When CA Access Gateway (SPS) uses VIP Authentication Hub for MFA, the gateway becomes unresponsive when requests return to the bctokencontroller endpoint.
It takes several seconds to return the response to the browser over SSL.
To illustrate, here the CA Access Gateway (SPS) takes 22 seconds to return the response to the browser:
sps.log:
[04/04/2025][10:40:30][][][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4][][ProxyValve::invoke]
[04/04/2025][10:40:30][][][Setting response status = 200][][Tomcat5serializedAgentData::setStatus()]
[04/04/2025][10:40:30][][][The agent finished processing the request.][][ProxyValve::invoke]
[04/04/2025][10:40:52][][][Cookieless Federation is disabled. Returning without any processing.][][ProxyValve::processRedirect]
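To find stalls like this one across a whole sps.log, the following added example (not part of the original article or the product) parses the timestamp fields shown above and reports consecutive entries that are further apart than a threshold. It assumes the date field is month/day/year and that the lines belong to one request, as in the excerpt; a gap shows the delay, not its cause.

```python
import re
from datetime import datetime

# Layout seen in the excerpt: [date][time][][][message][][source]
LINE_RE = re.compile(
    r"^\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2})\]"
    r"\[[^\]]*\]\[[^\]]*\]\[(.*)\]\[[^\]]*\]\[([^\]]*)\]$"
)
DATE_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: month/day/year ordering

# Constructed sample: the four sps.log lines quoted in the article.
SAMPLE = """\
[04/04/2025][10:40:30][][][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4][][ProxyValve::invoke]
[04/04/2025][10:40:30][][][Setting response status = 200][][Tomcat5serializedAgentData::setStatus()]
[04/04/2025][10:40:30][][][The agent finished processing the request.][][ProxyValve::invoke]
[04/04/2025][10:40:52][][][Cookieless Federation is disabled. Returning without any processing.][][ProxyValve::processRedirect]
"""


def parse_line(line):
    """Return (timestamp, message, source), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, message, source = m.groups()
    return datetime.strptime(f"{date} {time}", DATE_FMT), message, source


def find_stalls(lines, threshold_s=5):
    """Return (gap_seconds, source_before, source_after) for each pair of
    consecutive parseable lines that are more than threshold_s apart."""
    stalls, prev = [], None
    for line in lines:
        cur = parse_line(line)
        if cur is None:  # blank lines, stack traces, other layouts
            continue
        if prev is not None:
            gap = (cur[0] - prev[0]).total_seconds()
            if gap > threshold_s:
                stalls.append((int(gap), prev[2], cur[2]))
        prev = cur
    return stalls


if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE.splitlines()):
        print(f"{gap}s stall between {before} and {after}")
```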
CA Access Gateway (SPS) on Linux
Increase the entropy on the OS following the documentation recommendations to fix this issue (1):
- (Most secure)
# rngd -r /dev/device_name -o /dev/random -b
where device_name is the character device in use.
or
- (Good security)
# rngd -r /dev/urandom -o /dev/random -b
or
- (Least secure)
# mv /dev/random /dev/random.org
# ln -s /dev/urandom /dev/random
For each of these options, also make sure that the service or symlink is set up again at boot time.
Another option that has been reported to work is to make the JVM use the urandom special file instead of random, by changing
securerandom.source=file:/dev/random
to
securerandom.source=file:/dev/urandom