Configuring CHAP for IBM Storage FlashSystem and SAN Volume Controller family of products

By Abhijeet Indulkar posted 23 hours ago

Introduction

iSCSI has long been valued for its cost-efficiency and simplicity, making it a popular choice for storage deployments where budget and ease of management are key considerations. This whitepaper focuses on security considerations for iSCSI, and in particular on authentication in iSCSI.

The iSCSI protocol specification laid the foundation for automated authentication mechanisms, such as CHAP, to secure iSCSI deployments. CHAP (Challenge-Handshake Authentication Protocol) is used in iSCSI to authenticate the initiator and optionally the target.

  • When configured as one-way CHAP, only the initiator authenticates to the target.
  • When configured as two-way CHAP, both initiator and target authenticate each other — i.e., mutual authentication.

This process is automated via challenge-response exchanges without manual intervention during each login.

Prerequisites

Prior to configuring CHAP, please follow the link below for instructions on configuring iSCSI overall.

https://www.ibm.com/docs/en/flashsystem-9x00/9.1.0?topic=attachment-iscsi-ethernet-host

We expect the following to have been completed by referring to the above link:

  1. Identification of the storage node ports to interface with the iSCSI host.
  2. Configuring portset(s) of type ‘host’ at the storage cluster.
  3. Assignment of correct IP addresses for the node ports participating in iSCSI host attachment.

Configuring one-way CHAP

In one-way CHAP (also known as unidirectional CHAP), only the initiator authenticates to the target, not the other way around. This is the most common CHAP configuration in iSCSI environments. To configure one-way CHAP, you must define a username and secret (password) that the initiator will use to authenticate itself to the target during iSCSI session establishment. 

The username and password must match exactly on both sides. While it's common to use the initiator's IQN as the CHAP username, this is optional and not required by the CHAP specification.

Let us see how one-way CHAP is configured on the host. We are referring to a Linux host and FlashSystem hardware running code level 9.1.0.0.

  1. Find out the IQN of the iSCSI host.
    • On a typical Linux host, this information is contained in the file /etc/iscsi/initiatorname.iscsi
    • The file holds the IQN in a line similar to this: InitiatorName=iqn.1994-05.com.redhat:ec3ee0bf4fe1
  2. Then edit the iSCSI configuration file, /etc/iscsi/iscsid.conf, so that it has entries similar to:
    • node.session.auth.authmethod = CHAP
    • node.session.auth.username = tHostAdm
    • node.session.auth.password = tHost123
    • discovery.sendtargets.auth.authmethod = CHAP
    • discovery.sendtargets.auth.username = tHostAdm
    • discovery.sendtargets.auth.password = tHost123
    where,
    • tHostAdm is the CHAP username for the host.
    • tHost123 is the CHAP password for the host.
  3. Save the file and restart the iSCSI service.

     [root@test-host ~]# systemctl stop iscsid
     [root@test-host ~]# systemctl start iscsid

Having configured the iSCSI host to take part in iSCSI device discovery using unidirectional CHAP, let us now see how to configure CHAP on the storage cluster:

  1. Log in to the storage cluster GUI.
  2. Browse to Hosts in the left-hand pane.
  3. Click Add host and fill in the values:
    1. Check the CHAP authentication check box.
    2. Choose iSCSI in Host connections.
    3. Input < name of the host > in Host Name.
    4. Select the Unidirectional radio button.
    5. Input < the password for CHAP > in Host secret.
    6. Input < the username for CHAP > in Host username.
    7. Input < IQN of the host > in Host port (IQN).
    8. Select Generic as the Host type.
  4. Finally, click Add; this runs the commands that create the iSCSI host with unidirectional CHAP support.

Here is the set of CLI commands to do the same:

  • svctask mkhost -force -iscsiname < IQN of the host > -name < name of the host > -protocol iscsi -type < host type from the list explained above, generic by default >

    e.g.

    svctask mkhost -force -gui -iscsiname iqn.1994-05.com.redhat:ec3ee0bf4fe1 -name tHost-iscsi-1WChap -protocol iscsi -type generic

  • svctask chhost -hostsecret < CHAP password for this host > -hostusername < CHAP username for this host > < id / name of the host created in the above CLI >

    e.g.

    svctask chhost -gui -hostsecret #### -hostusername tHostAdm tHost-iscsi-1WChap

This completes the CHAP configuration on the storage cluster. Now that CHAP has been configured on both target and initiator, you may proceed with iSCSI discovery.

Configuring two-way CHAP

Two-way CHAP (also known as bidirectional CHAP) provides mutual authentication between the iSCSI initiator and the target. In this setup, both the initiator and the target authenticate each other using separate sets of credentials. If you are already familiar with configuring one-way CHAP, enabling two-way CHAP is a straightforward extension.

To configure two-way CHAP, you must define two sets of usernames and secrets (passwords):

  • One set for the initiator to authenticate to the target.
  • Another set for the target to authenticate to the initiator.

Each set of credentials must be configured on both the initiator and the target, with the usernames and passwords matching exactly on both sides for their respective directions.

Important: The password used for the initiator’s CHAP authentication should be different from the password used for the target’s (storage) CHAP authentication.
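As an added example (not code from the post, from IBM, or from the FlashSystem product), here is a minimal model of the challenge-response exchange described in the Introduction and in this section: the initiator proves itself to the target, and for two-way CHAP the target proves itself back with the second set of credentials. It uses the MD5 CHAP algorithm from RFC 1994; the "secrets must differ" rejection is this example's own local check mirroring the Important note above, not a claim about how the product behaves.

```python
# Added example, not code from the IBM post or the FlashSystem product: a minimal
# model of the iSCSI CHAP login in both directions, using the MD5 algorithm from
# RFC 1994 (CHAP_A=5). Each side holds its own name/secret plus the peer's name/secret,
# as iscsid.conf (username/password vs username_in/password_in) and chhost
# (-hostusername/-hostsecret vs -storageusername/-storagesecret) do.
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    # Constant-time compare so the verifier does not leak how many bytes matched.
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def authenticate(prover: dict, verifier: dict, ident: int) -> bool:
    """One CHAP direction: verifier sends CHAP_I/CHAP_C, prover answers CHAP_N/CHAP_R."""
    challenge = os.urandom(16)
    name, response = prover["my_name"], chap_response(ident, prover["my_secret"], challenge)
    if name != verifier["peer_name"]:          # unknown CHAP username: reject outright
        return False
    return verify(ident, verifier["peer_secret"], challenge, response)


def iscsi_login(initiator: dict, target: dict, bidirectional: bool) -> str:
    """Initiator always proves itself to the target; the target proves itself back
    only for two-way CHAP. The 'secrets must differ' rule is this example's own
    local policy check, mirroring the post's Important note."""
    if not authenticate(initiator, target, ident=1):
        return "initiator auth failed"
    if not bidirectional:
        return "one-way ok"
    if initiator["my_secret"] == initiator["peer_secret"]:
        return "rejected: host and storage secrets must differ"
    if not authenticate(target, initiator, ident=2):
        return "target auth failed"
    return "mutual ok"


# Constructed credentials mirroring the post's examples (not real secrets).
HOST = {"my_name": "tHostAdm", "my_secret": b"tHost123",
        "peer_name": "tStgAdm", "peer_secret": b"tStg123"}
STORAGE = {"my_name": "tStgAdm", "my_secret": b"tStg123",
           "peer_name": "tHostAdm", "peer_secret": b"tHost123"}
```

Calling iscsi_login(HOST, STORAGE, bidirectional=True) returns "mutual ok"; changing any one secret on either side makes the corresponding direction fail.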

Taking the host part first: finding the IQN is the same as before, so we will focus only on the CHAP settings. Ensure the values in the iSCSI configuration file look similar to the following:

  • node.session.auth.authmethod = CHAP
  • node.session.auth.username = tHostAdm
  • node.session.auth.password = thost123
  • node.session.auth.username_in = tStgAdm
  • node.session.auth.password_in = tStg123
  • discovery.sendtargets.auth.authmethod = CHAP
  • discovery.sendtargets.auth.username = tHostAdm
  • discovery.sendtargets.auth.password = thost123
  • discovery.sendtargets.auth.username_in = tStgAdm
  • discovery.sendtargets.auth.password_in = tStg123

  where,

  • tHostAdm is the CHAP username and thost123 is the CHAP password for the host.
  • tStgAdm is the CHAP username and tStg123 is the CHAP password for storage.
  • Also, note that the passwords used for initiator and target CHAP are different.

Finally, save the file and restart the iSCSI service, with the same commands used above.
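As an added example (not from the post or from open-iscsi), here is a small checker for the iscsid.conf CHAP keys edited in the one-way and two-way host procedures above. It flags a missing username/password pair, a half-configured two-way pair, identical host and storage passwords, and a key set twice, which is exactly what happens when a "username" line is typed where a "password" line belongs. The sample configuration is constructed for the example.

```python
# Added example, not from the IBM post: a checker for the open-iscsi iscsid.conf
# CHAP keys the post edits. The sample below is constructed and reproduces the
# two-way list with a slip: the second discovery "username" line should be "password".
from typing import Dict, List

PREFIXES = ("node.session.auth", "discovery.sendtargets.auth")
KEYS = ("authmethod", "username", "password", "username_in", "password_in")
SAMPLE_CONF = """\
node.session.auth.authmethod = CHAP
node.session.auth.username = tHostAdm
node.session.auth.password = thost123
node.session.auth.username_in = tStgAdm
node.session.auth.password_in = tStg123
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = tHostAdm
discovery.sendtargets.auth.username = thost123
discovery.sendtargets.auth.username_in = tStgAdm
discovery.sendtargets.auth.password_in = tStg123
"""


def parse_iscsid_conf(text: str) -> Dict[str, List[str]]:
    """key -> every value seen for it; '#' comments and blank lines are skipped."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(key, []).append(value)
    return conf


def check_chap(conf: Dict[str, List[str]]) -> List[str]:
    """Findings for the session and discovery CHAP settings; an empty list means OK."""
    findings = []
    for p in PREFIXES:
        v = {k: conf.get(f"{p}.{k}", []) for k in KEYS}
        for k in KEYS:
            if len(v[k]) > 1:
                findings.append(f"{p}.{k} is set {len(v[k])} times; check which value is intended")
        if v["authmethod"] != ["CHAP"]:
            findings.append(f"{p}.authmethod is not CHAP, so this phase is unauthenticated")
        if not (v["username"] and v["password"]):
            findings.append(f"{p}: username or password missing, one-way CHAP incomplete")
        if (v["username_in"] or v["password_in"]) and not (v["username_in"] and v["password_in"]):
            findings.append(f"{p}: username_in and password_in must both be set for two-way CHAP")
        if v["password"] and v["password_in"] and v["password"][-1] == v["password_in"][-1]:
            findings.append(f"{p}: host and storage CHAP passwords must differ")
    return findings
```

Running check_chap(parse_iscsid_conf(SAMPLE_CONF)) reports the duplicated discovery username and the missing discovery password; after correcting that line the list is empty.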

Now, let us see how it is done at the storage cluster:

  1. Log in to the storage cluster.
  2. Browse to Hosts.
  3. Click Add host.
  4. Fill in the values:
    1. Select iSCSI in Host connections.
    2. Check CHAP authentication.
    3. Input the Host name.
    4. Select the Bidirectional radio button.
    5. Input the Host secret and Host username values; these should match what you used on the host side.
    6. Input the Storage secret and Storage username values.
    7. Input the Host port (IQN); this should also match the value used in the host configuration.
    8. Select Generic in Host type, and finally click Add.

The CLI commands to do the same are:

  • svctask mkhost -force -iscsiname < IQN of the host > -name < host name > -protocol iscsi -type generic

    e.g.

    svctask mkhost -force -iscsiname iqn.1994-05.com.redhat:ec3ee0bf4fe1 -name tHost-iscsi-2WayChap -protocol iscsi -type generic

  • svctask chhost -hostsecret < CHAP password for host > -hostusername < CHAP username for host > -storagesecret < CHAP password for storage > -storageusername < CHAP username for storage > < id / name of the host >

    e.g.

    svctask chhost -hostsecret ******** -hostusername tHostAdm -storagesecret ******* -storageusername tStgAdm tHost-iscsi-2WayChap

This completes the bidirectional CHAP configuration; you can now run iSCSI and LUN discovery as usual.
