12-02-2004 10:47 AM
openssl prngd configuration
We recently downloaded and installed HP's openSSL depot, OpenSSL_A.00.09.07-d.006_HP-UX_B.11.11_32+64.depot. The install was clean and apparently error free, but now we're having some issues. Our problem may just be a lack of thorough documentation from HP but we're not sure. Please read through this scenario, our questions appear at the end.
Overview:
When attempting to generate a certificate with openssl, the program returned the error message,
"unable to load 'random state' This means that the random number generator has not been seeded with much data."
Since openssl is using prngd as its random number generator (/dev/random is not installed) the error seemed to indicate an initialization problem with that program. prngd was installed (and configured?) by HP's swinstall process for openssl. A review of the prngd related documentation we could locate, web sources, man pages, etc. led us to try the following:
1) The man page for prngd seemed to indicate that the following lines needed to be added to /etc/services. We added them.
prngd 708/tcp # prngd/EGD system service
prngd-user 4840/tcp # prngd/EGD user service
2) According to web sources, prngd will start without an initial seed and will collect entropy as fast as it can on startup. If you can supply an initial seed however it works better. To generate an initial seed you can cat some logfiles together into /etc/prngd-seed. This step is only relevant before the first time you start prngd.
cat /var/adm/syslog/mail.log /var/adm/syslog/syslog.log > /etc/prngd-seed
ls -l /etc/prngd-seed
-rw-rw---- 1 root sys 217832 Dec 2 09:34 /etc/prngd-seed
3) Once the seed file had been created, we ran prngd using /var/run/egd-pool as the full path to its socket. Before attempting to start prngd the socket looked as follows:
ls -l /var/run/egd-pool
srwxrwxrwx 1 root sys 0 Nov 20 08:58 egd-pool
It appears that the HP prngd install is not in the default open source location, therefore when launching it from the command line we needed to specify the full path to the HP installed command file
/opt/openssl/prngd/prngd -c /opt/openssl/prngd/prngd.conf /var/run/egd-pool
Once prngd was started with the above command, the daemon could be seen running with ps.
ps -ef | grep prng
root 15895 10225 0 10:12:23 pts/0 0:00 grep prng
root 15845 1 0 10:12:02 ? 0:00 /opt/openssl/prngd/prngd -c /opt/openssl/prngd/prngd.conf /var/
4) After prngd was allowed to run for a short while we shut it down with the following command, see man page prngd(1).
/opt/openssl/prngd/prngd -k /var/run/egd-pool
5) A review showed that both the socket and the seed file were updated by the run. Prior to the run "file" reported that /etc/prngd-seed contained ASCII text. After the run it contained a control character sequence that "file" reported as "awk program text."
# ls -l /var/run/egd-pool
srwxrwxrwx 1 root sys 0 Dec 2 09:45 /var/run/egd-pool
# ls -l /etc/prngd-seed
-rw------- 1 root sys 4096 Dec 2 09:50 /etc/prngd-seed
6) At this point we made another attempt to generate an ssl certificate using the command:
openssl req -newkey rsa:1024 -keyout /opt/openssl/ca/ca.key \
    -out /opt/openssl/ca/ca.csr
This attempt again failed miserably with the same error described in the overview.
7) As a next step we decided to launch the prngd daemon and leave it running prior to the openssl call. This scenario resulted in an apparently successful certificate generation.
QUESTIONS:
1) HP's documentation for openssl seems to indicate that openssl will call prngd without any prior configuration, is there something awry?
2) Is openssl supposed to start prngd on demand or must prngd already be running?
3) If prngd must run as a daemon, what should the startup script look like?
4) Are the prngd lines in /etc/services needed for prngd to function with openssl?
Any and all feedback will be appreciated.
12-02-2004 12:37 PM
Re: openssl prngd configuration
In my experience prngd must be running at all times and I don't think that openssl will start it automatically.
Sample startup script can be found in /opt/openssl/prngd/prngd.rc. This script can be copied to /sbin/init.d. You also need to create /sbin/rc?.d links and create /etc/rc.config.d/prngd with PRNGD_START=1.
You don't need /etc/services lines unless you want prngd to listen on TCP ports (in addition to /var/run/egd-pool).
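The startup arrangement described in this reply, sketched as an added example (it is not HP's prngd.rc and not code from the thread): an /sbin/init.d-style script body that honours PRNGD_START and reuses the start and kill command lines from the question. The variable names other than PRNGD_START, the message strings and the link names in the comments are assumptions of this example.

```shell
# Added sketch of /sbin/init.d/prngd. On HP-UX the first line of an rc
# script is normally '#!/sbin/sh'. Paths are the ones quoted in the thread;
# PRNGD_BIN/CONF/SOCK/RCCONF are this example's own, overridable names.
PRNGD_BIN=${PRNGD_BIN:-/opt/openssl/prngd/prngd}
PRNGD_CONF=${PRNGD_CONF:-/opt/openssl/prngd/prngd.conf}
PRNGD_SOCK=${PRNGD_SOCK:-/var/run/egd-pool}
PRNGD_RCCONF=${PRNGD_RCCONF:-/etc/rc.config.d/prngd}

# Succeeds only when the rc.config.d file sets PRNGD_START=1.
prngd_enabled() {
    PRNGD_START=0
    [ -r "$PRNGD_RCCONF" ] && . "$PRNGD_RCCONF"
    [ "$PRNGD_START" = 1 ]
}

# HP-UX rc convention: 0 = success, 1 = failure, 2 = skipped.
prngd_rc() {
    case "$1" in
    start_msg) echo "Starting the prngd entropy daemon" ;;
    stop_msg)  echo "Stopping the prngd entropy daemon" ;;
    start)
        prngd_enabled || return 2          # disabled in rc.config.d
        [ -x "$PRNGD_BIN" ] || return 1    # depot not installed
        "$PRNGD_BIN" -c "$PRNGD_CONF" "$PRNGD_SOCK" || return 1
        ;;
    stop)
        prngd_enabled || return 2
        "$PRNGD_BIN" -k "$PRNGD_SOCK" || return 1
        ;;
    *)
        echo "usage: $0 {start|stop|start_msg|stop_msg}" >&2
        return 1
        ;;
    esac
    return 0
}

# The rc?.d links might look like this (sequence numbers are hypothetical):
#   ln -s /sbin/init.d/prngd /sbin/rc2.d/S900prngd
#   ln -s /sbin/init.d/prngd /sbin/rc1.d/K100prngd
# When run with an argument, as rc does, dispatch on it.
if [ $# -gt 0 ]; then
    prngd_rc "$1"
    exit $?
fi
```

A socket file at /var/run/egd-pool is not evidence that the daemon is up: the listing in step 3 of the question shows the socket present before prngd was started, so check for the prngd process itself before calling openssl.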