On 03.10.2014 at 14:01, Christopher Schultz wrote:

Martin,

On 10/3/14 5:48 AM, Martin Hamant wrote:
On 03/10/2014 11:26, Martin Hamant wrote:


The virtual (qemu) server runs with 4GB RAM

Sorry, the hypervisor is KVM. The VM is running on top of
OpenStack. So... this could lead somewhere as I am reading
http://blog.dustinkirkland.com/2012/10/entropy-or-lack-thereof-in-openstack.html

OpenStack or not, running on a VM usually means that the underlying OS
is providing the source of entropy. If your physical machine is
heavily virtualized, you may have multiple entropy sinks constantly
draining your source(s) of entropy.

If you wait for a while, things will recover. If you find you are
constantly blocking waiting for more randomness to be available from
your random source, you basically have 3 options:

1. Suffer through it. Just keep waiting.

2. Use a poor source of randomness, like /dev/urandom on Linux.
    I wouldn't recommend this for any kind of production deployment,
    since the entropy source is "watered-down". You can't rely on it
    for important things like encryption (including SSL) and really
    anything that requires random numbers that are as random as
    possible (like session ids).

3. Get yourself a hardware entropy source. You can buy USB keys that
    do this kind of thing. Make sure whatever you get is compatible
    with your OS and accessible by Java (better yet, get one that will
    simply dump its randomness into /dev/random).

... and in case you are heading for the urandom solution and are using a JDK before 8, you should use e.g.

-Djava.security.egd=file:/dev//urandom

and *not*

-Djava.security.egd=file:/dev/urandom

For background info look at

http://marc.info/?l=tomcat-dev&m=130182757504685&w=2

or more officially

http://bugs.java.com/view_bug.do?bug_id=6202721

and

http://openjdk.java.net/jeps/123

This has been fixed in JDK8 though (finally).

Regards,

Rainer
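
A small diagnostic for the situation discussed in this thread, added here as an example (it is not part of any poster's message and not Tomcat code): it prints which seed source the running JVM is configured with and times SecureRandom seeding, so different `-Djava.security.egd` values can be compared on the affected VM. The class name `EgdCheck` and the 1000 ms threshold are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.security.Security;

// Added example: report the JVM's configured seed source and time seeding.
// Written without lambdas so it also compiles on the pre-8 JDKs discussed here.
public class EgdCheck {
    // Arbitrary threshold (assumption) above which a step is reported as slow.
    static final long SLOW_MS = 1000;

    static String verdict(long ms) {
        return ms + " ms" + (ms >= SLOW_MS ? "  <-- slow, seeding likely waited for entropy" : "");
    }

    public static void main(String[] args) {
        // Command-line override (-Djava.security.egd=...); null when not set.
        String egd = System.getProperty("java.security.egd");
        // Default taken from the JRE's java.security configuration file.
        String src = Security.getProperty("securerandom.source");
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("java.security.egd   = " + egd);
        System.out.println("securerandom.source = " + src);

        // The system property, when present, takes precedence over the file default.
        String effective = (egd != null && egd.length() > 0) ? egd : src;
        if ("file:/dev/urandom".equals(effective)) {
            // This is the exact spelling the message above says not to use before JDK 8.
            System.out.println("note: effective source is the literal file:/dev/urandom");
        }

        SecureRandom sr = new SecureRandom();
        System.out.println("algorithm/provider  = " + sr.getAlgorithm()
                + "/" + sr.getProvider().getName());

        // The first nextBytes() forces the generator to seed itself; a stall
        // at startup (for example while creating session ids) shows up here.
        long t0 = System.nanoTime();
        sr.nextBytes(new byte[32]);
        long firstMs = (System.nanoTime() - t0) / 1000000L;

        // generateSeed() asks the provider's seed source directly.
        t0 = System.nanoTime();
        sr.generateSeed(32);
        long seedMs = (System.nanoTime() - t0) / 1000000L;

        System.out.println("first nextBytes(32) = " + verdict(firstMs));
        System.out.println("generateSeed(32)    = " + verdict(seedMs));
    }
}
```

Run it once with the JVM's defaults and once with each `-Djava.security.egd` value under consideration, on the same VM and JDK that runs Tomcat, and compare the timings.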

