You can set up one-way CHAP authentication for Linux® hosts. After one-way authentication is configured and working for your host, you can optionally set up two-way authentication.
Before you begin
The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
One-way CHAP authentication (the system authenticates the host iSCSI initiator).
Two-way CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for one-way authentication and two-way authentication must be different.
Procedure
To set up authentication for a Linux host, follow these steps:
Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by using an appropriate editor.
Go to the CHAP settings paragraph.
The following example shows the output:
Figure 1. CHAP settings for a Linux host
#*************
#CHAP Settings
#*************
#To enable CHAP authentication set node.session.auth.authmethod
#to CHAP. The default is None.
#node.session.auth.authmethod = CHAP
#To set a CHAP username and password for initiator
#authentication by the target(s), uncomment the following lines:
#node.session.auth.username = username
#node.session.auth.password = password
node.session.auth.username = rhel_username
node.session.auth.password = xxxxxxxxxxxxx
#To set a CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#node.session.auth.username_in = username_in
#node.session.auth.password_in = password_in
node.session.auth.password_in = yyyyyyyyyyyyy
#To enable CHAP authentication for a discovery session to the target
#set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
#discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.authmethod = CHAP
#To set a discovery session CHAP username and password for the initiator
#authentication by the target(s), uncomment the following lines:
#discovery.sendtargets.auth.username = username
#discovery.sendtargets.auth.password = password
#To set a discovery session CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#discovery.sendtargets.auth.username_in = username_in
#discovery.sendtargets.auth.password_in = password_in
Set up authentication.
Set up one-way authentication:
Set a CHAP user name and password to your initiator name.
node.session.auth.authmethod = CHAP
node.session.auth.username = <initiator's user name>
node.session.auth.password = <CHAP secret for host>
Set a discovery session CHAP user name and password to your initiator name.
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = <initiator's user name>
discovery.sendtargets.auth.password = <CHAP secret for host>
Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the host, and the rhel_username is the IQN name of the initiator. This user name must be the same value that you set with the chhost command (iscsiusername field) for this host.
Set up two-way authentication.
Note: It is not mandatory to set up two-way authentication.
Before you configure two-way authentication, ensure that one-way authentication is configured and is working for your host.
Set password_in to the CHAP secret that you set up with the chsystem command on the system.
Set a CHAP user name and password for the target or targets.
node.session.auth.password_in = <CHAP secret for clustered system>
Set a discovery session CHAP user name and password for the target or targets.
discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
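A check for the settings that this procedure edits, as an added example that is not part of the original documentation: it reads iscsid.conf text and flags credentials that stay inactive because authmethod is still at its default of None, and one-way and two-way secrets that match, which the note under "Before you begin" forbids. The function names, the IQN and the secrets in SAMPLE are constructed for illustration.

```python
# Added example: lint the CHAP settings in iscsid.conf text (illustrative code).
CHAP_SCOPES = ("node.session.auth", "discovery.sendtargets.auth")

def parse_iscsid_conf(text):
    """Return active key/value settings; '#' comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def lint_chap(settings):
    """Return a list of findings for the session and discovery scopes."""
    findings = []
    for scope in CHAP_SCOPES:
        method = settings.get(scope + ".authmethod", "None")  # documented default
        user = settings.get(scope + ".username")
        secret = settings.get(scope + ".password")
        secret_in = settings.get(scope + ".password_in")
        if (user or secret or secret_in) and method != "CHAP":
            findings.append(f"{scope}: credentials set but authmethod is {method}")
        if method == "CHAP" and not (user and secret):
            findings.append(f"{scope}: authmethod is CHAP but username or password is missing")
        if secret_in and not secret:
            findings.append(f"{scope}: password_in set without one-way password")
        if secret_in and secret_in == secret:
            findings.append(f"{scope}: one-way and two-way secrets are identical")
    return findings

# Constructed sample input, modelled on the layout of Figure 1.
SAMPLE = """\
#node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1994-05.com.redhat:example-host
node.session.auth.password = constructed-secret-A
node.session.auth.password_in = constructed-secret-A
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1994-05.com.redhat:example-host
discovery.sendtargets.auth.password = constructed-secret-A
discovery.sendtargets.auth.password_in = constructed-secret-B
"""

if __name__ == "__main__":
    for finding in lint_chap(parse_iscsid_conf(SAMPLE)):
        print(finding)
```

Run it against the file's contents before you log out and rediscover the target, so that a commented-out authmethod line is caught before the session is re-established.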