User authentication (iSCSI environments) – HP StorageWorks XP Remote Web Console Software User Manual
Overview of LUN Manager
Each port does not perform authentication of the Fibre Channel switch. The Fibre Channel switch
connects to the array without authentication regardless of whether or not the Fibre Channel switch
is configured for authentication with CHAP.
• Case C: If the Fibre Channel switch’s user information is not registered on the port
Regardless of the Fibre Channel switch’s setting, the port performs authentication of the Fibre
Channel switch, but results in failure. The Fibre Channel switch cannot connect to the array.
• Case D: When not performing authentication of Fibre Channel switches by ports
The Fibre Channel switch connects to the array without authentication of the host regardless of whether
or not the Fibre Channel switch is configured for authentication with CHAP.
In this case, although you do not need to register the Fibre Channel switch’s user information on the
port, you can register the user information.
Authentication of ports (performing mutual authentication)
When authentication of a host succeeds, the host in turn authenticates the port if the host requires it
(mutual authentication). In authentication of ports, when the user information (user name and
secret) of the port specified on the port side matches the user information stored on the host, the host
allows the host group to connect.
User authentication (iSCSI environments)
When configuring iSCSI environments, use LUN Manager to set user authentication between ports on the
array and hosts. In iSCSI environments, ports and hosts use Challenge Handshake Authentication Protocol
(CHAP) as the authentication method. This section provides an overview of user authentication.
User authentication operations and settings (iSCSI environments)
User authentication operations in iSCSI environments consist of the following phases:
1. An iSCSI target of the array authenticates a host attempting to connect (authentication of hosts).
2. The host authenticates the connection-target iSCSI target of the array (authentication of iSCSI targets).
The array performs user authentication per iSCSI target. Therefore, iSCSI targets and hosts must each have
their own user information for performing user authentication.
When a host attempts to connect to the array, the authentication of hosts phase starts. In this phase, it is
first determined whether or not the iSCSI target requires authentication of the host. If the iSCSI target does
not require authentication of the host, the host connects to the array without authentication. If the iSCSI
target requires authentication of the host, authentication is performed for the host. When the host is
successfully authenticated, processing goes to the next phase.
After authentication of the host succeeds, if the host requires user authentication for the iSCSI target that is
the connection target, the authentication of iSCSI targets phase starts. In this way, iSCSI targets and hosts
authenticate each other (mutual authentication). In the authentication of iSCSI targets phase, if
the host does not require user authentication for the iSCSI target, the host connects to the array without
authentication of the iSCSI target.
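The two phases described above, modeled as an added example (not code from the manual or from HP). It assumes CHAP with MD5 as defined in RFC 1994; the `Target`, `Host`, `verify` and `login` names and all user names and secrets are hypothetical, constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

@dataclass
class Target:                        # hypothetical model of one iSCSI target on the array
    user: str
    secret: bytes                    # target's own secret, used only for mutual authentication
    require_host_auth: bool
    hosts: dict = field(default_factory=dict)    # registered hosts: user name -> secret

@dataclass
class Host:                          # hypothetical model of an iSCSI host
    user: str
    secret: bytes
    require_target_auth: bool = False
    targets: dict = field(default_factory=dict)  # target info stored on the host

def verify(claimed: bytes, known_secret, ident: int, challenge: bytes) -> bool:
    # An unregistered peer has no secret on file, so verification fails.
    return known_secret is not None and hmac.compare_digest(
        claimed, chap_response(ident, known_secret, challenge))

def login(host: Host, target: Target) -> str:
    # Phase 1: authentication of hosts
    if not target.require_host_auth:
        return "connected: no authentication"
    ident, challenge = 1, os.urandom(16)     # target issues a fresh challenge
    answer = chap_response(ident, host.secret, challenge)
    if not verify(answer, target.hosts.get(host.user), ident, challenge):
        return "rejected: host authentication failed"
    # Phase 2: authentication of iSCSI targets, only if the host requires it
    if not host.require_target_auth:
        return "connected: host authenticated"
    ident, challenge = 2, os.urandom(16)     # host issues its own challenge
    answer = chap_response(ident, target.secret, challenge)
    if not verify(answer, host.targets.get(target.user), ident, challenge):
        return "rejected: target authentication failed"
    return "connected: mutual authentication"

# Constructed sample values: one registered host that also requires target authentication.
array = Target("tgt-user", b"target-secret-16", True, {"host-a": b"host-a-secret-16"})
good = Host("host-a", b"host-a-secret-16", True, {"tgt-user": b"target-secret-16"})
print(login(good, array))
```

The secret never crosses the wire in this exchange; only the hash over a fresh challenge does, which is why both sides must hold the same registered user information beforehand.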
The following explains the settings required for user authentication. The settings for authentication of iSCSI
targets are needed only when performing mutual authentication.
• Settings for authentication of hosts
• On the array:
Use LUN Manager to specify whether authentication of hosts is performed on each iSCSI target.
On an iSCSI target that performs authentication, register user information (iSCSI name, user name,
and secret) of hosts allowed to connect to the iSCSI target. A secret is a password used in CHAP
authentication. When registering user information, you can also enable or disable authentication
on a host basis. For more information about the settings, see “authentication of hosts on iSCSI targets” and “Registering a host’s user information”.
• On hosts: