Using CHAP to secure iSCSI connectivity
Challenge-Handshake Authentication Protocol (CHAP) is a convenient and well-known security mechanism that can be used with iSCSI configurations. This section provides an overview with an example configuration. Both types of CHAP are supported on Core and Edge.
For more details about configuring CHAP on either Core or Edge, see the corresponding Management Console user guide.
Within an iSCSI deployment both initiator and target have their own passwords, which CHAP terminology calls secrets. A secret is configured on both peers, but it is never sent across the wire: the challenged side proves that it knows the secret by returning an MD5 hash of the secret combined with a random challenge from the other side. Two caveats follow from this. CHAP authenticates the login only and does not encrypt or integrity-protect the iSCSI traffic that follows, and because a captured exchange can be attacked offline with a dictionary, secrets should be long random values rather than words (the iSCSI standard requires implementations to support random secrets of up to 128 bits).
Configuring one-way CHAP in a Core deployment
With one-way CHAP, the iSCSI target (server) authenticates the iSCSI initiator (client).
This process is analogous to logging in to a website. The initiator presents a username and secret when it logs in to the target. The username is usually the initiator's IQN (but can be any free-form string), and the secret is what this guide calls the target secret: the secret configured on the target, which the target checks against the initiator's response.
1. Configure a target secret on the backend storage array portal.
2. Log in to the Core Management Console.
3. Add a CHAP User on the Core. The username is something descriptive or even the IQN of the Core. For example, username=cuser2. The password is the target secret configured on the backend array.
4. Select the CHAP User. When the iSCSI initiator on the Core connects to the backend storage array, it uses the credentials from the CHAP user that was created.
CHAP credentials are created and stored separately. They are then used when the Core initiates an iSCSI session and logs in to the storage array portal.
Configuring mutual CHAP in a Core deployment
The difference between one-way CHAP and mutual CHAP is that the iSCSI target authenticates the iSCSI initiator and additionally the iSCSI initiator also authenticates the iSCSI target.
Mutual CHAP incorporates two separate sequences. The first sequence is the iSCSI target authenticating the iSCSI initiator and is the exact same procedure as for one-way CHAP. The second sequence is the initiator authenticating the target, which is the reverse of the previous authentication procedure.
1. Configure an initiator CHAP User on the Core Management Console. For example: username = cuser1 and password = abcd1234.
2. Select the Enable Mutual CHAP Authentication setting on the Core and choose cuser1 from the drop-down menu.
The Core now requires every iSCSI target to prove that it knows the secret abcd1234 before the Core trusts that target.
3. On the backend storage array, add the CHAP user details from the Core. For example, the storage array CHAP user has username=cuser1 and password=abcd1234. The target now holds the initiator CHAP user's credentials (username and secret), which it presents to the Core when the Core challenges it.
4. On the backend storage array, configure a target CHAP user. For example: username = cuser2 and password = wxyz5678. Use a secret different from the initiator CHAP user's secret, as this example does; if both directions shared one secret, a peer could hand back the other side's answer as its own.
5. Log in to the Core Management Console and add the target CHAP User on the Core. For example: username = cuser2 and password = wxyz5678.
When adding the portal of the backend storage array to the Core configuration, select the target CHAP user (cuser2).
When the iSCSI initiator of the Core connects to the iSCSI target of the backend storage array, it uses the credentials from the CHAP user (cuser2) that you created.
Because mutual CHAP is enabled, the iSCSI target in turn authenticates itself to the iSCSI initiator of the Core with the credentials cuser1/abcd1234.
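The one-way and mutual procedures above, shown as the protocol exchange they produce. This is an added example, not code from this guide, the Core, or the storage array: a Python model of CHAP with MD5 as iSCSI uses it, run first one-way and then mutually between a Core-like initiator and an array-like target. The peer names core, array and rogue and the ChapPeer class are constructed for the example; the usernames and secrets are the placeholders from the steps above, not values to deploy. It also shows what one-way CHAP cannot catch: a target that has learned the Core's login secret but not the array's own secret is accepted by one-way CHAP and rejected by mutual CHAP, and neither secret appears in the recorded wire traffic.

```python
"""Model of iSCSI CHAP (CHAP_A=5, MD5) in one-way and mutual form.

Added example: it reproduces the exchange described in this section, not the
Core's or the array's implementation. Peer names and the ChapPeer class are
constructed for illustration; the usernames/secrets are the guide's placeholders.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5 (iSCSI CHAP_A=5): MD5(Identifier || Secret || Challenge).
    This digest is the only thing derived from the secret that crosses the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One iSCSI endpoint (initiator or target) in a CHAP exchange.

    presents: (username, secret) this peer sends when it is challenged.
    verifies: {username: secret} this peer uses to check the other side's response.
    In this guide's terms the Core presents its 'target CHAP user' (cuser2) to the
    array and verifies the array's 'initiator CHAP user' (cuser1).
    """

    def __init__(self, name, presents, verifies, wire):
        self.name = name
        self.presents = presents
        self.verifies = dict(verifies)
        self.wire = wire                 # shared transcript of what actually goes on the wire
        self._pending = None             # (identifier, challenge) awaiting a response
        self._last_challenge = None      # remembered to detect a reflected challenge

    def challenge(self):
        ident = os.urandom(1)[0]
        chal = os.urandom(16)            # fresh random challenge for every login
        self._pending = (ident, chal)
        self._last_challenge = chal
        self.wire.append((self.name, "CHAP_I/CHAP_C", ident, chal))
        return ident, chal

    def respond(self, ident, chal):
        # RFC 7143 9.2.1: a peer must not be handed back the challenge it just sent
        # (otherwise a secret shared by both directions could be reflected).
        if chal == self._last_challenge:
            raise ValueError("reflected CHAP challenge rejected")
        user, secret = self.presents
        resp = chap_response(ident, secret, chal)
        self.wire.append((self.name, "CHAP_N/CHAP_R", user, resp))
        return user, resp

    def verify(self, user, resp):
        if self._pending is None:
            return False
        ident, chal = self._pending
        self._pending = None             # one challenge, one answer
        secret = self.verifies.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), resp)


def one_way_login(initiator, target):
    """Target authenticates initiator: the one-way CHAP procedure."""
    ident, chal = target.challenge()
    user, resp = initiator.respond(ident, chal)
    return target.verify(user, resp)


def mutual_login(initiator, target):
    """Mutual CHAP: the one-way sequence, then the same exchange in reverse."""
    if not one_way_login(initiator, target):
        return False
    ident, chal = initiator.challenge()
    user, resp = target.respond(ident, chal)
    return initiator.verify(user, resp)


def demo():
    wire = []
    # Constructed peers using this section's placeholder credentials. Real secrets
    # should be long random values, different for each direction.
    core = ChapPeer("core", ("cuser2", b"wxyz5678"), {"cuser1": b"abcd1234"}, wire)
    array = ChapPeer("array", ("cuser1", b"abcd1234"), {"cuser2": b"wxyz5678"}, wire)
    # A rogue target that has obtained the Core's login secret but not the array's own.
    rogue = ChapPeer("rogue", ("cuser1", b"not-the-array"), {"cuser2": b"wxyz5678"}, wire)

    results = {
        "one_way_ok": one_way_login(core, array),
        "mutual_ok": mutual_login(core, array),
        "rogue_passes_one_way": one_way_login(core, rogue),  # one-way never checks the target
        "rogue_passes_mutual": mutual_login(core, rogue),    # the reverse sequence catches it
    }
    ident, chal = array.challenge()      # hand the array its own challenge straight back
    try:
        array.respond(ident, chal)
        results["reflection_rejected"] = False
    except ValueError:
        results["reflection_rejected"] = True
    # Neither secret ever appears in the transcript: only challenges and MD5 digests do.
    results["secret_on_wire"] = any(
        b"wxyz5678" in item[3] or b"abcd1234" in item[3] for item in wire)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rogue case is the reason mutual CHAP exists: one-way CHAP only ever asks the Core to prove itself, so anything that answers on the portal's address and holds the Core's login secret is accepted as the array. The reverse sequence forces the target to prove it holds abcd1234, which the rogue cannot do.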