Hitachi Vantara Knowledge

Using CHAP authentication

Creating a CHAP user and configuring CHAP authentication (CLI or REST API)

Challenge-Handshake Authentication Protocol (CHAP) authentication can be used to verify whether a connection request to the storage system comes from a valid compute node.

You can use CHAP authentication only if the compute node uses an iSCSI connection.

For each compute port, you can set whether CHAP authentication is used.

The procedure for creating a CHAP user and setting CHAP authentication is as follows.

The following table lists the system requirements for CHAP authentication.

| Item | Requirement | Remarks |
|---|---|---|
| Maximum number of CHAP users | 1024 per protection domain | Same number as the maximum number of compute nodes |
| Combination of a CHAP user name and a CHAP secret | The combination of a CHAP user name and a CHAP secret must be unique in the system. | |
| CHAP user name | Number of characters: 1 to 223. Allowed character types: Numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), space, symbols (. - + @ _ = : [ ] ~) | The conventions apply to the following parameter settings: TargetChapUserName (CLI: --target_chap_user_name), initiatorChapUserName (CLI: --initiator_chap_user_name) |
| CHAP secret | Number of characters: 12 to 32. Allowed character types: Numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), space, symbols (. - + @ _ = : / [ ] ~) | The conventions apply to the following parameter settings: TargetChapSecret (CLI: --target_chap_secret), initiatorChapSecret (CLI: --initiator_chap_secret) |
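
The following Python code is an added example, not part of the product documentation or the product's own code. It checks a CHAP user name and a CHAP secret against the length and character limits listed above before they are passed to chap_user_create or the REST API, and generates a random secret from the allowed set; all function names are hypothetical.

```python
import secrets
import string

# Character sets copied from the requirements above. Note that "/" is
# allowed in a CHAP secret but not in a CHAP user name.
NAME_SYMBOLS = ".-+@_=:[]~"
SECRET_SYMBOLS = NAME_SYMBOLS + "/"
ALNUM = string.ascii_letters + string.digits

def _violations(value, label, low, high, allowed, show_chars):
    found = []
    if not low <= len(value) <= high:
        found.append(f"{label}: length {len(value)} is outside {low} to {high}")
    bad = sorted(set(value) - set(allowed))
    if bad:
        # Never echo characters of a secret into logs or error output.
        detail = repr("".join(bad)) if show_chars else f"{len(bad)} distinct"
        found.append(f"{label}: disallowed characters ({detail})")
    return found

def check_chap_user(name, secret):
    """Return rule violations; an empty list means both values are acceptable."""
    return (_violations(name, "CHAP user name", 1, 223,
                        ALNUM + " " + NAME_SYMBOLS, show_chars=True)
            + _violations(secret, "CHAP secret", 12, 32,
                          ALNUM + " " + SECRET_SYMBOLS, show_chars=False))

def repeated_combinations(planned):
    """Return names whose (name, secret) pair occurs more than once in planned."""
    seen, repeated = set(), []
    for name, secret in planned:
        if (name, secret) in seen and name not in repeated:
            repeated.append(name)
        seen.add((name, secret))
    return repeated

def new_chap_secret(length=32):
    """Generate a random secret from the allowed set using the OS CSPRNG."""
    if not 12 <= length <= 32:
        raise ValueError("CHAP secret length must be 12 to 32 characters")
    # Space is allowed by the requirements but left out here so the value
    # survives shell quoting and copy/paste unchanged (a choice of this example).
    alphabet = ALNUM + SECRET_SYMBOLS
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print(check_chap_user("node/01", "tooshort"))   # constructed sample values
    print(check_chap_user("node01@rack-2", new_chap_secret()))
```

repeated_combinations only compares the combinations in one planned batch; it cannot compare against CHAP users that already exist in the system.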

Caution
  • When the CHAP authentication setting is changed, Virtual Storage Software block, for safety, forcibly disconnects the iSCSI connection between the compute node and the compute port so that the connection established before the setting change is discarded. It is recommended that you disconnect the iSCSI connection between the compute node and the compute port in advance, according to the disconnection procedure of each OS. After changing the CHAP authentication setting, establish the iSCSI connection according to the changed setting.

  • When a VPS is created, if you configure CHAP authentication, CHAP authentication must be performed for all connection requests to storage systems, including the connection requests from the compute node in the VPS to storage systems. For this reason, if you configure CHAP authentication, make sure that you notify the VPS administrator.

Before you begin

Required role: Security

Procedure

  1. Create a CHAP user.

    Run either of the following commands with a CHAP user name and a CHAP secret specified.

    As required, specify a CHAP user name and a CHAP secret for mutual CHAP authentication.

    REST API: POST /v1/objects/chap-users

    CLI: chap_user_create

    Verify the job ID which is displayed after the command is run.

  2. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  3. Obtain a list of compute ports to verify the ID of the compute port to be specified.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  4. Edit the authentication settings of the intended compute port.

    Run the command with the following specified: ID of the compute port, authentication scheme of the compute port, whether CHAP authentication is enabled at the time of discovery in iSCSI connection, and whether mutual CHAP authentication is enabled.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID.

    The same CHAP user name cannot be created twice on the same compute port.

    REST API: PATCH /v1/objects/port-auth-settings/<id>

    CLI: port_auth_setting_set

    Verify the job ID which is displayed after the command is run.

  5. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  6. Allow the CHAP user to access the compute port.

    Run either of the following commands with the ID of the compute port and the IDs of the CHAP users who are allowed to access the compute port with CHAP authentication specified.

    If you use the CLI, you can specify the CHAP user name instead of the CHAP user's ID.

    REST API: POST /v1/objects/port-auth-settings/<id>/chap-users

    CLI: port_auth_setting_chap_user_create

    Verify the job ID which is displayed after the command is run.

  7. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  8. Back up the configuration information.

    Perform this step by referring to Backing up the configuration information.

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.
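
The REST sequence of steps 1 to 7, as an added Python example that is not part of the product documentation or the product's own code. The transport function call, the response keys jobId, state and data, and the request key chapUserId are assumptions to be checked against the REST API reference; FakeStorage is a constructed in-memory stand-in so that the sequence runs offline.

```python
import time

def wait_for_job(call, job_id, timeout=60.0, interval=2.0, sleep=time.sleep):
    """Poll GET /v1/objects/jobs/<jobId> until the job state is "Succeeded"."""
    deadline = time.monotonic() + timeout
    while True:
        job = call("GET", f"/v1/objects/jobs/{job_id}", None)
        if job.get("state") == "Succeeded":        # key name "state" is assumed
            return job
        if time.monotonic() >= deadline:
            raise TimeoutError(f"job {job_id} state is {job.get('state')!r}")
        sleep(interval)

def submit(call, method, path, body, **poll):
    """Send one state-changing request, then block until its job succeeds."""
    accepted = call(method, path, body)
    return wait_for_job(call, accepted["jobId"], **poll)  # key "jobId" assumed

def configure_chap(call, port_id, chap_user, port_auth, **poll):
    """Run steps 1 to 7 in order; return the ID of the CHAP user created."""
    submit(call, "POST", "/v1/objects/chap-users", chap_user, **poll)
    listing = call("GET", "/v1/objects/chap-users", None)
    name = chap_user["targetChapUserName"]
    user_id = next(u["id"] for u in listing["data"]       # envelope "data" assumed
                   if u["targetChapUserName"] == name)
    # Changing port authentication drops existing iSCSI sessions on that port.
    submit(call, "PATCH", f"/v1/objects/port-auth-settings/{port_id}",
           port_auth, **poll)
    submit(call, "POST", f"/v1/objects/port-auth-settings/{port_id}/chap-users",
           {"chapUserId": user_id}, **poll)               # body key assumed
    return user_id

class FakeStorage:
    """Constructed in-memory stand-in for the REST endpoint; not the product."""
    def __init__(self):
        self.users, self.jobs, self.log = [], {}, []
    def __call__(self, method, path, body):
        self.log.append((method, path))       # request bodies are never logged
        if method == "GET" and path.startswith("/v1/objects/jobs/"):
            job = self.jobs[path.rsplit("/", 1)[1]]
            job["polls"] += 1                 # report success on the second poll
            return {"state": "Succeeded" if job["polls"] >= 2 else "not-yet"}
        if method == "GET":
            return {"data": self.users}
        if path == "/v1/objects/chap-users":
            self.users.append({"id": f"user-{len(self.users) + 1}",
                               "targetChapUserName": body["targetChapUserName"]})
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"polls": 0}
        return {"jobId": job_id}

if __name__ == "__main__":   # constructed demo; secret fields omitted
    demo = {"targetChapUserName": "node01"}
    print(configure_chap(FakeStorage(), "port-1", demo, {}, sleep=lambda s: None))
```

Each state-changing request is followed by its own job check before the next request is sent, matching the order of the procedure above.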

Obtaining a list of CHAP user information (CLI or REST API)

Obtain a list of CHAP user information as follows. The following information can be obtained.

  • id: CHAP user ID (uuid)

  • targetChapUserName: CHAP user name used for CHAP authentication on the compute port (i.e., target side)

  • initiatorChapUserName: CHAP user name used for CHAP authentication on the initiator side of the compute node

Before you begin

Required role: Security

Procedure

  1. Run either of the following commands to obtain a list of CHAP user information.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

Obtaining CHAP user information (CLI or REST API)

The following information can be obtained.

  • portIds: List of compute port IDs (uuid) which the CHAP user is allowed to access with CHAP authentication

  • id: CHAP user ID (uuid)

  • targetChapUserName: CHAP user name used for CHAP authentication on the compute port (i.e., target side)

  • initiatorChapUserName: CHAP user name used for CHAP authentication on the initiator side of the compute node

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the CHAP user.

    If you use the CLI to specify a CHAP user with a CHAP user name, check the CHAP user name.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

  2. Obtain CHAP user information with the ID of the CHAP user specified.

    If you use the CLI, you can specify the CHAP user name instead of the CHAP user's ID.

    REST API: GET /v1/objects/chap-users/<chapUserId>

    CLI: chap_user_show

Editing CHAP user information (CLI or REST API)

Edit CHAP user information as follows.

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the CHAP user.

    If you use the CLI to specify a CHAP user with a CHAP user name, check the CHAP user name.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

  2. Edit CHAP user information.

    Run either of the following commands with the ID of the CHAP user, CHAP user name, and a CHAP secret specified. As required, specify a CHAP user name and a CHAP secret for mutual CHAP authentication.

    If you use the CLI, you can specify the CHAP user name instead of the CHAP user's ID.

    REST API: PATCH /v1/objects/chap-users/<chapUserId>

    CLI: chap_user_set

    Verify the job ID which is displayed after the command is run.

  3. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  4. Back up the configuration information.

    Perform this step by referring to Backing up the configuration information.

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

Deleting a CHAP user (CLI or REST API)

Delete a CHAP user as follows.

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the CHAP user to be deleted.

    If you use the CLI to specify a CHAP user with a CHAP user name, check the CHAP user name.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

  2. Delete a CHAP user.

    Run either of the following commands with the ID of the CHAP user specified.

    If you use the CLI, you can specify the CHAP user name instead of the CHAP user's ID.

    REST API: DELETE /v1/objects/chap-users/<chapUserId>

    CLI: chap_user_delete

    Verify the job ID which is displayed after the command is run.

  3. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  4. Back up the configuration information.

    Perform this step by referring to Backing up the configuration information.

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

Obtaining authentication settings for the compute port for the target operation (CLI or REST API)

The following information can be obtained.

  • id: Compute port ID (uuid)

  • authMode: Authentication scheme of the compute port

  • isDiscoveryChapAuth: Whether CHAP authentication is enabled at the time of discovery in iSCSI connection

  • isMutualChapAuth: Whether mutual CHAP authentication is enabled

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the intended compute port.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  2. Obtain the authentication settings of the compute port.

    Run either of the following commands with the compute port ID specified.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID.

    REST API: GET /v1/objects/port-auth-settings/<id>

    CLI: port_auth_setting_show

Editing the authentication settings for the compute port for the target operation (CLI or REST API)

Edit the authentication settings for the compute port for the target operation as follows.

Caution
  • When the CHAP authentication setting is changed, Virtual Storage Software block, for safety, forcibly disconnects the iSCSI connection between the compute node and the compute port so that the connection established before the setting change is discarded. It is recommended that you disconnect the iSCSI connection between the compute node and the compute port in advance, according to the disconnection procedure of each OS. After changing the CHAP authentication setting, establish the iSCSI connection according to the changed setting.

  • When a VPS is created, editing the authentication settings affects the status of connection from the compute node in the VPS to a storage system. For this reason, after you edit the authentication settings, make sure that you notify the VPS administrator.

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the compute port.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  2. Edit the authentication settings of the intended compute port.

    Run either of the following commands with the compute port ID and parameters for setting compute port authentication specified.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID.

    REST API: PATCH /v1/objects/port-auth-settings/<id>

    CLI: port_auth_setting_set

    Verify the job ID which is displayed after the command is run.

  3. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  4. Back up the configuration information.

    Perform this step by referring to Backing up the configuration information.

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

Allowing a CHAP user to access the compute port (CLI or REST API)

Allow the CHAP user to access the compute port through CHAP authentication as follows.

Caution

If you add a storage node after you grant access to the compute port of an existing storage node based on CHAP authentication, also grant CHAP users access to the compute port of the added storage node.

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the applicable compute port.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  2. Verify the ID of the CHAP user.

    If you use the CLI to specify a CHAP user with a CHAP user name, check the CHAP user name.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

  3. Allow the CHAP user to access the compute port.

    Run either of the following commands with the ID of the compute port and the ID of the CHAP user specified.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID, or the CHAP user name instead of the CHAP user's ID.

    REST API: POST /v1/objects/port-auth-settings/<id>/chap-users

    CLI: port_auth_setting_chap_user_create

    Verify the job ID which is displayed after the command is run.

  4. Verify the state of the job.

    Run either of the following commands with the job ID specified.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  5. Back up the configuration information.

    Perform this step by referring to Backing up the configuration information.

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

Obtaining a list of CHAP users who are allowed to access a compute port (CLI or REST API)

Obtain a list of information about CHAP users who are allowed to access a compute port as follows. The following information can be obtained.

  • id: ID (uuid) of each CHAP user who is allowed to access the compute port

  • targetChapUserName: CHAP user name used for CHAP authentication on the compute port (i.e., target side)

  • initiatorChapUserName: CHAP user name used for CHAP authentication on the initiator side of the compute node

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the intended compute port.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  2. Obtain a list of information about CHAP users who are allowed to access the compute port.

    Run either of the following commands with the compute port ID specified.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID.

    REST API: GET /v1/objects/port-auth-settings/<id>/chap-users

    CLI: port_auth_setting_chap_user_list

Obtaining information about individual CHAP users who are allowed to access a compute port (CLI or REST API)

Obtain information about a CHAP user who is allowed to access a compute port as follows. The following information can be obtained.

  • id: ID (uuid) of a CHAP user who is allowed to access the compute port

  • targetChapUserName: CHAP user name used for CHAP authentication on the compute port (i.e., target side)

  • initiatorChapUserName: CHAP user name used for CHAP authentication on the initiator side of the compute node

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the intended compute port.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  2. Verify the ID of the CHAP user.

    If you use the CLI to specify a CHAP user with a CHAP user name, check the CHAP user name.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

  3. Obtain information about the CHAP user who is allowed to access the compute port.

    Run either of the following commands with the ID of the compute port and the ID of the CHAP user specified.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID, or the CHAP user name instead of the CHAP user's ID.

    REST API: GET /v1/objects/port-auth-settings/<id>/chap-users/<chapUserId>

    CLI: port_auth_setting_chap_user_show

Canceling permission for a CHAP user to access a compute port (CLI or REST API)

Cancel the permission for a CHAP user to access the compute port for the target operation through CHAP authentication as follows.

Caution
  • When a VPS is created, editing the authentication settings affects the status of connection from the compute node in the VPS to a storage system. For this reason, after you edit the authentication settings, make sure that you notify the VPS administrator.

Before you begin

Required role: Security

Procedure

  1. Verify the ID of the applicable compute port.

    If you use the CLI to specify a compute port by WWN or iSCSI name, check the WWN or iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  2. Verify the ID of the CHAP user whose access permission is to be canceled.

    If you use the CLI to specify a CHAP user with a CHAP user name, check the CHAP user name.

    REST API: GET /v1/objects/chap-users

    CLI: chap_user_list

  3. Cancel permission for a CHAP user to access a compute port as follows.

    Run either of the following commands with the ID of the compute port and the ID of the CHAP user specified.

    If you use the CLI, you can specify the WWN or iSCSI name instead of the compute port ID, or the CHAP user name instead of the CHAP user's ID.

    REST API: DELETE /v1/objects/port-auth-settings/<id>/chap-users/<chapUserId>

    CLI: port_auth_setting_chap_user_delete

    Verify the job ID which is displayed after the command is run.

  4. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  5. Back up the configuration information.

    Perform this step by referring to Backing up the configuration information.

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

 
