Fresh IdP - idp-process.log shows 15 min gap

Cameron Kerr cameron.kerr at otago.ac.nz
Wed Mar 7 22:34:14 EST 2018


Users of Java stacks running in VMWare (no hardware RNG support exposed) would (should) know this issue well, which is due to a very long-standing bug and may or may not be fixed somewhere in the Java 8 line (I still strike it, and I've learned to make it one of the first things I look at when looking at performance issues).

Just remember to set it to /dev/./urandom, and not just /dev/urandom (i.e. something that does not strcmp to "/dev/urandom")

-Dsecurerandom.source=file:/dev/./urandom   or put it in java.security (every time you update the JVM)

Another thing I do across our fleet is to increase the threshold (a sysctl) at which it starts refilling, as the default of 64 is too low for a virtual server, where the only remaining source of entropy is hard disk activity.

# FILE: /etc/sysctl.d/99-local-random.conf
# Use 'sysctl --system' for this to take effect.
#
# Cause the kernel to start collecting entropy earlier.
# This is a big win for VMWare VMs, particularly those
# running things like Java (lots of background crypto).
kernel.random.read_wakeup_threshold = 1024


Tip: for installer-type environments you can also set this at the OS-process level using 'unshare' and bind-mounts. Might be of interest to people doing scripted deploys; been useful for my work in Ansible with systems that like to do things like generate keys. https://distracted-it.blogspot.co.nz/2017/03/installer-or-command-that-hangs-use.html

Hope that helps save someone's day.

Cheers,
Cameron
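An added audit helper for the two settings discussed above (example code, not from the original mail or the Shibboleth project): it checks the securerandom.source spelling in a java.security file and the read_wakeup_threshold in a sysctl conf file. It assumes a local policy that the threshold must be at least 1024 (the value used in the snippet) and treats file:///dev/urandom as another acceptable spelling that differs from the literal string.

```shell
# Added audit helpers, not from the original mail or the Shibboleth IdP.
# Assumed local policy: read_wakeup_threshold of at least 1024 (the post's value).
MIN_WAKEUP_THRESHOLD=1024

# 0 if VALUE is a securerandom.source that will not fall back to blocking
# /dev/random: the JDK special-cases the literal strings file:/dev/random and
# file:/dev/urandom, so only a spelling that differs from both (such as the
# /dev/./urandom form from the post) selects the non-blocking device.
securerandom_source_ok() {
    case "$1" in
        file:/dev/urandom|file:/dev/random) return 1 ;;
        file:/dev/./urandom|file:///dev/urandom) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective securerandom.source from a java.security file
# (last non-comment assignment wins, as in a properties file).
java_security_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print kernel.random.read_wakeup_threshold from a sysctl conf file.
sysctl_threshold() {
    sed -n 's/^[[:space:]]*kernel\.random\.read_wakeup_threshold[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# 0 if FILE raises the threshold to at least MIN_WAKEUP_THRESHOLD.
sysctl_threshold_ok() {
    v=$(sysctl_threshold "$1")
    [ -n "$v" ] && [ "$v" -ge "$MIN_WAKEUP_THRESHOLD" ]
}

# Audit java.security ($1) and sysctl conf ($2); prints one line per check and
# returns the number of problems found (0 means both settings match the post).
audit_entropy_config() {
    problems=0
    src=$(java_security_source "$1")
    if securerandom_source_ok "$src"; then
        echo "OK   securerandom.source=$src"
    else
        echo "WARN securerandom.source='$src' may block on /dev/random; use file:/dev/./urandom"
        problems=$((problems + 1))
    fi
    if sysctl_threshold_ok "$2"; then
        echo "OK   read_wakeup_threshold=$(sysctl_threshold "$2")"
    else
        echo "WARN read_wakeup_threshold not >= $MIN_WAKEUP_THRESHOLD in $2"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as `audit_entropy_config /path/to/java.security /etc/sysctl.d/99-local-random.conf` after each JVM update, since the java.security file is replaced along with the JVM.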

> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor,
> Scott
> Sent: Thursday, 8 March 2018 16:03
> To: Shib Users <users at shibboleth.net>
> Subject: RE: Fresh IdP - idp-process.log shows 15 min gap
> 
> > During this process I did a cat /proc/sys/kernel/random/entropy_avail
> > and it was at 21, now it is at 105. Not sure if that matters or not.
> 
> I forgot the entropy issue, you've probably neglected to change the Java
> default to use a non-blocking random source. I believe that's documented.
> 
> I'm fascinated that you would have thought to look, but having done so,
> you've answered your own question.
> 
> -- Scott
> 
