Tomcat 8 entropy Pool congestion slow down detailed

Author: chszs; reprints should indicate the source. Blog home: http://blog.csdn.net/chszs

Tomcat 8 is slow to start and there are no errors in the log, but the following information appears in it:

log4j:[2015-10-29 15:47:11]  INFO readproperty:172 - Loading properties file from class path resource [Resources/jdbc.properties]
log4j:[2015-10-29 15:47:11]  INFO readproperty:172 - Loading properties file from class path resource [Resources/common.properties]
29-Oct-2015 15:52:53.587 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [342,445] milliseconds.

Reason

Tomcat 7/8 uses org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom to create the SecureRandom instance used for session ID generation. Here that step took 342 seconds, nearly 6 minutes.

SHA1PRNG is a pseudo-random number generator based on the SHA-1 algorithm and intended to be cryptographically strong.

Inside SHA1PRNG there is a seed generator whose behaviour depends on the configuration:

1. If the java.security.egd property or the securerandom.source property specifies "file:/dev/random" or "file:/dev/urandom", the JVM uses the native seed generator NativeSeedGenerator. Its constructor calls super(), which in turn calls SeedGenerator.URLSeedGenerator(/dev/random) for initialization. Note that even "file:/dev/urandom" ends up reading the blocking /dev/random device.

2. If the java.security.egd property or the securerandom.source property specifies a different URL that exists, SeedGenerator.URLSeedGenerator(URL) is invoked for initialization, and that URL is read directly.

That is why setting the value to "file:///dev/urandom" or "file:/dev/./urandom" works: neither string matches the two special-cased values, so the non-blocking /dev/urandom device is actually used.

In this implementation, the kernel generator keeps an estimate of the amount of noise in the entropy pool, and random numbers are produced from that pool. When read, the /dev/random device returns only as many random bytes as its estimate of the noise in the pool allows. /dev/random is intended for scenarios that require very high quality randomness, such as one-time pads or key generation.

When the entropy pool is empty, reads from /dev/random block until the pool has collected enough ambient noise. The aim is to serve as a cryptographically secure pseudo-random number generator whose output carries as much entropy as possible, which is what you want for high quality encryption keys or anything that needs long-term protection.

So what is ambient noise?

The random number generator collects ambient noise from device drivers and other sources and feeds it into the entropy pool, keeping an estimate of how much noise the pool holds. When the pool is empty, collecting new noise takes time, especially on a headless server with few interrupt sources. This means Tomcat can be blocked for a long time when it draws from the entropy pool in a production environment.

Solution

There are two ways to solve this problem:

1) Solve it in the Tomcat environment

You can configure the JRE to use a non-blocking entropy source.

Add this option to catalina.sh: -Djava.security.egd=file:/dev/./urandom

After adding it, Tomcat's whole startup drops to: Server startup in 2912 ms.

2) Solve it in the JVM environment

Open the file $JAVA_PATH/jre/lib/security/java.security and find the following line:

securerandom.source=file:/dev/urandom

Replace it with

securerandom.source=file:/dev/./urandom
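The check below is an added example, not part of the original post: it pulls the SecureRandom creation time out of a Tomcat startup log like the one quoted above, flags it when it exceeds a threshold, and checks whether the -Djava.security.egd=file:/dev/./urandom workaround is already present in the JVM options. The log excerpt is constructed for the example and the 1000 ms threshold is an assumption.

```shell
#!/bin/sh
# Added example: detect the slow SecureRandom seeding described in the article.
# Constructed catalina.out excerpt, modelled on the line quoted in the article.
SAMPLE_LOG='29-Oct-2015 15:47:11.000 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1200 ms
29-Oct-2015 15:52:53.587 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [342,445] milliseconds.
29-Oct-2015 15:52:55.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 344912 ms'

# Print the SecureRandom creation time in milliseconds (thousands separators
# removed) from a log passed as $1, or 0 when the log has no such line.
securerandom_ms() {
  printf '%s\n' "$1" \
    | sed -n 's/.*createSecureRandom .*took \[\([0-9,]*\)\] milliseconds.*/\1/p' \
    | tr -d ',' \
    | head -n 1 \
    | grep . || echo 0
}

# Succeed when seeding took longer than the threshold in $2 (assumed default: 1000 ms).
seeding_is_slow() {
  _ms=$(securerandom_ms "$1")
  [ "$_ms" -gt "${2:-1000}" ]
}

# Succeed when the JVM options string in $1 already selects the non-blocking
# source recommended by the article (file:/dev/./urandom).
egd_workaround_present() {
  case " $1 " in
    *" -Djava.security.egd=file:/dev/./urandom "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone report: kernel entropy estimate (Linux only) plus the two checks
# run against the constructed log and the current CATALINA_OPTS/JAVA_OPTS.
report() {
  if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    echo "entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail)"
  fi
  echo "SecureRandom creation took $(securerandom_ms "$SAMPLE_LOG") ms"
  if seeding_is_slow "$SAMPLE_LOG"; then
    echo "slow seeding detected: add -Djava.security.egd=file:/dev/./urandom to CATALINA_OPTS"
  fi
  if egd_workaround_present "${CATALINA_OPTS:-} ${JAVA_OPTS:-}"; then
    echo "egd workaround already configured"
  fi
}

report
```

To run it against a real instance, replace SAMPLE_LOG with the contents of catalina.out and export the same CATALINA_OPTS the server starts with.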
