티스토리 뷰
여기에서 가져옴
WebLogic Server and entropy
After input from Jacco H. Landlust and Edwin Biemond I have rewritten my post about entropy.
Overview
- Entropy pool
- Monitoring entropy
- Using /dev/urandom
- CONFIG_JVM_ARGS
- setDomainEnv.sh
- JRE – java.security
- rngd daemon
- Additional information
Entropy pool
In computing you often need random numbers. They are used for encrypting stuff but also for lots of other things.
For Linux servers random numbers are default provided by the /dev/random device. /dev/random is a pool of random bits and it is called the entropy pool. The bits are calculated from user-triggered events (keystroke, disk I/O, mouse clicks etc).
/dev/random is a blocking device. When there is not enough random bits left it will block and the process that are reading from it will hang until more random bits has been generated.
Sometimes you will experience that it takes ages to start a Node Manager or a WebLogic Server, this will often be because of low entropy.
I often experience this since I install WebLogic on a lot of new servers. It happens both for virtual servers and physical servers.
In the past I have been scratching my head for 10+ minutes for the initial start of the Node Manager on a powerful Blade without any load.
Monitoring entropy
The default size of the entropy pool is 4096 bits. You can see the size here.
1 | cat /proc/sys/kernel/random/poolsize |
You can see how much entropy is available via:
1 | cat /proc/sys/kernel/random/entropy_avail |
Or use watch if you want to display it every second:
1 | watch -n 1 cat /proc/sys/kernel/random/entropy_avail |
If you are testing and want to drain the server for entropy you can use this script.
Using /dev/urandom
A way to solve the problem with /dev/random is to use the /dev/urandom device instead. It does not block when it runs out of user-triggered data, instead it reuses the bits it have left.
This of cause means that it is not as random as /dev/random and therefore not as secure.
I never use /dev/urandom on production servers, but how big a security issue urandom is I don’t know. If the entropy pool is not depleted often I assume that it is not a big issue.
Here is mentioned that /dev/urandom is not recommended for generation of long-term keys. So you should probably not use it for SSL private keys etc.
You can use /dev/urandom in different places. Here are 4 examples.
CONFIG_JVM_ARGS
You can use urandom when you configure a new domain.
For example:
1 2 | export CONFIG_JVM_ARGS="-Djava.security.egd=file:/dev/./urandom"/u01/app/oracle/product/fmw/wlserver_12.1/common/bin/config.sh |
Notice that you need to obfuscate the path to /dev/urandom a bit by using /dev/./urandom. Java has a “feature” where it will default to use /dev/random if you use /dev/urandom.
I don’t understand why this is but it has apparently been the case since 1.5.
setDomainEnv.sh
This will cover all the WebLogic Servers in the domain.
1 2 3 4 5 | if [ "${USER_MEM_ARGS}" != "" ] ; then MEM_ARGS="${USER_MEM_ARGS} export MEM_ARGSfiMEM_ARGS="${MEM_ARGS} -Djava.security.egd=file:/dev/./urandom" |
JRE – java.security
The JRE contains a file we you can configure where it should get its entropy from. This will cover all the WebLogic domains that use the JRE, but you will have to remember to change the file every time you install a new JRE version/patch.
1 | $JAVA_HOME/jre/lib/security/java.security |
Default /dev/urandom is configured, but as mentioned this is ignored by Java.
1 2 | #securerandom.source=file:/dev/urandomsecurerandom.source=file:/dev/./urandom |
rngd daemon
You can use the rngd tool to feed random bits directly to the entropy pool. rngd is meant to be used to help out if you use a hardware random number generator, but can also help without one.
This will generate random bits via /dev/urandom and feed it to /dev/random.
1 | rngd -r /dev/urandom -o /dev/random -b |
It will keep adding bits to the entropy pool until the size is 2048 bits.
I use this if I have a production servers that is stuck because of low entropy.
rngd is from the rng-tools package and it has been installed by default on the Red Hat servers where I have used it.
You can also use rngd as service. It will continually monitor the entropy pool and add bits when needed.
You configure it by editing /etc/sysconfig/rngd.
1 | EXTRAOPTIONS="-i -r /dev/urandom -o /dev/random -b" |
This will every 60 seconds add bits to the entropy pool until the size is 2048. You can change the interval and size via the -t 60 and -W 2048 parameters. Notice that if you decrease the time or increase the size more of the entropy will come from /dev/urandom.
Add the service.
1 2 3 4 | cd /etc/init.dchkconfig --add rngdchkconfig --level 35 rngd onchkconfig --list rngd |
Start it.
1 2 | cd /etc/init.d./rngd start |
Additional information
“How to diagnose a Linux entropy issue on WebLogic Server instances? (Doc ID 1574979.1)”
“E1: OS: Linux Servers Hang or Have Delays on Any JAVA Process Affecting Performance (Doc ID 1525645.1)”
“Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust”
'WAS > WebLogic' 카테고리의 다른 글
| 서버 및 가상 서버 시작 (0) | 2017.08.14 |
|---|
- Total
- Today
- Yesterday
- yum
- 디스크 추가
- ld 옵션
- CMAKE_OSX_SYSROOT
- physicaldisk
- firewall-cmd service
- fielddata
- virtualbox
- pfctl
- 파티션 추가
- install
- _status
- mirrorlist
- update
- lvm 늘리기
- CLion
- Ignoring CMAKE_OSX_SYSROOT value
- lvremove
- postgresql11
- linux
- _stats
- noipath
- vgcreate
- aix ld
- fielddata=true
- aix compile
- firewalld
- 센트6
- 물리디스크
- pf.anchors
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |