On 27/01/2012 20:23, David Rees wrote:
> I've been working on upgrading some Tomcat 5.5 servers to Tomcat 7
> since 5.5 will be EOL soon.
>
> One thing I noticed on one of my first upgrades is that TC7 can often
> take a long time to start up due to slow initialization of the
> SessionIdGenerator - it can take up to nearly 2 minutes! It appears
> to take longer if I restart TC7 quickly which seems to confirm that a
> lack of entropy is the issue.
>
> org.apache.catalina.util.SessionIdGenerator-: Creation of SecureRandom
> instance for session ID generation using [SHA1PRNG] took [105,014]
> milliseconds.
>
> Now, Tomcat 5.5 never had this issue - did this change in between versions?
>
> Google turns up lots of hits which suggest using
> -Djava.security.egd=file:/dev/./urandom to work around the issue - but
> I'd rather not give up security for start up speed.
>
> It seems that something on the production server is leaving
> /dev/random with insufficient entropy to generate data quickly - the
> development system initializes fast enough that no message is logged.
> Any suggestions on how to improve startup times without reducing
> security?

Yes, actually, Tomcat 7.0 included improvements to the session ID generator code. It now uses SecureRandom, which is /dev/urandom AFAIK.

You can check, what does your %JAVA_HOME%/lib/security/java.security contain? E.g.

securerandom.source=file:/dev/urandom

Which version of 7.0 are you using?

It's not directly relevant, but the config is here:
http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html

If your OS is Linux:

cat /proc/sys/kernel/random/entropy_avail

What is the output?

p

--
[key:62590808]
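
The checks suggested in the reply above, combined into one script. This is an added example, not part of the original messages; the function names are hypothetical. It also accounts for the `-Djava.security.egd` option mentioned in the question, since that system property overrides `securerandom.source` from `java.security`.

```shell
#!/bin/sh
# Added example: helper functions are hypothetical, not from the thread.

# Print the effective securerandom.source value from a java.security file.
# Properties syntax: lines starting with '#' or '!' are comments and the
# last assignment of a key wins.
securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*[=:][[:space:]]*//p' "$1" \
        | tr -d '\r' | tail -n 1
}

# Print the value of the last -Djava.security.egd=... option found in a
# JVM options string (empty output if none is set).
egd_override() {
    for opt in $1; do
        case "$opt" in
            -Djava.security.egd=*) printf '%s\n' "${opt#-Djava.security.egd=}" ;;
        esac
    done | tail -n 1
}

# Print the seed source the JVM will actually use: the system property,
# when present, takes precedence over the java.security file.
effective_source() {
    override=$(egd_override "$2")
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    else
        securerandom_source "$1"
    fi
}

# Print the kernel's current entropy estimate (Linux only).
# The path argument exists only so the function can be pointed elsewhere.
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}"
}

# Print both diagnostics for one JVM installation.
report() {
    printf 'seed source:   %s\n' "$(effective_source "$1" "$2")"
    printf 'entropy_avail: %s\n' "$(entropy_avail)"
}

# Usage: report "$JAVA_HOME/lib/security/java.security" "$JAVA_OPTS"
```

A result of `file:/dev/random` together with a low `entropy_avail` value matches the slow SecureRandom creation logged in the question.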
