how to increase entropy in Centos 6.2?

gkdsp
Posts: 16
Joined: 2012/02/15 20:40:20

how to increase entropy in Centos 6.2?

Post by gkdsp » 2012/03/06 00:46:10

My remote CentOS server is new and there's not a lot of usage on it so entropy is low. This is causing my java programs to lose connections (and increase execution time) when accessing Oracle 11G database on another Centos server.

I've read a lot about such problems, but I'm not experienced enough to piece together the solution. Here are some useful links:

http://serverfault.com/questions/298698/low-entropy-on-centos-5-after-new-mount

http://www.ghidinelli.com/2011/01/11/cold-fusion-slow-start-messagebrokerservlet

http://www.usn-it.de/index.php/2009/02/20/oracle-11g-jdbc-driver-hangs-blocked-by-devrandom-entropy-pool-empty/

How would I set up the server so that rngd feeds /dev/random with entropy from /dev/urandom, such that this modification sticks upon reboot (so I don't need to remember to execute some command line statement upon every reboot)?

I was thinking I could issue the following to try to increase entropy as a one-time deal:

[code]# /etc/init.d/rngd start
# /etc/init.d/rngd -r /dev/urandom -o /dev/random -f -t 5[/code]

And if it helps, then make it stick upon server reboot by typing:

[code]# /etc/init.d/rngd start
# /etc/init.d/rngd -r /dev/urandom -o /dev/random -t 5[/code]

But when I try to start rngd, it says:

[code]# /etc/init.d/rngd start
Starting rngd: can't open entropy source(tpm or intel/amd rng)
Maybe RNG device modules are not loaded

[FAILED][/code]

This is really out of my comfort zone. Any help much appreciated!

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

how to increase entropy in Centos 6.2?

Post by pschaff » 2012/03/06 03:28:29

Try editing /etc/sysconfig/rngd to contain:
[code]# Add extra options here
EXTRAOPTIONS="-r /dev/urandom"[/code]

Then "service rngd start". If that works, then "chkconfig rngd on" will start it at boot.

gkdsp
Posts: 16
Joined: 2012/02/15 20:40:20

Re: how to increase entropy in Centos 6.2?

Post by gkdsp » 2012/03/06 05:33:00

Hi Phil, I added the extra option then did the "service rngd start" and it works absolutely beautifully! Now there is plenty of entropy created when the java program runs, and I can repeatedly run the java program again and again and again and it completes instantly every time (virtually no wait), instead of taking minutes.

Before I get too overjoyed, can you help me understand what we just did? Does this solution enable rngd to feed /dev/random with entropy from /dev/urandom? Or does it replace all of the entropy from /dev/random with entropy from /dev/urandom?

I *think* the former to be more secure than the latter (based on the "Solving for production" section in this link: http://www.ghidinelli.com/2011/01/11/cold-fusion-slow-start-messagebrokerservlet ).

I know it's not a perfect solution, but I'm not aware of anything else I can do on the server unless I purchase an entropy device from somewhere like here: http://www.entropykey.co.uk/ . Would be interested in your opinion. I've heard some say the NIC card can be used as an entropy device, or even the hard drive. But I'm not able to find details on how to implement this.

Also, can you describe this statement a little more?

>If that works, then "chkconfig rngd on" will start it at boot.

That is, do I execute this from the command line (sitting at any directory)? Will this setting stick upon reboot if typed from command line? Or do I need to add that text to a file somewhere? In either case, I assume to undo this I just do something like "chkconfig rngd off" (?).

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: how to increase entropy in Centos 6.2?

Post by pschaff » 2012/03/06 14:03:39

[quote]
gkdsp wrote:
Hi Phil, I added the extra option then did the "service rngd start" and it works absolutely beautifully! Now there is plenty of entropy created when the java program runs, and I can repeatedly run the java program again and again and again and it completes instantly every time (virtually no wait), instead of taking minutes.[/quote]
Good.

[quote]
Before I get too overjoyed, can you help me understand what we just did? Does this solution enable rngd to feed /dev/random with entropy from /dev/urandom? Or does it replace all of the entropy from /dev/random with entropy from /dev/urandom? [/quote]
The man page, and [url=http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt]this article[/url] explain it better than I can, but the /etc/sysconfig/rngd entry replaces the default input device /dev/hwrandom with the pseudo-device /dev/urandom, which in turn takes input from the default output device, /dev/random. Enough to make your head spin, but if you don't have a hardware random number generator it's generally good enough.

[quote]
...
>If that works, then "chkconfig rngd on" will start it at boot.

That is, do I execute this from the command line (sitting at any directory)? Will this setting stick upon reboot if typed from command line?[/quote]
Yes and yes.

[quote]
... In either case, I assume to undo this I just do something like "chkconfig rngd off" (?).[/quote]
Yes again.
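
An added example, not part of the thread or of rng-tools: a small audit script that reads the EXTRAOPTIONS line discussed above and reports which device rngd is told to read, next to the kernel's current entropy estimate. The function names (rngd_source, source_kind, entropy_avail) and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which entropy source rngd is configured to read.

# Print the device given to rngd via -r / --rng-device in EXTRAOPTIONS,
# or "default" when the sysconfig file does not override it.
rngd_source() {
    conf=$1
    # Use the last EXTRAOPTIONS assignment that is not commented out.
    opts=$(sed -n 's/^[[:space:]]*EXTRAOPTIONS=//p' "$conf" | tail -n 1 | tr -d "\"'")
    src=default
    set -- $opts
    while [ $# -gt 0 ]; do
        case $1 in
            -r|--rng-device) if [ $# -ge 2 ]; then src=$2; shift; fi ;;
            --rng-device=*)  src=${1#--rng-device=} ;;
            -r?*)            src=${1#-r} ;;
        esac
        shift
    done
    echo "$src"
}

# /dev/urandom and /dev/random are the kernel's own output: feeding them
# back through rngd raises the entropy estimate without new randomness.
source_kind() {
    case $1 in
        /dev/urandom|/dev/random) echo recycled ;;
        default)                  echo hardware-default ;;
        *)                        echo external ;;
    esac
}

# Kernel entropy estimate in bits (path can be overridden for testing).
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}"
}

# Constructed sample of /etc/sysconfig/rngd as edited in the thread.
sample=$(mktemp)
printf '%s\n' '# Add extra options here' 'EXTRAOPTIONS="-r /dev/urandom"' > "$sample"
found=$(rngd_source "$sample")
echo "rngd source: $found ($(source_kind "$found"))"
pool=/proc/sys/kernel/random/entropy_avail
if [ -r "$pool" ]; then echo "entropy_avail: $(entropy_avail "$pool") bits"; fi
rm -f "$sample"
```

On a real host, pass /etc/sysconfig/rngd to rngd_source; a result of "recycled" means the pool count is being raised from the kernel's own PRNG output rather than from a hardware source.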
