
StorTrends CHAP Configuration Guide

The data residing on your StorTrends SAN is invaluable and sensitive, so it is worth implementing the security measures offered by your StorTrends SAN and by the standard iSCSI protocols. This guide walks you through three options for securing your LUNs, depending on the level of security that you require. Please take a minute to read through each of the following sections and decide which form of security is right for you.

Initiator Masking

  1. The first and simplest form of implementing security for your LUNs is a concept called initiator masking. With this implementation, one can set the target for each LUN to be discoverable by only a specific list of initiators. This way, only the initiators you delegate will have access to your LUNs. Follow the steps below in order to implement this form of security.

  1. Click on the radio button next to “Add Initiator manually” and enter the IQN of the initiator that you want to delegate access to in the box shown below. You can find the initiator’s IQN by opening the iSCSI Initiator and going to the Configuration tab. Once complete, click “Add”. This ensures that only the specified initiator (and any others that you choose to add to the list) will be able to discover the specific target.

  1. Go to your initiator and open up Microsoft iSCSI Initiator. Go to the Discovery tab and click on “Discover Portal…”.

  1. Type in the target’s IP and click on “Advanced…”.

  1. For “Local adapter:” be sure to choose “Microsoft iSCSI Initiator” from the dropdown list. Also, under “Initiator IP”, be sure to choose the IP on the initiator that is on the same subnet as the target’s IP. Click OK on this window and the one afterwards as well.

  1. Go to the Targets tab and you should see all your targets from your SAN. Choose the target that you just applied the initiator masking to and click “Connect”. Be sure that the checkbox is marked to add this connection to the list of Favorite Targets. This will ensure that the target is reconnected automatically in the case of a reboot on the initiator. Click on the “Advanced…” button.

  1. Similarly to Step 5, choose “Microsoft iSCSI Initiator” for “Local adapter:” and the initiator IP on the same subnet as the target’s IP for “Initiator IP”. Also, be sure to choose the target’s IP under “Target portal IP”. Finally, make sure the checkbox for “Enable CHAP log on” is marked and fill in the “Name” and “Target Secret” with the user name and target secret you set up in Step 2. Click OK until you are back at the Targets tab of the iSCSI Initiator.

  1. Repeat these steps for all the targets you would like to configure with initiator masking.

CHAP Authentication

The second form of security that will be covered is single-direction CHAP authentication. This is similar to initiator masking, except that it adds an extra layer: you assign a user name and a target secret to a specific target, and an initiator must supply both to log in to the target. Follow the steps below in order to implement this form of security.

  1. Log in to your SAN through ManageTrends and click on the “Targets” section in the left panel. This will bring up a list of available targets for your LUNs. Choose the target you would like to implement security on. Once on the target’s page, click on “Security” to bring up the security options.

  1. Click on the radio button next to “Add Initiator manually” and enter the IQN of the initiator that you want to delegate access to. You can find the initiator’s IQN by opening the iSCSI Initiator and going to the Configuration tab. Make sure the checkbox for “CHAP Logon Information” is marked and set up a username and target secret (NOTE: target secret must be 12-16 characters long and not include any special characters). Once complete, click “Add”. This ensures that only the specified initiator (and any others that you choose to add to the list) will be able to discover the specific target.

  1. Go to your initiator and open up Microsoft iSCSI Initiator. Go to the Discovery tab and click on “Discover Portal…”.

  1. Type in the target’s IP and click on “Advanced…”.

  1. For “Local adapter:” be sure to choose “Microsoft iSCSI Initiator” from the dropdown list. Also, under “Initiator IP”, be sure to choose the IP on the initiator that is on the same subnet as the target’s IP. Click OK on this window and the one afterwards as well.

  1. Go to the Targets tab and you should see all your targets from your SAN. Choose the target that you just applied the initiator masking to and click “Connect”. Be sure that the checkbox is marked to add this connection to the list of Favorite Targets. This will ensure that the target is reconnected automatically in the case of a reboot on the initiator. Click on the “Advanced…” button.

  1. Similarly to Step 5, choose “Microsoft iSCSI Initiator” for “Local adapter:” and the initiator IP on the same subnet as the target’s IP for “Initiator IP”. Also, be sure to choose the target’s IP under “Target portal IP”. Finally, make sure the checkbox for “Enable CHAP log on” is marked and fill in the “Name” and “Target Secret” with the user name and target secret you set up in Step 2. Click OK until you are back at the Targets tab of the iSCSI Initiator.

  1. Repeat these steps for all the targets you would like to configure with CHAP authentication.

Bi-directional CHAP Authentication

The final form of security that will be covered takes CHAP authentication one step further. With bi-directional CHAP authentication, there will be a target secret from the target to the initiator as well as from the initiator to the target. This adds another level of security if you feel your environment truly needs it. With this form of security, the SAN also needs to know the initiator’s target secret before a login to a target can occur. Follow the steps below to set up this form of security properly.

  1. Log in to your SAN through ManageTrends and click on the “Targets” section in the left panel. This will bring up a list of available targets for your LUNs. Choose the target you would like to implement security on. Once on the target’s page, click on “Security” to bring up the security options.

  1. Click on the radio button next to “Add Initiator manually” and enter the IQN of the initiator that you want to delegate access to. You can find the initiator’s IQN by opening the iSCSI Initiator and going to the Configuration tab. Make sure the checkbox for “CHAP Logon Information” is marked and set up a username and target secret (NOTE: target secret must be 12-16 characters long and not include any special characters). Once complete, click “Add”. This ensures that only the specified initiator (and any others that you choose to add to the list) will be able to discover the specific target.

  1. Go back to the iSCSI Initiator and make sure you are still under the Configuration tab. Click on “CHAP…”.

  1. Type in the Initiator CHAP secret and click OK. Be mindful that this secret should be different from the target secret, otherwise authentication errors will occur when trying to log in to the specific target (NOTE: the initiator secret must be at least 12 characters long and have no special characters).

  1. Go back to ManageTrends and click on the “Dashboard” (or “Control Panel” if on a release of iTX 2.7) and click on “Authentication” under the iSCSI section.

  1. Select the same target that you enabled security on from the dropdown menu and click on “Get Initiator List”. The list of allowed initiators should populate. Choose the initiator that you just set an initiator secret on and type it in under “Password”. Confirm the password and click on “Set Password”. Click on the “Advanced…” button.

  1. Go to your initiator and open up Microsoft iSCSI Initiator. Go to the Discovery tab and click on “Discover Portal…”.

  1. Type in the target’s IP and click on “Advanced…”.

  1. For “Local adapter:” be sure to choose “Microsoft iSCSI Initiator” from the dropdown list. Also, under “Initiator IP”, be sure to choose the IP on the initiator that is on the same subnet as the target’s IP. Click OK on this window and the one afterwards as well.

  1. Go to the Targets tab and you should see all your targets from your SAN. Choose the target that you just applied the initiator masking to and click “Connect”. Be sure that the checkbox is marked to add this connection to the list of Favorite Targets. This will ensure that the target is reconnected automatically in the case of a reboot on the initiator. Click on the “Advanced…” button.

  1. Similarly to Step 5, choose “Microsoft iSCSI Initiator” for “Local adapter:” and the initiator IP on the same subnet as the target’s IP for “Initiator IP”. Also, be sure to choose the target’s IP under “Target portal IP”. Finally, make sure the checkbox for “Enable CHAP log on” is marked and fill in the “Name” and “Target Secret” with the user name and target secret you set up in Step 2. Also, be sure that the checkbox for “Perform mutual authentication” is marked. Click OK until you are back at the Targets tab of the iSCSI Initiator.

  1. Repeat these steps for all the targets you would like to configure with bi-directional CHAP Authentication.
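
The initiator-side steps of the bi-directional procedure above can also be scripted with the Windows iSCSI cmdlets. This is an added example, not part of the StorTrends guide; the IP addresses and target IQN are constructed placeholders, and "no special characters" is assumed here to mean letters and digits only.

```powershell
# Added example: the values below are constructed placeholders, not from the guide.
$TargetPortal = '192.0.2.10'                       # target's IP (placeholder)
$InitiatorIP  = '192.0.2.20'                       # initiator IP on the same subnet (placeholder)
$TargetIqn    = 'iqn.2000-01.com.example:target0'  # target IQN (placeholder)

# IQN to enter under "Add Initiator manually" in ManageTrends.
Get-InitiatorPort | Select-Object NodeAddress, ConnectionType

# Prompt for the secrets instead of hard-coding them in the script.
$chap    = Get-Credential -Message 'CHAP user name and target secret set in ManageTrends'
$target  = $chap.GetNetworkCredential().Password
$initSec = Read-Host -AsSecureString 'Initiator CHAP secret'
$init    = [System.Net.NetworkCredential]::new('', $initSec).Password

# Constraints stated in the guide (assumption: "special" = anything but letters/digits).
if ($target -cnotmatch '^[A-Za-z0-9]{12,16}$') { throw 'Target secret must be 12-16 letters/digits.' }
if ($init   -cnotmatch '^[A-Za-z0-9]{12,}$')   { throw 'Initiator secret must be at least 12 letters/digits.' }
if ($init -ceq $target) { throw 'Initiator secret must differ from the target secret.' }

# Configuration tab > "CHAP...": set the initiator CHAP secret.
Set-IscsiChapSecret -ChapSecret $init

# Discovery tab > "Discover Portal..." with the initiator IP chosen explicitly.
New-IscsiTargetPortal -TargetPortalAddress $TargetPortal -InitiatorPortalAddress $InitiatorIP

# Targets tab > "Connect": CHAP log on, mutual authentication, Favorite Targets.
Connect-IscsiTarget -NodeAddress $TargetIqn `
    -TargetPortalAddress $TargetPortal -InitiatorPortalAddress $InitiatorIP `
    -AuthenticationType MUTUALCHAP `
    -ChapUsername $chap.UserName -ChapSecret $target `
    -IsPersistent $true

# Confirm that the session is connected, persistent and authenticated as expected.
Get-IscsiSession | Where-Object TargetNodeAddress -eq $TargetIqn |
    Select-Object TargetNodeAddress, IsConnected, IsPersistent, AuthenticationType
```

For single-direction CHAP, skip `Set-IscsiChapSecret` and the initiator-secret checks and pass `-AuthenticationType ONEWAYCHAP` instead.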