CHAP uses a three-way handshake algorithm to verify the identity of your host and, if applicable, of the iSCSI target when the host and target establish a connection. The verification is based on a predefined private value, or CHAP secret, that the initiator and target share.
ESXi supports CHAP authentication at the adapter level. In this case, all targets receive the same CHAP name and secret from the iSCSI initiator. For software and dependent hardware iSCSI adapters,
ESXi also supports per-target CHAP authentication, which allows you to configure different credentials for each target to achieve greater level of security.
ESXi supports one-way CHAP for all types of iSCSI initiators, and mutual CHAP for software and dependent hardware iSCSI.
Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system and check the CHAP authentication method the system supports. If CHAP is enabled, enable it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.
ESXi supports the following CHAP authentication methods:
|
In one-way CHAP authentication, also called unidirectional, the target authenticates the initiator, but the initiator does not authenticate the target.
|
|
In mutual CHAP authentication, also called bidirectional, an additional level of security enables the initiator to authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters only.
|
For software and dependent hardware iSCSI adapters, you can set one-way CHAP and mutual CHAP for each initiator or at the target level. Independent hardware iSCSI supports CHAP only at the initiator level.
When you set the CHAP parameters, specify a security level for CHAP.
Note
When you specify the CHAP security level, how the storage array responds depends on the array’s CHAP implementation and is vendor specific. For example, when you select
Use CHAP unless prohibited by target, some storage arrays use CHAP in response, while others do not. For information on CHAP authentication behavior in different initiator and target configurations, consult the array documentation.
CHAP Security Level
|
|
|
|
The host does not use CHAP authentication. Select this option to disable authentication if it is currently enabled.
|
Independent hardware iSCSI
|
Do not use CHAP unless required by target
|
The host prefers a non-CHAP connection, but can use a CHAP connection if required by the target.
|
|
Use CHAP unless prohibited by target
|
The host prefers CHAP, but can use non-CHAP connections if the target does not support CHAP.
|
Independent hardware iSCSI
|
|
The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails.
|
|
You can set up all targets to receive the same CHAP name and secret from the iSCSI initiator at the initiator level. By default, all discovery addresses or static targets inherit CHAP parameters that you set up at the initiator level.
The CHAP name should not exceed 511 alphanumeric characters and the CHAP secret should not exceed 255 alphanumeric characters. Some adapters, for example the QLogic adapter, might have lower limits, 255 for the CHAP name and 100 for the CHAP secret.
Prerequisites
■
|
Before setting up CHAP parameters for software or dependent hardware iSCSI, determine whether to configure one-way or mutual CHAP. Independent hardware iSCSI adapters do not support mutual CHAP.
■
|
In one-way CHAP, the target authenticates the initiator.
|
■
|
In mutual CHAP, both the target and the initiator authenticate each other. Use different secrets for CHAP and mutual CHAP.
|
When you configure CHAP parameters, verify that they match the parameters on the storage side.
|
■
|
|
Procedure
1
|
Access the iSCSI Initiator Properties dialog box.
|
2
|
On the General tab, click CHAP.
|
3
|
To configure one-way CHAP, under CHAP specify the following:
a
|
Select the CHAP security level.
■
|
Do not use CHAP unless required by target (software and dependent hardware iSCSI only)
|
■
|
Use CHAP unless prohibited by target
|
■
|
Use CHAP (software and dependent hardware iSCSI only). To configure mutual CHAP, you must select this option.
|
|
b
|
Make sure that the name you specify matches the name configured on the storage side.
■
|
To set the CHAP name to the iSCSI initiator name, select Use initiator name.
|
■
|
To set the CHAP name to anything other than the iSCSI initiator name, deselect Use initiator name and type a name in the Name text box.
|
|
c
|
Enter a one-way CHAP secret to be used as part of authentication. Use the same secret that you enter on the storage side.
|
|
4
|
To configure mutual CHAP, first configure one-way CHAP by following the directions in Step 3.
Make sure to select Use CHAP as an option for one-way CHAP. Then, specify the following under Mutual CHAP:
a
|
|
b
|
Specify the mutual CHAP name.
|
c
|
Enter the mutual CHAP secret. Make sure to use different secrets for the one-way CHAP and mutual CHAP.
|
|
5
|
|
6
|
|
If you change the CHAP or mutual CHAP parameters, they are used for new iSCSI sessions. For existing sessions, new settings are not used until you log out and log in again.
For software and dependent hardware iSCSI adapters, you can configure different CHAP credentials for each discovery address or static target.
When configuring CHAP parameters, make sure that they match the parameters on the storage side. The CHAP name should not exceed 511 and the CHAP secret 255 alphanumeric characters.
Prerequisites
Before setting up CHAP parameters for software and dependent hardware iSCSI, determine whether to configure one-way or mutual CHAP.
■
|
In one-way CHAP, the target authenticates the initiator.
|
■
|
In mutual CHAP, both the target and initiator authenticate each other. Make sure to use different secrets for CHAP and mutual CHAP.
|
Procedure
1
|
Access the iSCSI Initiator Properties dialog box.
|
2
|
Select either Dynamic Discovery tab or Static Discovery tab.
|
3
|
From the list of available targets, select a target you want to configure and click .
|
4
|
Configure one-way CHAP in the CHAP area.
a
|
Deselect Inherit from parent.
|
b
|
Select one of the following options:
■
|
Do not use CHAP unless required by target
|
■
|
Use CHAP unless prohibited by target
|
■
|
Use CHAP. To be able to configure mutual CHAP, you must select this option.
|
|
c
|
Make sure that the name you specify matches the name configured on the storage side.
■
|
To set the CHAP name to the iSCSI initiator name, select Use initiator name.
|
■
|
To set the CHAP name to anything other than the iSCSI initiator name, deselect Use initiator name and enter a name in the Name field.
|
|
d
|
Enter a one-way CHAP secret to be used as part of authentication. Make sure to use the same secret that you enter on the storage side.
|
|
5
|
To configure mutual CHAP, first configure one-way CHAP by following directions in Step 4.
Make sure to select Use CHAP as an option for one-way CHAP. Then, specify the following in the Mutual CHAP area:
a
|
Deselect Inherit from parent.
|
b
|
|
c
|
Specify the mutual CHAP name.
|
d
|
Enter the mutual CHAP secret. Make sure to use different secrets for the one-way CHAP and mutual CHAP.
|
|
6
|
|
7
|
|
If you change the CHAP or mutual CHAP parameters, they are used for new iSCSI sessions. For existing sessions, new settings are not used until you log out and login again.
You can disable CHAP if your storage system does not require it.
If you disable CHAP on a system that requires CHAP authentication, existing iSCSI sessions remain active until you reboot your host, end the session through the command line, or the storage system forces a logout. After the session ends, you can no longer connect to targets that require CHAP.
Procedure
1
|
Open the CHAP Credentials dialog box.
|
2
|
For software and dependent hardware iSCSI adapters, to disable just the mutual CHAP and leave the one-way CHAP, select Do not use CHAP in the Mutual CHAP area.
|
3
|
To disable one-way CHAP, select Do not use CHAP in the CHAP area.
The mutual CHAP, if set up, automatically turns to Do not use CHAP when you disable the one-way CHAP.
|
4
|
Thanks to Vmware Documentation
|
No comments:
Post a Comment