Setting up authentication in AIX hosts

This section describes how to set up authentication in AIX® hosts.

CHAP settings are defined in the /etc/iscsi/targets file on the host. This file is specified in the Discovery Filename parameter.
  • The inbound password of the storage system must match the CHAPSecret of the initiator in the /etc/iscsi/targets file on the host.
  • The inbound user name of the storage system must match the initiator node name of the host.
  • The AIX initiator or HBA always uses its iSCSI node name as its CHAP user name.
The storage system recognizes two types of Challenge Handshake Authentication Protocol (CHAP) user names and passwords. These types of authentication indicate the direction of authentication relative to the storage system:
Inbound
The storage system authenticates the initiator or host bus adapter (HBA). Inbound settings are required if you are using CHAP authentication.
Outbound
Outbound settings let the initiator authenticate the storage system, but the AIX software initiator or HBA does not support authentication of the storage system using CHAP. Do not specify outbound settings for AIX hosts.

To set up authentication on an AIX host, perform the following steps:

  1. Open the /etc/iscsi/targets file with any editor.
  2. Add one line for one interface on each storage system. Be sure to use an interface that is enabled for iSCSI traffic. Each entry for a target is like the following entry:
    HostNameOrAddress PortNumber iSCSIName [CHAPSecret]
    1. HostNameOrAddress is the host name or IP address of a gigabit Ethernet interface on the storage system. Specify an interface that is enabled for iSCSI communication.
    2. PortNumber is always 3260.
    3. iSCSIName is the iSCSI target node name of the storage system.
    4. CHAPSecret is the optional CHAP password for the host. Enclose the text string in quotation marks. This value must match the value configured on the storage system for this initiator. For example, add the following line to the end of the file:
      192.168.2.175 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 "svcchapsecret"

      CHAPSecret is the string enclosed in quotation marks. The quotation marks are required, but they are not part of the secret.

      You can also use a continuation of the line as shown in the following example:
      192.168.2.175 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 \
                 "svcchapsecret"

      The backslash (\) indicates that the line is continued.

      An example of the file entries is shown in Figure 1.
      Figure 1. CHAP settings for an AIX host
      # iscsiNameChars = 1*alphanum *{allowedPunc alphanum }
      #                       ; includes alphanumeric. dot. dash. underbar. colon.
      #
      #alphanum               = %x30-39 / %x41-5a / %x61-7a
      #
      #allowedPunc            = %x2d / %x2e / %x5f / %x3a
      #                       ; dash, dot, underbar, colon
      #
      #dot                    = %x2e
      #                       ; "."
      #
      #ChapSecret             = %x22 *( any character ) %x22
      #                       ;   "                      "
      #                       ; ChapSecret is a string enclosed in double quotes. The
      #                       ; quotes are required, but are not part of the secret.
      #
      #EXAMPLE 1: iSCSI Target without CHAP(MD5) authentication
      #      Assume the target is at address 192.168.3.2,
      #      the valid port is 5003
      #      the name of the target is iqn.com.ibm-4125-23WTT26
      #The target line would look like:
      #192.168.3.2 5003 iqn.com.ibm-4125-23WTT26
      #
      #EXAMPLE 2: iSCSI Target with CHAP(MD5) authentication
      #      Assume the target is at address 10.2.1.105,
      #      the valid port is 3260
      #      the name of the target is iqn.com.ibm-x167-42.fc1a
      #      the CHAP secret is "This is my password."
      #The target line would look like:
      #10.2.1.105 3260 iqn.com.ibm-x167-42.fc1a "This is my password."
      #
      #EXAMPLE 3: iSCSI Target with CHAP(MD5) authentication and line continuation
      #      Assume the target is at address 10.2.1.106,
      #      the valid port is 3260
      #      the name of the target is iqn.com.ibm:00.fcd0ab21.shark128
      #      the CHAP secret is "123isaysecretpassword.fc1b"
      #The target line would look like:
      #10.2.1.106 3260 iqn.com.ibm:00.fcd0ab21.shark128 \
      #              "123isaysecretpassword.fc1b"
      
      
      192.168.1.10 3260 iqn.1986-03.com.ibm:2145.pahar.dvt110702
      192.168.2.175 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 "svcchapsecret"
      At the end of the example, you see that the two targets are listed.
      • Target iqn.1986-03.com.ibm:2145.pahar.dvt110702 is not configured to have authentication; therefore, the CHAPSecret field is blank.
      • Target iqn.1986-03.com.ibm:2145.moscow.dvt110706 is configured for authentication; therefore, the CHAPSecret field contains a value.
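
The following checker is an added example, not part of the original IBM documentation or the AIX software. It parses text in the /etc/iscsi/targets format described above (comments, backslash continuation, quoted CHAPSecret) and reports which targets have no CHAP secret, an unquoted secret, or a port other than 3260. The function names and the last two sample entries are constructed for illustration.

```python
import re

# Constructed sample: the two entries from Figure 1 (one using a line
# continuation) plus two deliberately faulty entries with made-up names.
SAMPLE = r'''# comment lines start with '#'
192.168.1.10 3260 iqn.1986-03.com.ibm:2145.pahar.dvt110702
192.168.2.175 3260 iqn.1986-03.com.ibm:2145.moscow.dvt110706 \
           "svcchapsecret"
10.0.0.5 3261 iqn.2000-01.example:wrong.port "secret with spaces"
10.0.0.6 3260 iqn.2000-01.example:no.quotes secret
'''

# HostNameOrAddress PortNumber iSCSIName [CHAPSecret]
ENTRY = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$')

def logical_lines(text):
    """Yield entries with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit_targets(text):
    """Return one finding dict per entry; the secret itself is never returned."""
    findings = []
    for line in logical_lines(text):
        m = ENTRY.match(line)
        if not m:
            findings.append({"name": None, "chap": False, "issues": ["malformed entry"]})
            continue
        host, port, name, rest = m.groups()
        issues, chap = [], False
        if port != "3260":
            issues.append("port is not 3260")
        if rest is None:
            issues.append("no CHAPSecret: CHAP is not configured for this target")
        elif len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
            chap = True
        else:
            issues.append("CHAPSecret is not enclosed in quotation marks")
        findings.append({"host": host, "name": name, "chap": chap, "issues": issues})
    return findings
```

Call audit_targets() on the contents of the host's targets file to list the entries that still need a CHAPSecret before inbound CHAP is enforced on the storage system.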
© Copyright IBM Corporation 2003, 2009. All Rights Reserved.