Challenge-Handshake Authentication Protocol (CHAP) authentication can be used to verify whether a connection request to the storage system comes from a valid compute node.
You can use CHAP authentication only if the compute node uses an iSCSI connection.
For each compute port, you can set whether CHAP authentication is used.
The procedure for creating a CHAP user and setting CHAP authentication is as follows.
The following table lists the system requirements for CHAP authentication.
Item | Requirement | Remarks |
---|---|---|
Maximum number of CHAP users | 1,024 per protection domain | Same number as the maximum number of compute nodes |
Combination of a CHAP user name and a CHAP secret | The combination of a CHAP user name and a CHAP secret must be unique in the system. | |
CHAP user name | Number of characters: 1 to 223. Allowed character types: Numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), space, symbols (. - + @ _ = : [ ] ~) | The conventions apply to the following parameter settings: |
CHAP secret | Number of characters: 12 to 32. Allowed character types: Numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), space, symbols (. - + @ _ = : / [ ] ~) | The conventions apply to the following parameter settings: |
- When you change the CHAP authentication setting, VSP One SDS Block forcibly disconnects the iSCSI connection between the compute node and the compute port for safety, so that the connection established before the setting change is discarded. It is recommended that you disconnect the iSCSI connection between the compute node and the compute port in advance, according to the disconnection procedure of each OS. After changing the CHAP authentication setting, establish the iSCSI connection according to the changed setting.
- When a VPS is created, if you configure CHAP authentication, CHAP authentication must be performed for all connection requests to storage systems, including connection requests from the compute node in the VPS to storage systems. For this reason, if you configure CHAP authentication, make sure that you notify the VPS administrator.
- Required role: Security
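A pre-flight check for a planned batch of CHAP users against the limits in the requirements table, as an added example that is not part of the product or its documentation. The function name, the `(protection_domain, user_name, secret)` tuple layout and the sample values are assumptions made for illustration.

```python
import re

# Limits and character sets transcribed from the requirements table above.
# Note that "/" is allowed in a CHAP secret but not in a CHAP user name.
USER_NAME_RE = re.compile(r"[0-9A-Za-z .\-+@_=:\[\]~]{1,223}")
SECRET_RE = re.compile(r"[0-9A-Za-z .\-+@_=:/\[\]~]{12,32}")
MAX_USERS_PER_DOMAIN = 1024


def check_chap_users(entries):
    """Return (index, problem) tuples for a batch of planned CHAP users.

    entries: iterable of (protection_domain, user_name, secret) tuples
    (hypothetical layout). Secrets are never echoed in the problem text.
    """
    problems = []
    seen_pairs = {}   # (user_name, secret) -> first index; unique system-wide
    per_domain = {}   # protection_domain -> number of accepted users
    for i, (domain, name, secret) in enumerate(entries):
        errs = []
        if not USER_NAME_RE.fullmatch(name):
            errs.append("user name: need 1-223 characters from the allowed set")
        if not SECRET_RE.fullmatch(secret):
            errs.append("secret: need 12-32 characters from the allowed set")
        if (name, secret) in seen_pairs:
            errs.append(f"name/secret pair duplicates entry {seen_pairs[(name, secret)]}")
        if per_domain.get(domain, 0) >= MAX_USERS_PER_DOMAIN:
            errs.append("protection domain already has 1,024 CHAP users")
        if errs:
            problems.extend((i, e) for e in errs)
            continue
        seen_pairs[(name, secret)] = i
        per_domain[domain] = per_domain.get(domain, 0) + 1
    return problems


# Constructed sample input; none of these values come from a real system.
SAMPLE = [
    ("pd-01", "node01@example", "Xk4.Tq8_Lm2+Zr6"),  # valid
    ("pd-01", "node#02", "Xk4.Tq8_Lm2+Zr7"),         # "#" is not an allowed symbol
    ("pd-01", "node03", "short/secret"),             # valid: 12 chars, "/" ok in secret
    ("pd-01", "node/04", "Xk4.Tq8_Lm2+Zr8"),         # "/" not allowed in a user name
    ("pd-01", "node01@example", "Xk4.Tq8_Lm2+Zr6"),  # duplicate name/secret pair
    ("pd-01", "node05", "tooshort"),                 # secret shorter than 12
]

if __name__ == "__main__":
    for index, problem in check_chap_users(SAMPLE):
        print(f"entry {index}: {problem}")
```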