User authentication (iscsi environments) – HP StorageWorks XP10000 Disk Array User Manual
Page 50
• When the Fibre Channel switch is not configured for mutual authentication, the Fibre
Channel switch connects to the array.
If the port's Fibre Channel switch is not configured for authentication with CHAP, the authentication
fails and the Fibre Channel switch cannot connect to the array.
• Case B: If the Fibre Channel switch's user information is registered on the port, but
authentication of the Fibre Channel switch is disabled
Each port does not perform authentication of the Fibre Channel switch. The Fibre Channel switch
connects to the array without authentication regardless of whether or not the Fibre Channel switch
is configured for authentication with CHAP.
• Case C: If the Fibre Channel switch's user information is not registered on the port
Regardless of the Fibre Channel switch's setting, the port performs authentication of the Fibre
Channel switch, but results in failure. The Fibre Channel switch cannot connect to the array.
•
Case D: When not performing authentication of Fibre Channel switches by ports
The Fibre Channel switch connects to the array without authentication of the host regardless of whether
or not the Fibre Channel switch is configured for authentication with CHAP.
In this case, although you do not need to register the Fibre Channel switch's user information on
the port, you can register the user information.
Authentication of ports (performing mutual authentication)
When authentication of a host succeeds, the host performs authentication of the port in reverse if the
host requires (mutual authentication). In authentication of ports, when the user information (user name
and secret) of the port specified on the port side matches the user information stored on the host, the
host allows the host group to connect.
User authentication (iSCSI environments)
When configuring iSCSI environments, use LUN Manager to set user authentication between ports on
the array and hosts. In iSCSI environments, ports and hosts use Challenge Handshake Authentication
Protocol (CHAP) as the authentication method. This section provides an overview of user authentication.
User authentication operations and settings (iSCSI environments)
User authentication operations in iSCSI environments consist of the following phases:
1.
An iSCSI target of the array authenticates a host attempting to connect (authentication of hosts).
2.
The host authenticates the connection-target iSCSI target of the array (authentication of iSCSI targets).
The array performs user authentication by iSCSI targets. Therefore, iSCSI targets and hosts must have their
own user information for performing user authentication.
When a host attempts to connect to the array, the authentication of hosts phase starts. In this phase, it is
first determined whether or not the iSCSI target requires authentication of the host. If the iSCSI target
does not require authentication of the host, the host connects to the array without authentication. If the
iSCSI target requires authentication of the host, authentication is performed for the host. When the host is
successfully authenticated, processing goes to the next phase.
After authentication of the host succeeds, if the host requires user authentication for the iSCSI target that
is the connection target, the authentication of iSCSI targets phase starts. In this way, iSCSI targets and
hosts authenticate with each other, that is, mutual authentication. In the authentication of iSCSI targets
phase, if the host does not require user authentication for the iSCSI target, the host connects to the
array without authentication of the iSCSI target.
The following explains the settings required for user authentication. The settings for authentication of
iSCSI targets are needed only when performing mutual authentication.
50
Overview of LUN Manager