Setting up authentication for Linux hosts

You can set up one-way CHAP authentication for Linux hosts. After you configure one-way authentication that is working for your host, you can optionally set up two-way authentication.

The system supports two Challenge Handshake Authentication Protocol (CHAP) methods:
  • One-way CHAP authentication (the system authenticates the host iSCSI initiator).
  • Two-way CHAP authentication (both the system and the initiator authenticate each other).
Note: CHAP secrets that you select for one-way authentication and two-way authentication must be different.

To set up authentication for a Linux host, follow these steps:

  1. Open /etc/iscsi/iscsid.conf or /etc/iscsid.conf by using an appropriate editor.
  2. Go to the CHAP settings paragraph.

    The following example shows the output:

    Figure 1. CHAP settings for a Linux host
    #*************
    #CHAP Settings
    #*************
    
    #To enable CHAP authentication set node.session.auth.authmethod
    #to CHAP. The default is None.
    #node.session.auth.authmethod = CHAP
    
    #To set a CHAP username and password for initiator
    #authentication by the target(s), uncomment the following lines:
    #node.session.auth.username = username
    #node.session.auth.password = password
    node.session.auth.username = rhel_username
    node.session.auth.password = xxxxxxxxxxxxx
    #To set a CHAP username and password for target(s)
    #authentication by the initiator, uncomment the following lines:
    #node.session.auth.username_in = username_in
    #node.session.auth.password_in = password_in
    node.session.auth.password_in = yyyyyyyyyyyyy
    #To enable CHAP authentication for a discovery session to the target
    #set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
    #discovery.sendtargets.auth.authmethod = CHAP
    discovery.sendtargets.auth.authmethod = CHAP
    #To set a discovery session CHAP username and password for the initiator
    #authentication by the target(s), uncomment the following lines:
    #discovery.sendtargets.auth.username = username
    #discovery.sendtargets.auth.password = password
    
    #To set a discovery session CHAP username and password for target(s)
    #authentication by the initiator, uncomment the following lines:
    #discovery.sendtargets.auth.username_in = username_in
    #discovery.sendtargets.auth.password_in = password_in
  3. Set up authentication.
    • Set up one-way authentication:
      1. Set a CHAP user name and password to your initiator name.
        1. node.session.auth.authmethod = CHAP
        2. node.session.auth.username = <initiator's user name>
        3. node.session.auth.password = <CHAP secret for host>
      2. Set a discovery session CHAP user name and password to your initiator name.
        1. discovery.sendtargets.auth.authmethod = CHAP
        2. discovery.sendtargets.auth.username = <initiator's user name>
        3. discovery.sendtargets.auth.password = <CHAP secret for host>
      3. Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.
      Note: In the previous example, xxxxxxxxxxxxx is the CHAP secret for the host, and the rhel_username is the IQN name of the initiator. This user name must be the same value that you set with the chhost command (iscsiusername field) for this host.
    • Set up two-way authentication.
      Note: It is not mandatory to set up two-way authentication. Before you configure for two-way authentication, ensure that one-way authentication is configured and is working for your host.
      1. Edit the password_in to CHAP secret that you set up with the chsystem command on the system.
        1. Set a CHAP user name and password for the target or targets.
          • node.session.auth.password_in = <CHAP secret for clustered system>
        2. Set a discovery session CHAP user name and password for the target or targets.
          • discovery.sendtargets.auth.password_in = <CHAP secret for clustered system>
      2. Save these settings. You must log out of any current sessions and rediscover the system iSCSI target for the CHAP secret to be effective.