IBM System Storage DS3500 Introduction And Implementation Manual page 345

Draft Document for Review March 28, 2011 12:24 pm
Another type of authentication - the Mutual Authentication (also called
authentication
authenticates against the storage subsystem. If this is required, you have to also configure an
Initiator CHAP secret on the DS3500 by following the steps in next section 13.3.2, "Mutual
Authentication" on page 322.
To configure target authentication, follow these steps:
1. Select Storage Subsystem  iSCSI  Manage Settings, and the Target Authentication
tab (Figure 13-2) appears in a new window.
Figure 13-2 Manage iSCSI Settings - Target Authentication
2. This window with the Target Authentication tab selected, offers two options:
– None
– CHAP
This setting affects the connection between an iSCSI Initiator and a DS3500 iSCSI ports.
Option None allows any iSCSI Initiator to establish an iSCSI connection to this target.
When option CHAP is selected, an initiator is required to provide a CHAP password to get
a session established. CHAP needs to be enabled if mutual authentication is required by
an iSCSI Initiator. Both options (None and CHAP) can be enabled together, in this case,
initiators with and without a target secret can access the storage subsystem.
Note: Only one CHAP target secret can be defined. All initiators using Target
Authentication must use the same secret.
From a security perspective, we recommend that you enable CHAP. However, since the
configuration of CHAP adds some complexity, we suggest that you set up and test all
connections with no CHAP, and later implement the security.
3. If CHAP is enabled, you have to define the CHAP target secret. Click CHAP Secret.
) can only be configured on the iSCSI Initiator, when the initiator itself
7914Admin_iSCSI.fm
bi-directional
Chapter 13. Administration - iSCSI
321