Intel Storage System SSR212PP User Guide 137
PRELIMINARY
26 Setting up CHAP Security for iSCSI Storage Systems
Challenge Handshake Authentication Protocol (CHAP) is a method of authenticating iSCSI users. The iSCSI storage system can use CHAP to authenticate initiators, and initiators can likewise authenticate targets such as the storage system.
CAUTION

If you do not configure CHAP security for the storage system, any host connected to the same IP network as the storage-system iSCSI ports can read from and write to the storage system. If the storage system is on a private network, you can choose not to use CHAP security. If the storage system is on a public network, we strongly recommend that you use CHAP security.

If you want to use CHAP security, you should set up and enable it on the storage system before preparing virtual disks to receive data. If you prepare disks to receive data before you set up and enable CHAP security, you lose visibility to the disks.
CHAP has two variants:

Initiator CHAP sets up accounts that iSCSI initiators use to connect to targets. The target authenticates the initiator. Initiator CHAP is the primary CHAP authentication method. Navisphere Express provides Basic and Advanced initiator CHAP options. Basic CHAP specifies one secret (password) for all initiators that log in to a given target. The Advanced option allows you to specify a different secret for each initiator, and also allows you to set up Mutual CHAP.

Mutual CHAP is applied in addition to advanced initiator CHAP. Mutual CHAP sets up an account that a target uses to connect to an initiator; the initiator authenticates the target.

Setting up and enabling initiator CHAP is necessary for iSCSI security to work. Mutual CHAP is an optional additional level of security. Only one mutual CHAP credential is supported for each storage system.
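As an added illustration (not code from the SSR212PP guide or from Navisphere Express), the following Python models the exchange described above: the storage system (target) challenges the initiator and verifies the response against a per-initiator secret, as in the Advanced option, and with mutual CHAP the roles reverse and the initiator challenges the target using the single target credential. The digest is the MD5 CHAP of RFC 1994 that iSCSI negotiates as CHAP_A=5 (MD5 over the one-byte identifier, the secret, and the challenge). The initiator names, secrets and class names are constructed sample values for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample secrets for the demonstration; they are not values from
# the SSR212PP guide. Advanced initiator CHAP: one secret per initiator.
INITIATOR_SECRETS = {
    "iqn.2000-01.com.example:host1": b"host1-initiator-secret!",
    "iqn.2000-01.com.example:host2": b"host2-initiator-secret!",
}
# Mutual CHAP: the single credential the storage system proves to initiators.
TARGET_SECRET = b"storage-system-mutual-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994; iSCSI CHAP_A=5): MD5(ID || secret || challenge).

    Only the challenge and this digest cross the wire; the secret never does.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Storage-system side: holds one secret per initiator (advanced initiator
    CHAP) and, optionally, its own secret for mutual CHAP."""

    def __init__(self, initiator_secrets, own_secret=None):
        self.initiator_secrets = dict(initiator_secrets)
        self.own_secret = own_secret
        self._pending = {}  # initiator name -> (identifier, challenge)

    def challenge(self, initiator_name):
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self._pending[initiator_name] = (ident, chal)
        return ident, chal

    def verify(self, initiator_name, response):
        ident, chal = self._pending.pop(initiator_name)
        secret = self.initiator_secrets.get(initiator_name)
        if secret is None:  # no account entered for this initiator
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)

    def answer(self, ident, chal):
        """Mutual CHAP: answer the initiator's challenge with the target secret."""
        if self.own_secret is None:
            raise RuntimeError("mutual CHAP credential not configured on target")
        return chap_response(ident, self.own_secret, chal)


class Initiator:
    """Host side: knows its own secret and, for mutual CHAP, the target user
    data it expects the storage system to prove knowledge of."""

    def __init__(self, name, secret, expected_target_secret=None):
        self.name = name
        self.secret = secret
        self.expected_target_secret = expected_target_secret

    def answer(self, ident, chal):
        return chap_response(ident, self.secret, chal)

    def check_target(self, ident, chal, response):
        expected = chap_response(ident, self.expected_target_secret, chal)
        return hmac.compare_digest(expected, response)


def login(initiator, target, mutual=False):
    """Run one CHAP login and report who authenticated whom."""
    result = {"initiator_authenticated": False, "target_authenticated": None}
    # Initiator CHAP: target challenges, initiator responds, target verifies.
    ident, chal = target.challenge(initiator.name)
    result["initiator_authenticated"] = target.verify(
        initiator.name, initiator.answer(ident, chal))
    if not result["initiator_authenticated"]:
        return result  # login rejected; the mutual step never runs
    if mutual:
        # Mutual CHAP: the initiator challenges the target in turn.
        ident2, chal2 = os.urandom(1)[0], os.urandom(16)
        result["target_authenticated"] = initiator.check_target(
            ident2, chal2, target.answer(ident2, chal2))
    return result


if __name__ == "__main__":
    storage = Target(INITIATOR_SECRETS, own_secret=TARGET_SECRET)
    host1 = Initiator("iqn.2000-01.com.example:host1",
                      INITIATOR_SECRETS["iqn.2000-01.com.example:host1"],
                      expected_target_secret=TARGET_SECRET)
    print(login(host1, storage, mutual=True))
```

The model mirrors the caution in the text: an initiator with no account, or with the wrong secret, is refused before any data path opens, and with mutual CHAP an initiator that holds different target user data than the storage system sends will refuse the target even though its own login succeeded.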
The following steps are necessary to set up initiator CHAP:

1. On a server that uses NICs or iSCSI HBAs, log off and remove target portals.

2. On the storage system, configure and enable initiator CHAP (basic or advanced) by entering the initiator user data for all initiators that are allowed to access the storage system.

3. If you are setting up the optional mutual CHAP, you must enter the mutual CHAP user data on each server; that is, the target user account data that the storage system sends to initiators. The initiators compare this data with their stored user data when they authenticate the storage system.