I've never heard of any concerns about
this, but that doesn't mean it doesn't exist.

This is a long-standing problem. And Java has not chosen to do anything about
it. I know some servers have used a similar approach. Others, e.g. Tomcat, have
left it up to users/admins.

Given the number of times we bump into this issue, I'd say that setting
"-Djava.security.egd=file:/dev/./urandom" is likely to do more good than harm.

--kevan
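
A startup-script guard for the portability concern raised in this thread, as an added example that is not part of the original messages or of any project's script: it emits the flag only when the device is a readable character device that actually returns bytes, and otherwise leaves the JVM default in place. The function name `egd_flag_for` and the use of a `JAVA_OPTS` variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). egd_flag_for and JAVA_OPTS are
# assumed names used for illustration.

# Print the java.security.egd flag for a device, or return 1 when the device
# is unusable so the JVM keeps its default seed source.
egd_flag_for() {
    dev=${1:-/dev/urandom}

    # Must be a readable character device; a regular file at this path
    # is not an entropy source.
    [ -c "$dev" ] || return 1
    [ -r "$dev" ] || return 1

    # Must actually deliver bytes: read 16 and count what came back.
    got=$(dd if="$dev" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" = "16" ] || return 1

    # Write the path in the "/dev/./name" form used in the thread.
    printf '%s\n' "-Djava.security.egd=file:${dev%/*}/./${dev##*/}"
}

# Usage in a startup script: append the flag only when the check passes.
if flag=$(egd_flag_for /dev/urandom); then
    JAVA_OPTS="${JAVA_OPTS:+$JAVA_OPTS }$flag"
fi
```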