You can use the CHAP protocol on hosts running Red Hat Enterprise Linux 5, 6, and 7 series and SUSE Linux Enterprise Server 10, 11, and 12 series to provide enhanced security. To set up CHAP, you must add CHAP user names and passwords to the /etc/iscsi/iscsid.conf file and then use the iscsi security command to set up the same user names and passwords on the storage system.
Steps
- Open the /etc/iscsi/iscsid.conf file with a text editor.
- Enable CHAP authentication: node.session.auth.authmethod = CHAP
The default is None.
- Provide a CHAP user name and password for the target to use when authenticating the initiator.
You must remove the comment indicators and supply values for the options username and password in the following configuration entries:
- node.session.auth.username = username
- node.session.auth.password = password
- Provide a CHAP user name and password for the initiator to use when authenticating the target.
You must remove the comment indicators and supply values for the options username_in and password_in in the following configuration entries:
- node.session.auth.username_in = username_in
- node.session.auth.password_in = password_in
- For a successful session discovery, enable discovery CHAP authentication by supplying the passwords in the discovery.sendtargets.auth. options.
The user name and password must match for both session and discovery on the host. Make sure that you use the same user names and passwords that you used when you set up CHAP on the storage system with the iscsi security command.
- discovery.sendtargets.auth.authmethod = CHAP
- discovery.sendtargets.auth.username = username
- discovery.sendtargets.auth.password = password
- discovery.sendtargets.auth.username_in = username_in
- discovery.sendtargets.auth.password_in = password_in
