Resolving slow startup and request timeouts after Tomcat 8 (or Spring Boot with embedded Tomcat 8) starts

Posted by myflashstore on Tue, 14 May 2019 21:02:14 +0200

After Tomcat 8 (or Spring Boot with embedded Tomcat 8) starts, requests time out and nothing is logged on the back end. The startup log looks like this:

09:34:24.654 [main] INFO  org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer - Tomcat started on port(s): 8888 (http)
09:34:24.658 [main] INFO  com.woooooody.Application - Started Application in 14.332 seconds (JVM running for 14.991)

09:35:54.005 [http-nio-8888-exec-2] INFO  org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/] - Initializing Spring FrameworkServlet 'dispatcherServlet'
09:35:54.006 [http-nio-8888-exec-2] INFO  org.springframework.web.servlet.DispatcherServlet - FrameworkServlet 'dispatcherServlet': initialization started
09:35:54.018 [http-nio-8888-exec-2] INFO  org.springframework.web.servlet.DispatcherServlet - FrameworkServlet 'dispatcherServlet': initialization completed in 12 ms

After a few minutes the requests finally go through, and the log explains where the time went:

09:19:08.349 [http-nio-8888-exec-1] INFO  org.apache.catalina.util.SessionIdGeneratorBase - Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [149,216] milliseconds.
09:19:08.349 [http-nio-8888-exec-3] INFO  org.apache.catalina.util.SessionIdGeneratorBase - Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [128,673] milliseconds.
09:19:08.350 [http-nio-8888-exec-2] INFO  org.apache.catalina.util.SessionIdGeneratorBase - Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [140,384] milliseconds.
09:19:08.351 [http-nio-8888-exec-4] INFO  org.apache.catalina.util.SessionIdGeneratorBase - Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [118,125] milliseconds.

After ruling out other causes, a search turned up the explanation: "Tomcat 8 entropy pool blocking slows startup", see https://blog.csdn.net/chszs/article/details/49494701

The following is reproduced from that post:

Reason

Tomcat 7/8 calls org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom to create the SecureRandom instance used for session ID generation; in the cited case that call took 342 seconds, nearly 6 minutes.

SHA1PRNG is a pseudo-random number generator built on the SHA-1 hash and is designed to be cryptographically strong. Its security rests entirely on the seed, so the seed must come from a good entropy source.

SHA1PRNG obtains that seed from a seed generator whose behaviour depends on configuration:

1) If the java.security.egd system property or the securerandom.source security property is exactly "file:/dev/random" or "file:/dev/urandom", the JVM uses the native seed generator NativeSeedGenerator. On Unix its constructor calls super(), i.e. SeedGenerator.URLSeedGenerator(/dev/random), so in the JDKs the post describes even "file:/dev/urandom" ends up reading the blocking /dev/random device.

2) If either property specifies any other existing URL, SeedGenerator.URLSeedGenerator(url) is used with that URL as written.

That is why values such as "file:///dev/urandom" or "file:/dev/./urandom" work: neither string matches the two special cases, so case 2 applies and the URL is opened as given, which resolves to the non-blocking /dev/urandom.

In the kernel implementation, the generator keeps an estimate of how much noise the entropy pool holds, and random numbers are derived from that pool. A read from /dev/random returns only as many bytes as the pool's entropy estimate covers. /dev/random is meant for scenarios that need the highest quality randomness, such as one-time pads or long-term key generation.

When the entropy pool is empty, a read from /dev/random blocks until enough environmental noise has been collected. The aim is a cryptographically secure generator whose output carries as much entropy as the pool can supply; that is what you want for high-value encryption keys or anything requiring long-term protection, but it is far more than a session ID needs.

So what is environmental noise?

The kernel's random number generator (RNG) feeds timing noise from device drivers (keyboard, mouse, disk and interrupt timings) and other sources into the entropy pool and tracks how much it has gathered. When the pool is empty it takes time to collect more, and a headless server or freshly booted VM produces very little of it. That is why Tomcat can block for minutes in production when its seed generator reads from the blocking pool.

Solve

There are two solutions:

1) Solution in Tomcat environment

Configure the JRE to use a non-blocking entropy source.

Add the JVM option -Djava.security.egd=file:/dev/./urandom in catalina.sh (for example by appending it to JAVA_OPTS or CATALINA_OPTS). For a Spring Boot jar with embedded Tomcat, pass the same -D option on the java command line that launches the jar.

With that option in place, the startup log reports "Server startup in 2912 ms".

2) Solution in JVM environment

Open the file $JAVA_HOME/jre/lib/security/java.security and find the securerandom.source line (its default value is file:/dev/urandom or file:/dev/random depending on the JDK version), for example:

securerandom.source=file:/dev/urandom

replace with

securerandom.source=file:/dev/./urandom

Note that this changes the default for every application run on that JDK, and that a -Djava.security.egd option on the command line still overrides it. Using /dev/urandom for session IDs is not a weakening: once the kernel pool has been initialised its output is just as unpredictable, and the blocking behaviour of /dev/random buys nothing for this use.
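To reproduce the delay described under Reason and to confirm that either fix above took effect, the following added Java program (my own example, not Tomcat's or the cited post's code) does what SessionIdGeneratorBase.createSecureRandom does: it obtains a SHA1PRNG SecureRandom, forces its self-seeding with a first nextInt() call, and reports how long that took together with the effective egd/securerandom.source settings and the kernel's entropy estimate. The class name SeedTimingCheck is mine, and the /proc/sys/kernel/random/entropy_avail path assumes Linux.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

/**
 * Times the creation and first use of a SecureRandom, the same two steps
 * Tomcat performs in SessionIdGeneratorBase.createSecureRandom.
 *
 * Build and run (example invocations, not part of the original post):
 *   javac SeedTimingCheck.java
 *   java SeedTimingCheck                                          # JDK default source
 *   java -Djava.security.egd=file:/dev/./urandom SeedTimingCheck  # the fix from the post
 *   java SeedTimingCheck NativePRNG                               # compare another algorithm
 */
public class SeedTimingCheck {

    // Linux exposes the kernel's current entropy estimate here (assumption: Linux host).
    static final Path ENTROPY_AVAIL = Paths.get("/proc/sys/kernel/random/entropy_avail");

    /**
     * Creates a SecureRandom for the given algorithm and forces seeding with a first
     * nextInt(); returns the elapsed wall-clock time in milliseconds.
     * SHA1PRNG seeds itself lazily on first output, so the delay shows up here,
     * exactly as it does on Tomcat's first session ID.
     */
    static long timeSeeding(String algorithm) throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        SecureRandom rnd = SecureRandom.getInstance(algorithm);
        rnd.nextInt(); // first output triggers seeding from the configured entropy source
        return (System.nanoTime() - start) / 1_000_000L;
    }

    /** Reads the kernel entropy estimate, or a short reason why it is unavailable. */
    static String readEntropyAvail() {
        try {
            return Files.readAllLines(ENTROPY_AVAIL).get(0).trim();
        } catch (Exception e) {
            return "n/a (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        String algorithm = args.length > 0 ? args[0] : "SHA1PRNG";

        // The system property overrides the security property, so print both to see which applies.
        System.out.println("java.security.egd      = " + System.getProperty("java.security.egd"));
        System.out.println("securerandom.source    = " + Security.getProperty("securerandom.source"));
        System.out.println("entropy_avail (before) = " + readEntropyAvail());

        long ms = timeSeeding(algorithm);

        System.out.println("Seeding " + algorithm + " took " + ms + " ms");
        System.out.println("entropy_avail (after)  = " + readEntropyAvail());
    }
}
```

Run it once with the JDK defaults and once with -Djava.security.egd=file:/dev/./urandom on the same machine: on a low-entropy host the first run stalls in timeSeeding for seconds to minutes, the second returns in a few milliseconds. Every SecureRandom instance seeds itself independently, which is why the four Tomcat exec threads in the log above each paid the cost. On Linux 5.6 and later /dev/random no longer blocks once the pool has been initialised, so the stall is mainly seen on older kernels and on freshly booted VMs or containers.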

The following is my supplement:

How to find the Java installation path on Linux so you can edit the java.security file:

# which java
/usr/bin/java

# ls -lrt /usr/bin/java
lrwxrwxrwx 1 root root 22 May  7 13:13 /usr/bin/java -> /etc/alternatives/java

# ls -lrt /etc/alternatives/java
lrwxrwxrwx 1 root root 73 May  7 13:13 /etc/alternatives/java -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/bin/java

# cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/

# vim lib/security/java.security 
