AIX® hosts can be correctly set up for authentication on the
system by following certain guidelines and tasks.
Before you begin
Although the system supports both one-way authentication and two-way authentication for iSCSI,
the AIX software initiator currently supports only one-way
authentication. The system target authenticates the initiator.
CHAP settings are defined in the /etc/iscsi/targets file on the host. The
AIX initiator or host bus adapter (HBA) always uses its iSCSI
qualified name (IQN) as the CHAP user name.
About this task
To set up authentication on an AIX host, complete the
following steps:
Procedure
1. Open the /etc/iscsi/targets file with any editor.
2. For each line that contains a target definition, append the CHAP secret of the initiator
   in quotation marks:
   The CHAP secret value that you set here must match the value that was configured on the system
   for the host object that is associated with this host. Because the system authenticates on a
   per-initiator basis, the CHAP secret is the same for all the targets on a particular clustered
   system.
Note: When you set up the user name and password for two-way CHAP authentication, the
node.session.auth.username_in value must be clustername. You can find the
clustername by using the lssystem command.
An example of the /etc/iscsi/targets file is shown in Figure 1.
Figure 1. CHAP settings for an AIX host
#ChapSecret = %x22*( any character ) %x22
# ; " "
# ; ChapSecret is a string enclosed in double quotes. The
# ; quotes are required, but are not part of the secret.
#
#EXAMPLE 1: iSCSI Target without CHAP(MD5) authentication
# Assume the target is at address 192.168.3.2,
# the valid port is 5003
# the name of the target is iqn.com.ibm-4125-23WTT26
#The target line would look like:
#192.168.3.2 5003 iqn.com.ibm-4125-23WWT26
#
#EXAMPLE 2: iSCSI Target with CHAP(MD5) authentication
# Assume the target is at address 10.2.1.105,
# the valid port is 3260
# the name of the target is iqn.com.ibm-K167-42.fc1a
# the CHAP secret is "This is my password."
#The target line would look like:
#10.2.1.105 3260 iqn.com.ibm-K167-42.fc1a "This is my password."
#
#EXAMPLE 3: iSCSI Target with CHAP(MD5) authentication and line continuation
# Assume the target is at address 10.2.1.106,
# the valid port is 3260
# the name of the target is iqn.com.ibm:00.fcd0ab21.shark128
# the CHAP secret is "123ismysecretpassword.fc1b"
#The target line would look like:
#10.2.1.105 3260 iqn.2003-01.com.ibm:00.fcd0ab21.shark128 \
#        "123ismysecretpassword.fc1b"
192.168.1.41 3260 iqn.1986-03.com.ibm:2145.pahar.dvt110702
192.168.2.43 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 "svcchapsecret"
The two targets in the previous example are members of different clustered systems. One target is
configured to authenticate the initiator, and the other target is not configured to authenticate the
initiator.
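As an added example (not part of the original documentation or of AIX), the following sh function audits a targets file in the format of Figure 1: it joins continuation lines, reports which targets carry a CHAP secret, and flags a clustered system whose targets do not all share one secret, without ever printing a secret. It assumes that the IQN without its last dot-separated component identifies the clustered system; the function names and the third sample entry are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a targets file in the format shown in Figure 1.
# Secrets are compared with each other but never printed.
audit_iscsi_targets() {
    # Arguments: path(s) to a targets file; with none, standard input is read.
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = pending $0; pending = ""
        if (line ~ /\\[ \t]*$/) {            # trailing backslash: line continues
            sub(/\\[ \t]*$/, " ", line); pending = line; next
        }
        sub(/[ \t]+$/, "", line)
        secret = ""
        if (match(line, /".*"$/)) {          # ChapSecret: quoted string at end
            secret = substr(line, RSTART, RLENGTH)
            line = substr(line, 1, RSTART - 1)
        }
        if (split(line, f) != 3) { print "MALFORMED line " NR; next }
        print f[1], f[2], f[3], (secret == "" ? "NO-CHAP" : "CHAP")
        # Assumption: the IQN minus its last dot-separated part names the system.
        sys = f[3]; sub(/\.[^.]*$/, "", sys)
        if (!(sys in seen)) seen[sys] = secret
        else if (seen[sys] != secret) bad[sys] = 1
    }
    END { for (s in bad) print "INCONSISTENT", s }
    ' "$@"
}

# Constructed sample: the two live entries from Figure 1 plus a hypothetical
# second node of the "moscow" system that uses a continuation line and a
# different secret.
sample_targets() {
    cat <<'EOF'
# constructed sample input
192.168.1.41 3260 iqn.1986-03.com.ibm:2145.pahar.dvt110702
192.168.2.43 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 "svcchapsecret"
192.168.2.44 3260 iqn.1986-03.com.ibm:2145.moscow.node2 \
        "a different secret"
EOF
}

sample_targets | audit_iscsi_targets
```

On a host, pass the file path as the argument, for example audit_iscsi_targets /etc/iscsi/targets.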
Note: Before upgrading to 8.5.3.0, if the customer has configured two-way CHAP authentication, they
must first switch to one-way CHAP and then back to two-way CHAP once the upgrade is complete. This
is required because clustername as a user name is not supported for the two-way CHAP
secret in earlier releases.