Edit
$JAVA_HOME/jre/lib/security/java.security
and set securerandom.source=file:/dev/./urandom
APPLIES TO:
Oracle SOA Suite - Version 11.1.1.1.0 and later
Oracle HTTP Server - Version 12.1.3.0.0 and later
Oracle WebLogic Server - Version 8.1 and later
Linux x86
Linux x86-64

SYMPTOMS
On some Linux boxes, WebLogic Server startup takes several minutes and hangs for a while. Similar behavior occurs during domain creation, when the security information gets populated. If you take a thread dump of the affected process, you will see that WebLogic is waiting for random data generation because the OS is running out of entropy.

    - locked <0x00000000e061f4b8> (a java.lang.Object)
    at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:108)
    at sun.security.provider.NativePRNG.engineGenerateSeed(NativePRNG.java:102)
    at java.security.SecureRandom.generateSeed(SecureRandom.java:495)
    at com.bea.security.utils.random.AbstractRandomData.ensureInittedAndSeeded(AbstractRandomData.java:91)
    - locked <0x00000000f8c7d7b8> (a com.bea.security.utils.random.SecureRandomData)
    at com.bea.security.utils.random.AbstractRandomData.getRandomBytes(AbstractRandomData.java:105)
    - locked <0x00000000f8c7d7b8> (a com.bea.security.utils.random.SecureRandomData)
    at com.bea.security.utils.random.AbstractRandomData.getRandomBytes(AbstractRandomData.java:100)
    at com.bea.console.utils.CSRFUtils.getSecret(CSRFUtils.java:56)
    at jsp_servlet._jsp._changemgmt.__changemanager._jspService(__changemanager.java:156)

CAUSE
According to the official kernel documentation, Linux has two devices that provide random data at any time: /dev/random and /dev/urandom. Both should be secure enough for generating PGP keys, ssh challenges, and other applications where secure random numbers are required. Starting with kernel 2.6, the default entropy is 4096 bits, and the problem arises when the entropy available on the system is minimal (around 100 bits or less).

The main difference between the two devices is that /dev/random runs out of random bits and makes you wait for more to be accumulated. Note that on some systems, it can block for a long time waiting for new user-generated entropy to be entered into the system.

Why could a system run out of entropy? An operating system performs cryptographic operations frequently (ssh challenges, https connections, etc.), so the /dev/random pool gets consumed quite quickly. The OS also expects to feed that pool from I/O operations coming from disk, network, mouse or keyboard, but that does not happen as quickly. This is a common pattern on virtualized environments and headless boxes.
It is important to mention that Java uses /dev/random by default as its entropy generator device.

How to verify if you are encountering this issue?
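One way to run this check, as an added example that is not part of Oracle's note: the script reads securerandom.source from a java.security file and compares the kernel's entropy estimate with the note's threshold of around 100 bits. The script name, function names, verdict strings and the use of /proc/sys/kernel/random/entropy_avail as the entropy reading are assumptions of this example; it inspects only java.security, not JVM command-line options.

```shell
#!/usr/bin/env bash
# Added example, not Oracle's script; function names are hypothetical.
# Usage on a real host (entropy_check.sh is a placeholder file name):
#   bash entropy_check.sh "$JAVA_HOME/jre/lib/security/java.security" \
#        /proc/sys/kernel/random/entropy_avail

# Threshold taken from the note: trouble starts at around 100 bits or less.
LOW_ENTROPY_BITS=100

# Print the effective securerandom.source of a java.security file.
# Commented-out lines are skipped; the last assignment wins.
securerandom_source() {
    sed -n '/^[[:space:]]*securerandom\.source[[:space:]]*=/{
        s/^[^=]*=[[:space:]]*//
        s/[[:space:]]*$//
        p
    }' "$1" | tail -n 1
}

# assess SOURCE ENTROPY_BITS -> one-word verdict.
# An empty SOURCE is treated as /dev/random, the default the note describes.
assess() {
    case "$1" in
        ""|file:/dev/random)
            if [ "$2" -le "$LOW_ENTROPY_BITS" ]; then
                echo "likely-affected"
            else
                echo "default-source-entropy-ok"
            fi ;;
        *)  echo "source-overridden" ;;
    esac
}

# report JAVA_SECURITY_FILE ENTROPY_FILE -> one summary line.
report() {
    _src=$(securerandom_source "$1")
    _bits=$(cat "$2")
    printf 'securerandom.source=%s entropy_avail=%s verdict=%s\n' \
        "${_src:-<unset>}" "$_bits" "$(assess "$_src" "$_bits")"
}

# Run only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

A "likely-affected" verdict together with the NativePRNG frames in the thread dump above points at this issue; take the entropy reading while the server is hanging, since the estimate changes over time.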
The following links explain in detail how entropy affects Java on Linux environments: bug 6202721 and 6521844.

SOLUTION
Choose one of the following approaches.

2.1 Long term solution
a) WebLogic Server Scope
i. Edit the WebLogic startup script ($DOMAIN_HOME/bin/startWebLogic.sh)
b) JDK Scope
securerandom.source=file:/dev/urandom
iii. Save changes and start the WebLogic Server instances.

2.2 Temporary solution (usually applied for testing purposes)
i. Override the JAVA_OPTIONS environment variable before starting WebLogic Server via shell scripts.
ii. Start WebLogic instances.