tags:

views:

43

answers:

2
+1  Q: 

How to speedup Tomcat SSL init

I am doing development of a Tomcat webapp and need to be able to restart Tomcat to load code changes. However, sometimes Tomcat takes a long time to startup as the main thread is stalled in the following place:

java.lang.Thread.State: RUNNABLE
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:214)
- locked <119e583> (a java.lang.Class)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:83)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:770)
at org.apache.catalina.startup.Catalina.load(Catalina.java:530)
at org.apache.catalina.startup.Catalina.load(Catalina.java:550)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)

This stall is caused by the available entropy (as shown by running cat /proc/sys/kernel/random/entropy_avail) is too low.

When I am developing code I don't care if the SSL engine is initialised with a good random number.

Is there any way for me to dump some fake entropy into /dev/rnd or force Tomcat to use some fake entropy?

I can push up the entropy more quickly by running "find /" but this takes a while to produce enough entropy.

+2  A: 

You could use /dev/urandom in a development environment, as it is faster (and obviously less secure) than /dev/random.

Note - This does not work in Windows, and I would expect that it is not required on Windows as the problem only manifests with usage of /dev/random. Windows uses Microsoft Crypto API (CAPI) when the /dev/random string is used to state the required PRNG source (i.e. the securerandom.source property in the JRE_HOME/lib/security/java.security file).

EDIT

Based on the other answer which requires setting the RANDFILE environment variable, the solution described here is applicable when the non-native (i.e. JSSE) implementation is used for SSL in Tomcat.

Vineet Reynolds  2010-08-18 10:57:59
My Tomcat instance is running on Linux. Adding -Djava.security.egd=file:/dev/./urandom to my list of command line args seems to have no effect - startup is still very slow when the entropy pool is low. I am using Java HotSpot(TM) Server VM (build 10.0-b23, mixed mode). Is there any reason why a command line override of this property would be ignored by Java? In particular, my java.security file contains the line securerandom.source=file:/dev/urandom. Can the command line option override this?
mchr  2010-08-18 12:44:10
Setting securerandom.source=file:/dev/./urandom in java.security still seems to have no effect on startup times. Maybe tomcat.jni.SSL.initialize is hardcoded to use /dev/random?
mchr  2010-08-18 12:47:24
@mchr, can you try executing the following commands to verify that urandom is indeed faster than random on your installation: 1) cat /dev/random 2) cat /dev/urandom . On a test VMWare instance of mine, where random is meant to be slower than urandom, I can see a noticeable change in speed. It should be more or less the same for you.
Vineet Reynolds  2010-08-18 13:45:49
I have found a solution for this - I'll post it a bit later when I'm back at my pc :)
mchr  2010-08-18 16:40:42
+1  A: 

Setting the environment variable RANDFILE to "/dev/urandom" makes Tomcat use this source for SSL init.

mchr  2010-08-18 17:38:19
Ah well, it was OpenSSL then - http://www.openssl.org/support/faq.cgi#USER1 . I'm afraid I missed looking at the JNI call in the stacktrace that also contained references to the AprLifecycleListener. But that explains why setting java.security.egd did not work. Tomcat was using APR which uses OpenSSL and not JSSE.
Vineet Reynolds  2010-08-18 18:17:43

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java