Comments on: Tomcat Startup Issues

By: frederic sidler

frederic sidler — Wed, 19 Mar 2008 15:03:30 +0000

I’m really interested to know how you use iptables to forward connection on port 80 and 443 to tomcat
I’m looking for a solution to redirect port to another IP address (in EC2), but I couldn’t figure out how ?

By: Jeremy Portzer

Jeremy Portzer — Thu, 15 Nov 2007 21:43:11 +0000

If you are using the Sun JDK 1.5.x (or 1.6 I think), you may also be encountering an issue where you think you’ve configured the JDK to use /dev/urandom, but it’s really not. For details on this see http://bugs.sun.com/view_bug.do?bug_id=6202721 . I’ve had success with the workaround of “-Djava.security.egd=file:/dev/./urandom” as a Java option. To clarify: I wasn’t using Tomcat’s SSL but rather direct application of the SecureRandom class.

By: Adrian Sutton

Adrian Sutton — Tue, 21 Aug 2007 12:05:38 +0000

You can actually go one step better - set RANDFILE to /dev/urandom and ignore the openssl step. Works like a charm.

By: Jaba

Jaba — Tue, 21 Aug 2007 11:54:50 +0000

No problem!

By: Adrian Sutton

Adrian Sutton — Tue, 21 Aug 2007 11:24:58 +0000

Jaba,
You’re right, it was the SSL libraries not getting enough entropy. rng-tools failed to start the daemon on this particular Debian install but the Tomcat users list pointed me to http://marc.info/?l=tomcat-user&m=118209169008472&w=2 which lets you generate a random seed with openssl. I wound up having to set the RANDFILE environment variable to get it to be found but it solved the problem.

Thanks for your help.

By: Anonymous

Anonymous — Tue, 21 Aug 2007 10:24:46 +0000

Jaba, worth a look as best I can tell Tomcat *should* be using /dev/urandom but having APR in the mix perhaps it’s not. The other complication is that it’s the HTTP listener that takes forever and the HTTPS listener starts immediately. I’ll make sure rngd is installed though.

For the record, it’s a Debian Etch server.

By: Jaba

Jaba — Tue, 21 Aug 2007 09:33:57 +0000

… and the actual path for checking the entropy is /proc/sys/kernel/random/entropy_avail, and even that only under Linux …

By: Jaba

Jaba — Tue, 21 Aug 2007 09:32:36 +0000

Perhaps the kernel is running out of entropy and is desperately trying to generate it? See if /proc/sys/kernel/entropy_avail is more than 0. If it’s 0, your system is out of entropy.

In that case you might want to install rngd, at least in Gentoo it can be found in rng-tools package. rngd generates semi-real entropy by fetching numbers from /dev/urandom and feeding them to /dev/random. Another option is to switch Tomcat to use /dev/urandom instead of /dev/random. How that can be done, I have no idea and of course if you really need that uber-secure tamper-proof entropy /dev/random creates, then you just need to generate more real entropy…

And with my luck your problem isn’t about this issue at all. Well, at least I tried. :-)