You
can use the command-line interface (CLI) to configure the
system to authenticate with
iSCSI-attached hosts by using the Challenge-Handshake Authentication Protocol (CHAP). After the
CHAP is set for the system, all attached hosts must be configured to authenticate. When you are
troubleshooting a problem, you can delay your configuration of the CHAP authentication until after
you configure the first one or two hosts and test their connectivity.
To configure authentication between the
system and the
iSCSI-attached hosts, follow these steps:
- To configure CHAP authentication for an iSCSI host,
enter the following CLI command:
chhost -iscsiusername iscsi_username -chapsecret chap_secrethost_name
where iscsi_username is the user name,
chap_secret is the CHAP secret to be used to authenticate the system via iSCSI,
and host_name is the name of the iSCSI host. The chap_secret
value must be 12 characters. If you do not specify the iSCSI user name, the initiator's IQN is taken
as the user name for one-way CHAP authentication.
- To set the authentication method
for the iSCSI communications of the system, enter the following CLI
command:
chsystem -iscsiauthmethod chap -chapsecret chap_secret
where chap specifies that CHAP is the authentication method
and chap_secret is the CHAP secret to be used. The specified CHAP secret cannot
begin or end with a space.
- To clear all CHAP secrets for iSCSI authentication that were previously set, enter the
following CLI command:
chsystem -nochapsecret
The
nochapsecret parameter is not allowed if the
chapsecret
parameter is specified.
- Run the lsiscsiauth command to display the Challenge Handshake
Authentication Protocol (CHAP) secret that you configured.
After you configure the CHAP secret for the
system, ensure that the
system CHAP secret is added to each iSCSI-attached host. On all iSCSI-attached hosts, specify a CHAP
secret that the hosts use to authenticate to the
system.