Setting up CHAP Security for iSCSI Storage Systems


Challenge Handshake Authentication Protocol (CHAP) is a method of authenticating iSCSI users. The iSCSI storage system can use CHAP to authenticate initiators and initiators can likewise authenticate targets such as the storage system.

CAUTION

If you do not configure CHAP security for the storage system, any host connected to the same IP network as the storage-system iSCSI ports can read from and write to the storage system. If the storage system is on a private network, you can choose not to use CHAP security. If the storage system is on a public network, we strongly recommend that you use CHAP security.

If you want to use CHAP security, you should set up and enable it on the storage system before preparing virtual disks to receive data. If you prepare disks to receive data before you set up and enable CHAP security, you lose visibility to the disks.

CHAP has two variants:

Initiator CHAP sets up accounts that iSCSI initiators use to connect to targets. The target authenticates the initiator. Initiator CHAP is the primary CHAP authentication method.

Navisphere Express provides Basic and Advanced initiator CHAP options. Basic CHAP specifies one secret (password) for all initiators that log in to a given target. The Advanced option allows you to specify a different secret for each initiator, and also allows you to set up Mutual CHAP.

Mutual CHAP is applied in addition to advanced initiator CHAP. Mutual CHAP sets up an account that a target uses to connect to an initiator. The initiator authenticates the target.

Setting up and enabling initiator CHAP is necessary for iSCSI security to work. Mutual CHAP is an optional additional level of security. Only one mutual CHAP credential is supported for each storage system.
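The two variants above differ only in who issues the challenge and who verifies the answer. The following added example (not code from the Intel guide or from Navisphere Express) walks through both exchanges with the MD5 challenge-response that iSCSI CHAP uses, using constructed account names and secrets; in initiator CHAP the target verifies the initiator, and mutual CHAP adds a second exchange in which the initiator verifies the target.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP with MD5 (the algorithm iSCSI negotiates as CHAP_A=5):
# response = MD5(identifier || secret || challenge).
def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret + chap_c).digest()

def new_challenge():
    """The verifying side picks a fresh identifier and a random challenge."""
    return os.urandom(1)[0], os.urandom(16)

def verify(accounts: dict, name: str, chap_i: int, chap_c: bytes, chap_r: bytes) -> bool:
    """The verifier recomputes the expected response from the secret it stores for 'name'."""
    secret = accounts.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(chap_i, secret, chap_c), chap_r)

def initiator_chap(target_accounts: dict, initiator_name: str, initiator_secret: bytes) -> bool:
    """Initiator CHAP: the target challenges, the initiator answers, the target verifies."""
    chap_i, chap_c = new_challenge()                          # target -> initiator
    chap_r = chap_response(chap_i, initiator_secret, chap_c)  # initiator -> target
    return verify(target_accounts, initiator_name, chap_i, chap_c, chap_r)

def mutual_chap(target_accounts: dict, initiator_name: str, initiator_secret: bytes,
                initiator_stored: dict, target_name: str, target_secret: bytes):
    """Mutual CHAP: initiator CHAP first, then the initiator challenges the target.
    Returns (initiator_authenticated, target_authenticated)."""
    if not initiator_chap(target_accounts, initiator_name, initiator_secret):
        return (False, False)
    chap_i, chap_c = new_challenge()                          # initiator -> target
    chap_r = chap_response(chap_i, target_secret, chap_c)     # target -> initiator
    return (True, verify(initiator_stored, target_name, chap_i, chap_c, chap_r))

# Constructed sample credentials (hypothetical IQNs and secrets, not from the guide).
TARGET_ACCOUNTS = {"iqn.2024-01.example:host1": b"initiator-secret-1234"}  # held by the target
INITIATOR_STORED = {"iqn.2024-01.example:array": b"target-secret-5678"}    # held by the initiator

if __name__ == "__main__":
    print(initiator_chap(TARGET_ACCOUNTS, "iqn.2024-01.example:host1", b"initiator-secret-1234"))
    print(mutual_chap(TARGET_ACCOUNTS, "iqn.2024-01.example:host1", b"initiator-secret-1234",
                      INITIATOR_STORED, "iqn.2024-01.example:array", b"target-secret-5678"))
```

Note that the secret itself never crosses the wire; only the challenge and the hash do, which is why a storage system that is reachable without CHAP accepts any initiator on the same network.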

The following steps are necessary to set up initiator CHAP:

1. On a server that uses NICs or iSCSI HBAs, log off and remove target portals.

2. On the storage system, configure and enable initiator CHAP (basic or advanced) by entering the initiator user data for all initiators that are allowed to access the storage system.

3. If you are setting up the optional mutual CHAP, you must enter the mutual CHAP user data on each server; that is, the target user account data that the storage system sends to initiators. The initiators compare this data with their stored user data when they authenticate the storage system.

Intel Storage System SSR212PP User Guide
