Slow startup of the SiteMinder Policy Server on RedHat Linux 5.3 (2.6 kernel).

Document ID : KB000050722
Last Modified Date : 14/02/2018

Description:

On certain RedHat Linux 5.3 systems (2.6 kernel), the policy server takes a long time to start because its startup sequence calls the random method.

Solution:

During startup, the policy server calls the random method on the server.

The RedHat OS distribution provides an RNG (random number generator) with two device interfaces: /dev/random and /dev/urandom. /dev/random blocks and waits for more entropy when the kernel's entropy estimate (roughly, the 'amount of randomness' available) is too low, whereas /dev/urandom never blocks and returns immediately. Entropy is gathered in various ways (keystrokes, mouse movement, disk I/O, etc.). Unless it is used really heavily, /dev/random should NOT run out of entropy.

The delay can be verified by running the commands below on the affected server and comparing how long each one takes to complete.

dd if=/dev/random bs=1 count=200 > /dev/null
dd if=/dev/urandom bs=1 count=200 > /dev/null

There are a couple of workarounds to address this issue:

  1. Add a symbolic link so that /dev/random points to /dev/urandom. This way the policy server is forced to use /dev/urandom even when it opens /dev/random. There is no question that using /dev/urandom is less secure; however, this vulnerability is only theoretical and there are no known cases of, or ways of, abusing it in the non-classified literature.

  2. The 'rngd' daemon can be used to add a source of randomness to the entropy pool.

    You can see the current entropy value with the following command:
    # cat /proc/sys/kernel/random/entropy_avail

    Now start the 'rngd' daemon with the following command and monitor the entropy on the system:
    # rngd -r /dev/urandom -o /dev/random -f -t 1
    # watch -n 1 cat /proc/sys/kernel/random/entropy_avail
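The following script ties the two checks above together (reading entropy_avail and timing a bounded read from each device) so the delay can be confirmed before a restart; it is an added example, not a script from the KB article or the product. The 200-byte read size comes from the article's dd commands; the 5-second deadline and the use of the coreutils timeout command are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: pre-flight check for the blocking
# /dev/random delay before restarting the Policy Server. The 200-byte read
# matches the article's dd commands; the 5-second deadline is an assumption.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}

# Current kernel entropy estimate in bits (0 if the proc file is unavailable).
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then cat "$ENTROPY_FILE"; else echo 0; fi
}

# Compare an entropy estimate (bits) with what a read of N bytes from
# /dev/random consumes. Prints "ok" or "low"; exit status 1 when low.
classify_entropy() {
    need_bits=$(( ${2:-200} * 8 ))
    if [ "$1" -ge "$need_bits" ]; then echo ok; return 0; fi
    echo low; return 1
}

# Bounded read of N bytes from a device. Prints elapsed seconds; exit status
# 124 (from timeout) means the read blocked past the deadline.
timed_read() {
    dev=$1; count=${2:-200}; deadline=${3:-5}
    start=$(date +%s)
    timeout "$deadline" dd if="$dev" bs=1 count="$count" >/dev/null 2>&1
    rc=$?
    echo $(( $(date +%s) - start ))
    return $rc
}

main() {
    bits=$(entropy_avail)
    echo "entropy_avail=$bits bits -> $(classify_entropy "$bits")"
    for dev in /dev/random /dev/urandom; do
        rc=0; secs=$(timed_read "$dev" 200 5) || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$dev: 200-byte read finished in ${secs}s"
        else
            echo "$dev: read blocked or failed (rc=$rc) after ${secs}s"
        fi
    done
}

main
```

A "low" classification together with a /dev/random read that hits the deadline (rc=124) is the symptom this article describes; /dev/urandom should always finish immediately.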