Policy Server startup is slow.

Article ID: 51086

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

Every time the Policy Server starts, or a connection to the policy store needs to be opened (e.g. with the test connection function of smconsole), the Policy Server pauses for a couple of minutes and no connections are opened. The smps.log shows a gap of about two minutes between consecutive startup messages:

[22721/4124649152][Thu Nov 18 2010 12:04:00][CSmRadiusLogger.cpp:50][INFO] RADIUS server is disabled
[22721/4124649152][Thu Nov 18 2010 12:06:05][CServer.cpp:3739][INFO] Policy Server employing classic SiteMinder and FIPS-140 cryptographic algorithms.

Solution:

The Red Hat OS distribution provides an RNG (random number generator). Two devices are available for this:

/dev/random and
/dev/urandom

/dev/random blocks and waits for more entropy when the entropy level (roughly, the "amount of randomness" in the kernel pool) is too low, while /dev/urandom never blocks and returns immediately. There is no question that using /dev/urandom is less secure; however, this weakness is only theoretical, and there are no known cases or ways to abuse it in the non-classified literature.
See for example the following page on the Red Hat Academy web site (1). As mentioned there, "though not truly random, the numbers generated by /dev/urandom are still thought to be cryptographically secure."

Entropy is gathered in various ways (keystrokes, mouse movements, disk I/O, etc.). Unless it is used really heavily, /dev/random should NOT run out of entropy. There have been many bugs in this area in Red Hat releases over the years (2).

To apply the workaround (redirect /dev/random to the non-blocking device), run the following as root:

mv /dev/random /dev/origrandom
ln -s /dev/urandom /dev/random
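The following POSIX shell functions are an added diagnostic example, not part of the article or of the SiteMinder product: they let an administrator confirm, before and after applying the workaround above, whether the kernel entropy pool is low enough to stall /dev/random readers and whether /dev/random has already been redirected to /dev/urandom. The kernel file /proc/sys/kernel/random/entropy_avail is real; the 256-bit threshold is an assumed "low" cut-off chosen for illustration, and the path arguments exist only so the checks can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not from the KB article).
# Paths are parameters so the checks can be run against a constructed
# directory; the defaults are the real kernel/device locations.

# Return 0 when the available entropy (in bits) is below the threshold.
# $1 = entropy counter file (default /proc/sys/kernel/random/entropy_avail)
# $2 = threshold in bits (assumed value 256; a pool this low means readers
#      of the blocking /dev/random device will stall, which is the symptom
#      described in the article)
entropy_is_low() {
    avail_file="${1:-/proc/sys/kernel/random/entropy_avail}"
    threshold="${2:-256}"
    [ -r "$avail_file" ] || return 2
    avail=$(cat "$avail_file")
    [ "$avail" -lt "$threshold" ]
}

# Return 0 when $1 (default /dev/random) is a symlink pointing at a node
# named urandom, i.e. the article's workaround has been applied.
workaround_applied() {
    dev="${1:-/dev/random}"
    [ -L "$dev" ] || return 1
    target=$(readlink "$dev")
    case "$target" in
        */urandom|urandom) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a human-readable status line for both checks.
# $1 = entropy file, $2 = threshold, $3 = device path (all optional)
report() {
    avail_file="${1:-/proc/sys/kernel/random/entropy_avail}"
    if entropy_is_low "$avail_file" "$2"; then
        echo "entropy LOW ($(cat "$avail_file") bits): /dev/random readers may block"
    else
        echo "entropy OK"
    fi
    if workaround_applied "$3"; then
        echo "/dev/random is redirected to /dev/urandom"
    else
        echo "/dev/random is the blocking device"
    fi
}

# Stand-alone use against the live system:  sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run `report` once before the workaround to confirm that low entropy is really the cause (if the counter is comfortably high, the delay lies elsewhere), and once after to confirm the symlink is in place. Because /dev on Red Hat is populated at boot by udev, the symlink created by `mv`/`ln -s` does not survive a reboot; rerun `report` after any restart to see whether the workaround still applies.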

Links:

  1. https://osu.redhat.com/content/courses/rha250-50-trial1/tag_data/tag_lessons/tag_intro/tag_discussion/section_0003
  2. http://www.google.com/search?q=random+entropy+urandom&sitesearch=bugzilla.redhat.com

Environment

Release:
Component: SMPLC