Setting up authentication for Linux hosts

You can set up unidirectional (one-way) CHAP authentication for Linux® hosts. After one-way authentication is configured and working for your host, you can optionally set up bidirectional (two-way) authentication.

Before you begin

The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
  • Unidirectional (one-way) CHAP authentication (the system authenticates the host iSCSI initiator).
  • Bidirectional (two-way) CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for unidirectional (one-way) authentication and bidirectional (two-way) authentication must be different.

Procedure

To set up authentication for a Linux host, follow these steps:

  1. Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by using an appropriate editor.
  2. Go to the CHAP settings paragraph.
    The following example shows the CHAP settings section of the file for a Linux host:
    #*************
    #CHAP Settings
    #*************
    
    #To enable CHAP authentication set node.session.auth.authmethod
    #to CHAP. The default is None.
    #node.session.auth.authmethod = CHAP
    
    #To set a CHAP username and password for initiator
    #authentication by the target(s), uncomment the following lines:
    #node.session.auth.username = username
    #node.session.auth.password = password
    node.session.auth.username = rhel_username
    node.session.auth.password = xxxxxxxxxxxxx
    
    #To set a CHAP username and password for target(s)
    #authentication by the initiator, uncomment the following lines:
    #node.session.auth.username_in = username_in
    #node.session.auth.password_in = password_in
    node.session.auth.username_in = clustername
    node.session.auth.password_in = yyyyyyyyyyyyy
    
    #node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
    
    #To enable CHAP authentication for a discovery session to the target
    #set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
    #discovery.sendtargets.auth.authmethod = CHAP
    
    #To set a discovery session CHAP username and password for the initiator
    #authentication by the target(s), uncomment the following lines:
    #discovery.sendtargets.auth.username = username
    #discovery.sendtargets.auth.password = password
    
    #To set a discovery session CHAP username and password for target(s)
    #authentication by the initiator, uncomment the following lines:
    #discovery.sendtargets.auth.username_in = username_in
    #discovery.sendtargets.auth.password_in = password_in
    
  3. Set up authentication.
    • Set up unidirectional (one-way) authentication:
      1. Set a CHAP username and password for your initiator name.
        1. node.session.auth.authmethod = CHAP
        2. node.session.auth.username = <initiator's user name>
        3. node.session.auth.password = <CHAP secret for host>
        4. (Optional) node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
          Note: When iSCSI host authentication mode is enabled, only SHA3-256 and SHA256 hashing algorithms are accepted.
      2. Set a discovery session CHAP username and password for your initiator name.
        1. discovery.sendtargets.auth.authmethod = CHAP
        2. discovery.sendtargets.auth.username = <initiator's user name>
        3. discovery.sendtargets.auth.password = <CHAP secret for host>
      3. Save these settings. Log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to take effect.
      Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the host, and rhel_username is the IQN of the initiator. This username must be the same value that you set with the chhost command (hostusername field) for this host.
    • Set up bidirectional (two-way) authentication.
      Note: Two-way authentication is optional. Before you configure bidirectional (two-way) authentication, ensure that unidirectional (one-way) authentication is configured and working for your host.
      1. Set password_in to the CHAP secret that you set up with the chhost command on the system. Set the CHAP username to storage_username, which you can find by using the lshost command.
        1. Set a CHAP username and password for the target or targets.
          • node.session.auth.username_in = <storage_username>
          • node.session.auth.password_in = <CHAP secret for clustered system>
        2. Set a discovery session CHAP username and password for the target or targets.
          • discovery.sendtargets.auth.username_in = <storage_username>
          • discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
      2. Save these settings. Log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to take effect.
    Note: Before you upgrade to 8.5.3.0, if two-way CHAP authentication is configured, you must first switch to unidirectional (one-way) CHAP and then switch back to bidirectional (two-way) CHAP after the upgrade is complete. This is required because clustername as a username is not supported for the two-way CHAP secret in earlier releases.
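
The settings from this procedure can be checked before you log out and rediscover the target. The following Python check is an added example, not part of the product documentation or of the iSCSI initiator software; it flags a missing CHAP authmethod, a two-way secret that reuses the one-way secret, and chap_algs entries other than SHA3-256 and SHA256. The sample configuration, the IQN, and the names parse_conf and audit_chap are constructed for illustration.

```python
# Only these are accepted when iSCSI host authentication mode is enabled (per the note above).
STRONG_ALGS = {"SHA3-256", "SHA256"}

# Constructed sample with three deliberate mistakes; not a real configuration.
SAMPLE_CONF = """\
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1994-05.com.example:host1
node.session.auth.password = constructed-secret-A
node.session.auth.username_in = clustername
node.session.auth.password_in = constructed-secret-A
node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
#discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1994-05.com.example:host1
discovery.sendtargets.auth.password = constructed-secret-A
"""

def parse_conf(text):
    """Collect active (uncommented) key = value lines; this example keeps the last occurrence."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_chap(text, host_auth_mode=True):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_conf(text), []
    for scope in ("node.session.auth.", "discovery.sendtargets.auth."):
        if s.get(scope + "authmethod") != "CHAP":
            findings.append(scope + "authmethod is not CHAP")
        if not (s.get(scope + "username") and s.get(scope + "password")):
            findings.append(scope + "username and password are not both set")
        user_in, pw_in = s.get(scope + "username_in"), s.get(scope + "password_in")
        if bool(user_in) != bool(pw_in):
            findings.append(scope + "username_in and password_in must be set together")
        # One-way and two-way CHAP secrets must be different.
        if pw_in and pw_in == s.get(scope + "password"):
            findings.append(scope + "password_in reuses the one-way secret")
    algs = [a.strip() for a in s.get("node.session.auth.chap_algs", "").split(",") if a.strip()]
    weak = [a for a in algs if a.upper() not in STRONG_ALGS]
    if host_auth_mode and weak:
        findings.append("chap_algs lists algorithms the system will not accept: " + ",".join(weak))
    return findings

if __name__ == "__main__":
    for finding in audit_chap(SAMPLE_CONF):
        print("FINDING:", finding)
```

To check a real host, pass the contents of /etc/iscsi/iscsid.conf or /etc/iscsid.conf to audit_chap and set host_auth_mode to match the system.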