CHAP authentication of iSCSI hosts
CHAP (Challenge Handshake Authentication Protocol) support enables authentication of iSCSI initiators (hosts) to Spectrum Accelerate in unsecured environments. The protocol itself also allows the reverse direction, but Spectrum Accelerate supports only authentication of the initiator by the target (see Supported configurations).
When CHAP support is enabled, hosts must prove knowledge of a per-host secret before Spectrum Accelerate accepts their iSCSI login. This increases overall system security by verifying that only authenticated parties are involved in host-storage interactions. Note that CHAP authenticates the initiator only at login time; it does not encrypt or integrity-protect the iSCSI data traffic that follows.
Definitions
The following definitions apply to authentication procedures:
- CHAP
- Challenge Handshake Authentication Protocol
- CHAP authentication
- An authentication process of an iSCSI initiator by a target. The target sends the initiator a random challenge; the initiator returns a hash computed over the challenge and its secret; the target computes the same hash from its own stored copy of that initiator's secret and compares the two. The secret itself never crosses the network.
- Initiator
- The host.
- Oneway (unidirectional CHAP)
- CHAP authentication where initiators are authenticated by the target, but not vice versa.
Supported configurations
- CHAP authentication type
- Oneway (unidirectional) authentication mode, meaning that the initiator (host) is authenticated by Spectrum Accelerate; the initiator does not authenticate the target (mutual CHAP is not supported).
- MD5
- CHAP authentication uses the MD5 hashing algorithm (the CHAP variant defined for iSCSI in RFC 3720).
- Access scope
- CHAP authentication decides only whether an initiator may log in. Which volumes a CHAP-authenticated initiator can then reach is determined by the host-to-volume mapping on Spectrum Accelerate, which may restrict the host to a subset of volumes.
Authentication modes
Spectrum Accelerate supports the following authentication modes:
- None (default)
- In this mode, an initiator is not authenticated by Spectrum Accelerate; any initiator that reaches the iSCSI port can log in.
- CHAP (oneway)
- In this mode, an initiator is authenticated by Spectrum Accelerate: the hash submitted by the initiator in response to the target's challenge is compared with the hash that the system computes from the initiator's secret stored on the IBM XIV Storage System. The login is accepted only if the two match.
Complying with RFC 3720
Spectrum Accelerate CHAP authentication complies with the CHAP requirements as stated in RFC 3720.
- Secret length
- The secret has to be between 96 bits and 128 bits (12 to 16 bytes); otherwise, the system fails the command, responding that the requirements are not fulfilled. The 96-bit minimum is the RFC 3720 requirement for CHAP secrets used without IPsec.
- Initiator secret uniqueness
- Upon defining or updating an initiator (host) secret, the system compares the entered secret's hash with existing secrets stored by the system and determines whether the secret is unique. If it is not unique, the system presents a warning to the user, but does not prevent the command from completing successfully. RFC 3720 recommends against sharing one secret across initiators, because a host that knows the shared secret can answer a challenge intended for any other host that uses it.
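The following Python program is an added example, not code from this page or from the Spectrum Accelerate product, that ties together the CHAP definition, the "None" and "CHAP (oneway)" modes, and the RFC 3720 secret rules described above. The `Target` class is a hypothetical stand-in for the storage system's behaviour (its method names are not the real management API); the IQN and secrets are constructed sample values. It shows the MD5 response computation, a fresh random challenge per login, constant-time comparison, the 12-to-16-byte length check that fails the command, and the uniqueness check that only warns.

```python
"""One-way (unidirectional) iSCSI CHAP, modelled on the behaviour described
on this page.  Hypothetical code: Target is a stand-in for the storage
system, not its real API."""
import hashlib
import hmac
import os

# Secret length limits stated on this page (RFC 3720 requires >= 96 bits).
MIN_SECRET_BYTES = 12   # 96 bits
MAX_SECRET_BYTES = 16   # 128 bits


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994, the algorithm iSCSI uses):
    Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= chap_id <= 0xFF:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class Target:
    """Stand-in for the storage system (iSCSI target) side."""

    def __init__(self, auth_mode: str = "none"):
        if auth_mode not in ("none", "chap"):
            raise ValueError("auth_mode must be 'none' or 'chap'")
        self.auth_mode = auth_mode
        self._secrets: dict[str, bytes] = {}               # IQN -> secret
        self._pending: dict[str, tuple[int, bytes]] = {}   # IQN -> (id, challenge)
        self._next_id = 0

    def set_initiator_secret(self, iqn: str, secret: bytes) -> list[str]:
        """Store a host secret.  A length violation fails the command (raises);
        a non-unique secret only returns a warning, as the page describes."""
        if not MIN_SECRET_BYTES <= len(secret) <= MAX_SECRET_BYTES:
            raise ValueError(
                f"secret must be {MIN_SECRET_BYTES}-{MAX_SECRET_BYTES} bytes, "
                f"got {len(secret)}")
        warnings = []
        # The target must keep the secret itself (it recomputes MD5 over it),
        # so uniqueness is checked by constant-time comparison with each
        # stored secret.
        for other, stored in self._secrets.items():
            if other != iqn and hmac.compare_digest(stored, secret):
                warnings.append(f"secret is not unique: also used by {other}")
        self._secrets[iqn] = secret
        return warnings

    def issue_challenge(self, iqn: str) -> tuple[int, bytes]:
        """Target -> initiator: fresh identifier and random challenge."""
        chap_id = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = os.urandom(16)          # unpredictable, never reused
        self._pending[iqn] = (chap_id, challenge)
        return chap_id, challenge

    def verify(self, iqn: str, response: bytes) -> bool:
        """Initiator -> target: compare the response with the hash computed
        from the stored secret.  The pending challenge is consumed, so a
        captured response cannot be replayed against a later login."""
        pending = self._pending.pop(iqn, None)
        secret = self._secrets.get(iqn)
        if pending is None or secret is None:
            return False
        chap_id, challenge = pending
        expected = chap_response(chap_id, secret, challenge)
        return hmac.compare_digest(expected, response)


def login(target: Target, iqn: str, secret: bytes) -> bool:
    """Run one login exchange from the initiator's side."""
    if target.auth_mode == "none":
        return True                         # default mode: no authentication
    chap_id, challenge = target.issue_challenge(iqn)
    return target.verify(iqn, chap_response(chap_id, secret, challenge))


if __name__ == "__main__":
    t = Target(auth_mode="chap")
    host = "iqn.1994-05.com.example:host1"          # constructed sample IQN
    print(t.set_initiator_secret(host, b"0123456789ABCDEF"))   # 16 bytes: accepted
    print("correct secret:", login(t, host, b"0123456789ABCDEF"))
    print("wrong secret:  ", login(t, host, b"FEDCBA9876543210"))
```

Two design points carry over to real deployments: the challenge must be random and single-use (otherwise a recorded response can be replayed), and because the target needs the plaintext secret to recompute the MD5, the secret store on the target is itself a sensitive asset that CHAP does nothing to protect.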