Slow startup on Tomcat 7.0.57 because of SecureRandom

Question

I\'m using Tomcat 7.0.57 on CentOS 6.6 32 bit and openJDK7. When I start 14 different instances of Tomcat on my server(production environment), many of them take too much ti

Answer 1

Here are some specific instructions to adjust just tomcat as per Henry's answer

create /etc/tomcat/fastersecurerandom.properties

securerandom.source=file:/dev/urandom

edit JAVA_OPTS inside /etc/tomcat/tomcat.conf

JAVA_OPTS="-Djava.security.properties=/etc/tomcat/fastersecurerandom.properties"

FYI I found I could not set multiple JAVA_OPTS with JAVA_OPTS="$JAVA_OPTS ..." despite the commented out examples. Poor old confused tomcat 7 wouldn't start as per a warning in /var/log/messages

On different versions/flavours you may find variations on where is best to set the environment variables for tomcat. The best way to debug if they are taking affect is is to check the command running like this:

$ ps aux | grep java
tomcat    4821  4.7 13.9 2626888 263396 ?      Ssl  22:31   0:23 /usr/lib/jvm/jre/bin/java -DJENKINS_HOME=/opt/jenkins/ -Xmx512m -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true -Djava.security.properties=/etc/tomcat/fastersecurerandom.properties -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Answer 2

Instead of changing the file java.security directly, at least with Java 8 it documents to support the following system property already:

-Djava.security.egd=file:/dev/random

In the context of Tomcat, that can be used to create a file bin/setenv.sh containing the following line:

CATALINA_OPTS=-Djava.security.egd=file:///dev/urandom

Answer 3

The secure random calls may be blocking as there is not enough entropy to feed them in /dev/random.

If you have the line

securerandom.source=file:/dev/random

in /jre/lib/security/java.security, changing this to urandom may improve things (although this is probably already the default).

Alternatively there are some suggestions on how to feed the pool here

https://security.stackexchange.com/questions/89/feeding-dev-random-entropy-pool

Answer 4

I changed /jre/lib/security/java.security, below: securerandom.source=file:/dev/./urandom

Answer 5

I faced same issue of tomcat being too slow to start. I followed this article on DigitalOcean and installed haveged instead of using urandom.

haveged is a solution which will not compromise on security.

haveged allows generating randomness based on variations in code execution time on a processor. Since it's nearly impossible for one piece of code to take the same exact time to execute, even in the same environment on the same hardware, the timing of running a single or multiple programs should be suitable to seed a random source. The haveged implementation seeds your system's random source (usually /dev/random) using differences in your processor's time stamp counter (TSC) after executing a loop repeatedly

How to install haveged

Follow the steps in this article. https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged

I have posted it here

Answer 6

@KCD s answer above almost worked for me, I needed to massage it a bit - as follows:

1) my tomcat was tomcat7 , so I created my fastersecurerandom.properties file in the /etc/tomcat7 directory,

2) As per another page, I had to change contents of fastersecurerandom.properties from

securerandom.source=file:/dev/urandom

to

securerandom.source=file:/dev/./urandom

3) I didn't have a tomcat.conf file, so I added to my /etc/init.d/tomcat7 (tomcat's startup script - I know) , just before the line - catalina_sh() {

JAVA_OPTS="$JAVA_OPTS -Djava.security.properties=/etc/tomcat7/fastersecurerandom.properties"

Note I added 7 to tomcat here too.

It was worthwhile doing a ps -deaf | grep tomcat to first confirm that the new -D setting was getting through to the command, and also to check that it was referring to the correct file, and that the file was there. This is when I noticed the missing 7.

I was on Java 1.7, and on Ubuntu 14.04.1.