System Administration Guide: Devices and File Systems Oracle Solaris 10 1/13 Information Library |
12. Configuring Oracle Solaris iSCSI Targets (Tasks)
Configuring Authentication in Your iSCSI-Based Storage Network
Setting up authentication for your iSCSI devices is optional.
In a secure environment, authentication is not required because only trusted initiators can access the targets. This assumes that the storage network itself is isolated: CHAP authenticates the initiator, but it does not encrypt the iSCSI session or the data that crosses the network.
In a less secure environment, the target cannot determine whether a connection request is truly from a given host. In that case, the target can authenticate an initiator by using the Challenge-Handshake Authentication Protocol (CHAP).
CHAP authentication uses the notion of a challenge and response: the target sends the initiator a challenge, and the initiator proves its identity by answering with a value that can only be computed from the challenge and the shared secret. The secret itself is never sent over the network. For the challenge/response method to work, the target must know the initiator's secret key, and the initiator must be set up to respond to a challenge. Refer to the array vendor's documentation for instructions on setting up the secret key on the array.
iSCSI supports unidirectional and bidirectional authentication:
Unidirectional authentication enables the target to authenticate the identity of the initiator. The initiator does not verify that it is talking to the intended target.
Bidirectional authentication adds a second level of security by enabling the initiator to authenticate the identity of the target. Use a different secret for each direction: if the target's secret is the same as the initiator's, a rogue target can pass the initiator's challenge by reflecting that challenge back to the initiator in another session and replaying the initiator's answer.
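The exchange described above, worked through in code. This is an added example and not code from the Solaris documentation or the Solaris iSCSI stack: it implements CHAP as iSCSI uses it (RFC 1994 with MD5) for both directions, and shows why the two directions must not share a secret. The initiator and target names, the secrets and the in-memory secret tables are constructed for illustration.

```python
"""CHAP as iSCSI uses it (RFC 1994 with MD5, CHAP_A=5): the verifier sends a
one-byte identifier and a random challenge; the prover answers with
MD5(identifier || secret || challenge). The secret never crosses the wire.
Added example, not code from the Solaris documentation. The names, secrets
and secret tables below are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed secret tables. The target looks the initiator's secret up by
# CHAP name (on Solaris the default CHAP name is the initiator node name).
TARGET_SECRET_TABLE = {"iqn.1986-03.com.sun:01:00e081553307.4399f40e": b"initsecret12345"}
INITIATOR_SECRET_TABLE = {"eui.5000ABCD78945E2B": b"tgtsecret678901"}   # bidirectional only


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Verifier:
    """The side that issues a challenge and checks the peer's answer."""

    def __init__(self, secret_table):
        self.secret_table = secret_table
        self.pending = {}                  # identifier -> outstanding challenge

    def challenge(self):
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, peer_name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)   # a challenge is usable once
        secret = self.secret_table.get(peer_name)
        if chal is None or secret is None:
            return False
        # Constant-time comparison so timing does not leak matching prefix bytes.
        return hmac.compare_digest(response, chap_response(ident, secret, chal))


def login(initiator_name, initiator_secret, target_name=None, target_secret=None,
          target_table=TARGET_SECRET_TABLE, initiator_table=INITIATOR_SECRET_TABLE):
    """One iSCSI login. Returns (initiator_ok, target_ok); target_ok is None when
    unidirectional, i.e. the initiator never verifies who the target is."""
    target = Verifier(target_table)
    ident, chal = target.challenge()                            # target -> initiator: CHAP_I, CHAP_C
    resp = chap_response(ident, initiator_secret, chal)         # initiator -> target: CHAP_N, CHAP_R
    initiator_ok = target.verify(ident, initiator_name, resp)
    if target_name is None:
        return initiator_ok, None
    initiator = Verifier(initiator_table)
    ident2, chal2 = initiator.challenge()                       # initiator -> target: CHAP_I, CHAP_C
    resp2 = chap_response(ident2, target_secret, chal2)         # target -> initiator: CHAP_N, CHAP_R
    return initiator_ok, initiator.verify(ident2, target_name, resp2)


def reflection_attack(initiator_secret, initiator_table, target_name):
    """A rogue target that does not know the target secret. When the initiator
    challenges it, it opens a second session posing as a target and sends the
    initiator's own challenge back; the initiator's answer is a valid target
    response exactly when both directions share one secret."""
    initiator = Verifier(initiator_table)
    ident, chal = initiator.challenge()                          # initiator challenges the rogue
    reflected = chap_response(ident, initiator_secret, chal)     # initiator answers the reflected challenge
    return initiator.verify(ident, target_name, reflected)       # rogue replays it as its own answer
```

Because only the challenge and the MD5 response cross the wire, anyone who can sniff the storage network can run an offline dictionary attack against the 12 to 16 character secret; that is why the Solaris limits should be treated as a floor and the secret generated randomly rather than chosen as a word.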
How to Configure CHAP Authentication for Your iSCSI Initiator
This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.
1. Become superuser. The commands below are shown at the root prompt (initiator#).
2. Determine whether you want to configure unidirectional or bidirectional CHAP.
Unidirectional authentication, the default method, enables the target to validate the initiator. Complete steps 3–5 only.
Bidirectional authentication adds a second level of security by enabling the initiator to authenticate the target. Complete steps 3–9.
3. Set the secret key on the initiator. For example, the following command initiates a dialogue to define the CHAP secret key:
initiator# iscsiadm modify initiator-node --CHAP-secret
Note - The CHAP secret length must be a minimum of 12 characters and a maximum of 16 characters. The same secret must be configured for this initiator on the target (see How to Configure CHAP Authentication for Your iSCSI Target).
4. (Optional) Set the initiator's CHAP name. In the Solaris environment, the initiator's CHAP name is set to the initiator node name by default; if you do not set it, it is set to the initiator node name upon initialization. The CHAP name can be any text shorter than 512 bytes; the 512-byte limit is a Solaris limitation. You can use the following command to change the initiator's CHAP name:
initiator# iscsiadm modify initiator-node --CHAP-name new-CHAP-name
5. Enable CHAP authentication on the initiator:
initiator# iscsiadm modify initiator-node --authentication CHAP
CHAP requires that the initiator node have both a user name (the CHAP name) and a password (the CHAP secret). The target uses the user name to look up the secret for that initiator.
6. Bidirectional CHAP – Enable bidirectional authentication parameters on the target. For example:
initiator# iscsiadm modify target-param -B enable eui.5000ABCD78945E2B
To disable bidirectional CHAP later, use the same command with disable. For example:
initiator# iscsiadm modify target-param -B disable eui.5000ABCD78945E2B
7. Bidirectional CHAP – Set the authentication method for the target to CHAP. For example:
initiator# iscsiadm modify target-param --authentication CHAP eui.5000ABCD78945E2B
8. Bidirectional CHAP – Set the target device secret key, that is, the secret the initiator expects the target to prove it knows. This must be the target's own CHAP secret as configured on the target. For example, the following command initiates a dialogue to define the CHAP secret key:
initiator# iscsiadm modify target-param --CHAP-secret eui.5000ABCD78945E2B
9. (Optional) Bidirectional CHAP – Set the target's CHAP name. By default, the target's CHAP name is set to the target name. You can use the following command to change the target's CHAP name:
initiator# iscsiadm modify target-param --CHAP-name target-CHAP-name eui.5000ABCD78945E2B
How to Configure CHAP Authentication for Your iSCSI Target
This procedure assumes that you are logged in to the local system that contains the iSCSI targets.
1. Become superuser. The commands below are shown at the root prompt (target#).
2. Set the target's CHAP name. This is the name the target presents when it authenticates itself to an initiator (bidirectional CHAP). A convention is to use the host name for the CHAP name. For example:
target# iscsitadm modify admin -H stormpike
3. Set the target's CHAP secret. The CHAP secret must be between 12 and 16 characters, and must match the secret configured on the initiator with iscsiadm modify target-param --CHAP-secret. For example:
target# iscsitadm modify admin -C
Enter secret: xxxxxx
Re-enter secret: xxxxxx
4. Create an initiator object. This step is done so that you can associate a friendly name (normally the host name, in this case monster620) with the IQN value, instead of typing it in every time. For example:
target# iscsitadm create initiator -n iqn.1986-03.com.sun:01:00e081553307.4399f40e monster620
5. Set the initiator's CHAP name. This must match the CHAP name the initiator uses (by default its initiator node name). The name can be different from the friendly name that was used for the initiator object. For example:
target# iscsitadm modify initiator -H monster620 monster620
6. Set the initiator's CHAP secret. This must match the secret configured on the initiator with iscsiadm modify initiator-node --CHAP-secret. For example:
target# iscsitadm modify initiator -C monster620
Enter secret: xxxxxx
Re-enter secret: xxxxxx
7. Add the initiator to the target's access control list so that only listed initiators can log in to the target. For example, to allow monster620 to access the target named sandbox:
target# iscsitadm modify target -l monster620 sandbox
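The two procedures above set four values that must agree across two machines: the initiator's CHAP name and secret (iscsiadm initiator-node on the initiator, iscsitadm initiator -H/-C on the target) and, for bidirectional CHAP, the target's CHAP name and secret (iscsitadm admin -H/-C on the target, iscsiadm target-param on the initiator). The following planner, an added example that is not part of the Solaris documentation or tools, checks the Solaris length limits and the cross-machine pairing before you type anything, and emits the command sequence for each side together with which secret belongs at which prompt. It assumes the command syntax shown in the procedures; the IQN, EUI, host names and secrets are constructed.

```python
"""Plan and cross-check a CHAP configuration for a Solaris initiator
(iscsiadm) and target (iscsitadm) before typing it in on either machine.
Added example, not code from the Solaris documentation. It assumes the
command syntax shown in the procedures above; the names, IQN/EUI values and
secrets are constructed. The two pairs that must agree across machines:
  initiator-node --CHAP-name / --CHAP-secret  <->  iscsitadm modify initiator -H / -C
  target-param --CHAP-name / --CHAP-secret    <->  iscsitadm modify admin -H / -C
"""
from dataclasses import dataclass
from typing import Optional

SECRET_MIN, SECRET_MAX = 12, 16   # Solaris CHAP secret length limits
CHAP_NAME_MAX_BYTES = 511         # Solaris: CHAP name must be shorter than 512 bytes


@dataclass
class ChapIdentity:
    chap_name: str   # the "user name" the peer uses to look the secret up
    secret: str      # typed at the "Enter secret:" prompt, never on argv


def validate(identity: ChapIdentity, label: str) -> list:
    problems = []
    if not SECRET_MIN <= len(identity.secret) <= SECRET_MAX:
        problems.append(f"{label}: secret is {len(identity.secret)} chars, "
                        f"must be {SECRET_MIN}-{SECRET_MAX}")
    if len(identity.chap_name.encode()) > CHAP_NAME_MAX_BYTES:
        problems.append(f"{label}: CHAP name exceeds {CHAP_NAME_MAX_BYTES} bytes")
    return problems


def plan(initiator_iqn: str, initiator: ChapIdentity, target_eui: str,
         target_local_name: str, target: Optional[ChapIdentity] = None,
         friendly: str = "monster620"):
    """Return (problems, initiator_cmds, target_cmds, prompts). Passing a target
    identity selects bidirectional CHAP. prompts maps each command that asks for
    a secret to the secret that must be typed there."""
    problems = validate(initiator, "initiator")
    prompts = {}
    bidirectional = target is not None
    if bidirectional:
        problems += validate(target, "target")
        if target.secret == initiator.secret:
            problems.append("bidirectional: target secret must differ from the "
                            "initiator secret, or a rogue target can reflect challenges")

    # Initiator side (steps 3-5 of the initiator procedure).
    initiator_cmds = [
        "iscsiadm modify initiator-node --CHAP-secret",
        f"iscsiadm modify initiator-node --CHAP-name {initiator.chap_name}",
        "iscsiadm modify initiator-node --authentication CHAP",
    ]
    prompts[initiator_cmds[0]] = initiator.secret
    # Target side: initiator object, its CHAP name and secret, and the ACL entry.
    target_cmds = [
        f"iscsitadm create initiator -n {initiator_iqn} {friendly}",
        f"iscsitadm modify initiator -H {initiator.chap_name} {friendly}",
        f"iscsitadm modify initiator -C {friendly}",
        f"iscsitadm modify target -l {friendly} {target_local_name}",
    ]
    prompts[target_cmds[2]] = initiator.secret      # same secret as on the initiator

    if bidirectional:
        # Steps 6-9: the initiator must know the target's own CHAP name and secret.
        initiator_cmds += [
            f"iscsiadm modify target-param -B enable {target_eui}",
            f"iscsiadm modify target-param --authentication CHAP {target_eui}",
            f"iscsiadm modify target-param --CHAP-secret {target_eui}",
            f"iscsiadm modify target-param --CHAP-name {target.chap_name} {target_eui}",
        ]
        prompts[initiator_cmds[-2]] = target.secret
        # The target's own identity is only presented when it authenticates itself.
        target_cmds = [f"iscsitadm modify admin -H {target.chap_name}",
                       "iscsitadm modify admin -C"] + target_cmds
        prompts[target_cmds[1]] = target.secret
    return problems, initiator_cmds, target_cmds, prompts
```

Run plan() once with the values you intend to use; if problems is empty, type initiator_cmds on the initiator and target_cmds on the target in order, answering each "Enter secret:" prompt from the prompts table.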
Using a Third-Party RADIUS Server to Simplify CHAP Management in Your iSCSI Configuration
You can use a third-party RADIUS server to simplify CHAP secret management. A RADIUS server is a centralized authentication service. While you must still specify the initiator's CHAP secret, you are no longer required to specify each target's CHAP secret on each initiator when using bidirectional authentication with a RADIUS server.
For more information, see How to Configure RADIUS for Your iSCSI Configuration.
How to Configure RADIUS for Your iSCSI Configuration
This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.
1. Become superuser. The commands below are shown at the root prompt (initiator#).
2. Configure the initiator node with the IP address and port of the RADIUS server. The standard RADIUS authentication port is 1812. For example:
initiator# iscsiadm modify initiator-node --radius-server 10.0.0.72:1812
3. Configure the initiator node with the RADIUS server's shared secret. The following command initiates a dialogue to enter the shared secret:
initiator# iscsiadm modify initiator-node --radius-shared-secret
Note - The Solaris iSCSI implementation requires that the RADIUS server is configured with a shared secret before the Solaris iSCSI software can interact with the RADIUS server. The shared secret entered here must match the one the RADIUS server holds for this client; a mismatch produces the "RADIUS packet authentication failed" warning described under the RADIUS error messages.
4. Enable the use of the RADIUS server:
initiator# iscsiadm modify initiator-node --radius-access enable
5. Configure the remaining CHAP parameters as described in How to Configure CHAP Authentication for Your iSCSI Initiator.
This section describes the error messages that are related to a Solaris iSCSI and RADIUS server configuration, along with potential solutions for recovery.
empty RADIUS shared secret
Cause: The RADIUS server is enabled on the initiator, but the RADIUS shared secret is not set.
Solution: Configure the initiator with the RADIUS shared secret. For more information, see How to Configure RADIUS for Your iSCSI Configuration.
WARNING: RADIUS packet authentication failed
Cause: The initiator failed to authenticate the RADIUS data packet. This error can occur if the shared secret configured on the initiator node is different from the shared secret on the RADIUS server.
Solution: Reconfigure the initiator with the correct RADIUS shared secret. For more information, see How to Configure RADIUS for Your iSCSI Configuration.