On 03/10/2014 20:41, Rainer Jung wrote:
On 03.10.2014 at 14:01, Christopher Schultz wrote:

Martin,

On 10/3/14 5:48 AM, Martin Hamant wrote:
On 03/10/2014 11:26, Martin Hamant wrote:


The virtual (qemu) server runs with 4GB RAM

Sorry, the hypervisor is KVM. The VM is running on top of
OpenStack. So... this could lead somewhere, as I am reading
http://blog.dustinkirkland.com/2012/10/entropy-or-lack-thereof-in-openstack.html

OpenStack or not, running on a VM usually means that the underlying OS
is providing the source of entropy. If your physical machine is
heavily virtualized, you may have multiple entropy sinks constantly
draining your source(s) of entropy.

If you wait for a while, things will recover. If you find you are
constantly blocking waiting for more randomness to be available from
your random source, you basically have 3 options:

1. Suffer through it. Just keep waiting.

2. Use a poor source of randomness, like /dev/urandom on Linux.
    I wouldn't recommend this for any kind of production deployment,
    since the entropy source is "watered-down". You can't rely on it
    for important things like encryption (including SSL) and really
    anything that requires random numbers that are as random as
    possible (like session ids).

3. Get yourself a hardware entropy source. You can buy USB keys that
    do this kind of thing. Make sure whatever you get is compatible
    with your OS and accessible by Java (better yet, get one that will
    simply dump its randomness into /dev/random).

... and in case you are heading for the urandom solution and are using JDK before 8, you should use e.g.

Thanks both of you for your help.



-Djava.security.egd=file:/dev//urandom

and *not*

-Djava.security.egd=file:/dev/urandom

And what about using haveged (so no need to alter setenv.sh) in the VM vs. using /dev/urandom? I read about it here: http://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines

The small C program returns values between 20-30 in my VM, but as specified it doesn't guarantee anything...

- Waiting 10 min for Tomcat to start is a pain
- Getting a USB hardware device for that is like walking on your head.

So... I am considering using haveged or urandom
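
A diagnostic along the lines discussed in this thread, added here as an example and not written by any of the posters: it reads the Linux kernel's entropy estimate and reports which form of the `java.security.egd` setting is present in the JVM options. The function names, the `JDK_MAJOR` variable and the 200 threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch. Function names, JDK_MAJOR and the 200 threshold
# are assumptions for illustration; they do not come from the thread.

# egd_value OPTS: print the last -Djava.security.egd=... value in OPTS, if any.
egd_value() {
    for opt in $1; do
        case "$opt" in
            -Djava.security.egd=*) printf '%s\n' "${opt#-Djava.security.egd=}" ;;
        esac
    done | tail -n 1
}

# classify_egd JDK_MAJOR OPTS: say which form of the setting is in use.
classify_egd() {
    value=$(egd_value "$2")
    case "$value" in
        "") echo "unset" ;;
        file:/dev/urandom)
            # The literal form the thread says not to use before JDK 8.
            if [ "$1" -lt 8 ]; then echo "literal-urandom-pre8"; else echo "urandom"; fi ;;
        file:/dev/*urandom) echo "urandom" ;;   # e.g. file:/dev//urandom
        *) echo "other" ;;
    esac
}

# pool_state [FILE] [THRESHOLD]: compare the kernel's entropy estimate
# with a threshold; "unknown" if the file is missing or not a number.
pool_state() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    threshold=${2:-200}
    [ -r "$file" ] || { echo "unknown"; return 0; }
    read -r bits < "$file" || true
    case "$bits" in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if [ "$bits" -lt "$threshold" ]; then echo "low"; else echo "ok"; fi ;;
    esac
}

# Stand-alone run: report on this host, using CATALINA_OPTS and JAVA_OPTS.
echo "entropy pool: $(pool_state)"
echo "egd setting:  $(classify_egd "${JDK_MAJOR:-7}" "${CATALINA_OPTS:-} ${JAVA_OPTS:-}")"
```

Run it inside the VM before and after starting haveged to compare the pool state, with `JDK_MAJOR` set to the major version of the JDK that Tomcat uses.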
