https://community.hpe.com/t5/operating-system-hp-ux/openssl-prngd-configuration/m-p/3435638#M206529 In my experience prngd must be running at all times and I don't think that openssl will start it automatically.<BR /><BR />Sample startup script can be found in /opt/openssl/prngd/prngd.rc. This script can be copied to /sbin/init.d. You also need to create /sbin/rc?.d links and create /etc/rc.config.d/prngd with PRNGD_START=1.<BR /><BR />You don't need /etc/services lines unless you want prngd to listen on TCP ports (in addition to /var/run/egd-pool). Thu, 02 Dec 2004 20:37:06 GMT Ermin Borovac 2004-12-02T20:37:06Z https://community.hpe.com/t5/operating-system-hp-ux/openssl-prngd-configuration/m-p/3435637#M206528 We recently downloaded and installed HP's openSSL depot, OpenSSL_A.00.09.07-d.006_HP-UX_B.11.11_32+64.depot. The install was clean and apparently error free, but now we're having some issues. Our problem may just be a lack of thorough documentation from HP but we're not sure. Please read through this scenario, our questions appear at the end.<BR /><BR />Overview:<BR />When attempting to generate a certificate with openssl, the program returned the error message,<BR /><BR />"unable to load 'random state' This means that the random number generator has not been seeded with much data."<BR /><BR />Since openssl is using prngd as its random number generator (/dev/random is not installed) the error seemed to indicate an initialization problem with that program. prngd was installed (and configured?) by HP's swinstall process for openssl. A review of the prngd related documentation we could locate, web sources, man pages, etc lead us to try the following<BR /><BR />1) The man page for prngd seemed to indicate that the following lines needed to be added to /etc/services. We added them.<BR /><BR />prngd 708/tcp # prngd/EGD system service<BR />prngd-user 4840/tcp # prngd/EGD user service<BR /><BR />2) According to web sources, prngd will start without an initial seed and will collect entropy as fast as it can on startup. If you can supply an initial seed however it works better. To generate an initial seed you can cat some logfiles together into /etc/prngd-seed. This step is only relevant before the first time you start prngd.<BR /><BR />cat /var/adm/syslog/mail.log /var/adm/syslog/syslog.log &gt; /etc/prngd-seed<BR />ls -l /etc/prngd-seed<BR />-rw-rw---- 1 root sys 217832 Dec 2 09:34 /etc/prngd-seed<BR /><BR /><BR />3) Once the seed file was been created, we ran prngd using /var/run/egd-pool as the full path to its socket. Before attemping to start prngd the socket looked as follows:<BR /><BR />ls -l /var/run/egd-pool<BR />srwxrwxrwx 1 root sys 0 Nov 20 08:58 egd-pool<BR /><BR />It appears that the HP prngd install is not in the default open source location, therefore when launching it from the command line we needed to specify the full path to the HP installed command file<BR /><BR />/opt/openssl/prngd/prngd -c /opt/openssl/prngd/prngd.conf /var/run/egd-pool<BR /><BR />Once prngd was started with the above command, the daemon could be seen running with ps.<BR /><BR />ps -ef | grep prng<BR /> root 15895 10225 0 10:12:23 pts/0 0:00 grep prng<BR /> root 15845 1 0 10:12:02 ? 0:00 /opt/openssl/prngd/prngd -c /opt/openssl/prngd/prngd.conf /var/<BR /><BR />4) After prngd was allowed to run for a short while we shut it down with the following command, see man page prngd(1).<BR /><BR />/opt/openssl/prngd/prngd -k /var/run/egd-pool<BR /><BR />5) A review showed that both the socket and the seed file were updated by the run. Prior to the run "file" reported that /etc/prngd-seed contained ascii text. After the run it contained a control character sequence that "file" reported as "awk program text."<BR /><BR /># ls -l /var/run/egd-pool<BR />srwxrwxrwx 1 root sys 0 Dec 2 09:45 /var/run/egd-pool<BR /># ls -l /etc/prngd-seed<BR />-rw------- 1 root sys 4096 Dec 2 09:50 /etc/prngd-seed<BR /><BR />6) At this point we made another attempt to generate an ssl certificate using the command:<BR /><BR />openssl req -newkey rsa:1024 -keyout /opt/openssl/ca/ca.key \<BR />&gt; -out /opt/openssl/ca/ca.csr<BR /><BR />This attempt again failed miserably with the same error described in the overview.<BR /><BR />7) As a next step we decided to launch the prngd daemon and leave it running prior to the openssl call. This scenario resulted in an apparantly successful certificate generation.<BR /><BR />QUESTIONS:<BR /><BR />1) HP's documentation for openssl seems to indicate that openssl will call prngd without any prior configuration, is there something awry?<BR /><BR />2) Is openssl supposed to start prngd on demand or must prngd already be running?<BR /><BR />3) If prngd must run as a daemon, what should the startup script look like?<BR /><BR />4) Are the prngd lines in /etc/services needed for prngd to function with openssl?<BR /><BR />Any and all feedbak will be appreciated<BR /> Thu, 02 Dec 2004 18:47:43 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssl-prngd-configuration/m-p/3435637#M206528 Donald W. Healey 2004-12-02T18:47:43Z https://community.hpe.com/t5/operating-system-hp-ux/openssl-prngd-configuration/m-p/3435638#M206529 In my experience prngd must be running at all times and I don't think that openssl will start it automatically.<BR /><BR />Sample startup script can be found in /opt/openssl/prngd/prngd.rc. This script can be copied to /sbin/init.d. You also need to create /sbin/rc?.d links and create /etc/rc.config.d/prngd with PRNGD_START=1.<BR /><BR />You don't need /etc/services lines unless you want prngd to listen on TCP ports (in addition to /var/run/egd-pool). Thu, 02 Dec 2004 20:37:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssl-prngd-configuration/m-p/3435638#M206529 Ermin Borovac 2004-12-02T20:37:06Z