Setting Up Authentication; Hp Mpio Dsm Manager With Iscsi Devices - HP StorageWorks 6100 - Enterprise Virtual Array User Manual
Hp storageworks mpx200 multifunction router user guide (5697-0306, january 2010)
Hide thumbs
Also See for StorageWorks 6100 - Enterprise Virtual Array:
- User manual (462 pages) ,
- User manual (232 pages) ,
- User manual (186 pages)
Table of Contents
Advertisement
Figure 55 HP MPIO DSM Manager with iSCSI devices
.
Setting up authentication
CHAP is an authentication protocol used for secure login between the iSCSI initiator and iSCSI target.
CHAP uses a challenge-response security mechanism to verify the identity of an initiator without
revealing the secret password shared by the two entities. It is also referred to as a three-way handshake.
With CHAP, the initiator must prove to the target that it knows the shared secret without actually
revealing the secret.
NOTE:
Setting up authentication for your iSCSI devices is optional. If you require authentication, HP
recommends that you configure it after you have properly verified installation and operation of the
iSCSI implementation without authentication.
In a secure environment, authentication may not be required—access to targets is limited to trusted
initiators. In a less secure environment, the target cannot determine if a connection request is from a
certain host. In this case, the target can use CHAP to authenticate an initiator.
When an initiator contacts a target that uses CHAP, the target (called the authenticator) responds by
sending the initiator a challenge. The challenge consists of information that is unique to the
authentication session. The initiator encrypts this information using a previously issued password that
is shared by both the initiator and the target. The encrypted information is then returned to the target.
The target has the same password and uses it as a key to encrypt the information that it originally
sent to the initiator. The target compares its results with the encrypted results sent by the initiator; if
they are the same, the initiator is considered authentic. These steps are repeated throughout the
authentication session to verify that the correct initiator is still connected.
These schemes are called proof-of-possession protocols. The challenge requires that an entity prove
possession of a shared key or one of the key pairs in a public-key scheme.
See the following RFCs for detailed information about CHAP:
•
RFC 1994 (PPP Challenge Handshake Authentication Protocol, August 1996)
•
RFC 2433 (Microsoft PPP CHAP Extensions, October 1998)
•
RFC 2759 (Microsoft PPP CHAP Extensions version 2, January 2000)
88
MPX200 iSCSI configuration rules and guidelines
Advertisement
Table of Contents
Troubleshooting
