CHAP authentication of iSCSI hosts

The MS-CHAP extension enables authentication of initiators (hosts) to Spectrum Accelerate and vice versa in unsecured environments.

When CHAP support is enabled, hosts are securely authenticated by Spectrum Accelerate. This increases overall system security by verifying that only authenticated parties are involved in host-storage interactions.

Definitions

The following definitions apply to authentication procedures:
CHAP
Challenge Handshake Authentication Protocol
CHAP authentication
An authentication process in which a target authenticates an iSCSI initiator by comparing the hash that the initiator submits with a hash computed from that initiator's secret, which is stored on the target.
Initiator
The host.
Oneway (unidirectional CHAP)
CHAP authentication where initiators are authenticated by the target, but not vice versa.

Supported configurations

CHAP authentication type
Oneway (unidirectional) authentication mode, meaning that the initiator (host) has to be authenticated by Spectrum Accelerate.
MD5
CHAP authentication uses the MD5 hashing algorithm.
Access scope
CHAP-authenticated Initiators are granted access to the Spectrum Accelerate via mapping that may restrict access to some volumes.

Authentication modes

Spectrum Accelerate supports the following authentication modes:
None (default)
In this mode, an initiator is not authenticated by Spectrum Accelerate.
CHAP (oneway)
In this mode, an initiator is authenticated by Spectrum Accelerate based on the hash that the initiator submits, which is compared to the hash computed from the initiator's secret stored on the IBM XIV Storage System.
Changing the authentication mode from None to CHAP requires the host to authenticate. Changing the mode from CHAP to None does not require authentication.

Complying with RFC 3720

Spectrum Accelerate CHAP authentication complies with the CHAP requirements as stated in RFC 3720.
Secret length
The secret has to be between 96 bits and 128 bits long; otherwise, the system fails the command and responds that the requirements are not fulfilled.
Initiator secret uniqueness
Upon defining or updating an initiator (host) secret, the system compares the entered secret's hash with existing secrets stored by the system and determines whether the secret is unique. If it is not unique, the system presents a warning to the user, but does not prevent the command from completing successfully.
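The one-way CHAP exchange, the 96-to-128-bit secret check and the uniqueness warning described above, shown together as an added example (constructed for this page, not IBM's code). It assumes the standard CHAP/MD5 response computation from RFC 1994 as used by iSCSI, MD5(ID || secret || challenge), and the IQNs are made up:

```python
import hashlib
import os
import secrets

# Constructed example: a target that stores per-initiator CHAP secrets
# and verifies one-way CHAP responses computed as MD5(ID || secret || challenge).
MIN_SECRET_BYTES = 12  # 96 bits, the lower bound stated on the page
MAX_SECRET_BYTES = 16  # 128 bits, the upper bound stated on the page


def validate_secret(secret: bytes) -> None:
    """Fail the command if the secret is outside the 96-128 bit range."""
    if not MIN_SECRET_BYTES <= len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("CHAP secret must be between 96 and 128 bits long")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: response = MD5(one-byte ID || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Target:
    """Storage-side view: holds initiator secrets and checks submitted hashes."""

    def __init__(self):
        self._secrets = {}  # initiator IQN -> secret (constructed store)

    def define_secret(self, iqn: str, secret: bytes) -> bool:
        """Store a secret; returns False (a warning, not a failure) if it is not unique."""
        validate_secret(secret)
        unique = all(not secrets.compare_digest(s, secret) for s in self._secrets.values())
        self._secrets[iqn] = secret  # the command still completes when not unique
        return unique

    def challenge(self):
        """Issue a fresh (ID, challenge) pair; the challenge must never repeat."""
        return secrets.randbelow(256), os.urandom(16)

    def verify(self, iqn: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Compare the initiator's submitted hash with the hash computed from its stored secret."""
        secret = self._secrets.get(iqn)
        if secret is None:
            return False  # unknown initiator: no secret to compute against
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)  # constant-time comparison
```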