Setting up authentication for AIX hosts

AIX hosts can be correctly set up for authentication on the system by following certain guidelines and tasks.

Although the system supports both one-way authentication and two-way authentication for iSCSI, the AIX software initiator currently supports only one-way authentication. The system target authenticates the initiator.

CHAP settings are defined in the /etc/iscsi/targets file on the host. The AIX initiator or host bus adapter (HBA) always uses its iSCSI qualified name (IQN) as the CHAP user name.

To set up authentication on an AIX host, complete the following steps:

  1. Open the /etc/iscsi/targets file with any editor.
  2. For each line that contains a target definition, append the CHAP secret of the initiator in quotation marks:
    192.168.1.7      3260     iqn.1986-03.com.ibm:2145.sahyadri.node1 "secret"

    The CHAP secret value that you set here must match the value that was configured on the system for the host object that is associated with this host. Because the system authenticates on a per-initiator basis, the CHAP secret is the same for all the targets on a particular clustered system.

    An example of the /etc/iscsi/targets file is shown in Figure 1.
    Figure 1. CHAP settings for an AIX host
    #ChapSecret             = %x22*( any character ) %x22
    #                       ;   "                      "
    #                       ; ChapSecret is a string enclosed in double quotes. The
    #                       ; quotes are required, but are not part of the secret.
    #
    #EXAMPLE 1: iSCSI Target without CHAP(MD5) authentication
    #      Assume the target is at address 192.168.3.2,
    #      the valid port is 5003
    #      the name of the target is iqn.com.ibm-4125-23WTT26
    #The target line would look like:
    #192.168.3.2 5003 iqn.com.ibm-4125-23WWT26
    #
    #EXAMPLE 2: iSCSI Target with CHAP(MD5) authentication
    #      Assume the target is at address 10.2.1.105,
    #      the valid port is 3260
    #      the name of the target is iqn.com.ibm-K167-42.fc1a
    #      the CHAP secret is "This is my password."
    #The target line would look like:
    #10.2.1.105 3260 iqn.com.ibm-K167-42.fc1a "This is my password."
    #
    #EXAMPLE 3: iSCSI Target with CHAP(MD5) authentication and line continuation
    #      Assume the target is at address 10.2.1.106,
    #      the valid port is 3260
    #      the name of the target is iqn.com.ibm:00.fcd0ab21.shark128
    #      the CHAP secret is "123ismysecretpassword.fc1b"
    #The target line would look like:
    #10.2.1.105 3260 iqn.2003-01.com.ibm:00.fcd0ab21.shark128
    
    
    192.168.1.41 3260 iqn.1986-03.com.ibm:2145.pahar.dvt110702
    192.168.2.43 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 "svcchapsecret"

    The two targets in the previous example are members of different clustered systems. One target is configured to authenticate the initiator, and the other target is not configured to authenticate the initiator.

    Target iqn.1986-03.com.ibm:2076.pahar.dvt110702 is not configured for authentication; therefore, the CHAP secret field is blank. Target iqn.1986-03.com.ibm:2076.moscow.dvt110706 is configured for authentication; therefore, the CHAP secret field is set to svcchapsecret for authentication.