Menu
Please don't mark it as duplicate. It is a follow up question for both these questions.
I understand that, replacing
securerandom.source=file:/dev/urandom
with
securerandom.source=file:/dev/./urandom
in $JAVA_PATH/jre/lib/security/java.security will solve this problem.
My question is, is it ok to do so in production? Will this have any impact on security (like Session ID becoming predictable)? If this is less secure, is there any other way to give enough entropy quicker?
I use openstack for deployment (or let's just say, uses AWS or GCP or any other cloud provider). So, adding a hardware device such as soundcard is not an option for me.
781
If your Tomcat takes longer to start, it may be due to the random number generator that it is using. You might want to consider forcing it to use '/dev/urandom' rather than the default '/dev/random' that Tomcat uses.
Unfortunately, SecureRandom can be very slow. If it uses /dev/random on Linux, it can block waiting for sufficient entropy to build up.
For Tomcat itself to run slow would mean that the VM it's running in was severely starved for resources. So, for example, if Tomcat is running slow, you should check to make sure that the machine that Tomcat is running on has enough physical RAM that it isn't thrashing virtual memory.
After some extensive Googling with the right search terms, I came across this nice article on DigitalOcean. I am merely quoting the relevant part here.
There are two general random devices on Linux: /dev/random and /dev/urandom. The best randomness comes from /dev/random, since it's a blocking device, and will wait until sufficient entropy is available to continue providing output. Assuming your entropy is sufficient, you should see the same quality of randomness from /dev/urandom; however, since it's a non-blocking device, it will continue producing “random” data, even when the entropy pool runs out. This can result in lower quality random data, as repeats of previous data are much more likely. Lots of bad things can happen when the available entropy runs low on a production server, especially when this server performs cryptographic functions.
So, its a potential security risk.
Linux already gets very good quality random data from the different hardware sources, but since a headless machine usually has no keyboard or mouse, there is much less entropy generated. Disk and network I/O represent the majority of entropy generation sources for these machines, and these produce very sparse amounts of entropy. Since very few headless machines like servers or cloud servers/virtual machines have any sort of dedicated hardware RNG solution available, there exist several userland solutions to generate additional entropy using hardware interrupts from devices that are “noisier” than hard disks, like video cards, sound cards, etc. This once again proves to be an issue for servers unfortunately, as they do not commonly contain either one
Based on the HAVEGE principle, and previously based on its associated library, haveged allows generating randomness based on variations in code execution time on a processor. Since it's nearly impossible for one piece of code to take the same exact time to execute, even in the same environment on the same hardware, the timing of running a single or multiple programs should be suitable to seed a random source. The haveged implementation seeds your system's random source (usually /dev/random) using differences in your processor's time stamp counter (TSC) after executing a loop repeatedly
Follow the steps in this article. https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
171
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
