Problem

The JS7 - Credential Store can be used in a number of places. If access to a Credential Store is slow, you are probably hit by a problem with your entropy pool settings. This problem typically occurs on Unix operating systems. It is not related to JS7.

The article explains why this happens and what you can do about it.

Entropy Pool Issues

The connection to a Credential Store requires random numbers to encrypt the connection. Java releases before 12 use the /dev/random file for high-quality randomness. However, when the entropy pool falls below 64 units, /dev/random blocks while random numbers are read from it.

Java can be configured to read random numbers from the /dev/urandom file instead. Unlike /dev/random, /dev/urandom does not block if random numbers are not immediately available.

Check Entropy Pool Issues (Unix)

Check Entropy Pool Configuration

You can check available entropy pool units with the command:

Check entropy availability on Unix
cat /proc/sys/kernel/random/entropy_avail

If the "entropy_avail" result is too small (assume that some 40 bytes of secure random numbers are required), you have to increase the pool by producing environmental noise. This can be a hurdle when you operate a headless server (no console), as the noise is produced by keyboard, mouse, logins etc.

Check the entropy pool size (normally 4096) with the command:

Check entropy pool size on Unix
cat /proc/sys/kernel/random/poolsize

The /dev/random file delivers the next random number only when the pool holds more than 64 entropy units and otherwise blocks any application accessing the entropy pool. Such blocking can substantially delay access to a Credential Store.

Check Temporary Resolution

To verify that the entropy pool is the root cause of this issue, try the following (requires root permissions):

Make /dev/random symlink to /dev/urandom
rm /dev/random
ln -s /dev/urandom /dev/random

If this solves your problem, the connection to the Credential Store was not able to get random numbers from the OS in good time. Please note that the effect of the above commands is reverted on reboot.

Monitor Entropy Pool Use

You can check the use of random numbers by running the following commands in two separate console windows:

Monitor use of random numbers with Unix
while true
do
    cat /proc/sys/kernel/random/entropy_avail
    sleep 1
done

Run test for random numbers with Unix
# initial test
dd if=/dev/random of=/dev/null bs=1024 count=1 iflag=fullblock

# full test (should rngtest be available)
rngtest -c 100 </dev/random

Resolve Entropy Pool Issues

There are two alternative solutions: modifying the Java security settings or modifying the Java options in use.

Both solutions apply to Unix and Windows operating systems.

Modify Java Security Configuration

Java holds its security configuration in a file such as ./jre/lib/security/java.security or ./conf/security/java.security; the exact location depends on the Java version in use. You can modify this file to point to /dev/urandom instead of /dev/random like this:

Modification to java.security file
# original configuration
# securerandom.source=file:/dev/random

# updated configuration
securerandom.source=file:/dev/urandom

Modify Java Options

Modify the JAVA_OPTIONS environment variable for use with an Agent like this:

Set JAVA_OPTIONS
JAVA_OPTIONS="-Djava.security.egd=file:///dev/urandom"
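The checks and both resolutions above can be verified from one script. The following is an added example, not code from the JS7 documentation: it classifies the kernel entropy state using the 64-unit blocking threshold quoted in this article, reads the effective securerandom.source from a java.security file (ignoring the commented-out original line), and extracts the java.security.egd setting from a JAVA_OPTIONS string. The function names and the "low" classification (less than 10% of the pool filled) are my own assumptions.

```sh
#!/bin/sh
# Added example, not part of the JS7 documentation. Function names and the
# "low" classification are my own; the 64-unit blocking threshold is the one
# the article quotes for /dev/random.
BLOCK_THRESHOLD=64

# entropy_status AVAIL POOLSIZE -> "blocking" if /dev/random would block,
# "low" if less than 10% of the pool is filled (own heuristic), else "ok"
entropy_status() {
    avail=$1
    poolsize=$2
    if [ "$avail" -lt "$BLOCK_THRESHOLD" ]; then
        echo blocking
    elif [ $((avail * 10)) -lt "$poolsize" ]; then
        echo low
    else
        echo ok
    fi
}

# read_entropy_status -> classify the live kernel values (Linux /proc only)
read_entropy_status() {
    entropy_status "$(cat /proc/sys/kernel/random/entropy_avail)" \
                   "$(cat /proc/sys/kernel/random/poolsize)"
}

# java_securerandom_source FILE -> effective securerandom.source of a
# java.security file; commented-out lines (like the original setting the
# article shows) are ignored and the last active assignment wins
java_securerandom_source() {
    value=$(sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$value" ]; then echo "$value"; else echo unset; fi
}

# egd_from_java_options "OPTIONS" -> value of -Djava.security.egd, or "unset"
egd_from_java_options() {
    value=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Djava\.security\.egd=//p' | tail -n 1)
    if [ -n "$value" ]; then echo "$value"; else echo unset; fi
}

# Report on the running system when invoked directly (entropy part is Linux only)
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    echo "entropy pool: $(read_entropy_status)"
fi
echo "JAVA_OPTIONS egd: $(egd_from_java_options "${JAVA_OPTIONS:-}")"
```

Run it with the JAVA_OPTIONS of the Agent exported, and pass the path of the java.security file in use to java_securerandom_source to confirm which setting is effective.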


Further information can be found in the JS7 - How To - Apply Java Options article.