You can set up one-way CHAP authentication for Linux hosts. After one-way authentication is configured and working for your host, you can optionally set up two-way authentication.
The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
- One-way CHAP authentication (the system authenticates the host iSCSI initiator).
- Two-way CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for one-way authentication and two-way authentication must be different.
To set up authentication for a Linux host, follow these steps:
- Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by using an appropriate editor.
- Go to the CHAP settings paragraph.
The following example shows this paragraph:
Figure 1. CHAP settings for a Linux host
#*************
#CHAP Settings
#*************
#To enable CHAP authentication set node.session.auth.authmethod
#to CHAP. The default is None.
#node.session.auth.authmethod = CHAP
#To set a CHAP username and password for initiator
#authentication by the target(s), uncomment the following lines:
#node.session.auth.username = username
#node.session.auth.password = password
node.session.auth.username = rhel_username
node.session.auth.password = xxxxxxxxxxxxx
#To set a CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#node.session.auth.username_in = username_in
#node.session.auth.password_in = password_in
node.session.auth.password_in = yyyyyyyyyyyyy
#To enable CHAP authentication for a discovery session to the target
#set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
#discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.authmethod = CHAP
#To set a discovery session CHAP username and password for the initiator
#authentication by the target(s), uncomment the following lines:
#discovery.sendtargets.auth.username = username
#discovery.sendtargets.auth.password = password
#To set a discovery session CHAP username and password for target(s)
#authentication by the initiator, uncomment the following lines:
#discovery.sendtargets.auth.username_in = username_in
#discovery.sendtargets.auth.password_in = password_in
- Set up authentication.
  - Set up one-way authentication:
    - Set a CHAP user name and password for your initiator name.
      - node.session.auth.authmethod = CHAP
      - node.session.auth.username = <initiator's user name>
      - node.session.auth.password = <CHAP secret for host>
    - Set a discovery session CHAP user name and password for your initiator name.
      - discovery.sendtargets.auth.authmethod = CHAP
      - discovery.sendtargets.auth.username = <initiator's user name>
      - discovery.sendtargets.auth.password = <CHAP secret for host>
    - Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to take effect.
      Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the host, and rhel_username is the IQN name of the initiator. This user name must be the same value that you set with the chhost command (iscsiusername field) for this host.
  - Set up two-way authentication.
    Note: It is not mandatory to set up two-way authentication.
    Before you configure two-way authentication, ensure that one-way authentication is configured and is working for your host.
    - Set password_in to the CHAP secret that you set up with the chsystem command on the system.
    - Set a CHAP user name and password for the target or targets.
      - node.session.auth.password_in = <CHAP secret for clustered system>
    - Set a discovery session CHAP user name and password for the target or targets.
      - discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
    - Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to take effect.
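To check the edited file before you log out and rediscover, the following added example (not part of the original documentation) reads only the uncommented settings and reports credentials left without authmethod = CHAP, missing user names or passwords, and a password_in that repeats the one-way secret. The function names, the IQN and the secrets in SAMPLE are constructed for illustration.

```python
import re

# Constructed sample (not from a real host): session secrets are identical and
# the discovery authmethod line is still commented out.
SAMPLE = """\
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1994-05.com.example:host1
node.session.auth.password = constructed-secret-A
node.session.auth.password_in = constructed-secret-A
#discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1994-05.com.example:host1
discovery.sendtargets.auth.password = constructed-secret-A
"""

_SETTING = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

def parse_iscsid_conf(text):
    """Return active (uncommented) key = value settings; a repeated key keeps its last value (assumption)."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_chap(settings):
    """Compare session and discovery CHAP settings with the steps on this page."""
    problems = []
    for scope in ("node.session", "discovery.sendtargets"):
        prefix = scope + ".auth."
        get = lambda name: settings.get(prefix + name, "")
        creds = [n for n in ("username", "password", "password_in") if get(n)]
        if get("authmethod") != "CHAP":
            if creds:
                problems.append(f"{scope}: {', '.join(creds)} set but authmethod is not CHAP")
            continue
        for name in ("username", "password"):
            if not get(name):
                problems.append(f"{scope}: authmethod is CHAP but {name} is not set")
        # One-way and two-way CHAP secrets must be different.
        if get("password_in") and get("password_in") == get("password"):
            problems.append(f"{scope}: password_in must differ from password")
    return problems

if __name__ == "__main__":
    for problem in check_chap(parse_iscsid_conf(SAMPLE)):
        print(problem)
```

To check a real host, pass the contents of /etc/iscsi/iscsid.conf or /etc/iscsid.conf to parse_iscsid_conf instead of SAMPLE.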