Configuring iSCSI security (mutual authentication)

The storage server uses the Challenge Handshake Authentication Protocol (CHAP) to authenticate iSCSI initiators. CHAP requires a “shared secret” known by the initiator and the target. The server also supports mutual authentication where, in addition to the initiator authenticating against the target on the server, the server must also authenticate against the initiator.

To facilitate the mutual authentication process, the server must maintain a list of the initiators with which it can authenticate and the shared secret for each initiator.
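The exchange described above, as an added example that is not part of the Hitachi documentation: a simulation of both CHAP directions using the MD5 response defined in RFC 1994, with a check of this page's secret-length guidance and its requirement that the two directions use different secrets. The function names, dictionary keys and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994 with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def check_secrets(target_secret: bytes, initiator_secret: bytes) -> list:
    """Check a secret pair against the page's length guidance and the
    requirement that the two directions do not share one secret."""
    problems = []
    for label, s in (("target", target_secret), ("initiator", initiator_secret)):
        if not 1 <= len(s) <= 255:
            problems.append(f"{label} secret: length outside permitted 1-255")
        elif not 12 <= len(s) <= 17:
            problems.append(f"{label} secret: length outside recommended 12-17")
    if hmac.compare_digest(target_secret, initiator_secret):
        problems.append("same secret used in both directions")
    return problems

def mutual_chap_login(initiator_cfg: dict, server_cfg: dict) -> tuple:
    """Simulate both CHAP directions. Each cfg holds that side's copy of
    'target_secret' (initiator proves itself) and 'initiator_secret'
    (server proves itself). Returns (initiator_accepted, server_accepted)."""
    # Direction 1: server sends identifier + challenge, initiator answers.
    id1, ch1 = os.urandom(1)[0], os.urandom(16)
    resp1 = chap_response(id1, initiator_cfg["target_secret"], ch1)
    expected1 = chap_response(id1, server_cfg["target_secret"], ch1)
    initiator_accepted = hmac.compare_digest(resp1, expected1)
    # Direction 2: initiator sends its own challenge, server answers.
    id2, ch2 = os.urandom(1)[0], os.urandom(16)
    resp2 = chap_response(id2, server_cfg["initiator_secret"], ch2)
    expected2 = chap_response(id2, initiator_cfg["initiator_secret"], ch2)
    server_accepted = hmac.compare_digest(resp2, expected2)
    return initiator_accepted, server_accepted

if __name__ == "__main__":
    # Constructed sample secrets, 15 characters each.
    cfg = {"target_secret": b"fwd-secret-0001", "initiator_secret": b"rev-secret-0002"}
    print(mutual_chap_login(cfg, dict(cfg)))
    stale = dict(cfg, initiator_secret=b"stale-secret-99")
    print(mutual_chap_login(cfg, stale))
    print(check_secrets(cfg["target_secret"], cfg["target_secret"]))
```

A mismatch in the initiator secret held by the server shows up as the second value being False: the initiator has authenticated, but it rejects the server.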

Configuring the storage server for mutual authentication

You can configure the storage server for mutual authentication in the NAS Manager.

Procedure

  1. Navigate to Home > File Services > iSCSI Initiator Authentication.

    Field/Item | Description
    EVS | Displays the EVS on which to configure Initiator Authentication. Click change to select a different EVS.
    Initiator Name | Identifies the initiator with a globally unique name.
    Secret | Password used to secure the Initiator from any unauthorized access. The secret should be from 12 to 17 characters in length, but may be between 1-255 characters in length.
    details | Click to display the iSCSI Initiator Details page for the selected initiator.
    Check All | Click to fill the check box of all initiators in the list.
    Clear All | Click to empty the check box of all initiators in the list.
    add | Click to display the Add iSCSI Initiator page.
    delete | Click to delete the selected iSCSI initiator.
    iSCSI Targets | Click to display the iSCSI Targets page.
  2. Ensure that the required EVS is selected.

    Check the EVS name listed at the top of the page. If this is not the EVS that you want the iSCSI initiator to connect with, click change and select the required EVS.
  3. Click add to add an iSCSI initiator.

    Add iSCSI Initiator page

    Field/Item | Description
    EVS | The EVS on which to configure Initiator Authentication.
    Initiator Name | Identifies the initiator with a globally unique name. This name is displayed in the Change Initiator node name dialog of the Microsoft iSCSI initiator.
    Secret | The Secret for the Initiator. This is the secret which will be entered in the CHAP Secret Setup dialog of the iSCSI Initiator. This secret is a password which is used to secure the Initiator from unauthorized access. The secret should be from 12 to 17 characters in length, but may be between 1-255 characters in length.
    iSCSI Targets | Opens the iSCSI Targets page.
  4. Enter the iSCSI initiator name.

  5. Enter the initiator secret (password).

  6. Save the configuration.

    Verify your settings, then click OK to save or cancel to return to the iSCSI Initiator Authentication page without adding the initiator.

Changing the storage server’s mutual authentication configuration

Once the storage server's iSCSI initiator configuration has been set up, you can either change an initiator's secret or delete it entirely.

Procedure

  1. Navigate to Home > File Services > iSCSI Initiators.

    Field/Item | Description
    EVS | Displays the EVS on which to configure Initiator Authentication. Click change to select a different EVS.
    Initiator Name | Identifies the initiator with a globally unique name.
    Secret | Password used to secure the Initiator from any unauthorized access. The secret should be from 12 to 17 characters in length, but may be between 1-255 characters in length.
    details | Click to display the iSCSI Initiator Details page for the selected initiator.
    Check All | Click to fill the check box of all initiators in the list.
    Clear All | Click to empty the check box of all initiators in the list.
    add | Click to display the Add iSCSI Initiator page.
    delete | Click to delete the selected iSCSI initiator.
    iSCSI Targets | Click to display the iSCSI Targets page.
  2. Ensure that the required EVS is selected.

    Check the EVS name listed at the top of the page. If this is not the EVS that you want the iSCSI initiator to connect with, click change and select the required EVS.
  3. You can now either delete the initiator or change the initiator's secret.

    • To delete an iSCSI initiator:
      1. Select the check box for the initiator you want to remove.

      2. Click delete to delete the selected initiator.

        A confirmation dialog appears, and you can click OK to delete the iSCSI Initiator, or cancel to return to the iSCSI Initiators page without deleting the Initiator.
    • To change the initiator's secret:
      1. Select the check box for the initiator you want to change.

      2. Click details to display the iSCSI Initiator Details page for the selected initiator.

        Field/Item | Description
        Initiator Name | The initiator's globally unique name. This name is displayed in the Change Initiator node name dialog of the Microsoft iSCSI initiator or from a file located in the /etc/iscsi directory for a Linux iSCSI initiator.
        Secret | The Secret for the Initiator. This is the secret which will be entered in the CHAP Secret Setup dialog of the iSCSI Initiator. This secret is a password which is used to secure the Initiator from unauthorized access. The secret should be from 12 to 17 characters in length, but may be between 1-255 characters in length.
        iSCSI Targets | Click to display the iSCSI Targets page.
      3. In the Secret field, type the new secret.

        The secret should be between 12 and 17 characters in length, but can be between 1-255 characters in length.

      4. Click OK to save the changed secret, or click cancel to return to the iSCSI Initiator Authentication page.

Configuring the Microsoft iSCSI initiator for mutual authentication

Note
  • For the latest version of Microsoft iSCSI Software Initiator, visit: http://www.microsoft.com/.
  • The visible screens depend on the operating system version.

To configure the Microsoft iSCSI Initiator for mutual authentication:

Procedure

  1. Navigate to the iSCSI Initiator Properties on your Windows system:

    1. Start the Microsoft iSCSI Initiator.

    2. Open the iSCSI Initiator Properties dialog.

    3. Select the General tab.

    4. Click Secret to display the CHAP Secret Setup dialog.

      Note: The shared secret is used to authenticate an initiator with a server, and it should be different from the secret specified when setting up the target.
    5. Enter a secret.

      In the field, enter the secret which allows the target to authenticate with initiators when performing mutual CHAP.
    6. Click OK to save the secret and return to the General tab of the iSCSI Initiator Properties dialog.

  2. If necessary, change the initiator node name.

    1. Click Change to display the Initiator Node Name Change dialog.

    2. Change the name as necessary.

      The initiator node name is the name which should be used as the initiator name on the storage server's iSCSI Initiator Authentication page (Home > File Services > iSCSI Initiators).

  3. Verify the configuration settings.

  4. Click OK to save the changes.

 
