使用keytool时如何避免使用/ dev / urandom

时间:2014-06-12 01:28:32

标签: ssl keytool

我们在Linux,Solaris和AIX平台上使用tomcat,weblogic,websphere,apache(基本上是java)。对于encyption,我们使用SSL。要生成私有/公共密钥对,我们使用keytool。围绕java keytool的文章表明我们避免使用/ dev / urandom作为熵设备。鉴于/ dev / urandom是默认值,我们如何在不使用/ dev / urandom的情况下创建私有/公共密钥对?

1 个答案:

答案 0 :(得分:0)

感兴趣的文件位于您的JRE lib/security文件夹中,名为java.security。在其中您将找到以下行:

securerandom.source=file:/dev/urandom

文件中有评论描述其行为。您可以将其切换为使用/dev/random代替(如果您需要,则更安全,但由于熵问题可能需要很长时间):

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by 
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity 
# algorithm is used. 
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enables use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#   -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source 
# setting.

您可以查看有关Java policy files here in the Oracle docs

的更多信息

以下是overriding default Java security的简短教程