Policy Server on Unix should read from /dev/urandom by default

Idea created by Mark.ODonohue Employee on Jun 30, 2016
    Under review
    Score15

    The Siteminder infrastructure (particularly the Policy Server) should default to using /dev/urandom rather than /dev/random. Or at least should provide a switch or registry setting to make it easy to switch between the two.

     

    The availability of true random numbers has always been problematic, particularly on VM environments.

     

    The normal /dev/random stream is a blocking stream and when run out of random data it blocks until more random data is available. This causes havoc for realtime systems, such as webservers and SM Policy Servers.

     

    The current workaround isnt great, usually it is best add a pseudo-random generator to supplement the data in /dev/random.  The other suggestion is renaming to rename /dev/urandom to /dev/random (which I personally dont think is great way to do it).  As per our installation guide :

     

     

    Slowness caused by lack of /dev/random data has also been the cause of several major escalations, and probably is behind a number of other slowness issues, and I expect there will be more to come.

     

    Usage of /dev/urandom is fine, it embodies the pseudo-random generator solution that is the workaround.

    Myths about /dev/urandom

     

    So it would save a lot of trouble if the Policy Server and other SM components defaulted to using the /dev/urandom for their random data - and best if it was switchable via registry setting so the orignal setup can be restored if needed.

     

    Cheers - Mark