Ensuring Sufficient Entropy to Avoid System Delays

  • 7025092
  • 28-Apr-2021
  • 09-Jul-2021

Environment

Headless server-based installations on Linux or UNIX platforms.

Host Access Management and Security Server (MSS) 12.7.2 or higher
Host Access for the Cloud 2.6.2 or higher

Situation

Installation does not complete on UNIX or Linux platforms.

The install program, server startup, or other operations may stall on UNIX or Linux systems, particularly headless ones. This delay is caused by an insufficient amount of entropy in the system.

The affected Micro Focus products include an updated version of the Bouncy Castle FIPS Java cryptographic module. This Bouncy Castle version generates prediction-resistant random numbers for cryptographic use by drawing from the operating system's live entropy source, such as /dev/random on Linux platforms.

In some environments, cryptographic operations can strain the Java Virtual Machine's entropy source. An insufficient pool of entropy can result in long delays during server startup and at other times while additional entropy is collected.

Determining if Entropy is Sufficient

Before you install on your Linux system, use the following diagnostic commands to verify proper entropy generation. If the desired results are not achieved, proceed with the Resolution.
  • To see how many bits of entropy are available, enter this command:
      cat /proc/sys/kernel/random/entropy_avail
    Desired result: The output value should be at least 1000.
  • To determine how quickly the entropy pool is replenished as entropy is consumed, use the command above along with this command to read from the entropy pool:
      hexdump /dev/random

Desired result: If the output streams continuously, the system should have a sufficient pool of entropy, as /dev/random is being constantly refilled.

However, if the output is only a short listing and then it stops, the MSS or HACloud cryptographic operations will perform poorly until more entropy is collected. Proceed with the Resolution.
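The two checks above can be scripted so that the pool is sampled while it is being drained, which is what exposes a slow refill rate. This is an added example, not part of the KB article; it reads the real kernel paths by default, but ENTROPY_FILE and RANDOM_DEV can be overridden (e.g. with a plain file holding a number) to exercise the logic on any system.

```sh
#!/bin/sh
# Added example (not from the KB article): scripted form of the entropy checks.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
RANDOM_DEV="${RANDOM_DEV:-/dev/random}"
MIN_ENTROPY=1000   # the article's "at least 1000" bits

# Print the current entropy count as digits only (empty if unreadable).
entropy_avail() {
    cat "$ENTROPY_FILE" 2>/dev/null | tr -dc '0-9'
}

# True (0) when the pool is at or above MIN_ENTROPY, false (1) otherwise.
entropy_sufficient() {
    avail=$(entropy_avail)
    [ -n "$avail" ] && [ "$avail" -ge "$MIN_ENTROPY" ]
}

# Drain RANDOM_DEV for $1 seconds (default 5), the scripted equivalent of
# "hexdump /dev/random", sampling the pool once a second. Prints
# "min=<lowest sample> samples=<n>"; exit status is 0 only if the lowest
# sample still met MIN_ENTROPY, i.e. the pool keeps refilling under load.
entropy_under_load() {
    secs="${1:-5}"
    min=""
    n=0
    dd if="$RANDOM_DEV" of=/dev/null bs=64 2>/dev/null &
    reader=$!
    while [ "$n" -lt "$secs" ]; do
        sleep 1
        cur=$(entropy_avail)
        if [ -n "$cur" ] && { [ -z "$min" ] || [ "$cur" -lt "$min" ]; }; then
            min="$cur"
        fi
        n=$((n + 1))
    done
    kill "$reader" 2>/dev/null || true
    wait "$reader" 2>/dev/null || true
    echo "min=$min samples=$n"
    [ -n "$min" ] && [ "$min" -ge "$MIN_ENTROPY" ]
}

# When saved as entropy_check.sh and executed directly, report both checks.
case "$0" in
    *entropy_check.sh)
        if entropy_sufficient; then echo "entropy_avail OK"; else echo "entropy_avail LOW"; fi
        entropy_under_load 5 || echo "pool depletes under load: see Resolution"
        ;;
esac
```

A "LOW" result or a falling minimum while the reader runs is the scripted equivalent of the short hexdump listing described above.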

Resolution

To resolve system delays that might be attributed to low entropy, install an entropy program.

1.  Install a random number generator or an entropy daemon.
    In a Linux/UNIX environment, we recommend installing either
      • a hardware-based random number generator, or
      • a software-based entropy daemon, such as haveged or rng-tools.
2.  Re-run the diagnostic commands (above) to verify that the entropy generator is installed and working and that the entropy pool is being refilled sufficiently.

If an external hardware or software source of entropy cannot be used, or if the delays persist, contact Support for an alternative solution.

Additional Information

Some Linux platforms already install and enable an entropy service by default.
