| Skip Navigation Links | |
| Exit Print View | |
|
Oracle® ZFS Storage Appliance Security Guide |
Oracle ZFS Storage Appliance Security Overview
NFS Authentication and Encryption Options
Active Directory (AD) Domain Mode Authentication
Administrative Operations via the Microsoft Management Console (MMC)
Delay Engine for Timing Attacks
Hypertext Transfer Protocol (HTTP)
Network Data Management Protocol (NDMP)
SSH File Transfer Protocol (SFTP)
When you configure a LUN on the ZFSSA you can export that volume over an Internet Small Computer System Interface (iSCSI) target. The iSCSI service lets iSCSI initiators access targets using the iSCSI protocol.
This service supports discovery, management, and configuration using the iSNS protocol. The iSCSI service supports both unidirectional (target authenticates initiator) and bidirectional (target and initiator authenticate each other) authentication using CHAP. Additionally, the service supports CHAP authentication data management in a RADIUS database.
The system first performs authentication and then authorization, in two independent steps. If the local initiator has a CHAP name and a CHAP secret, the system performs authentication. If the local initiator does not have CHAP properties, the system does not perform any authentication and therefore all initiators are eligible for authorization.
The iSCSI service lets you specify a global list of initiators that you can use within the initiator groups. When using iSCSI and CHAP authentication, RADIUS can be used as the iSCSI protocol that defers all CHAP authentications to the selected RADIUS server.
Remote Authentication Dial-In User Service (RADIUS) is a system for using a centralized server to perform CHAP authentication on behalf of the storage nodes. When you use iSCSI and CHAP authentication, you can select RADIUS for the iSCSI protocol, which applies both iSCSI and the iSCSI Extensions for RDMA (iSER), and sends all CHAP authentications to the selected RADIUS server.
To allow the ZFSSA to perform CHAP authentication using RADIUS, the following information must match:
The ZFSSA must specify the address of the RADIUS server and a secret to use when communicating with this RADIUS server.
The RADIUS server (for example, in its clients file) must have an entry that gives the address of the ZFSSA and specifies the same secret as above.
The RADIUS server (for example, in its users file) must have an entry that supplies the CHAP name and matching CHAP secret for each initiator.
If the initiator uses its IQN name as its CHAP name (this is the recommended configuration) and the ZFSSA does not need a separate Initiator entry for each Initiator box, the RADIUS server can perform all of the authentication steps.
If the initiator uses a separate CHAP name, the ZFSSA must have an Initiator entry for the initiator that specifies the mapping from an IQN name to the CHAP name. This Initiator entry does NOT need to specify the CHAP secret for the initiator.
|