Siteminder Entropy on Linux 9.1 and Later

Article ID: 388133

Products

SITEMINDER

Issue/Introduction

In the Siteminder Product Documentation, the "Prepare for the Policy Server Installation" section contains a subsection entitled "Increase Entropy" that describes one of several methods for raising the available entropy above the operating system defaults by running 'rngd' with an alternate input source.

Examples:

rngd -r /dev/<device_name> -o /dev/random -b

rngd -r /dev/urandom -o /dev/random -b

As of Red Hat Enterprise Linux 9.1, the available entropy reported by the kernel (/proc/sys/kernel/random/entropy_avail) will not rise above 256 bits. This is regardless of how you configure 'rngd'.

Environment

PRODUCT: Siteminder

COMPONENTS: Policy Server;  Access Gateway Server

VERSIONS: r12.8.8 and higher

OPERATING SYSTEMS: Red Hat Enterprise Linux 9.1 and higher

Cause

Traditionally /dev/random blocked whenever the kernel's entropy estimate was exhausted, while /dev/urandom never blocked. Two significant changes were introduced in Red Hat Enterprise Linux 9.

1) RHEL 9 changed /dev/random to be non-blocking, much like /dev/urandom. Once the kernel's random number generator has been seeded at boot, /dev/random will not block, no matter how much randomness is requested; the only remaining wait is the brief window early in boot before that first seeding completes. This removes the need to use 'rngd' to feed /dev/random from another input source. That workaround avoided the blocking of /dev/random by feeding it from either the non-blocking /dev/urandom or a hardware random number generator, for example:

rngd -r /dev/<device_name> -o /dev/random -b

rngd -r /dev/urandom -o /dev/random -b

Note that the /dev/urandom variant never added real entropy to the system; it only raised the kernel's entropy estimate so that /dev/random readers stopped blocking.

2) RHEL 9.1 reduced the kernel's reported 'poolsize' (/proc/sys/kernel/random/poolsize) from 4096 to a maximum of 256 bits, so entropy_avail now peaks at 256. This follows from the same redesign that made /dev/random non-blocking: the fullness of the pool no longer gates reads, so there is no bottleneck, and therefore no reason to push extra entropy into the pool to work around one.
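The following check is added here as an example; it is not part of the Broadcom article or of the rng-tools project. It reads the kernel's reported poolsize and entropy_avail values, classifies the host as using the legacy 4096-bit pool or the redesigned 256-bit pool, reports whether the rngd workaround still does anything, and times a small read from /dev/random to confirm it returns promptly. The 'legacy-pool'/'new-pool' labels and the fallback values used when /proc is unavailable are the example's own constructions.

```shell
#!/bin/sh
# Added example (not from the Broadcom article or the rng-tools project).
# Checks the kernel's reported entropy pool size and decides whether the old
# "feed /dev/random with rngd" workaround still applies. Values read from /proc
# are live; the fallback values used when /proc is unavailable are constructed.

# Classify a kernel by the pool size it reports (bits, from
# /proc/sys/kernel/random/poolsize):
#   4096 -> legacy pool; /dev/random blocks when the estimate runs out
#    256 -> redesigned pool (RHEL 9.1 and later); /dev/random never blocks
#           once the kernel generator has been seeded at boot
entropy_pool_kind() {
    case "$1" in
        256)  echo "new-pool" ;;
        4096) echo "legacy-pool" ;;
        *)    echo "unknown" ;;
    esac
}

# True (exit 0) only on a legacy pool, where feeding /dev/random via rngd
# could still prevent blocking. On the new pool it is a no-op.
rngd_workaround_needed() {
    [ "$(entropy_pool_kind "$1")" = "legacy-pool" ]
}

# Summarise the live state. entropy_avail is in bits and is capped at poolsize.
# The fallback values (256/256) are constructed defaults for hosts without /proc.
report_entropy() {
    poolsize=$(cat /proc/sys/kernel/random/poolsize 2>/dev/null || echo 256)
    avail=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 256)
    printf 'poolsize=%s entropy_avail=%s kind=%s\n' \
        "$poolsize" "$avail" "$(entropy_pool_kind "$poolsize")"
    if rngd_workaround_needed "$poolsize"; then
        echo "legacy pool: consider 'rngd -r /dev/<device_name> -o /dev/random -b'"
    else
        echo "entropy_avail is capped at ${poolsize} by design; rngd is not required"
    fi
}

# Empirical check: does a 64-byte read from /dev/random return promptly?
# Exit 0 if it completed within 5 seconds, non-zero if it timed out
# (or the device is missing).
random_read_is_nonblocking() {
    timeout 5 head -c 64 /dev/random >/dev/null 2>&1
}

report_entropy
if random_read_is_nonblocking; then
    echo "/dev/random read of 64 bytes returned without blocking"
else
    echo "/dev/random read of 64 bytes did not complete within 5 seconds"
fi
```

On a RHEL 9.1 or later host the report shows poolsize=256 with entropy_avail at or just below 256 and the read returns immediately; on RHEL 8 and earlier it shows poolsize=4096, which is the only case where the rngd command lines above still change behaviour.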

Resolution

As of Red Hat Enterprise Linux 9.0 there is no need to configure rngd to draw entropy from an alternate source such as a hardware device or /dev/urandom. It is expected that the available entropy (entropy_avail) will not exceed the Red Hat Enterprise Linux hard-coded pool size of 256 bits.

This behavior and the entropy limit of 256 bits have no impact on Siteminder r12.8.8 and higher running on RHEL 9 and higher.

Additional Information