You can set up one-way CHAP authentication for Linux® hosts. After one-way authentication is configured and working for your host, you can optionally set up two-way authentication.
Before you begin
The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
One-way CHAP authentication (the system authenticates the host iSCSI initiator).
Two-way CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for one-way authentication and two-way authentication must be different.
Procedure
To set up authentication for a Linux host, follow these steps:
Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by using an appropriate editor.
Go to the CHAP settings paragraph.
The following example shows the output:
Figure 1. CHAP settings for a Linux host
#*************
#CHAP Settings
#*************
#To enable CHAP authentication set node.session.auth.authmethod
#to CHAP. The default is None.
#node.session.auth.authmethod = CHAP
#To set a CHAP username and password for initiator
#authentication by the target(s), uncomment the following lines:
#node.session.auth.username = username
#node.session.auth.password = password
node.session.auth.username = rhel_username
node.session.auth.password = xxxxxxxxxxxxx
#To set a CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#node.session.auth.username_in = username_in
#node.session.auth.password_in = password_in
node.session.auth.password_in = yyyyyyyyyyyyy
#To enable CHAP authentication for a discovery session to the target
#set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
#discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.authmethod = CHAP
#To set a discovery session CHAP username and password for the initiator
#authentication by the target(s), uncomment the following lines:
#discovery.sendtargets.auth.username = username
#discovery.sendtargets.auth.password = password
#To set a discovery session CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#discovery.sendtargets.auth.username_in = username_in
#discovery.sendtargets.auth.password_in = password_in
Set up authentication.
Set up one-way authentication:
Set a CHAP user name and password to your initiator name.
node.session.auth.authmethod = CHAP
node.session.auth.username = <initiator's user name>
node.session.auth.password = <CHAP secret for host>
Set a discovery session CHAP user name and password to your initiator name.
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = <initiator's user name>
discovery.sendtargets.auth.password = <CHAP secret for host>
Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the host, and rhel_username is the IQN name of the initiator. This user name must be the same value that you set with the chhost command (iscsiusername field) for this host.
Set up two-way authentication.
Note: It is not mandatory to set up two-way authentication. Before you configure for two-way authentication, ensure that one-way authentication is configured and is working for your host.
Edit password_in so that it is the CHAP secret that you set up with the chsystem command on the system.
Set a CHAP user name and password for the target or targets.
node.session.auth.password_in = <CHAP secret for clustered system>
Set a discovery session CHAP user name and password for the target or targets.
discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
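An added example, not part of the original procedure: a small Python check that reads the active (uncommented) lines of iscsid.conf and reports CHAP settings that do not match the steps above, including the rule that the one-way and two-way secrets must differ. The function names and the sample text (the active lines of Figure 1) are constructed for illustration.

```python
# Constructed sample: the active lines of Figure 1 (placeholder secrets).
SAMPLE = """\
#node.session.auth.authmethod = CHAP
node.session.auth.username = rhel_username
node.session.auth.password = xxxxxxxxxxxxx
node.session.auth.password_in = yyyyyyyyyyyyy
discovery.sendtargets.auth.authmethod = CHAP
"""

# The two setting groups the procedure edits: normal sessions and discovery.
SCOPES = ("node.session.auth", "discovery.sendtargets.auth")

def parse_iscsid(text):
    """Return the active key = value settings; commented lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()  # a later line overrides
    return settings

def audit_chap(text):
    """Return a list of findings for the session and discovery CHAP settings."""
    cfg = parse_iscsid(text)
    findings = []
    for scope in SCOPES:
        val = {n: cfg.get(f"{scope}.{n}")
               for n in ("authmethod", "username", "password", "password_in")}
        if val["authmethod"] != "CHAP":
            # The file's own comment says the default is None, so credentials
            # without authmethod = CHAP do not enable authentication.
            if val["username"] or val["password"] or val["password_in"]:
                findings.append(f"{scope}: credentials are set but authmethod is not CHAP")
            continue
        for name in ("username", "password"):
            if not val[name]:
                findings.append(f"{scope}: authmethod is CHAP but {name} is missing")
        if val["password_in"] and val["password_in"] == val["password"]:
            findings.append(f"{scope}: one-way and two-way CHAP secrets must be different")
    return findings

if __name__ == "__main__":
    for finding in audit_chap(SAMPLE):
        print(finding)
```

To check a real host, pass the contents of /etc/iscsi/iscsid.conf (or /etc/iscsid.conf) to audit_chap; the file holds secrets in clear text, so read it as root and do not copy the output of parse_iscsid into logs.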