Idea Details

Policy Server on Unix should read from /dev/urandom by default

Last activity 12-17-2016 09:13 AM
06-30-2016 07:25 PM

The Siteminder infrastructure (particularly the Policy Server) should default to using /dev/urandom rather than /dev/random. Or at least it should provide a switch or registry setting to make it easy to switch between the two.

The availability of true random numbers has always been problematic, particularly on VM environments.

The normal /dev/random stream is a blocking stream, and when it runs out of random data it blocks until more random data is available. This causes havoc for realtime systems, such as webservers and SM Policy Servers.

 

The current workaround isn't great; usually it is best to add a pseudo-random generator to supplement the data in /dev/random. The other suggestion is to rename /dev/urandom to /dev/random (which I personally don't think is a great way to do it). As per our installation guide:

Slowness caused by lack of /dev/random data has also been the cause of several major escalations, and probably is behind a number of other slowness issues, and I expect there will be more to come.

 

Usage of /dev/urandom is fine; it embodies the pseudo-random generator solution that is the workaround.

Myths about /dev/urandom

So it would save a lot of trouble if the Policy Server and other SM components defaulted to using /dev/urandom for their random data, and best if it was switchable via registry setting so the original setup can be restored if needed.

Cheers - Mark
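As an added illustration of the blocking behaviour and the "switch" the idea asks for (example code written here, not SiteMinder's own): the reader is opened O_NONBLOCK so an exhausted /dev/random reports EAGAIN instead of stalling the caller, and a hypothetical fill_random() falls back to /dev/urandom to finish the buffer. It assumes Linux-style device paths.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read up to n bytes from a random device without ever sleeping in the
 * kernel: with O_NONBLOCK an exhausted /dev/random returns EAGAIN instead
 * of stalling the thread (on Linux before 5.6 whenever the entropy estimate
 * hits zero; on newer kernels only before the CRNG has been seeded).
 * Returns the number of bytes actually read, or -1 if the device cannot
 * be opened. A short count means the pool ran dry. */
ssize_t read_random_nonblocking(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;          /* interrupted by a signal: retry */
        if (r <= 0)
            break;             /* EAGAIN (pool empty) or EOF: stop here */
        got += (size_t)r;
    }
    close(fd);
    return (ssize_t)got;
}

/* Hypothetical configurable switch (assumption, not a SiteMinder setting):
 * prefer_blocking != 0 tries /dev/random first; whatever it cannot deliver
 * right now is taken from /dev/urandom, which never blocks, so the caller
 * always gets n bytes instead of hanging. Returns n, or -1 on failure. */
ssize_t fill_random(unsigned char *buf, size_t n, int prefer_blocking)
{
    ssize_t got = 0;
    if (prefer_blocking) {
        got = read_random_nonblocking("/dev/random", buf, n);
        if (got == (ssize_t)n)
            return got;
        if (got < 0)
            got = 0;           /* device missing: take everything from urandom */
    }
    ssize_t rest = read_random_nonblocking("/dev/urandom", buf + got, n - (size_t)got);
    return rest < 0 ? -1 : got + rest;
}
```

Call fill_random(buf, sizeof buf, 1) to see the fallback path; with 0 it goes straight to /dev/urandom.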


Comments

07-08-2016 04:19 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion. The Community will continue to be able to vote on this enhancement idea.