You can set up one-way CHAP authentication for Linux® hosts. After one-way authentication is configured and working for your host, you can
optionally set up two-way authentication.
Before you begin
The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
One-way CHAP authentication (the system authenticates the host iSCSI initiator).
Two-way CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for one-way authentication and two-way authentication must be
different.
Procedure
To set up authentication for a Linux host,
follow these steps:
Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by
using an appropriate editor.
Go to the CHAP settings paragraph.
The following example shows the CHAP settings section of the file:
Figure 1. CHAP settings for a Linux host
#*************
#CHAP Settings
#*************
#To enable CHAP authentication set node.session.auth.authmethod
#to CHAP. The default is None.
#node.session.auth.authmethod = CHAP
#To set a CHAP username and password for initiator
#authentication by the target(s), uncomment the following lines:
#node.session.auth.username = username
#node.session.auth.password = password
node.session.auth.username = rhel_username
node.session.auth.password = xxxxxxxxxxxxx
#To set a CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#node.session.auth.username_in = username_in
#node.session.auth.password_in = password_in
node.session.auth.username_in = clustername
node.session.auth.password_in = yyyyyyyyyyyyy
#To enable CHAP authentication for a discovery session to the target
#set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
#discovery.sendtargets.auth.authmethod = CHAP
#To set a discovery session CHAP username and password for the initiator
#authentication by the target(s), uncomment the following lines:
#discovery.sendtargets.auth.username = username
#discovery.sendtargets.auth.password = password
#To set a discovery session CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#discovery.sendtargets.auth.username_in = username_in
#discovery.sendtargets.auth.password_in = password_in
Set up authentication.
Set up one-way authentication:
Set a CHAP user name and password to your initiator name.
node.session.auth.authmethod = CHAP
node.session.auth.username = <initiator's user name>
node.session.auth.password = <CHAP secret for host>
Set a discovery session CHAP user name and password to your initiator name.
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = <initiator's user name>
discovery.sendtargets.auth.password = <CHAP secret for host>
Save these settings. You must log out of any current sessions and rediscover the system iSCSI
target for the CHAP secret to be effective.
Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the
host, and the rhel_username is the IQN name of the initiator. This user name must
be the same value that you set with the chhost command
(iscsiusername field) for this host.
Set up two-way authentication.
Note: It is not mandatory to set up two-way authentication.
Before you configure for two-way authentication, ensure that one-way authentication is configured
and is working for your host.
Set password_in to the CHAP secret that you set up with the
chsystem command on the system. Set the CHAP user name to
clustername. The clustername can be found by running the
lssystem command on the system.
Set a CHAP user name and password for the target or targets.
node.session.auth.username_in = clustername
node.session.auth.password_in = <CHAP secret for clustered system>
Set a discovery session CHAP user name and password for the target or targets.
discovery.sendtargets.auth.username_in = clustername
discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
Save these settings. You must log out of any current sessions and rediscover the system iSCSI
target for the CHAP secret to be effective.
Note: Before upgrading to 8.5.3.0, if two-way CHAP authentication is configured, you must first
switch to one-way CHAP and then switch back to two-way CHAP after the upgrade is complete. This
is required because clustername as a user name is not supported for the two-way CHAP
secret in earlier releases.
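The conditions this procedure depends on (authmethod set to CHAP, each user name set together with its secret, one-way CHAP in place before two-way, and different secrets for the two directions) can be checked on the edited file before you log out and rediscover. The following Python script is an added example, not part of the product documentation; the function names, the IQN, and the sample settings are constructed for illustration.

```python
# CONSTRUCTED sample of iscsid.conf CHAP lines; IQN and secrets are placeholders.
SAMPLE = """\
#node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1994-05.com.example:host1
node.session.auth.password = constructed-secret-A
node.session.auth.username_in = clustername
node.session.auth.password_in = constructed-secret-A
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1994-05.com.example:host1
discovery.sendtargets.auth.password = constructed-secret-A
discovery.sendtargets.auth.password_in = constructed-secret-B
"""

SCOPES = ("node.session.auth", "discovery.sendtargets.auth")

def parse_settings(text):
    """Return active 'key = value' settings; commented lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_chap(text):
    """Return findings as text; secret values are never included."""
    s, findings = parse_settings(text), []
    for scope in SCOPES:
        method, user, pw, user_in, pw_in = (
            s.get(f"{scope}.{k}")
            for k in ("authmethod", "username", "password", "username_in", "password_in"))
        if (user or pw or user_in or pw_in) and method != "CHAP":
            findings.append(f"{scope}: credentials set but authmethod is not CHAP")
        if bool(user) != bool(pw):
            findings.append(f"{scope}: one-way user name and secret must both be set")
        if bool(user_in) != bool(pw_in):
            findings.append(f"{scope}: two-way user name and secret must both be set")
        if pw_in and not pw:
            findings.append(f"{scope}: two-way secret set without one-way CHAP")
        if pw and pw == pw_in:
            findings.append(f"{scope}: one-way and two-way secrets are identical")
    return findings

if __name__ == "__main__":
    for finding in audit_chap(SAMPLE):
        print(finding)
```

To check a real host, pass the contents of /etc/iscsi/iscsid.conf or /etc/iscsid.conf to audit_chap; the findings name only the setting scope, so the output can be logged without exposing a secret.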