Alternatives to renaming /dev/random to /dev/urandom


Article ID: 38547

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Summary:

On certain Red Hat Enterprise Linux 5.3 systems (2.6 kernel), the policy server takes a long time to start because a read from /dev/random during startup blocks until the kernel's entropy estimate is high enough to satisfy it. The official CA Single Sign-On documentation recommends renaming /dev/random to /dev/urandom, so that the same read is served by the non-blocking device instead. In some environments, however, replacing the blocking device with the non-blocking one raises security concerns, because it removes the guarantee that /dev/random gives to every other consumer on the host as well.

Instructions:

One way to address those concerns without renaming devices is to keep the kernel's entropy pool topped up, so that reads from /dev/random are very rarely, if ever, left waiting for the pool to refill.

You can do this with the "rngd" entropy-feeding daemon (from the rng-tools project), which writes data into /dev/random whenever the kernel reports that the pool is running low. This prevents the policy server startup delay while leaving /dev/random in place, and avoids exposing the rest of the system to the trade-offs of the rename described above.

1) Ensure that "rngd" is installed. On RHEL 5 it ships in the rng-utils package (rng-tools on later releases); check with "rpm -q rng-utils" or "yum list installed rng-utils" and install it with yum if it is missing.

2) Start the "rngd" daemon with the following command (as root) and monitor the entropy on the system.

#rngd -r /dev/urandom -o /dev/random -f -t 1

With these options rngd reads from the source given by -r and writes that data to the device given by -o (/dev/random) whenever the kernel signals that its entropy pool has dropped below the write wakeup threshold, refilling it up to rngd's fill watermark; -t 1 makes it also write once per second while the pool is considered full (the default interval is 60 seconds), and -f keeps it in the foreground rather than daemonizing. Note the caveat: with /dev/urandom as the source, no new entropy enters the system. The command only credits the kernel's own pseudorandom output back to the pool as if it were fresh entropy, so /dev/random stops blocking but its output is no stronger than /dev/urandom's. Where the host has a hardware random number generator (rngd's default source is the kernel's hardware RNG device), point -r at that device instead; the /dev/urandom source is a fallback for hosts without one.

If you wish, you can monitor the entropy available by using the following command.

#watch -n 1 cat /proc/sys/kernel/random/entropy_avail 
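The following script ties the steps above together: it reads the pool state from /proc, classifies whether a read from /dev/random would currently block, prefers a hardware RNG device over /dev/urandom as the rngd source, and prints the matching rngd command line. It is an added example, not part of the CA article or of rng-tools; the candidate device names /dev/hwrng and /dev/hw_random and the decision to warn on the /dev/urandom fallback are this example's assumptions, and the rngd options are taken from rngd(8).

```shell
#!/bin/sh
# Entropy pool check and rngd source selection (added example, not from the CA article).
# Assumed: the /proc/sys/kernel/random paths (standard on Linux 2.6), the hardware RNG
# device names tried below, and rngd options as documented in rngd(8).

ENTROPY_AVAIL=/proc/sys/kernel/random/entropy_avail
READ_WAKEUP=/proc/sys/kernel/random/read_wakeup_threshold

# classify_entropy AVAIL THRESHOLD: prints "low" when a read from /dev/random would
# block (available entropy below the kernel's read wakeup threshold), otherwise "ok".
classify_entropy() {
    if [ "$1" -lt "$2" ]; then
        echo low
    else
        echo ok
    fi
}

# pick_rng_source DEV...: prints the first candidate that exists as a character
# device, or "none" (with a non-zero status) if no candidate is present.
pick_rng_source() {
    for dev in "$@"; do
        if [ -c "$dev" ]; then
            echo "$dev"
            return 0
        fi
    done
    echo none
    return 1
}

# rngd_cmd SOURCE: the rngd invocation feeding SOURCE into /dev/random in the
# foreground (-f), writing once per second even while the pool is full (-t 1).
rngd_cmd() {
    echo "rngd -r $1 -o /dev/random -f -t 1"
}

main() {
    avail=$(cat "$ENTROPY_AVAIL" 2>/dev/null || echo 0)
    thresh=$(cat "$READ_WAKEUP" 2>/dev/null || echo 64)
    status=$(classify_entropy "$avail" "$thresh")
    echo "entropy_avail=$avail read_wakeup_threshold=$thresh status=$status"

    # Prefer a real hardware source (assumed device names); /dev/urandom is the last
    # resort: it only stops /dev/random from blocking and adds no entropy the kernel
    # did not already have.
    src=$(pick_rng_source /dev/hwrng /dev/hw_random /dev/urandom)
    case "$src" in
        none)
            echo "no usable rngd source found" >&2
            return 1
            ;;
        /dev/urandom)
            echo "warning: /dev/urandom as source adds no real entropy to /dev/random" >&2
            ;;
    esac
    echo "run as root: $(rngd_cmd "$src")"
}

main "$@"
```

Run it before starting rngd to see whether the pool is actually below the read wakeup threshold (the condition that stalls the policy server), and again afterwards under "watch" to confirm the estimate stays above it.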

Additional Information:

http://linux.die.net/man/8/rngd

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: