System Administration Guide: Devices and File Systems

Configuring Authentication in Your iSCSI-Based Storage Network

Setting up authentication for your iSCSI devices is optional.

In a secure environment, authentication is not required because only trusted initiators can access the targets.

In a less secure environment, the target cannot determine if a connection request is truly from a given host. In that case, the target can authenticate an initiator by using the Challenge-Handshake Authentication Protocol (CHAP).

CHAP authentication uses the notion of a challenge and response, which means that the target challenges the initiator to prove its identity. For the challenge/response method to work, the target must know the initiator's secret key, and the initiator must be set up to respond to a challenge. Refer to the array vendor's documentation for instructions on setting up the secret key on the array.

iSCSI supports unidirectional and bidirectional authentication:

  • Unidirectional authentication – The target validates the initiator. This is the default method.

  • Bidirectional authentication – In addition to the target validating the initiator, the initiator authenticates the target.
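
The exchange that these settings configure, as an added illustration that is not code from this guide or from Solaris: iSCSI negotiates RFC 1994 MD5-CHAP, so the responding side answers a challenge with MD5(CHAP_I || secret || CHAP_C), and the authenticating side looks the responder's secret up by its CHAP name (the user name, as step 5 of the initiator procedure notes). The peer names and secrets below are constructed; the model runs the unidirectional exchange and, optionally, the second leg of bidirectional CHAP, and enforces the 12 to 16 character secret length this guide requires.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed names and secrets; a real target holds what "iscsitadm modify initiator -H/-C" set,
# a real initiator what "iscsiadm modify initiator-node --CHAP-name/--CHAP-secret" set.
# iSCSI negotiates CHAP_A=5 (RFC 1994 MD5-CHAP): CHAP_R = MD5(CHAP_I || secret || CHAP_C).

def check_secret(secret: bytes) -> bytes:
    """Enforce the 12 to 16 character secret length this guide requires."""
    if not 12 <= len(secret) <= 16:
        raise ValueError("CHAP secret must be 12 to 16 characters")
    return secret

def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """RFC 1994 response: MD5 over the one-byte identifier, the secret and the challenge."""
    return hashlib.md5(bytes([chap_i]) + check_secret(secret) + chap_c).digest()

class ChapPeer:
    """One side of the login: its own CHAP name and secret, plus the secrets it holds for the
    peers it authenticates (on the target, the initiator objects created in steps 4 to 6)."""
    def __init__(self, name: str, secret: bytes, known_peers: dict[str, bytes]):
        self.name, self.secret, self.known_peers = name, check_secret(secret), known_peers
        self.chap_i = 0

    def challenge(self) -> tuple[int, bytes]:
        """Authenticator side: a fresh identifier and a random challenge, never reused."""
        self.chap_i = (self.chap_i + 1) & 0xFF
        return self.chap_i, os.urandom(16)

    def respond(self, chap_i: int, chap_c: bytes) -> tuple[str, bytes]:
        """Responder side: send CHAP_N (our CHAP name) and CHAP_R."""
        return self.name, chap_response(chap_i, self.secret, chap_c)

    def verify(self, chap_i: int, chap_c: bytes, chap_n: str, chap_r: bytes) -> bool:
        """Authenticator side: look the secret up by CHAP_N, recompute, compare in constant time."""
        secret = self.known_peers.get(chap_n)
        if secret is None:
            return False  # unknown CHAP name: nothing to check against, so reject
        return hmac.compare_digest(chap_response(chap_i, secret, chap_c), chap_r)

def login(initiator: ChapPeer, target: ChapPeer, bidirectional: bool) -> tuple[bool, bool | None]:
    """Unidirectional: only the target validates the initiator. Bidirectional adds the reverse leg."""
    chap_i, chap_c = target.challenge()
    initiator_ok = target.verify(chap_i, chap_c, *initiator.respond(chap_i, chap_c))
    if not bidirectional:
        return initiator_ok, None
    chap_i, chap_c = initiator.challenge()
    return initiator_ok, initiator.verify(chap_i, chap_c, *target.respond(chap_i, chap_c))
```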

Procedure: How to Configure CHAP Authentication for Your iSCSI Initiator

This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.

  1. Become superuser.

  2. Determine whether you want to configure unidirectional or bidirectional CHAP.

    • Unidirectional authentication, the default method, enables the target to validate the initiator. Complete steps 3–5 only.

    • Bidirectional authentication adds a second level of security by enabling the initiator to authenticate the target. Complete steps 3–9.

  3. Unidirectional CHAP – Set the secret key on the initiator.

    For example, the following command initiates a dialogue to define the CHAP secret key:

    initiator# iscsiadm modify initiator-node --CHAP-secret

    Note – The CHAP secret length must be a minimum of 12 characters and a maximum of 16 characters.

  4. (Optional) Unidirectional CHAP – Set the CHAP name on the initiator.

    By default, the initiator's CHAP name is set to the initiator node name.

    You can use the following command to change the initiator's CHAP name:

    initiator# iscsiadm modify initiator-node --CHAP-name new-CHAP-name

    In the Solaris environment, the CHAP name defaults to the initiator node name; if you do not set one, it is set to the initiator node name when the initiator is initialized. The CHAP name can be any text shorter than 512 bytes; the 512-byte limit is a Solaris limitation.

  5. Unidirectional CHAP – Enable CHAP authentication on the initiator after the secret has been set.

    initiator# iscsiadm modify initiator-node --authentication CHAP

    CHAP requires that the initiator node have both a user name (the CHAP name) and a password (the CHAP secret). The target typically uses the user name to look up the secret for that initiator.

  6. Select one of the following to enable or disable Bidirectional CHAP.

    • Bidirectional CHAP – Enable bidirectional authentication parameters on the target.

      For example:

      initiator# iscsiadm modify target-param -B enable eui.5000ABCD78945E2B

    • Disable bidirectional CHAP. For example:

      initiator# iscsiadm modify target-param -B disable eui.5000ABCD78945E2B

  7. Bidirectional CHAP – Set the authentication method to CHAP on the target.

    For example:

    initiator# iscsiadm modify target-param --authentication CHAP eui.5000ABCD78945E2B

  8. Bidirectional CHAP – Set the target device secret key on the target.

    For example, the following command initiates a dialogue to define the CHAP secret key:

    initiator# iscsiadm modify target-param --CHAP-secret eui.5000ABCD78945E2B

  9. Bidirectional CHAP – Set the CHAP name on the target.

    By default, the target's CHAP name is set to the target name.

    You can use the following command to change the target's CHAP name (the target name is the final argument, as in the preceding steps):

    initiator# iscsiadm modify target-param --CHAP-name target-CHAP-name eui.5000ABCD78945E2B


Procedure: How to Configure CHAP Authentication for Your iSCSI Target

This procedure assumes that you are logged in to the local system that contains the iSCSI targets.

  1. Become superuser.

  2. Set the CHAP name for the target.

    A convention is to use the host name as the CHAP name. For example:

    target# iscsitadm modify admin -H stormpike

  3. Specify the CHAP secret.

    The CHAP secret must be between 12 and 16 characters. For example:

    target# iscsitadm modify admin -C
    Enter secret: xxxxxx
    Re-enter secret: xxxxxx

  4. Create an initiator object that will be associated with one or more targets.

    This step is done so that you can associate a friendly name (normally the host name, in this case monster620) with the IQN value, instead of typing the IQN every time. For example:

    target# iscsitadm create initiator -n iqn.1986-03.com.sun:01:00e081553307.4399f40e monster620

  5. Provide the same CHAP name that was used on the initiator.

    This name can be different from the friendly name that was used for the initiator object. For example:

    target# iscsitadm modify initiator -H monster620 monster620

  6. Use the same CHAP secret that was used on the initiator.

    For example:

    target# iscsitadm modify initiator -C monster620
    Enter secret: xxxxxx
    Re-enter secret: xxxxxx

  7. Associate the initiator object with one or more targets.

    For example:

    target# iscsitadm modify target -l monster620 sandbox