Freedom Space: Managing iSCSI storage with vicfg-iscsi

Refer: http://www.vmware.com/pdf/vsphere4/r41/vsp4_41_vcli_inst_script.pdf 65 page.

iSCSI Storage Overview

With iSCSI, SCSI storage commands that your virtual machine issues to its virtual disk are converted into TCP/IP protocol packets and transmitted to a remote device, or target, on which the virtual disk is located. From the point of view of the virtual machine, the device appears as a locally attached SCSI drive. To access remote targets, the host uses iSCSI initiators. Initiators transport SCSI requests and responses between the host and the target storage device on the IP network. ESX/ESXi supports these types of initiators:

n Software iSCSI adapter. VMware code built into the VMkernel. Allows an ESX/ESXi host to connect to the iSCSI storage device through standard network adapters. The software initiator handles iSCSI processing while communicating with the network adapter.

n Hardware iSCSI adapter. Offloads all iSCSI and network processing from your host. Hardware iSCSI adapter are broken into two types.

Dependent hardware iSCSI adapter. Leverages the VMware iSCSI management and configuration interfaces.
Independent hardware iSCSI adapter. Leverages its own iSCSI management and configuration interfaces.

n The host on the left uses an independent hardware iSCSI adapter to connect to the iSCSI storage system.

n The host on the right uses a third‐party Ethernet NIC with iSCSI offload capabilities.

iSCSI storage devices from the storage system become available to the host. You can access the storage devices and create VMFS datastores for your storage needs.

Discovery Sessions

A discovery session is part of the iSCSI protocol. The discovery session returns the set of targets that you can access on an iSCSI storage system. ESX/ESXi systems support dynamic and static discovery.

n Dynamic discovery. Also known as Send Targets discovery. Each time the ESX/ESXi host contacts a specified iSCSI server, it sends a Send Targets request to the server. In response, the iSCSI server supplies a list of available targets to the ESX/ESXi host.

C:\>vicfg-iscsi.pl --server esx1 --username root --discovery --add --ip 172.16.140.155 vmhba33

Enter password:

Adding discovery address 172.16.140.155:3260 ...

A rescan of the host is recommended for this configuration change.

Check targets after discovering using ‘vicfg-iscsi –T’ command.

C:\>vicfg-iscsi.pl --server esx1 --username root -T --list vmhba33

Enter password:

-----------------------------------------

NAME : iqn.2006-01.com.openfiler:tsn.b6998f7991b4

ALIAS :

DISCOVERY METHOD FLAGS : 0

SEND TARGETS DISCOVERY SETTABLE : 0

Portal 0 : 172.16.140.155:3260

-----------------------------------------

C:\>vicfg-iscsi.pl --server esx2 --username root -T --list vmhba33

Enter password:

-----------------------------------------

NAME : iqn.2006-01.com.openfiler:tsn.b6998f7991b4

ALIAS :

DISCOVERY METHOD FLAGS : 0

SEND TARGETS DISCOVERY SETTABLE : 0

Portal 0 : 172.16.140.155:3260

-----------------------------------------

n Static discovery. The ESX/ESXi host does not have to perform discovery. Instead, the ESX/ESXi host uses the IP addresses or domain names and iSCSI target names (IQN or EUI format names) to communicate with the iSCSI target.

The vicfg-iscsi -D and -S options monitor and manage target discovery addresses. You can also use the vSphere Client to perform the same task.

For either case, you set up target discovery addresses so that the initiator can determine which storage resource on the network is available for access. You can do this setup with dynamic discovery or static discovery. With dynamic discovery, all targets associated with an IP address or host name and the iSCSI name are discovered. With static discovery, you must specify the IP address or host name and the iSCSI name of the target you want to access. The iSCSI HBA must be in the same VLAN as both ports of the iSCSI array.

Without providing name parameter, static discovery fails and display following error message.

C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155 vmhba33

Enter password:

Discovery target iscsi name is required.

For a summary of command usage, type 'C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl --help'.

For documentation, type 'perldoc C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl'.

Let’s try again with name parameter.

C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155 --name iqn.2006-01.com.openfiler:tsn.b6998f7991b4 vmhba33

Enter password:

Adding static discovery target 172.16.140.155:3260, iqn = iqn.2006-01.com.openfiler:tsn.b6998f7991b4,

You can list up LUNs discovered by using ‘vicfg-iscsi –L –list <vmhba>’ command.

C:\>vicfg-iscsi.pl --server esx1 --username root -L --list vmhba33

Enter password:

Target: iqn.2006-01.com.openfiler:tsn.b6998f7991b4:

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400259395867725D24567F444D253651786

BUS NUMBER : 1

TARGET ID : 0

LUN ID : 0

LUN SIZE : 40928 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400A645A56644F6D23626A435D207248425

BUS NUMBER : 1

TARGET ID : 0

LUN ID : 1

LUN SIZE : 4096 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400946563B6C664D284231674D233F485D6

BUS NUMBER : 1

TARGET ID : 0

LUN ID : 2

LUN SIZE : 4064 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400C4C624C434A6D23376C647D215E4C403

BUS NUMBER : 1

TARGET ID : 0

LUN ID : 3

LUN SIZE : 4064 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400259395867725D24567F444D253651786

BUS NUMBER : 0

TARGET ID : 0

LUN ID : 0

LUN SIZE : 40928 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400A645A56644F6D23626A435D207248425

BUS NUMBER : 0

TARGET ID : 0

LUN ID : 1

LUN SIZE : 4096 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400946563B6C664D284231674D233F485D6

BUS NUMBER : 0

TARGET ID : 0

LUN ID : 2

LUN SIZE : 4064 MB

-------------------------------------------

OS DEVICE NAME : t10.F405E46494C45400C4C624C434A6D23376C647D215E4C403

BUS NUMBER : 0

TARGET ID : 0

LUN ID : 3

LUN SIZE : 4064 MB

-------------------------------------------

Discovery Target Names

The target name is either an IQN name or an EUI name.

n The IQN name uses the following format:

iqn.yyyy-mm.{reversed domain name}:id_string

For example: iqn.2007-05.com.mydomain:storage.tape.sys3.abc

The ESX/ESXi host generates an IQN name for software iSCSI and dependent hardware iSCSI adapters. You can change that default IQN name.

n The EUI name is described in IETF rfc3720 as follows:

The IEEE Registration Authority provides a service for assigning globally unique identifiers [EUI]. The EUI-64 format is used to build a global identifier in other network protocols. For example, Fibre Channel defines a method of encoding it into a WorldWideName.

The format is eui. followed by an EUI-64 identifier (16 ASCII-encoded hexadecimal digits). For example:

Type EUI-64 identifier (ASCII-encoded hexadecimal)

+--++--------------+

| || |

eui.02004567A425678D

The IEEE EUI-64 iSCSI name format can be used when a manufacturer is registered with the IEEE Registration Authority and uses EUI-64 formatted worldwide unique names for its products. Check in the UI of the storage array whether an array uses an IQN name or an EUI name.

Protecting an iSCSI SAN

When you plan your iSCSI configuration, take measures to improve the overall security of the iSCSI SAN. Your iSCSI configuration is only as secure as your IP network. By enforcing good security standards when you set up your network, you help safeguard your iSCSI storage.

Protecting Transmitted Data

A primary security risk in iSCSI SANs is that an attacker might sniff transmitted storage data. Neither the iSCSI adapter nor the ESX/ESXi host iSCSI initiator encrypts the data that it transmits to and from the targets, making the data vulnerable to sniffing attacks. You must therefore take additional measures to prevent attackers from easily seeing iSCSI data. Allowing your virtual machines to share virtual switches and VLANs with your iSCSI configuration potentially exposes iSCSI traffic to misuse by a virtual machine attacker. To help ensure that intruders cannot listen to iSCSI transmissions, make sure that none of your virtual machines can see the iSCSI storage network.

Protect your system by giving the iSCSI SAN a dedicated virtual switch.

n If you use an independent hardware iSCSI adapter, make sure that the iSCSI adapter and ESX/ESXi physical network adapter are not inadvertently connected outside the host. Such a connection might result from sharing a switch.

n If you configure iSCSI directly through the ESX/ESXi host, configure iSCSI storage through a different virtual switch than the one used by your virtual machines.

You can also configure your iSCSI SAN on its own VLAN to improve performance and security. Placing your iSCSI configuration on a separate VLAN ensures that no devices other than the iSCSI adapter can see transmissions within the iSCSI SAN. With a dedicated VLAN, network congestion from other sources cannot interfere with iSCSI traffic.

Securing iSCSI Ports

When you run iSCSI devices, the ESX/ESXi host does not open ports that listen for network connections. This measure reduces the chances that an intruder can break into the ESX/ESXi host through spare ports and gain control over the host. Therefore, running iSCSI does not present an additional security risks at the ESX/ESXi host end of the connection.

An iSCSI target device must have one or more open TCP ports to listen for iSCSI connections. If security vulnerabilities exist in the iSCSI device software, your data can be at risk through no fault of the ESX/ESXi system. To lower this risk, install all security patches that your storage equipment manufacturer provides and limit the devices connected to the iSCSI network.

Setting Up Software iSCSI

Software iSCSI setup requires a number of high-level tasks. For each task, see the discussion of the corresponding command-line option in this chapter, the manpage (Linux), or the reference information.

1 Determine the HBA type and retrieve the HBA ID.

vicfg-iscsi --adapter –list

C:\>vicfg-iscsi.pl --server esx1 --username root --adapter --list

Enter password:

C:\>vicfg-iscsi.pl --server esx2 --username root --adapter --list

Enter password:

vSphere Client shows no WWN with iSCSI software adapter as it is not yet enabled.

2 Enable software iSCSI for the HBA.

vicfg-iscsi --swiscsi --enable

C:\>vicfg-iscsi.pl --server esx1 --username root --swiscsi --enable

Enter password:

Enabling software iSCSI...

C:\>vicfg-iscsi.pl --server esx2 --username root --swiscsi --enable

Enter password:

Enabling software iSCSI...

Now iSCSI software adapter is listed

C:\>vicfg-iscsi.pl --server esx1 --username root --adapter --list

Enter password:

vmhba33 iSCSI Software Adapter

C:\>vicfg-iscsi.pl --server esx2 --username root --adapter --list

Enter password:

vmhba33 iSCSI Software Adapter

vSphere Client now shows IQN name as WWN for iSCSI software adapter.

3 (Optional) Check the status.

vicfg-iscsi --swiscsi --list

The system prints Software iSCSI is enabled or Software iSCSI is not enabled.

C:\>vicfg-iscsi.pl --server esx2 --username root --swiscsi --list

Enter password:

Software iSCSI is enabled.

C:\>vicfg-iscsi.pl --server esx1 --username root --swiscsi --list

Enter password:

Software iSCSI is enabled.

4 (Optional) Set the iSCSI name and alias.

vicfg-iscsi -I -n <iscsi_name> <adapter_name>

vicfg-iscsi --iscsiname --name <iscsi_name> <adapter_name>

vicfg-iscsi -I -a <alias_name> <adapter_name>

vicfg-iscsi --iscsiname --alias <alias_name> <adapter_name>

C:\>vicfg-iscsi.pl --server esx1 --username root --iscsiname --list vmhba33

Enter password:

iSCSI Node Name : iqn.1998-01.com.vmware:esx1-0f770b14

iSCSI Node Alias :

C:\>vicfg-iscsi.pl --server esx1 --username root --iscsiname --alias swiscsi1 vmhba33

Enter password:

C:\>vicfg-iscsi.pl --server esx1 --username root --iscsiname --list vmhba33

Enter password:

iSCSI Node Name : iqn.1998-01.com.vmware:esx1-0f770b14

iSCSI Node Alias : swiscsi1

C:\>vicfg-iscsi.pl --server esx2 --username root --iscsiname --list vmhba33

Enter password:

iSCSI Node Name : iqn.1998-01.com.vmware:esx2-2e7127ab

iSCSI Node Alias :

C:\>vicfg-iscsi.pl --server esx2 --username root --iscsiname --alias swiscsi1 vmhba33

Enter password:

C:\>vicfg-iscsi.pl --server esx2 --username root --iscsiname --list vmhba33

Enter password:

iSCSI Node Name : iqn.1998-01.com.vmware:esx2-2e7127ab

iSCSI Node Alias : swiscsi1

5 Add a dynamic discovery address or a static discovery address.

The two types of target differ as follows:

n With dynamic discovery, all storage targets associated with a host name or IP address are discovered.

You run the following command:

vicfg-iscsi <conn_options> --discovery --add --ip <ip_addr | domain_name> <adapter_name>

C:\>vicfg-iscsi.pl --server esx1 --username root --discovery --add --ip 172.16.140.155 vmhba33

Enter password:

Adding discovery address 172.16.140.155:3260 ...

A rescan of the host is recommended for this configuration change.

n With static discovery, you must specify the host name or IP address and the iSCSI name of the storage target. You run the following command:

vicfg-iscsi <conn_options> --static --add --ip <ip_addr | domain_name> --name <iscsi_name> <adapter_name>

When you later remove a discovery address, it might still be displayed as the parent of a static target. You can add the discovery address and rescan to display the correct parent for the static targets.

C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155 vmhba33

Enter password:

Discovery target iscsi name is required.

For a summary of command usage, type 'C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl --help'.

For documentation, type 'perldoc C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl'.

C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155 --name iqn.2006-01.com.openfiler:tsn.b6998f7991b4 vmhba33

Enter password:

Adding static discovery target 172.16.140.155:3260, iqn = iqn.2006-01.com.openfiler:tsn.b6998f7991b4,

6 (Optional) Set the authentication information for CHAP

vicfg-iscsi -A -c <level> -m <auth_method> -u <auth_u_name> -w <auth_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name]] <adapter_name> vicfg-iscsi --authentication --level <level> --method <auth_method> --auth_username <auth_u_name> --auth_password <auth_password> [--ip <stor_ip_addr|stor_hostname> [:<portnum>] [-name <iscsi_name]] <adapter_name>

The target (-i) and name (-n) option determine what the command applies to.

7 (Optional) Set the authentication information for mutual CHAP by running vicfg-iscsi -A again with the -b option and a different authentication user name and password.

For <level>, specify chapProhibited or chapRequired.

n chapProhibited – The host does not use CHAP authentication. If authentication is enabled, specify chapProhibited to disable it.

n chapRequired – The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails. You can set this value for mutual CHAP only if CHAP is set to chapRequired.

For <auth_method>, CHAP is the only valid value.

8 (Optional) Set iSCSI parameters by running vicfg-iscsi -W.

C:\>vicfg-iscsi.pl --server esx1 --username root -W --list vmhba33

Enter password:

iSCSI Parameters Setting:

- ErrorRecoveryLevel : 0

- LoginRetryMax : 4

- MaxOutstandingR2T : 1

- FirstBurstLength : 262144

- MaxBurstLength : 262144

- MaxRecvDataSegLen : 131072

- MaxCommands : 128

- DefaultTimeToWait : 2

- DefaultTimeToRetain : 0

- LoginTimeout : 15

- LogoutTimeout : 15

- RecoveryTimeout : 10

- NoopTimeout : 10

- NoopInterval : 15

- InitR2T : OFF

- ImmediateData : ON

- DelayedAck : 1

- dataDigestType : digestProhibited

- headerDigestType : digestProhibited

C:\>vicfg-iscsi.pl --server esx2 --username root -W --list vmhba33

Enter password:

iSCSI Parameters Setting:

- ErrorRecoveryLevel : 0

- LoginRetryMax : 4

- MaxOutstandingR2T : 1

- FirstBurstLength : 262144

- MaxBurstLength : 262144

- MaxRecvDataSegLen : 131072

- MaxCommands : 128

- DefaultTimeToWait : 2

- DefaultTimeToRetain : 0

- LoginTimeout : 15

- LogoutTimeout : 15

- RecoveryTimeout : 10

- NoopTimeout : 10

- NoopInterval : 15

- InitR2T : OFF

- ImmediateData : ON

- DelayedAck : 1

- dataDigestType : digestProhibited

- headerDigestType : digestProhibited

9 After setup is complete, run vicfg-rescan to rescan all storage devices.

Before rescan, vSphere Client shows no LUNs.

C:\>vicfg-rescan.pl --server esx1 --username root vmhba33

Enter password:

Scan Operation Succeeded

C:\>vicfg-rescan.pl --server esx2 --username root vmhba33

Enter password:

Scan operation succeeded.

Now vSphere Client shows LUNs scanned.

Setting Up Dependent Hardware iSCSI

Dependent hardware iSCSI setup requires a number of high-level tasks. For each task, see the discussion of the corresponding command-line option in this chapter, the manpage (Linux), or the reference information.

1 Determine the HBA type and retrieve the HBA ID.

vicf-iscsi --adapter --list

2 (Optional) Set the iSCSI name and alias.

vicfg-iscsi -I -n <iscsi_name> <adapter_name>

vicfg-iscsi --iscsiname --name <iscsi_name> <adapter_name>

vicfg-iscsi -I -a <alias_name> <adapter_name>

vicfg-iscsi --iscsiname --alias <alias_name> <adapter_name>

3 Set up port binding by following these steps:

A. Identify the VMkernel port of the dependent hardware iSCSI adapter.

esxcli <conn_options> swiscsi vmknic list -d <vmhba>

command tested in software iSCSI environment.

C:\>esxcli --server esx1 --username root swiscsi vmknic list -d vmhba33

Enter password:

vmk1

vmknic name: vmk1

mac address: 00:50:56:70:16:9a

mac address settable: NO

vmk2

vmknic name: vmk2

mac address: 00:50:56:72:32:67

mac address settable: NO

C:\>esxcli --server esx2 --username root swiscsi vmknic list -d vmhba33

Enter password:

vmk0

vmknic name: vmk0

mac address: 00:0c:29:b8:65:5c

mac address settable: NO

vmk1

vmknic name: vmk1

mac address: 00:50:56:78:06:4d

mac address settable: NO

vmk0

vmknic name: vmk0

mac address: 00:0c:29:b8:65:5c

mac address settable: NO

vmk1

vmknic name: vmk1

mac address: 00:50:56:78:06:4d

mac address settable: NO

B. Connect the dependent hardware iSCSI initiator to the iSCSI VMkernel ports by running the following command for each port.

esxcli <conn_options> swiscsi nic add -n <port_name> -d <vmhba>

[root@esx1 ~] # esxcli swiscsi nic add -n vmk1 -d vmhba33
[root@esx1 ~] # esxcli swiscsi nic add -n vmk2 -d vmhba33

esx2 host does not have software iSCSI initiator connected to the iSCSI VMkernel port. It use default VMkernel port.

C. Verify that the ports were added to the dependent hardware iSCSI initiator.

esxcli <conn_options> swiscsi nic list -d <vmhba>

C:\>esxcli --server esx1 --username root swiscsi nic list -d vmhba33

Enter password:

vmk1

pNic name: vmnic0

ipv4 address: 172.16.140.171

ipv4 net mask: 255.255.255.0

ipv6 addresses:

mac address: 00:0c:29:f1:5a:5b

mtu: 1500

toe: false

tso: true

tcp checksum: false

vlan: true

vlanId: 0

ethernet speed: 1000

packets received: 87416

packets sent: 33198

NIC driver: e1000

driver version: 8.0.3.2-1vmw-NAPI

firmware version: N/A

vmk2

pNic name: vmnic1

ipv4 address: 172.16.140.172

ipv4 net mask: 255.255.255.0

ipv6 addresses:

mac address: 00:0c:29:f1:5a:51

mtu: 1500

toe: false

tso: true

tcp checksum: false

vlan: true

vlanId: 0

ethernet speed: 1000

packets received: 113138

packets sent: 7037

NIC driver: e1000

driver version: 8.0.3.2-1vmw-NAPI

firmware version: N/A

C:\>esxcli --server esx2 --username root swiscsi nic list -d vmhba33

Enter password:

No nics found for this adapter.
<Network configuration of esx2 host>

D. Rescan the dependent hardware SCSI initiator.

vicfg-rescan <conn_options> <vmhba>

4 Add a dynamic discovery address or a static discovery address.

The two types of target differ as follows:

n With dynamic discovery, all storage targets associated with a host name or IP address are discovered.

You run the following command:

vicfg-iscsi <conn_options> --discovery --add --ip <ip_addr | domain_name> <adapter_name>

n With static discovery, you must specify the host name or IP address and the iSCSI name of the storage target. You run the following command:

vicfg-iscsi <conn_options> --static --add --ip <ip_addr | domain_name> --name <iscsi_name> <adapter_name>

5 (Optional) Set the authentication information for CHAP.

The target (-i) and name (-n) option determine what the command applies to.

Setting iSCSI CHAP

iSCSI storage systems authenticate an initiator using a name and key pair. ESX/ESXi systems support Challenge Handshake Authentication Protocol (CHAP), which VMware recommends for your SAN implementation. The ESX/ESXi host and the iSCSI storage system must have CHAP enabled and must have common credentials. During iSCSI login, the iSCSI storage system exchanges its credentials with the ESX/ESXi system and checks them.

You can set up iSCSI authentication using the vSphere Client, as discussed in the iSCSI SAN Configuration Guide or using the vicfg-iscsi command, discussed in “Enabling iSCSI Authentication”.

To use CHAP authentication, you must enable CHAP on both the initiator side and the storage system side. After authentication is enabled, it applies for targets to which no connection has been established, but does not apply

to targets to which a connection is established. After the discovery address is set, the new volumes to which you add a connection are exposed and can be used.

For software iSCSI and dependent hardware iSCSI, ESX/ESXi hosts support per-discovery and per-target CHAP credentials. For independent hardware iSCSI, ESX/ESXi hosts support only one set of CHAP credentials per initiator. You cannot assign different CHAP credentials for different targets.

When you configure independent hardware iSCSI initiators, ensure that the CHAP configuration matches your iSCSI storage. If CHAP is enabled on the storage array, it must be enabled on the initiator. If CHAP is enabled, you must set up the CHAP authentication credentials on the ESX/ESXi host to match the credentials on the iSCSI storage.

Enabling iSCSI Authentication

The vicfg-iscsi -A -c options enable iSCSI authentication. Mutual authentication is supported for software iSCSI and dependent hardware iSCSI, but not for independent hardware iSCSI. See “Setting iSCSI CHAP”
To enable mutual authentication

1 Enable authentication on the ESX/ESXi host.

vicfg-iscsi -A -c <level> -m <auth_method> -u <auth_u_name> -w <auth_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name]] <adapter_name>

The specified user name and password must be supported on the storage side.

Supported CHAP Levels

To set CHAP levels with vicfg-iscsi, specify one of the values in below for <level>. Only two levels are supported for independent hardware iSCSI.

chapProhibited: Host does not use CHAP authentication. If authentication is enabled, specify chapProhibited to disble it.

In vShpere Client, choose "Do not use CHAP".

Supported for

Software iSCSI

Independent hardware iSCSI

Dependent hardware iSCSI

chapDiscouraged: Host uses a non-CHAP connection, but aalows a CHAP connection as fallback.

In vSphere Client, choose "Do not use CHAP unless required by terget"

Supported for

Software iSCSI

Dependent hardware iSCSI

chapPreferred: Host uses CHAP if CHAP connection succeeds, but uses non-CHAP connection as fallback.

In vSphere Client, choose "Use CHAP unless prohibited by terget"

Software iSCSI

Independent hardware iSCSI

Dependent hardware iSCSI

chapRequired: Host requires successful CHAP authentication. The connection fails if CHAP negotiation fails.

In vShpere Client, choose "Use CHAP"

Supported for

Software iSCSI

Dependent hardware iSCSI

CHAP levels in vSphere Client interface.

C:\>vicfg-iscsi.pl --server esx1 --username root -A --list vmhba33

Enter password:

---------------Inititator Authentication ------------

Supported Authentication Methods for Adapter vmhba33:

IMA_AUTHMETHOD_NONE

IMA_AUTHMETHOD_CHAP

---------------Mutual Authentication ------------

Supported Authentication Methods for Adapter vmhba33:

IMA_AUTHMETHOD_NONE

IMA_AUTHMETHOD_CHAP

2 Enable mutual authentication on the ESX/ESXi host.

vicfg-iscsi -A -c <level> -m <auth_method> -b -u <ma_username> -w <ma_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name]] <adapter_name>

C:\>vicfg-iscsi.pl --server esx1 --username root -A -c chapRequired -m CHAP -u openfiler -w password --ip 172.16.140.155 vmhba33

Enter password:

C:\>vicfg-iscsi.pl --server esx1 --username root -A -m CHAP --list vmhba33

Enter password:

Initiator CHAP:

CHAP Authentication Parameters for Adapter vmhba33

Chap Type: chapRequired

Name: openfiler

Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

C:\>

C:\>vicfg-iscsi.pl --server esx1 --username root -A -m CHAP --reset_auth --ip 172.16.140.155 vmhba33

Enter password:

3 Make sure the following requirements are met.

n CHAP authentication is already set up when you start setting up mutual CHAP.

n CHAP and mutual CHAP use different user names and passwords. The second user name and password are supported for mutual authentication on the storage side.

n CHAP and mutual CHAP use compatible CHAP levels.

C:\>vicfg-iscsi.pl --server esx1 --username root -A --list --ip 172.16.140.155 vmhba33

Enter password:

---------------Inititator Authentication ------------

Supported Authentication Methods for Adapter vmhba33:

IMA_AUTHMETHOD_NONE

IMA_AUTHMETHOD_CHAP

---------------Mutual Authentication ------------

Supported Authentication Methods for Adapter vmhba33:

IMA_AUTHMETHOD_NONE

IMA_AUTHMETHOD_CHAP

C:\>vicfg-iscsi.pl --server esx1 --username root -A --list --ip 172.16.140.155 --name swiscsi1 vmhba33

Enter password:

---------------Inititator Authentication ------------

Supported Authentication Methods for Adapter vmhba33:

IMA_AUTHMETHOD_NONE

IMA_AUTHMETHOD_CHAP

---------------Mutual Authentication ------------

Supported Authentication Methods for Adapter vmhba33:

IMA_AUTHMETHOD_NONE

IMA_AUTHMETHOD_CHAP

Freedom Space

Thursday, October 20, 2011

Managing iSCSI storage with vicfg-iscsi

No comments: