Setting up authentication for Linux hosts

You can set up one-way CHAP authentication for Linux hosts. After you configure one-way authentication that is working for your host, you can optionally set up two-way authentication.

The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
  • One-way CHAP authentication (the system authenticates the host iSCSI initiator).
  • Two-way CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for one-way authentication and two-way authentication must be different.

To set up authentication for a Linux host, follow these steps:

  1. Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by using an appropriate editor.
  2. Go to the CHAP settings paragraph.

    The following example shows this section of the file:

    Figure 1. CHAP settings for a Linux host
    #*************
    #CHAP Settings
    #*************
    
    #To enable CHAP authentication set node.session.auth.authmethod
    #to CHAP. The default is None.
    #node.session.auth.authmethod = CHAP
    
    #To set a CHAP username and password for initiator
    #authentication by the target(s), uncomment the following lines:
    #node.session.auth.username = username
    #node.session.auth.password = password
    node.session.auth.username = iqn.suse.nmp.com
    node.session.auth.password = xxxxxxxxxxxxx
    #To set a CHAP username and password for target(s)
    #authentication by the initiator, uncomment the following lines:
    #node.session.auth.username_in = username_in
    #node.session.auth.password_in = password_in
    node.session.auth.password_in = yyyyyyyyyyyyy
    #To enable CHAP authentication for a discovery session to the target
    #set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
    #discovery.sendtargets.auth.authmethod = CHAP
    discovery.sendtargets.auth.authmethod = CHAP
    #To set a discovery session CHAP username and password for the initiator
    #authentication by the target(s), uncomment the following lines:
    #discovery.sendtargets.auth.username = username
    #discovery.sendtargets.auth.password = password
    
    #To set a discovery session CHAP username and password for target(s)
    #authentication by the initiator, uncomment the following lines:
    #discovery.sendtargets.auth.username_in = username_in
    #discovery.sendtargets.auth.password_in = password_in
  3. Set up authentication.
    • Set up one-way authentication:
      1. Set the CHAP user name to your initiator name and set the CHAP password.
        1. node.session.auth.authmethod = CHAP
        2. node.session.auth.username = <initiator IQN name>
        3. node.session.auth.password = <CHAP secret for host>
      2. Set the discovery session CHAP user name to your initiator name and set the discovery session CHAP password.
        1. discovery.sendtargets.auth.authmethod = CHAP
        2. discovery.sendtargets.auth.username = <initiator IQN name>
        3. discovery.sendtargets.auth.password = <CHAP secret for host>
      3. Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
      Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the host, and iqn.suse.nmp.com is the IQN name of the initiator. The IQN name must be the same name that is used to create a host object on the system by using the mkhost command.
    • Set up two-way authentication.
      Note: It is not mandatory to set up two-way authentication. Before you configure two-way authentication, ensure that one-way authentication is configured and is working for your host.
      1. Set password_in to the CHAP secret that you set up with the chsystem command on the system.
        1. Set a CHAP user name and password for the target or targets.
          • node.session.auth.password_in = <CHAP secret for clustered system>
        2. Set a discovery session CHAP user name and password for the target or targets.
          • discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
      2. Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
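
The following script is an added example, not part of the original procedure or of any vendor tooling. It audits the uncommented CHAP settings of an iscsid.conf-style file against step 3 and the note that the one-way and two-way secrets must differ. The function names and the rule that a later line overrides an earlier one are assumptions; the sample input is constructed from the active lines of Figure 1.

```sh
#!/bin/sh
# Added example (not vendor code): audit active CHAP settings in iscsid.conf.

# get_setting FILE KEY: print the value of the last uncommented "KEY = value"
# line (assumption: a later line overrides an earlier one).
get_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # skip commented-out defaults
        index($0, "=") == 0 { next }         # skip lines that are not settings
        { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k) }
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                   sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# check_chap FILE: print one finding per line (never the secrets themselves);
# return 0 when the file matches step 3, 1 otherwise.
check_chap() {
    conf=$1; rc=0
    for scope in node.session discovery.sendtargets; do
        method=$(get_setting "$conf" "$scope.auth.authmethod")
        user=$(get_setting "$conf" "$scope.auth.username")
        pass=$(get_setting "$conf" "$scope.auth.password")
        pass_in=$(get_setting "$conf" "$scope.auth.password_in")
        [ "$method" = CHAP ] || { echo "$scope: authmethod is not CHAP"; rc=1; }
        { [ -n "$user" ] && [ -n "$pass" ]; } ||
            { echo "$scope: one-way username or password missing"; rc=1; }
        if [ -n "$pass_in" ] && [ "$pass_in" = "$pass" ]; then
            echo "$scope: password_in equals password (secrets must differ)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the active lines of Figure 1 plus one commented default.
write_sample() {
    cat > "$1" <<'EOF'
#node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.suse.nmp.com
node.session.auth.password = xxxxxxxxxxxxx
node.session.auth.password_in = yyyyyyyyyyyyy
discovery.sendtargets.auth.authmethod = CHAP
EOF
}

sample=$(mktemp) && write_sample "$sample"
check_chap "$sample" || echo "=> complete step 3 before rediscovering the target"
rm -f "$sample"
```

Against the sample, the script reports the settings that step 3 still has to supply. To audit a host, call check_chap with the path from step 1.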