Bug 1540907
Summary: | Use native SecureRandom implementation instead of SHA1PRNG | ||
---|---|---|---|
Product: | [oVirt] ovirt-engine | Reporter: | Martin Perina <mperina> |
Component: | AAA | Assignee: | Martin Perina <mperina> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Lukas Svaty <lsvaty> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | --- | CC: | bugs, lsvaty, lveyde, rgolan |
Target Milestone: | ovirt-4.2.2 | Keywords: | CodeChange |
Target Release: | --- | Flags: | rule-engine: ovirt-4.2+ |
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ovirt-engine-4.2.2 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-03-29 11:12:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Martin Perina
2018-02-01 09:57:06 UTC
Running systems out there may benefit by simply setting the JRE to use /dev/urandom in java.security property file:

$JAVA_HOME/jre/lib/security/java.security
...
securerandom.source=file:/dev/urandom

(In reply to Roy Golan from comment #1)
> Running systems out there may benefit by simply setting the JRE to use
> /dev/urandom in java.security property file:
>
> $JAVA_HOME/jre/lib/security/java.security
> ...
> securerandom.source=file:/dev/urandom

I'd personally rather not change the platform default. And also I'm not sure if this will affect us, because AFAIK SHA1PRNG is custom Java implementation and not sure if it uses /dev/(u)random or not. That's why I think it's better to switch from SHA1PRNG to NativePRNG without changing JVM default.

(In reply to Martin Perina from comment #2)
> I'd personally rather not change the platform default.

I mentioned this is for existing setups that may suffer from it.

> And also I'm not sure
> if this will affect us, because AFAIK SHA1PRNG is custom Java implementation
> and not sure if it uses /dev/(u)random or not.

According to the sources you mentioned in the patch and reading the oracle implementation it does look like they are using the device that is mentioned java.security

> That's why I think it's
> better to switch from SHA1PRNG to NativePRNG without changing JVM default.

adding CodeChange moving to VERIFIED

BZ1421472 is the original bug, I have found this issue when investigating it. So I think you can use the same reproducing steps to verify it.

This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
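
The approach discussed in comments #2 and #3, requesting NativePRNG by name while leaving the JVM's java.security defaults untouched, looks like this in Java. This is an added example, not code from the ovirt-engine patch; the class and method names are hypothetical, and the fallback to `new SecureRandom()` is an assumption for platforms where NativePRNG is not registered.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Base64;

// Hypothetical helper for illustration; not taken from ovirt-engine.
public class NativeRandomExample {

    // Request NativePRNG by name so the choice does not depend on
    // securerandom.source or on provider order in java.security.
    static SecureRandom nativeSecureRandom() {
        try {
            return SecureRandom.getInstance("NativePRNG");
        } catch (NoSuchAlgorithmException e) {
            // NativePRNG is not available on every platform (for example
            // Windows). Fall back to the platform default instead of a
            // hard-coded SHA1PRNG (assumed policy for this example).
            return new SecureRandom();
        }
    }

    // Constructed use case: a URL-safe random token of numBytes bytes.
    static String newToken(SecureRandom random, int numBytes) {
        byte[] buf = new byte[numBytes];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Report what the JVM is configured with; this code never changes it.
        System.out.println("securerandom.source = "
                + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = "
                + System.getProperty("java.security.egd"));

        SecureRandom random = nativeSecureRandom();
        System.out.println("algorithm = " + random.getAlgorithm()
                + ", provider = " + random.getProvider().getName());
        System.out.println("token     = " + newToken(random, 32));
    }
}
```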