Slow startup on Tomcat 7.0.57 because of SecureRandom

Question

I'm using Tomcat 7.0.57 on CentOS 6.6 32 bit and openJDK7. When I start 14 different instances of Tomcat on my server(production environment), many of them take too much time to start.

This is part of the startup log, which tells me where is taking all the time

Jan 28, 2015 2:49:41 PM org.apache.catalina.util.SessionIdGenerator createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [199,620] milliseconds.

What's the best practice/solution for this problem?

Thanks!

Answer 1

I faced same issue of tomcat being too slow to start. I followed this article on DigitalOcean and installed haveged instead of using urandom.

haveged is a solution which will not compromise on security.

haveged allows generating randomness based on variations in code execution time on a processor. Since it's nearly impossible for one piece of code to take the same exact time to execute, even in the same environment on the same hardware, the timing of running a single or multiple programs should be suitable to seed a random source. The haveged implementation seeds your system's random source (usually /dev/random) using differences in your processor's time stamp counter (TSC) after executing a loop repeatedly

How to install haveged

Follow the steps in this article. https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged

I have posted it here

Answer 2

The secure random calls may be blocking as there is not enough entropy to feed them in /dev/random.

If you have the line

securerandom.source=file:/dev/random

in /jre/lib/security/java.security, changing this to urandom may improve things (although this is probably already the default).

Alternatively there are some suggestions on how to feed the pool here

https://security.stackexchange.com/questions/89/feeding-dev-random-entropy-pool

Answer 3

Here are some specific instructions to adjust just tomcat as per Henry's answer

create /etc/tomcat/fastersecurerandom.properties

securerandom.source=file:/dev/urandom

edit JAVA_OPTS inside /etc/tomcat/tomcat.conf

JAVA_OPTS="-Djava.security.properties=/etc/tomcat/fastersecurerandom.properties"

FYI I found I could not set multiple JAVA_OPTS with JAVA_OPTS="$JAVA_OPTS ..." despite the commented out examples. Poor old confused tomcat 7 wouldn't start as per a warning in /var/log/messages

On different versions/flavours you may find variations on where is best to set the environment variables for tomcat. The best way to debug if they are taking affect is is to check the command running like this:

$ ps aux | grep java
tomcat    4821  4.7 13.9 2626888 263396 ?      Ssl  22:31   0:23 /usr/lib/jvm/jre/bin/java -DJENKINS_HOME=/opt/jenkins/ -Xmx512m -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true -Djava.security.properties=/etc/tomcat/fastersecurerandom.properties -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Answer 4

Instead of changing the file java.security directly, at least with Java 8 it documents to support the following system property already:

-Djava.security.egd=file:/dev/random

In the context of Tomcat, that can be used to create a file bin/setenv.sh containing the following line:

CATALINA_OPTS=-Djava.security.egd=file:///dev/urandom

Answer 5

I changed /jre/lib/security/java.security, below: securerandom.source=file:/dev/./urandom

Answer 6

@KCD s answer above almost worked for me, I needed to massage it a bit - as follows:

1. my tomcat was tomcat7 , so I created my fastersecurerandom.properties file in the /etc/tomcat7 directory,

2. As per another page, I had to change the contents of fastersecurerandom.properties from securerandom.source=file:/dev/urandom
   to
   securerandom.source=file:/dev/./urandom

3. I didn't have a tomcat.conf file, so I added to my /etc/init.d/tomcat7 (tomcat's startup script - I know) , just before the line - catalina_sh() {
JAVA_OPTS="$JAVA_OPTS -Djava.security.properties=/etc/tomcat7/fastersecurerandom.properties"

Note: I added 7 to tomcat here too.

It was worthwhile doing a ps -deaf | grep tomcat to first confirm that the new -D setting was getting through to the command, and also to check that it was referring to the correct file, and that the file was there. This is when I noticed the missing 7.

I was on Java 1.7, and on Ubuntu 14.04.1.

Answer 7

configuration spring boot

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().and().csrf().disable()

            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) //using JWT
                .and()
            .authorizeRequests()
                .antMatchers(PUBLIC_ENDPOINTS).permitAll()
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(authFilter(), UsernamePasswordAuthenticationFilter.class);
}

.cors().and().csrf().disable()

Answer 8

Background info

This is not an answer in itself. But it's some background info, in case you're wondering where this log line comes from.

This log line gets triggered when generation takes longer than a tenth of a second (100 miliseconds)

This line used to be level INFO in 2014...

• https://github.com/apache/tomcat/blame/fdd86cf2e0b851aced2f460c765fea5293a30940/java/org/apache/catalina/util/SessionIdGeneratorBase.java#L273

... but got changed to level WARN in 2017...

• https://github.com/apache/tomcat/commit/d0fc016424c2110fdf40fd02fb90b23a6bba150c

...to make it stand out more in the logs. The motivation for that change was this bug report here:

• Bug 61180 - Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Source

The message is triggered here: https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/util/SessionIdGeneratorBase.java#L272

long t2 = System.currentTimeMillis();
if ((t2 - t1) > 100) {
log.warn(sm.getString("sessionIdGeneratorBase.createRandom",
        result.getAlgorithm(), Long.valueOf(t2 - t1)));
}

And the human readable English text comes from here: https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/util/LocalStrings.properties#L46

sessionIdGeneratorBase.createRandom=Creation of SecureRandom instance for session ID generation using [{0}] took [{1}] milliseconds.

Answer 9

if in case you are using spring security add web security class.

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
        http.cors();
     //other configure params.
        http.csrf().disable();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        CorsConfiguration corsConfiguration = new CorsConfiguration().applyPermitDefaultValues();
        corsConfiguration.addAllowedHeader("*");
        corsConfiguration.addAllowedMethod("*");
        corsConfiguration.addAllowedOrigin("*");
        corsConfiguration.setAllowCredentials(true);
        source.registerCorsConfiguration("/**", corsConfiguration);

        return source;
    }
}

Answer 10

In spring boot, u can use this code block:

   @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository())
            .requireCsrfProtectionMatcher(httpServletRequest -> httpServletRequest.getMethod().equals("none"));
    return http.build();
}

its ok for me!!