tomcat starts slowly due to random factors

This content is translated. Below is my analysis.

 

file:/dev/urandom

 

I don't know which JRE the author was using.

In /dev there are only the random and urandom device files, so /dev/./urandom resolves to the same device as /dev/urandom.

In the java.security file of JDK 1.8 the default is /dev/random; to remove the startup delay it has to be changed to /dev/urandom.

 

The biggest pitfall is here: if you set

securerandom.source=file:/dev/urandom

then all cryptographic operations fail.

The problem of SessionIdGeneratorBase.createSecureRandom taking 5 minutes when Tomcat starts

 

Normally Tomcat takes only 2~3 seconds to start up. Then one day it suddenly started very slowly, taking 5~6 minutes. After investigating for a long time I finally found the solution in this article; the blogger is awesome.

See the original text: http://blog.csdn.net/chszs/article/details/49494701

 

Tomcat 8 starts very slowly, and there are no errors in the log. The following information is found in the log:

Log4j:[2015-10-29 15:47:11]  INFO ReadProperty:172 - Loading properties file from class path resource [resources/jdbc.properties]
Log4j:[2015-10-29 15:47:11]  INFO ReadProperty:172 - Loading properties file from class path resource [resources/common.properties]
29-Oct-2015 15:52:53.587 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [342,445] milliseconds.

Reason

Tomcat 7 and 8 both use org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom to create the SecureRandom instance used for session ID generation; here it took 342 seconds, nearly 6 minutes.

The SHA1PRNG algorithm is a pseudo-random number generator with strong confidentiality based on the SHA-1 algorithm.

In SHA1PRNG, there is a seed generator which performs various actions depending on the configuration.

1) If the java.security.egd property or the securerandom.source property specifies "file:/dev/random" or "file:/dev/urandom", the JVM uses the native seed generator NativeSeedGenerator, which calls the super() method, that is, SeedGenerator.URLSeedGenerator(/dev/random), for initialization.

2) If the java.security.egd property or the securerandom.source property specifies other existing URLs, the SeedGenerator.URLSeedGenerator(url) method will be called for initialization.

That's why setting the value to "file:///dev/urandom" or to "file:/./dev/random" works.

In this implementation, the generator evaluates the amount of noise in the entropy pool. Random numbers are created from the entropy pool. When read, the /dev/random device returns only random bytes of noise from the entropy pool. /dev/random is ideal for scenarios that require very high-quality randomness, such as one-time pads or key generation.

When the entropy pool is empty, reads from /dev/random block until the entropy pool has collected enough ambient noise. The purpose is to be a cryptographically secure pseudo-random number generator whose output is backed by as much of the entropy pool as possible. It should be used for generating high-quality encryption keys or for scenarios that require long-term protection.

So what is ambient noise?

A random number generator takes ambient noise data from device drivers and other sources and puts it into an entropy pool. The generator evaluates the amount of noisy data in the entropy pool. When the entropy pool is empty, the collection of this noisy data is time-consuming. This means that when Tomcat uses the entropy pool in a production environment, it will be blocked for a long time.

Solution

There are two solutions:

1) Solve in the Tomcat environment

You can switch to the non-blocking entropy source by configuring the JRE.

Add this option to catalina.sh: -Djava.security.egd=file:/dev/./urandom

After adding it and restarting Tomcat, the whole startup time drops to "Server startup in 2912 ms".

2) Solve in the JVM environment

Open the file $JAVA_PATH/jre/lib/security/java.security and find the following content:

securerandom.source=file:/dev/urandom

and replace it with

securerandom.source=file:/dev/./urandom
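The following POSIX shell script is an added example, not code from the original post or from Tomcat: it encodes the seed-source selection rule described under "Reason" (the two exact URLs file:/dev/random and file:/dev/urandom go to the native generator, anything else is read as a URL) and automates both fixes from the "Solution" section, checking the start script for the -Djava.security.egd override and rewriting the securerandom.source line in java.security. The java.security and catalina.sh files it operates on are constructed samples; the JAVA_OPTS variable name and the backup naming are assumptions, and on a real host you would point the functions at $JAVA_HOME/jre/lib/security/java.security and Tomcat's catalina.sh or setenv.sh.

```shell
#!/bin/sh
# Added example (not part of the original post): audit and repair the JVM's
# SecureRandom seed source following the two fixes the post describes.
# Paths and the sample files below are constructed for this demo.

# Effective securerandom.source in a java.security file: the last
# non-comment assignment wins. Prints nothing when the line is absent.
egd_source() {
  sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Mirror the seed-generator selection the post describes: the two exact
# URLs go to NativeSeedGenerator (which reads /dev/random and can block);
# any other file: URL is handed to URLSeedGenerator and read as given.
classify_source() {
  case "$1" in
    file:/dev/random|file:/dev/urandom) echo native ;;
    file:*) echo url ;;
    *) echo unknown ;;
  esac
}

# Fix 2 from the post: rewrite the source line to file:/dev/./urandom.
# Writes through a backup copy so it works with both GNU and BSD sed.
fix_java_security() {
  f=$1
  cp "$f" "$f.bak" || return 1
  sed 's|^\([[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*\).*$|\1file:/dev/./urandom|' \
    "$f.bak" > "$f"
}

# Fix 1 from the post: does the Tomcat start script already pass the override?
has_egd_override() {
  grep -q -- '-Djava\.security\.egd=file:/dev/\./urandom' "$1"
}

# Kernel-side view of the entropy pool the post talks about (Linux only).
entropy_avail() {
  if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    cat /proc/sys/kernel/random/entropy_avail
  else
    echo n/a
  fi
}

# --- demo on constructed files ---
demo=$(mktemp -d)
cat > "$demo/java.security" <<'EOF'
# constructed sample mirroring the JDK 8 default line
securerandom.source=file:/dev/random
EOF
cat > "$demo/catalina.sh" <<'EOF'
# constructed sample start script without the override (JAVA_OPTS assumed)
JAVA_OPTS="$JAVA_OPTS -Xmx512m"
EOF

src=$(egd_source "$demo/java.security")
echo "java.security source: $src ($(classify_source "$src"))"
if has_egd_override "$demo/catalina.sh"; then
  echo "catalina.sh: -Djava.security.egd override present"
else
  echo "catalina.sh: no override; add -Djava.security.egd=file:/dev/./urandom to JAVA_OPTS"
fi
fix_java_security "$demo/java.security"
src=$(egd_source "$demo/java.security")
echo "after fix: $src ($(classify_source "$src"))"
echo "kernel entropy_avail: $(entropy_avail)"
rm -rf "$demo"
```

Either fix alone is enough: the -Djava.security.egd system property overrides the securerandom.source entry in java.security for that JVM, while editing java.security changes the default for every JVM launched from that JRE. The entropy_avail reading only explains why the blocking read stalls; it is not something the script changes.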

 

Author: Lave Zhang
Source: http://www.cnblogs.com/lavezhang/
The copyright of this article belongs to the author and cnblogs. Reprints are welcome, but this statement must be retained without needing the author's consent, and a link to the original text must be given in an obvious position on the article page; otherwise the author reserves the right to pursue legal responsibility.
