Last Modified: Wed, 13 Apr 2011 23:08:07 +0000 ; Created: Wed, 13 Apr 2011 23:05:38 +0000
I discovered that since Java 1.5 Sun decided to make some hack that always ignores /dev/urandom as a possible device for SHA1PRNG.
Perhaps a good choice for security reasons, but if you have Tomcat in a development environment and you want to test SSL, Tomcat can take forever to start up because it is waiting on entropy. The recommended solutions online must have been written back in the Java 1.4 days of Tomcat, when you could set RANDFILE or -Djava.security.egd=file:/dev/urandom, etc. to fix it. However, using "/dev/urandom" is ignored as per http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721. Some people like to use /dev/./urandom to fool Java into not overriding it with /dev/random. Others even use /dev/zero. Annoying that Sun decided this isn't a bug and never bothered to document it anywhere, such as in the java.security file.

Options to fix:
#1 is your best option to get real security. The other options are useful for test/dev environments where you aren't using real SSL certificates and security doesn't matter.
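
To check which of these settings a given Tomcat start script actually carries (for example, to confirm a /dev/zero or /dev/./urandom workaround never reaches production), the following added example, which is not part of the original post, scans JVM option lines for -Djava.security.egd and labels each value according to the behaviour described above. The function names and the sample option lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit JVM option lines for -Djava.security.egd settings.
# Labels follow the behaviour this page describes for Java 1.5 and later.

# egd_value LINE -> value of the last -Djava.security.egd= on the line ("" if none)
egd_value() {
    printf '%s\n' "$1" |
        sed -n 's/.*-Djava\.security\.egd=\([^[:space:]"'\'']*\).*/\1/p'
}

# classify_egd VALUE -> one word describing the effect of that value
classify_egd() {
    case "$1" in
        "")                  echo unset ;;           # JVM default source is used
        file:/dev/random)    echo blocking ;;        # waits on entropy
        file:/dev/urandom)   echo ignored ;;         # overridden with /dev/random (bug 6202721)
        file:/dev/./urandom) echo urandom-bypass ;;  # path spelling the override does not catch
        file:/dev/zero)      echo no-entropy ;;      # test/dev only, no real security
        *)                   echo unrecognized ;;
    esac
}

# audit_opts: read option lines on stdin and print "LINENO LABEL VALUE"
# for every line that sets java.security.egd
audit_opts() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        v=$(egd_value "$line")
        [ -n "$v" ] || continue
        printf '%s %s %s\n' "$n" "$(classify_egd "$v")" "$v"
    done
}

# Constructed sample in the style of a Tomcat environment script
sample_setenv() {
    cat <<'EOF'
JAVA_OPTS="-Xmx512m"
CATALINA_OPTS="$CATALINA_OPTS -Djava.security.egd=file:/dev/urandom"
CATALINA_OPTS="$CATALINA_OPTS -Djava.security.egd=file:/dev/./urandom -server"
JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/zero"
EOF
}

sample_setenv | audit_opts
```

To audit a real script, pipe it in instead of the sample: `audit_opts < path/to/your/script`.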