Creating a CHAP user and configuring CHAP authentication

Virtual Storage Platform One SDS Block System Administrator Guide

Version
1.16.x
Audience
anonymous
Part Number
MK-24VSP1SDS001-03

Challenge-Handshake Authentication Protocol (CHAP) authentication can be used to verify if a connection request to the storage system comes from a valid compute node.

You can use CHAP authentication only if the compute node uses iSCSI connection.

For each compute port, you can set whether CHAP authentication is used.

The procedure for creating a CHAP user and set CHAP authentication is as follows.

The following table lists the system requirements for CHAP authentication.

Item

Requirement

Remarks

Maximum number of CHAP users

1,024 per protection domain

Same number as the maximum number of compute nodes

Combination of a CHAP user name and a CHAP secret

The combination of a CHAP user name and a CHAP secret must be unique in the system.

CHAP user name

Number of characters: 1 to 223

Allowed character types: Numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), space, symbols (. - + @ _ = : [ ] ~)

The conventions apply to the following parameter settings:

  • TargetChapUserName(CLI: --target_chap_user_name)

  • initiatorChapUserName(CLI: --initiator_chap_user_name)

CHAP secret

Number of characters: 12 to 32

Allowed character types: Numbers (0 to 9), upper-case alphabet (A to Z), lower-case alphabet (a to z), space, symbols (. - + @ _ = : / [ ] ~)

The conventions apply to the following parameter settings:

  • targetChapSecret

  • initiatorChapSecret

CAUTION:
  • When changing the CHAP authentication setting, VSP One SDS Block forcibly disconnects iSCSI connection between the compute node and the compute port to discard the connection before the setting change for safety. It is recommended to disconnect the iSCSI connection between the compute node and the compute port according to the disconnection procedure of each OS in advance. After changing the CHAP authentication setting, establish the iSCSI connection according to the changed setting.

  • When a VPS is created, if you configure CHAP authentication, CHAP authentication must be performed for all connection requests to storage systems, including the connection requests from the compute node in the VPS to storage systems. For this reason, if you configure CHAP authentication, make sure that you notify the VPS administrator.

  • Required role: Security

  1. Create a CHAP user.

    Run either of the following commands with a CHAP user name and a CHAP secret specified.

    As required, specify a CHAP user name and a CHAP secret for mutual CHAP authentication.

    REST API: POST /v1/objects/chap-users

    CLI: chap_user_create

    Verify the job ID which is displayed after the command is run.

  2. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  3. Obtain a list of compute ports to verify the ID of the compute port to be specified.

    If you use the CLI to specify a compute port by iSCSI name, check the iSCSI name of the compute port.

    REST API: GET /v1/objects/ports

    CLI: port_list

  4. Edit the authentication settings of the intended compute port.

    Run the command with the following specified: ID of the compute port, authentication scheme of the compute port, whether CHAP authentication is enabled at the time of discovery in iSCSI connection, and whether mutual CHAP authentication is enabled.

    If you use the CLI, you can specify the iSCSI name instead of the compute port ID.

    The same CHAP user name cannot be created twice on the same compute port.

    REST API: PATCH /v1/objects/port-auth-settings/<id>

    CLI: port_auth_setting_set

    Verify the job ID which is displayed after the command is run.

  5. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  6. Allow the CHAP user to access the compute port.

    Run either of the following commands with the ID of the compute port and the IDs of the CHAP users who are allowed to access the compute port with CHAP authentication specified.

    If you use the CLI, you can specify the CHAP user name instead of the CHAP user's ID.

    REST API: POST /v1/objects/port-auth-settings/<id>/chap-users

    CLI: port_auth_setting_chap_user_create

    Verify the job ID which is displayed after the command is run.

  7. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  8. (Bare metal) Back up the configuration information.

    Perform this step by referring to Backing up the configuration information (Bare metal).

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.