This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.
The length of the CHAP secret key for the COMSTAR iSCSI target must be a minimum of 12 characters and a maximum of 255 characters. Some initiators support only a shorter maximum length for the secret key.
Each node identifying itself using CHAP must have both a user name and a password. In the Oracle Solaris OS, the CHAP user name is set to the initiator or target node name (that is, the iqn name) by default. The CHAP user name can be set to any length of text that is less than 512 bytes. The 512-byte length limit is an Oracle Solaris limitation. However, if you do not set the CHAP user name, it is set to the node name upon initialization.
You can simplify CHAP secret key management by using a third-party RADIUS server, which acts as a centralized authentication service. When you use RADIUS, the RADIUS server stores the set of node names and matching CHAP secret keys. The system performing the authentication forwards the node name of the requester and the supplied secret of the requester to the RADIUS server. The RADIUS server confirms whether the secret key is the appropriate key to authenticate the given node name. Both iSCSI and iSER support the use of a RADIUS server.
For more information about using a third-party RADIUS server, see Using a Third-Party RADIUS Server to Simplify CHAP Management in Your iSCSI Configuration.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
Unidirectional authentication, the default method, enables the target to validate the initiator. Complete steps 3–5 only.
Bidirectional authentication adds a second level of security by enabling the initiator to authenticate the target. Complete steps 3–9.
The following command initiates a dialogue to define the CHAP secret key:
initiator# iscsiadm modify initiator-node --CHAP-secret Enter CHAP secret: ************ Re-enter secret: ************
By default, the initiator's CHAP user name is set to the initiator node name.
Use the following command to use your own initiator CHAP user name:
initiator# iscsiadm modify initiator-node --CHAP-name new-CHAP-name
initiator# iscsiadm modify initiator-node --authentication CHAP
CHAP requires that the initiator node have both a user name and a password. The user name is typically used by the target to look up the secret key for the given user name.
Enable bidirectional CHAP for connections with the target.
initiator# iscsiadm modify target-param -B enable target-iqn
Disable bidirectional CHAP.
initiator# iscsiadm modify target-param -B disable target-iqn
initiator# iscsiadm modify target-param --authentication CHAP target-iqn
The following command initiates a dialogue to define the CHAP secret key:
initiator# iscsiadm modify target-param --CHAP-secret target-iqn
By default, the target's CHAP name is set to the target name.
You can use the following command to change the target's CHAP name:
initiator# iscsiadm modify target-param --CHAP-name target-CHAP-name