Tomcat需要太多时间才能启动 - Java SecureRandom [英] Tomcat takes too much time to start - Java SecureRandom
问题描述
请不要将其标记为重复。这是这两个问题的后续问题。
Please don't mark it as duplicate. It is a follow up question for both these questions.
- Tomcat7 starts too late on Ubuntu 14.04 x64 [Digitalocean]
- https://stackoverflow.com/a/2325109/6785908
据我所知,替换
securerandom.source=file:/dev/urandom
with
securerandom.source=file:/dev/./urandom
in $ JAVA_PATH /jre/lib/security/java.security 将解决这个问题。
in $JAVA_PATH/jre/lib/security/java.security will solve this problem.
我的问题是,在生产中这样做是否可以?这会对安全性产生什么影响(如会话ID变得可预测)?如果这不太安全,还有其他方法可以更快地提供足够的熵吗?
My question is, is it ok to do so in production? Will this have any impact on security (like Session ID becoming predictable)? If this is less secure, is there any other way to give enough entropy quicker?
我使用用于部署的openstack(或者只是说,使用AWS或GCP或任何其他云提供商)。因此,添加声卡等硬件设备对我来说不是一个选择。
I use openstack for deployment (or let's just say, uses AWS or GCP or any other cloud provider). So, adding a hardware device such as soundcard is not an option for me.
推荐答案
使用正确的搜索条件进行了一些广泛的Google搜索,我在 DigitalOcean 。我只是在这里引用相关部分。
After some extensive Googling with the right search terms, I came across this nice article on DigitalOcean. I am merely quoting the relevant part here.
Linux上有两种常规随机设备:/ dev / random和
/开发/ urandom的。最好的随机性来自/ dev / random,因为它是一个
阻塞设备,并将等到足够的熵可用
继续提供输出。假设你的熵足够,你b $ b应该从/ dev / urandom看到相同的随机性质;但是,
因为它是一个非阻塞设备,它将继续产生随机
数据,即使熵池耗尽也是如此。这可能导致较低的
质量随机数据,因为重复先前数据的可能性更大。
当
生产服务器上的可用熵低时,可能会发生很多不好的事情,特别是当此服务器执行加密的
函数时。
There are two general random devices on Linux: /dev/random and /dev/urandom. The best randomness comes from /dev/random, since it's a blocking device, and will wait until sufficient entropy is available to continue providing output. Assuming your entropy is sufficient, you should see the same quality of randomness from /dev/urandom; however, since it's a non-blocking device, it will continue producing "random" data, even when the entropy pool runs out. This can result in lower quality random data, as repeats of previous data are much more likely. Lots of bad things can happen when the available entropy runs low on a production server, especially when this server performs cryptographic functions.
因此,它存在潜在的安全风险。
So, its a potential security risk.
Linux已经从
不同的硬件源获得了非常优质的随机数据,但由于无头机器通常
没有键盘或鼠标,因此产生的熵少得多。磁盘
和网络I / O代表这些机器的大部分熵产生源
,这些产生非常稀疏的熵量。
由于很少有像服务器或云服务器/虚拟
机器这样的无头机器可以使用任何类型的专用硬件RNG解决方案,因此需要使用硬件生成多个用户空间解决方案来生成额外的熵
中断来自比硬盘
磁盘更嘈杂的设备,如视频卡,声卡等。这再次证明
不幸是服务器的问题,因为它们通常不包含
其中一个
Linux already gets very good quality random data from the different hardware sources, but since a headless machine usually has no keyboard or mouse, there is much less entropy generated. Disk and network I/O represent the majority of entropy generation sources for these machines, and these produce very sparse amounts of entropy. Since very few headless machines like servers or cloud servers/virtual machines have any sort of dedicated hardware RNG solution available, there exist several userland solutions to generate additional entropy using hardware interrupts from devices that are "noisier" than hard disks, like video cards, sound cards, etc. This once again proves to be an issue for servers unfortunately, as they do not commonly contain either one
解决方案:已经
Solution: haveged
基于HAVEGE原理,以前基于其关联的
库,hasged允许根据处理器上
代码执行时间的变化生成随机性。因为一块代码几乎不可能花费相同的时间来执行,即使在相同硬件上的
相同环境中,运行单个
或多个程序的时间也应该如此适合播种随机来源。在反复执行循环后,使用处理器时间戳计数器
(TSC)中的差异,
强制实现种子系统的随机源(通常为
/ dev / random)
Based on the HAVEGE principle, and previously based on its associated library, haveged allows generating randomness based on variations in code execution time on a processor. Since it's nearly impossible for one piece of code to take the same exact time to execute, even in the same environment on the same hardware, the timing of running a single or multiple programs should be suitable to seed a random source. The haveged implementation seeds your system's random source (usually /dev/random) using differences in your processor's time stamp counter (TSC) after executing a loop repeatedly
如何安装hasged
这篇关于Tomcat需要太多时间才能启动 - Java SecureRandom的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
