In previous releases, seeding the system random number generator was performed on all platforms using entropy sources that were available directly to the kernel after boot, providing an acceptably high level of entropy. Best practices in the industry (e.g., Common Criteria) have evolved to generally recommend that, when available, systems running on Intel architectures take advantage of Intel's Digital Random Number Generator (DRNG) to provide additional entropy from the processor at boot time.

LoadMaster has been enhanced to attempt to use the Intel DRNG architecture's RDSEED and RDRAND processor instructions to provide additional entropy for seeding the random number generator. This behavior is disabled by default; to enable:

  1. In the UI, navigate to Certificates & Security > Remote Access.
  2. Set the Self-Signed Certificate Handling option to EC certs with an EC signature.
  3. Reboot LoadMaster.

On the next boot, LoadMaster will attempt to use RDSEED as an entropy source and, if that fails, RDRAND. If successful, the message "sslproxy: Initial Random Vector" appears in the system log.

All current LoadMaster hardware supports either RDSEED or RDRAND, as do many legacy hardware platforms. Whether or not this option can be used for a Virtual, Cloud, or Bare Metal LoadMaster deployment depends entirely on the processor of the hardware platform on which the hypervisor is running.
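Before enabling the option on a Virtual, Cloud, or Bare Metal deployment, it helps to confirm what the guest's CPU actually exposes, since a hypervisor can mask these instructions even when the underlying hardware supports them. The following added example (not Kemp's code) reads text in /proc/cpuinfo format and applies the documented order of preference, RDSEED first and RDRAND as the fallback; the sample cpuinfo text is constructed, and the function name drng_source_from_cpuinfo is an assumption.

```shell
#!/bin/sh
# Added example, not LoadMaster code: report which DRNG instruction a
# LoadMaster would be able to use on this CPU, in the documented order:
# RDSEED first, RDRAND as the fallback, otherwise no approved source.
# Input is text in /proc/cpuinfo format; the first "flags" line is inspected.

# Constructed sample in /proc/cpuinfo format (model name is a placeholder).
# This CPU advertises rdrand but not rdseed.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
model name	: Placeholder CPU
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2 ht syscall nx rdrand'

# drng_source_from_cpuinfo <cpuinfo-text>
# Prints "rdseed", "rdrand" or "none". Flags are compared as whole words,
# so a flag such as "rdrand_x" would not be mistaken for "rdrand".
drng_source_from_cpuinfo() {
    flags=$(printf '%s\n' "$1" | awk -F: '/^flags/ { print $2; exit }')
    for want in rdseed rdrand; do
        for f in $flags; do
            if [ "$f" = "$want" ]; then
                echo "$want"
                return 0
            fi
        done
    done
    echo none
    return 0
}

# Usage: the constructed sample, then the live system if /proc/cpuinfo exists.
echo "sample cpuinfo -> $(drng_source_from_cpuinfo "$SAMPLE_CPUINFO")"
if [ -r /proc/cpuinfo ]; then
    echo "this host      -> $(drng_source_from_cpuinfo "$(cat /proc/cpuinfo)")"
fi
```

Run the script inside the guest that will become the LoadMaster, not on the hypervisor host: the flags the guest sees are the ones the instruction test at boot will rely on. A result of "none" means enabling the option would leave the unit in the disabled state described below.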

If the processor does not support RDSEED/RDRAND, then LoadMaster becomes unavailable due to the lack of an "approved" entropy source. The following occurs:

  • The UI displays only this message (no functionality):

    Could not start CC mode - system disabled.
  • A CRITICAL log message is created in the messages file:

    Cannot initialize RNG, CC mode disabled.
  • An authlog message is also created:

    Failed to start RNG, CC mode not started.

To get out of this mode, log in to the system console, navigate to the Local Administration > Web Address screen, and select Confirm switch out of CC mode. Once the system restarts, you can access the system as usual, but it will not be operating in Common Criteria mode; the kernel will generate entropy after boot as in previous releases. This is confirmed by the following authlog message:

User disabled CC mode.
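For monitoring, the messages listed above, together with the "Initial Random Vector" message logged on a successful boot, are enough to tell which state a LoadMaster is in. The following added example (not Kemp's code) scans log text line by line and reports the most recent state it finds, so that a CRITICAL RNG failure or a manual switch out of CC mode can be alerted on; the syslog-style prefixes on the sample lines are constructed, and the function name cc_rng_state and the state labels are assumptions.

```shell
#!/bin/sh
# Added example, not LoadMaster code: derive the CC-mode RNG state from the
# log messages documented in the release notes. The messages file and the
# authlog can be concatenated and fed in together; the last matching line wins.

# Constructed sample lines. The message bodies are the documented ones;
# the timestamps, host and process names are made up for the example.
SAMPLE_LOG_OK='Jan 10 09:12:01 lm sslproxy: Initial Random Vector'
SAMPLE_LOG_FAIL='Jan 10 09:12:01 lm sslproxy: CRITICAL Cannot initialize RNG, CC mode disabled.
Jan 10 09:12:02 lm login: Failed to start RNG, CC mode not started.'
SAMPLE_LOG_USER='Jan 10 09:30:44 lm webui: User disabled CC mode.'

# cc_rng_state <log-text>
# Prints one of: rng-ok, rng-failed, user-disabled, unknown.
cc_rng_state() {
    printf '%s\n' "$1" | awk '
        /sslproxy: Initial Random Vector/          { state = "rng-ok" }
        /Cannot initialize RNG, CC mode disabled/  { state = "rng-failed" }
        /Failed to start RNG, CC mode not started/ { state = "rng-failed" }
        /User disabled CC mode/                    { state = "user-disabled" }
        END { print (state == "" ? "unknown" : state) }'
}

# cc_rng_needs_attention <log-text>
# Returns 0 (true) when CC mode is not active: the RNG failed to start, or an
# operator switched the unit out of CC mode. Suitable as a check in a cron job.
cc_rng_needs_attention() {
    case "$(cc_rng_state "$1")" in
        rng-failed|user-disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage over the constructed samples.
echo "ok boot      -> $(cc_rng_state "$SAMPLE_LOG_OK")"
echo "failed boot  -> $(cc_rng_state "$SAMPLE_LOG_FAIL")"
echo "after switch -> $(cc_rng_state "$(printf '%s\n%s' "$SAMPLE_LOG_FAIL" "$SAMPLE_LOG_USER")")"
```

Because the last matching line determines the result, a unit that failed RNG initialization and was then switched out of CC mode reports "user-disabled" rather than "rng-failed", which is the state an operator actually needs to act on.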