Enhanced Random Number Generator Seeding
In previous releases, the system random number generator was seeded on all platforms from entropy sources that were available directly to the kernel after boot, which provided an acceptably high level of entropy. Industry best practices (for example, Common Criteria) have evolved to generally recommend that, when available, systems running on Intel architectures take advantage of Intel's Digital Random Number Generator (DRNG) instructions to draw additional entropy from the processor at boot time.
As of LoadMaster firmware version 7.2.52 (and LTS version 18.104.22.168), the LoadMaster attempts to use the RDSEED and RDRAND processor instructions of the Intel DRNG architecture to provide additional entropy for seeding the random number generator. This behavior is disabled by default; to enable it:
1. In the LoadMaster User Interface (UI), navigate to Certificates & Security > Remote Access.
2. Set the Self-Signed Certificate Handling option to EC certs with an EC signature.
3. Reboot the LoadMaster (System Configuration > System Administration > System Reboot > Reboot).
On the next boot, the LoadMaster attempts to use RDSEED as an entropy source and, if that fails, RDRAND. If successful, the message sslproxy: Initial Random Vector appears in the system log.
All current LoadMaster hardware supports either RDSEED or RDRAND, as do many legacy hardware platforms. Whether this option can be used for a Virtual, Cloud, or Bare Metal LoadMaster deployment depends entirely on the processor of the underlying hardware platform; for virtual and cloud deployments, that is the host on which the hypervisor is running.
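The following C program is an added illustration of the seeding order described above (RDSEED first, RDRAND if that fails) together with the CPUID check that tells you in advance whether a given host exposes either instruction; it is not LoadMaster code. It assumes GCC or Clang on x86-64 and uses the compiler's DRNG intrinsics; on any other platform it reports that no DRNG source is available, which is the condition under which the LoadMaster refuses to start CC mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum drng_source { DRNG_NONE = 0, DRNG_RDRAND = 1, DRNG_RDSEED = 2 };
#if defined(__x86_64__) && defined(__GNUC__)
#include <cpuid.h>
#include <immintrin.h>
/* CPUID.1:ECX bit 30 advertises RDRAND; CPUID.(7,0):EBX bit 18 advertises RDSEED. */
int has_rdrand(void) { unsigned a, b, c, d; return __get_cpuid(1, &a, &b, &c, &d) && (c & (1u << 30)); }
int has_rdseed(void) { unsigned a, b, c, d; return __get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 18)); }
/* RDSEED reports failure (CF=0) when its entropy conditioner is drained, so retry a bounded number of times. */
__attribute__((target("rdseed")))
static int rdseed_u64(uint64_t *out) {
    unsigned long long v;
    for (int i = 0; i < 100; i++) if (_rdseed64_step(&v)) { *out = v; return 1; }
    return 0;
}
/* RDRAND failure is rare; Intel's guidance is to retry up to 10 times. */
__attribute__((target("rdrnd")))
static int rdrand_u64(uint64_t *out) {
    unsigned long long v;
    for (int i = 0; i < 10; i++) if (_rdrand64_step(&v)) { *out = v; return 1; }
    return 0;
}
#else
/* Not x86-64 (or not GCC/Clang): report no DRNG so the caller refuses instead of using a weak seed. */
int has_rdrand(void) { return 0; }
int has_rdseed(void) { return 0; }
static int rdseed_u64(uint64_t *out) { (void)out; return 0; }
static int rdrand_u64(uint64_t *out) { (void)out; return 0; }
#endif
/* Fill buf from one instruction, 8 bytes at a time; any failure aborts so the caller can fall back. */
static int fill_with(int (*step)(uint64_t *), uint8_t *buf, size_t len) {
    for (size_t off = 0; off < len; off += 8) {
        uint64_t w;
        if (!step(&w)) return 0;
        size_t n = (len - off < 8) ? len - off : 8;
        memcpy(buf + off, &w, n);
    }
    return 1;
}
/* Seeding order from the text: RDSEED first, RDRAND if that fails. Returns DRNG_NONE and
 * zeroes buf when neither works, the case in which the LoadMaster refuses to start CC mode. */
enum drng_source drng_seed(uint8_t *buf, size_t len) {
    if (has_rdseed() && fill_with(rdseed_u64, buf, len)) return DRNG_RDSEED;
    if (has_rdrand() && fill_with(rdrand_u64, buf, len)) return DRNG_RDRAND;
    memset(buf, 0, len);
    return DRNG_NONE;
}
```

Running has_rdseed() and has_rdrand() inside a guest before enabling the option shows whether the hypervisor passes the instructions through; a result of DRNG_NONE is the situation that leaves the LoadMaster in the disabled state described below.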
If the processor does not support RDSEED/RDRAND, then the LoadMaster becomes unavailable due to the lack of an "approved" entropy source. The following occurs:
- The UI displays only this message (no functionality): Could not start CC mode - system disabled.
- A CRITICAL log message is created in the messages file: Cannot initialize RNG, CC mode disabled.
- An authlog message is created: Failed to start RNG, CC mode not started.
To get out of this mode, you must log into the system console, navigate to the Local Administration > Web Address screen, and select Confirm switch out of CC mode. Once the system restarts, you will be able to access the system as usual, but it will not be operating in Common Criteria mode - the kernel will generate entropy after boot as in previous releases. This is evidenced by the following authlog message:
User disabled CC mode.