Three minutes to perform one step during startup.


paulhr
Tomee-Plume 1.7.4
Fedora 23
java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

After adding SSL, startup of Tomee takes an extra 3 - 6 minutes.

Jun 16, 2016 2:57:18 PM org.apache.tomee.catalina.TomcatWebAppBuilder deployWebApps
INFO: using context file /opt/apache-tomee-plume-1.7.4/webapps/Website03/META-INF/context.xml
Jun 16, 2016 2:57:18 PM org.apache.openejb.assembler.classic.Assembler createApplication
INFO: Deployed Application(path=/opt/apache-tomee-plume-1.7.4/webapps/Website03)

Notice the 3-minute gap between the last message and the next message.

Jun 16, 2016 3:01:18 PM org.apache.catalina.util.SessionIdGeneratorBase createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [239,662] milliseconds.

Re: Three minutes to perform one step during startup.

paulhr
Make that 3 - 9 minutes.


Jun 16, 2016 3:14:47 PM org.apache.tomee.catalina.TomcatWebAppBuilder deployWebApps
INFO: using context file /opt/apache-tomee-plume-1.7.4/webapps/Website03/META-INF/context.xml
Jun 16, 2016 3:14:47 PM org.apache.openejb.assembler.classic.Assembler createApplication
INFO: Deployed Application(path=/opt/apache-tomee-plume-1.7.4/webapps/Website03)
Jun 16, 2016 3:23:11 PM org.apache.catalina.util.SessionIdGeneratorBase createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [503,268] milliseconds.

Re: Three minutes to perform one step during startup.

Romain Manni-Bucau
Your computer seems to not have enough entropy. There are apps to generate
some during boot.
On 16 June 2016 21:26, "paulhr" <[hidden email]> wrote:

Re: Three minutes to perform one step during startup.

paulhr
Install of haveged fixed the issue.  It was even available on dnf.

The other option was audio-entropyd.  But I found it to be poorly documented and hard to find an audio source to feed the randomness that is needed.


dnf install haveged.

Re: Three minutes to perform one step during startup.

agumbrecht
I've found that this can help:

CATALINA_OPTS=-Djava.security.egd=file:/dev/./urandom

Your path might be different, but you get the idea.

Andy.

http://www.tomitribe.com - @AndyGeeDe - On a small screen device.
On 17 Jun 2016 19:16, "paulhr" <[hidden email]> wrote:
    --
    Andy Gumbrecht

    http://www.tomitribe.com
    agumbrecht@tomitribe.com
    https://twitter.com/AndyGeeDe

    TomEE treibt Tomitribe ! | http://tomee.apache.org

Re: Three minutes to perform one step during startup.

Romain Manni-Bucau
@Andy: it reduced the security compared to real random AFAIK

If you don't use sessions, setting the fastsecurerandom would do it. It makes
the session id generator unsecured, but if you don't use it, it is fine.
On 17 June 2016 19:37, "Andy Gumbrecht" <[hidden email]> wrote:

Re: Three minutes to perform one step during startup.

Bjorn Danielsson
In reply to this post by agumbrecht
For Java 8, I believe using file:/dev/urandom is better since it
avoids SHA1PRNG and it avoids blocking even when seeding SecureRandom.
It simply uses /dev/urandom for everything.

Here is a good article explaining why /dev/urandom is the way to go:

http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

--
Bjorn Danielsson
Cuspy Code AB


Andy Gumbrecht <[hidden email]> wrote:
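An added example, not Andy's or Bjorn's script, that applies the egd setting the two replies above discuss: it writes the flag into TomEE's bin/setenv.sh exactly once (catalina.sh sources that file on Tomcat 7+ layouts, so catalina.sh itself stays untouched), reads back what is set, and extracts securerandom.source from a JVM's java.security so you can see the default you are overriding. The install path is modelled on the thread's /opt/apache-tomee-plume-1.7.4, and the function names are mine. The default source is file:/dev/urandom, per Bjorn's Java 8 note; pass file:/dev/./urandom to get the older spelling from Andy's reply, which exists because JDKs before 8 treated the literal string file:/dev/urandom the same as file:/dev/random, while Java 8 reads the path as given.

```shell
#!/bin/sh
# Added example, not from the thread: manage the java.security.egd setting
# for a TomEE install and inspect the JVM default it overrides.
# Assumptions: a Tomcat 7+ layout where bin/catalina.sh sources bin/setenv.sh,
# and a Linux host (readlink -f) like the Fedora box in the thread.

# add_egd_option CATALINA_BASE [SOURCE]
# Appends -Djava.security.egd=SOURCE to bin/setenv.sh; running it again
# replaces the previous value instead of stacking flags.
# SOURCE defaults to file:/dev/urandom (Java 8). file:/dev/./urandom is the
# older spelling for JDKs that treated the literal file:/dev/urandom as
# file:/dev/random.
add_egd_option() {
    base=$1
    egd_src=${2:-file:/dev/urandom}
    setenv="$base/bin/setenv.sh"
    mkdir -p "$base/bin"
    [ -f "$setenv" ] || printf '#!/bin/sh\n' > "$setenv"
    # drop any earlier egd line (grep -v exits 1 when nothing is left; that is fine)
    grep -v 'java\.security\.egd=' "$setenv" > "$setenv.tmp" || true
    mv "$setenv.tmp" "$setenv"
    printf 'CATALINA_OPTS="$CATALINA_OPTS -Djava.security.egd=%s"\n' "$egd_src" >> "$setenv"
    chmod 755 "$setenv"
}

# egd_option CATALINA_BASE -> prints the source currently set in setenv.sh
egd_option() {
    sed -n 's/.*-Djava\.security\.egd=\([^" ]*\).*/\1/p' "$1/bin/setenv.sh" | tail -n 1
}

# securerandom_source JAVA_SECURITY_FILE -> prints the securerandom.source
# value, i.e. what the JVM seeds from when no -Djava.security.egd is given.
# JDK 8 ships file:/dev/random here.
securerandom_source() {
    sed -n 's/^securerandom\.source=\(.*\)$/\1/p' "$1" | tail -n 1
}

# jvm_java_security -> prints the java.security file of the java on PATH
# (JDK 8: lib/security or jre/lib/security, JDK 9+: conf/security);
# fails if no java is installed.
jvm_java_security() {
    javabin=$(command -v java) || return 1
    jhome=$(dirname "$(dirname "$(readlink -f "$javabin")")")
    for f in "$jhome/lib/security/java.security" \
             "$jhome/jre/lib/security/java.security" \
             "$jhome/conf/security/java.security"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Stand-alone: report the JVM default, then apply the workaround to the
# thread's install path if it exists on this machine.
if js=$(jvm_java_security); then
    echo "JVM default securerandom.source=$(securerandom_source "$js")"
fi
if [ -d /opt/apache-tomee-plume-1.7.4 ]; then
    add_egd_option /opt/apache-tomee-plume-1.7.4
    echo "setenv.sh now uses egd=$(egd_option /opt/apache-tomee-plume-1.7.4)"
fi
```

The flag only changes where this JVM seeds from; it does nothing for other consumers of /dev/random on the same host (sshd key generation, TLS handshakes in other processes). haveged, the fix paulhr used, feeds the kernel pool itself, so the two are complementary rather than alternatives, and on a VM or a fresh container the daemon is usually the one you want regardless of the JVM setting.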

Re: Three minutes to perform one step during startup.

Romain Manni-Bucau
Does it mean it is better because faster? For crypto concerns I suspect you
will get both points of view because of the reseeding difference, so up to you.

Facts are:
- ./jre/lib/security/java.security contains as default:
securerandom.source=file:/dev/random
- tomcat/tomee only rely on the JVM setup
- urandom is less secure than random on machines with low entropy (check
the 2 paragraphs there
https://github.com/torvalds/linux/blob/5469dc270cd44c451590d40c031e6a71c1f637e8/drivers/char/random.c#L109)
but likely close if the entropy is good enough. That means if it blocks it is
less secure. If you go down in the code you see urandom can reuse the same
seeding where random shouldn't (
https://github.com/torvalds/linux/blob/5469dc270cd44c451590d40c031e6a71c1f637e8/drivers/char/random.c#L987
)

Of course the "is it the case for me" of the last point is the one you have
to decide against to know if urandom is fine or not. Point 1 shows the JVM
choice ;).

To make it even simpler: it depends on the OS; some just ln -s urandom on random
:)



Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-06-18 19:01 GMT+02:00 Bjorn Danielsson <
[hidden email]>:

Re: Three minutes to perform one step during startup.

Bjorn Danielsson
Better because more secure and less unnecessary blocking:

On any normal Linux server, urandom is seeded from /dev/random at boot
time, and from there on it works like any randomly seeded PRNG, except
that it's better than SHA1PRNG since the Linux algorithm has been vetted
by the cryptographic community, and it's also better since urandom can
take advantage of any extra entropy that the kernel makes available as
time passes.

We all know that this is a JVM issue rather than anything to do with
Tomcat or TomEE, but the unnecessary blocking due to suboptimal
SecureRandom initialization tends to be a recurring question on all
kinds of Java platform forums, since many years. And I think the
/dev/./urandom thing is something that deserves to be put to sleep now.

--
Bjorn Danielsson
Cuspy Code AB


Romain Manni-Bucau <[hidden email]> wrote:

Re: Three minutes to perform one step during startup.

Romain Manni-Bucau
Everyone will not agree because of this reseeding latency - not only at boot
- but I guess this thread is complete now ;)
On 18 June 2016 21:59, "Bjorn Danielsson" <[hidden email]> wrote: