Managing SAN Devices and Multipathing in Oracle® Solaris 11.2

Exit Print View

Updated: December 2014

How to Configure CHAP Authentication for Your iSCSI Initiator

This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.

  • The length of the CHAP secret key for the COMSTAR iSCSI target must be a minimum of 12 characters and a maximum of 255 characters. Some initiators support only a shorter maximum length for the secret key.

  • Each node identifying itself using CHAP must have both a user name and a password. In the Oracle Solaris OS, the CHAP user name is set to the initiator or target node name (that is, the iqn name) by default. The CHAP user name can be set to any length of text that is less than 512 bytes. The 512-byte length limit is an Oracle Solaris limitation. However, if you do not set the CHAP user name, it is set to the node name upon initialization.

You can simplify CHAP secret key management by using a third-party RADIUS server, which acts as a centralized authentication service. When you use RADIUS, the RADIUS server stores the set of node names and matching CHAP secret keys. The system performing the authentication forwards the node name of the requester and the supplied secret of the requester to the RADIUS server. The RADIUS server confirms whether the secret key is the appropriate key to authenticate the given node name. Both iSCSI and iSER support the use of a RADIUS server.

For more information about using a third-party RADIUS server, see Using a Third-Party RADIUS Server to Simplify CHAP Management in Your iSCSI Configuration.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  2. Determine whether you want to configure unidirectional or bidirectional CHAP.
    • Unidirectional authentication, the default method, enables the target to validate the initiator. Complete steps 3–5 only.

    • Bidirectional authentication adds a second level of security by enabling the initiator to authenticate the target. Complete steps 3–9.

  3. Unidirectional CHAP: Set the secret key on the initiator.

    The following command initiates a dialogue to define the CHAP secret key:

    initiator# iscsiadm modify initiator-node --CHAP-secret
    Enter CHAP secret: ************
    Re-enter secret: ************
  4. (Optional) Unidirectional CHAP: Set the CHAP user name on the initiator.

    By default, the initiator's CHAP user name is set to the initiator node name.

    Use the following command to use your own initiator CHAP user name:

    initiator# iscsiadm modify initiator-node --CHAP-name new-CHAP-name
  5. Unidirectional CHAP – Enable CHAP authentication on the initiator.
    initiator# iscsiadm modify initiator-node --authentication CHAP

    CHAP requires that the initiator node have both a user name and a password. The user name is typically used by the target to look up the secret key for the given user name.

  6. Select one of the following to enable or disable bidirectional CHAP.
    • Enable bidirectional CHAP for connections with the target.

      initiator# iscsiadm modify target-param -B enable target-iqn
    • Disable bidirectional CHAP.

      initiator# iscsiadm modify target-param -B disable target-iqn
  7. Bidirectional CHAP: Set the authentication method to CHAP for the target.
    initiator# iscsiadm modify target-param --authentication CHAP target-iqn
  8. Bidirectional CHAP: Set the target device secret key that identifies the target.

    The following command initiates a dialogue to define the CHAP secret key:

    initiator# iscsiadm modify target-param --CHAP-secret target-iqn
  9. Bidirectional CHAP: If the target uses an alternate CHAP user name, set the CHAP name that identifies the target.

    By default, the target's CHAP name is set to the target name.

    You can use the following command to change the target's CHAP name:

    initiator# iscsiadm modify target-param --CHAP-name target-CHAP-name