Fresh IdP - idp-process.log shows 15 min gap

Cameron Kerr cameron.kerr at
Wed Mar 7 22:34:14 EST 2018

Users of Java stacks running in VMWare (no hardware RNG support exposed) would (should) know this issue well, which is due to a very long-standing bug and may or may not be fixed somewhere in the Java 8 line (I still strike it, and I've learned to make it one of the first things I look at when looking at performance issues).

Just remember to set it to /dev/./urandom, and not just /dev/urandom (i.e. something that does not strcmp to "/dev/urandom").

-Dsecurerandom.source=file:/dev/./urandom   or put it in (every time you update the JVM)

Another thing I do across our fleet is to increase the threshold (a sysctl) at which it starts refilling, as the default of 64 is too low for a virtual server, where the only remaining source of entropy is hard disk activity.

# FILE: /etc/sysctl.d/99-local-random.conf
# Use 'sysctl --system' for this to take effect.
# Cause the kernel to start collecting entropy earlier.
# This is a big win for VMWare VMs, particularly those
# running things like Java (lots of background crypto).
kernel.random.read_wakeup_threshold = 1024

Tip: useful for installer-type environments; you can also set this at the OS-process level using 'unshare' and bind mounts. Might be of interest to people doing scripted deploys; it has been useful for my work in Ansible with systems that like to do things like generate keys.

Hope that helps save someone's day.


> -----Original Message-----
> From: users [mailto:users-bounces at] On Behalf Of Cantor,
> Scott
> Sent: Thursday, 8 March 2018 16:03
> To: Shib Users <users at>
> Subject: RE: Fresh IdP - idp-process.log shows 15 min gap
> > During this process I did a cat /proc/sys/kernel/random/entropy_avail
> > and it was at 21, now it is at 105. Not sure if that matters or not.
> I forgot the entropy issue, you've probably neglected to change the Java
> default to use a non-blocking random source. I believe that's documented.
> I'm fascinated that you would have thought to look, but having done so,
> you've answered your own question.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-
> unsubscribe at
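The three workarounds discussed in the thread (the JVM seed source, the sysctl drop-in, and the unshare/bind-mount trick for installers) as one added shell example. This is not code from the thread or from the Shibboleth project; it assumes a Linux host with util-linux 'unshare', root for the sysctl and mount steps, and the usual /proc/sys/kernel/random paths. The JVM helper uses the java.security.egd system property, which overrides the securerandom.source entry in java.security.

```shell
#!/bin/sh
# Added example, not from the thread above. Helpers for the workarounds the
# post describes; root, util-linux 'unshare' and the /proc paths are assumed.
# Plain POSIX sh so it drops into an Ansible 'shell' task unchanged.

# 1. JVM seed source. The JDK compares the configured value against the
#    literal strings "file:/dev/random" and "file:/dev/urandom" and, on a
#    match, uses its own seeding path that can block on the kernel pool.
#    "/dev/./urandom" opens the same device but fails that string comparison,
#    so the JDK just reads the file.
jvm_egd_flag() {
    src="${1:-/dev/./urandom}"
    case "$src" in
        /dev/random|/dev/urandom)
            echo "jvm_egd_flag: '$src' is matched literally by the JDK; use /dev/./urandom" >&2
            return 1 ;;
    esac
    printf '%s\n' "-Djava.security.egd=file:$src"
}

# 2. Pool state. On kernels before 5.6 a reader of /dev/random sleeps while
#    entropy_avail is below read_wakeup_threshold. The paths are parameters
#    so the same check can be run against values captured from a VM.
entropy_below_threshold() {
    avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}")
    thr=$(cat "${2:-/proc/sys/kernel/random/read_wakeup_threshold}")
    [ "$avail" -lt "$thr" ]
}

# Write the sysctl drop-in from the post to $1 with threshold $2.
# Apply afterwards with: sysctl --system
write_sysctl_dropin() {
    out="${1:-/etc/sysctl.d/99-local-random.conf}"
    {
        echo '# Wake /dev/random readers sooner on entropy-starved VMs.'
        echo "kernel.random.read_wakeup_threshold = ${2:-1024}"
    } > "$out"
}

# 3. Per-process workaround for installers that insist on /dev/random:
#    bind /dev/urandom over /dev/random inside a private mount namespace,
#    so nothing outside the wrapped command sees the change.
#    Needs CAP_SYS_ADMIN (run as root).
run_with_urandom_as_random() {
    unshare --mount --propagation private \
        sh -c 'mount --bind /dev/urandom /dev/random && exec "$@"' sh "$@"
}

# Usage (as root):
#   JAVA_OPTS="$(jvm_egd_flag)"
#   write_sysctl_dropin && sysctl --system
#   run_with_urandom_as_random ssh-keygen -t ed25519 -N '' -f /tmp/k
```

The bind mount is the only step that changes what a program reading /dev/random actually gets; the sysctl and the JVM flag only change when the existing readers wake up or which device the JDK opens. Note that from Linux 5.6 onward /dev/random no longer blocks once the pool has been initialised, so on current kernels only the JVM flag still matters.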
