Setting Up Your iSCSI Storage Array 45
Understanding CHAP Authentication
Before proceeding to either Step 5: Configure CHAP Authentication on the Storage Array (optional) or
Step 6: Configure CHAP Authentication on the Host Server (optional), it would be useful to gain an
overview of how CHAP authentication works.
What is CHAP?
Challenge Handshake Authentication Protocol (CHAP) is an optional iSCSI authentication method
where the storage array (target) authenticates iSCSI initiators on the host server. Two types of CHAP are
supported: target CHAP and mutual CHAP.
Target CHAP
In target CHAP, the storage array authenticates all requests for access issued by the iSCSI initiator(s) on
the host server via a CHAP secret. To set up target CHAP authentication, you enter a CHAP secret on
the storage array, then configure each iSCSI initiator on the host server to send that secret each time it
attempts to access the storage array.
Mutual CHAP
In addition to setting up target CHAP, you can set up mutual CHAP in which both the storage array and
the iSCSI initiator authenticate each other. To set up mutual CHAP, you configure the iSCSI initiator
with a CHAP secret that the storage array must send to the host sever in order to establish a connection.
In this two-way authentication process, both the host server and the storage array are sending
information that the other must validate before a connection is allowed.
CHAP is an optional feature and is not required to use iSCSI. However, if you do not configure CHAP
authentication, any host server connected to the same IP network as the storage array can read from and
write to the storage array.
NOTE: If you elect to use CHAP authentication, you should configure it on both the storage array (using MD
Storage Manager) and the host server (using the iSCSI initiator) before preparing virtual disks to receive data.
If you prepare disks to receive data before you configure CHAP authentication, you will lose visibility to the
disks once CHAP is configured.