Dell PowerVault ME5 Series Administrator's Guide

CHAP

A storage system with iSCSI ports can be protected from unauthorized access via iSCSI by enabling Challenge Handshake Authentication Protocol (CHAP).

CHAP authentication occurs when a host attempts to log in to the system. It requires an identifier for the host and a secret shared between the host and the system. Optionally, the storage system can also be required to authenticate itself to the host. This is called mutual CHAP.

You are prompted to optionally configure CHAP settings during the onboarding process. Once onboarding is complete, you can enable or disable CHAP and create new CHAP records from the Settings > iSCSI panel. Enabling CHAP involves the following steps:

  • Decide on host node names (identifiers) and secrets. The host node name is its IQN. A secret must have 12-16 characters, and can include spaces and printable UTF-8 characters except: " or <

    The CHAP secret is a text string that is known to both the initiator and the storage array before they negotiate a communication link. Mutual CHAP authenticates the target to the initiator. Without mutual CHAP, only the initiator is authenticated to the target.

  • Define CHAP records in the storage system.
  • Enable CHAP on the storage system (during onboarding or from the Settings > iSCSI > Configuration panel). Note that this applies to all iSCSI hosts, in order to avoid security exposures. Any current host connections will be terminated when CHAP is enabled and will need to be re-established using a CHAP login.
  • Define a CHAP record for the host iSCSI initiator on the host.
  • Establish a new connection to the storage system using CHAP. The storage system should now be able to display the host, as well as the ports through which connections were made.

CAUTION: Changing iSCSI configuration settings after onboarding can invalidate CHAP settings. This could disrupt connectivity between the host and the storage system.

If it becomes necessary to add more hosts after CHAP is enabled, additional CHAP node names and secrets can be added. If a host attempts to log in to the storage system, it becomes visible to the system even if the full login fails because of incompatible CHAP definitions. The host becomes visible when an iSCSI discovery session is established, because the storage system does not require discovery sessions to be authenticated. This information may be useful in configuring CHAP entries for new hosts. CHAP authentication must succeed for normal sessions to access LUNs from the storage array. To use CHAP between peers in a replication set, see CHAP and replication.
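
The following is an added example, not part of the Dell guide or the ME5 firmware. It checks candidate secrets against the rules stated above and simulates one-way and mutual CHAP to show why both sides must hold matching records. It assumes the standard CHAP MD5 response from RFC 1994, which this guide does not itself specify, and that secret length is counted in characters; all function names and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def secret_problems(secret: str) -> list:
    """Check a candidate secret against the rules stated in this guide."""
    problems = []
    if not 12 <= len(secret) <= 16:        # assumption: length counted in characters
        problems.append("length must be 12-16 characters")
    if '"' in secret or "<" in secret:
        problems.append('must not contain " or <')
    if not secret.isprintable():           # spaces count as printable
        problems.append("must be printable")
    return problems

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()

def verify(ident: int, secret: str, challenge: bytes, response: bytes) -> bool:
    """Recompute the response from the local record and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def login(host_cfg: dict, array_cfg: dict, mutual: bool = False) -> dict:
    """Simulate the CHAP step of a normal session login (simplified message order)."""
    result = {"host_authenticated": False, "array_authenticated": None}
    # The array challenges the host; the secret itself never crosses the wire.
    ident, challenge = 1, os.urandom(16)
    resp = chap_response(ident, host_cfg["host_secret"], challenge)
    result["host_authenticated"] = verify(ident, array_cfg["host_secret"], challenge, resp)
    if mutual and result["host_authenticated"]:
        # Mutual CHAP: the host issues its own fresh challenge to the array.
        ident, challenge = 2, os.urandom(16)
        resp = chap_response(ident, array_cfg["array_secret"], challenge)
        result["array_authenticated"] = verify(ident, host_cfg["array_secret"], challenge, resp)
    return result

# Constructed sample CHAP records (not real credentials).
HOST = {"host_secret": "Init-Secret 0001", "array_secret": "Array-Secret-02"}
ARRAY = {"host_secret": "Init-Secret 0001", "array_secret": "Array-Secret-02"}
STALE_ARRAY = {"host_secret": "Old-Secret 9999!", "array_secret": "Array-Secret-02"}

if __name__ == "__main__":
    print(login(HOST, ARRAY, mutual=True))        # both directions succeed
    print(login(HOST, STALE_ARRAY, mutual=True))  # mismatched record: login fails
    print(secret_problems('short"<'))             # rejected before it is ever configured
```

The STALE_ARRAY case corresponds to the "incompatible CHAP definitions" situation described above: the login fails because the host's secret and the array's record for that host differ.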