Thursday, October 20, 2011

Managing iSCSI storage with vicfg-iscsi

Refer: http://www.vmware.com/pdf/vsphere4/r41/vsp4_41_vcli_inst_script.pdf, page 65.
iSCSI Storage Overview
With iSCSI, SCSI storage commands that your virtual machine issues to its virtual disk are converted into TCP/IP protocol packets and transmitted to a remote device, or target, on which the virtual disk is located. From the point of view of the virtual machine, the device appears as a locally attached SCSI drive. To access remote targets, the host uses iSCSI initiators. Initiators transport SCSI requests and responses between the host and the target storage device on the IP network. ESX/ESXi supports these types of initiators:

• Software iSCSI adapter. VMware code built into the VMkernel. Allows an ESX/ESXi host to connect to the iSCSI storage device through standard network adapters. The software initiator handles iSCSI processing while communicating with the network adapter.
• Hardware iSCSI adapter. Offloads all iSCSI and network processing from your host. Hardware iSCSI adapters come in two types:
  • Dependent hardware iSCSI adapter. Leverages the VMware iSCSI management and configuration interfaces.
  • Independent hardware iSCSI adapter. Leverages its own iSCSI management and configuration interfaces.


<Hosts using different types of iSCSI initiators>
• The host on the left uses an independent hardware iSCSI adapter to connect to the iSCSI storage system.
• The host on the right uses a third-party Ethernet NIC with iSCSI offload capabilities.
iSCSI storage devices from the storage system become available to the host. You can access the storage devices and create VMFS datastores for your storage needs.


Discovery Sessions
A discovery session is part of the iSCSI protocol. The discovery session returns the set of targets that you can access on an iSCSI storage system. ESX/ESXi systems support dynamic and static discovery.
• Dynamic discovery. Also known as Send Targets discovery. Each time the ESX/ESXi host contacts a specified iSCSI server, it sends a Send Targets request to the server. In response, the iSCSI server supplies a list of available targets to the ESX/ESXi host.

C:\>vicfg-iscsi.pl --server esx1 --username root --discovery --add --ip 172.16.140.155  vmhba33
Enter password:
Adding discovery address 172.16.140.155:3260 ...
A rescan of the host is recommended for this configuration change.

Check the targets after discovery using the vicfg-iscsi -T command.
C:\>vicfg-iscsi.pl --server esx1 --username root -T  --list vmhba33
Enter password:

-----------------------------------------
NAME                              : iqn.2006-01.com.openfiler:tsn.b6998f7991b4
ALIAS                             :
DISCOVERY METHOD FLAGS            : 0
SEND TARGETS DISCOVERY SETTABLE   : 0
Portal 0                          : 172.16.140.155:3260

-----------------------------------------

C:\>vicfg-iscsi.pl --server esx2 --username root -T  --list vmhba33
Enter password:

-----------------------------------------
NAME                              : iqn.2006-01.com.openfiler:tsn.b6998f7991b4
ALIAS                             :
DISCOVERY METHOD FLAGS            : 0
SEND TARGETS DISCOVERY SETTABLE   : 0
Portal 0                          : 172.16.140.155:3260

-----------------------------------------


• Static discovery. The ESX/ESXi host does not have to perform discovery. Instead, the ESX/ESXi host uses the IP addresses or domain names and iSCSI target names (IQN or EUI format names) to communicate with the iSCSI target.

The vicfg-iscsi -D and -S options monitor and manage target discovery addresses. You can also use the vSphere Client to perform the same task.

For either case, you set up target discovery addresses so that the initiator can determine which storage resource on the network is available for access. You can do this setup with dynamic discovery or static discovery. With dynamic discovery, all targets associated with an IP address or host name and the iSCSI name are discovered. With static discovery, you must specify the IP address or host name and the iSCSI name of the target you want to access. The iSCSI HBA must be in the same VLAN as both ports of the iSCSI array.

Without the --name parameter, static discovery fails and displays the following error message.
C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155  vmhba33
Enter password:
Discovery target iscsi name is required.
For a summary of command usage, type 'C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl --help'.
For documentation, type 'perldoc C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl'.

Let's try again with the --name parameter.
C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155  --name iqn.2006-01.com.openfiler:tsn.b6998f7991b4 vmhba33
Enter password:
Adding static discovery target 172.16.140.155:3260, iqn = iqn.2006-01.com.openfiler:tsn.b6998f7991b4,

You can list the discovered LUNs with the vicfg-iscsi -L --list <vmhba> command.
C:\>vicfg-iscsi.pl --server esx1 --username root -L --list vmhba33
Enter password:
Target: iqn.2006-01.com.openfiler:tsn.b6998f7991b4:
-------------------------------------------
OS DEVICE NAME    : t10.F405E46494C45400259395867725D24567F444D253651786
BUS NUMBER        : 1
TARGET ID         : 0
LUN ID            : 0
LUN SIZE          : 40928 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400A645A56644F6D23626A435D207248425
BUS NUMBER        : 1
TARGET ID         : 0
LUN ID            : 1
LUN SIZE          : 4096 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400946563B6C664D284231674D233F485D6
BUS NUMBER        : 1
TARGET ID         : 0
LUN ID            : 2
LUN SIZE          : 4064 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400C4C624C434A6D23376C647D215E4C403
BUS NUMBER        : 1
TARGET ID         : 0
LUN ID            : 3
LUN SIZE          : 4064 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400259395867725D24567F444D253651786
BUS NUMBER        : 0
TARGET ID         : 0
LUN ID            : 0
LUN SIZE          : 40928 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400A645A56644F6D23626A435D207248425
BUS NUMBER        : 0
TARGET ID         : 0
LUN ID            : 1
LUN SIZE          : 4096 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400946563B6C664D284231674D233F485D6
BUS NUMBER        : 0
TARGET ID         : 0
LUN ID            : 2
LUN SIZE          : 4064 MB

-------------------------------------------

OS DEVICE NAME    : t10.F405E46494C45400C4C624C434A6D23376C647D215E4C403
BUS NUMBER        : 0
TARGET ID         : 0
LUN ID            : 3
LUN SIZE          : 4064 MB

-------------------------------------------


Discovery Target Names
The target name is either an IQN name or an EUI name.
• The IQN name uses the following format:
iqn.yyyy-mm.{reversed domain name}:id_string
For example: iqn.2007-05.com.mydomain:storage.tape.sys3.abc
The ESX/ESXi host generates an IQN name for software iSCSI and dependent hardware iSCSI adapters. You can change that default IQN name.
• The EUI name is described in IETF RFC 3720 as follows:
The IEEE Registration Authority provides a service for assigning globally unique identifiers [EUI]. The EUI-64 format is used to build a global identifier in other network protocols. For example, Fibre Channel defines a method of encoding it into a WorldWideName.
The format is eui. followed by an EUI-64 identifier (16 ASCII-encoded hexadecimal digits). For example:
   Type  EUI-64 identifier (ASCII-encoded hexadecimal)
     +--++--------------+
     |  ||              |
     eui.02004567A425678D
The IEEE EUI-64 iSCSI name format can be used when a manufacturer is registered with the IEEE Registration Authority and uses EUI-64 formatted worldwide unique names for its products. Check in the UI of the storage array whether an array uses an IQN name or an EUI name.
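As an added example that is not part of the original post or of the vSphere CLI, the following Python parses target names in both formats described above and rejects anything that is neither a well-formed IQN nor an EUI name. The sample names are the ones quoted on this page; the function names are my own.

```python
import re

# RFC 3720 naming: "iqn." + yyyy-mm + "." + reversed naming-authority domain
# + optional ":" + id string, or "eui." + 16 ASCII hex digits (an EUI-64).
# Any iSCSI name is limited to 223 bytes.
IQN_RE = re.compile(
    r"^iqn\.(\d{4})-(\d{2})\.([a-z0-9][a-z0-9-]*(?:\.[a-z0-9][a-z0-9-]*)*)(?::(.+))?$",
    re.IGNORECASE,
)
EUI_RE = re.compile(r"^eui\.([0-9a-fA-F]{16})$")
MAX_NAME_BYTES = 223


def parse_iscsi_name(name):
    """Return the components of an IQN or EUI iSCSI name, or raise ValueError."""
    name = name.strip()
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("iSCSI name longer than %d bytes" % MAX_NAME_BYTES)
    m = IQN_RE.match(name)
    if m:
        year, month, authority, id_string = m.groups()
        if not 1 <= int(month) <= 12:
            raise ValueError("invalid month in IQN date: %r" % name)
        authority = authority.lower()  # domain labels are case-insensitive
        return {
            "type": "iqn",
            "year": int(year),
            "month": int(month),
            "naming_authority": authority,                        # reversed, as written
            "domain": ".".join(reversed(authority.split("."))),   # ordinary DNS order
            "id_string": id_string,                               # None when absent
        }
    m = EUI_RE.match(name)
    if m:
        return {"type": "eui", "eui64": m.group(1).upper()}
    raise ValueError("not an IQN or EUI iSCSI name: %r" % name)


def is_valid_iscsi_name(name):
    """True when the name parses as either format."""
    try:
        parse_iscsi_name(name)
        return True
    except ValueError:
        return False


def classify_targets(names):
    """Group target names (e.g. from 'vicfg-iscsi -T --list') by format."""
    result = {"iqn": [], "eui": [], "invalid": []}
    for n in names:
        try:
            result[parse_iscsi_name(n)["type"]].append(n)
        except ValueError:
            result["invalid"].append(n)
    return result
```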


Protecting an iSCSI SAN
When you plan your iSCSI configuration, take measures to improve the overall security of the iSCSI SAN. Your iSCSI configuration is only as secure as your IP network. By enforcing good security standards when you set up your network, you help safeguard your iSCSI storage.
Protecting Transmitted Data
A primary security risk in iSCSI SANs is that an attacker might sniff transmitted storage data. Neither the iSCSI adapter nor the ESX/ESXi host iSCSI initiator encrypts the data that it transmits to and from the targets, making the data vulnerable to sniffing attacks. You must therefore take additional measures to prevent attackers from easily seeing iSCSI data. Allowing your virtual machines to share virtual switches and VLANs with your iSCSI configuration potentially exposes iSCSI traffic to misuse by a virtual machine attacker. To help ensure that intruders cannot listen to iSCSI transmissions, make sure that none of your virtual machines can see the iSCSI storage network.
Protect your system by giving the iSCSI SAN a dedicated virtual switch.
• If you use an independent hardware iSCSI adapter, make sure that the iSCSI adapter and ESX/ESXi physical network adapter are not inadvertently connected outside the host. Such a connection might result from sharing a switch.
• If you configure iSCSI directly through the ESX/ESXi host, configure iSCSI storage through a different virtual switch than the one used by your virtual machines.
You can also configure your iSCSI SAN on its own VLAN to improve performance and security. Placing your iSCSI configuration on a separate VLAN ensures that no devices other than the iSCSI adapter can see transmissions within the iSCSI SAN. With a dedicated VLAN, network congestion from other sources cannot interfere with iSCSI traffic.


Securing iSCSI Ports
When you run iSCSI devices, the ESX/ESXi host does not open ports that listen for network connections. This measure reduces the chances that an intruder can break into the ESX/ESXi host through spare ports and gain control over the host. Therefore, running iSCSI does not present additional security risks at the ESX/ESXi host end of the connection.
An iSCSI target device must have one or more open TCP ports to listen for iSCSI connections. If security vulnerabilities exist in the iSCSI device software, your data can be at risk through no fault of the ESX/ESXi system. To lower this risk, install all security patches that your storage equipment manufacturer provides and limit the devices connected to the iSCSI network.


Setting Up Software iSCSI
Software iSCSI setup requires a number of high-level tasks. For each task, see the discussion of the corresponding command-line option in this chapter, the manpage (Linux), or the reference information.
1 Determine the HBA type and retrieve the HBA ID.
vicfg-iscsi --adapter --list

C:\>vicfg-iscsi.pl  --server esx1 --username root --adapter --list
Enter password:

C:\>vicfg-iscsi.pl  --server esx2 --username root --adapter --list
Enter password:

vSphere Client shows no WWN for the iSCSI software adapter because it is not yet enabled.



2 Enable software iSCSI for the HBA.
vicfg-iscsi --swiscsi --enable

C:\>vicfg-iscsi.pl  --server esx1 --username root --swiscsi --enable
Enter password:
Enabling software iSCSI...

C:\>vicfg-iscsi.pl  --server esx2 --username root --swiscsi --enable
Enter password:
Enabling software iSCSI...

Now the iSCSI software adapter is listed:
C:\>vicfg-iscsi.pl  --server esx1 --username root --adapter --list
Enter password:
vmhba33          iSCSI Software Adapter

C:\>vicfg-iscsi.pl  --server esx2 --username root --adapter --list
Enter password:
vmhba33          iSCSI Software Adapter

vSphere Client now shows the IQN name as the WWN for the iSCSI software adapter.

 
3 (Optional) Check the status.
vicfg-iscsi --swiscsi --list
The system prints Software iSCSI is enabled or Software iSCSI is not enabled.

C:\>vicfg-iscsi.pl --server esx2 --username root --swiscsi  --list
Enter password:
Software iSCSI is enabled.

C:\>vicfg-iscsi.pl --server esx1 --username root --swiscsi  --list
Enter password:
Software iSCSI is enabled.


4 (Optional) Set the iSCSI name and alias.
vicfg-iscsi -I -n <iscsi_name> <adapter_name>
vicfg-iscsi --iscsiname --name <iscsi_name> <adapter_name>
vicfg-iscsi -I -a <alias_name> <adapter_name>
vicfg-iscsi --iscsiname --alias <alias_name> <adapter_name>

C:\>vicfg-iscsi.pl --server esx1 --username root --iscsiname --list vmhba33
Enter password:
iSCSI Node Name   : iqn.1998-01.com.vmware:esx1-0f770b14
iSCSI Node Alias  :

C:\>vicfg-iscsi.pl --server esx1 --username root --iscsiname --alias swiscsi1  vmhba33
Enter password:

C:\>vicfg-iscsi.pl --server esx1 --username root --iscsiname --list vmhba33
Enter password:
iSCSI Node Name   : iqn.1998-01.com.vmware:esx1-0f770b14
iSCSI Node Alias  : swiscsi1


C:\>vicfg-iscsi.pl --server esx2 --username root --iscsiname --list vmhba33
Enter password:
iSCSI Node Name   : iqn.1998-01.com.vmware:esx2-2e7127ab
iSCSI Node Alias  :

C:\>vicfg-iscsi.pl --server esx2 --username root --iscsiname --alias swiscsi1  vmhba33
Enter password:

C:\>vicfg-iscsi.pl --server esx2 --username root --iscsiname --list vmhba33
Enter password:
iSCSI Node Name   : iqn.1998-01.com.vmware:esx2-2e7127ab
iSCSI Node Alias  : swiscsi1


5 Add a dynamic discovery address or a static discovery address.
The two types of target differ as follows:
• With dynamic discovery, all storage targets associated with a host name or IP address are discovered.
You run the following command:
vicfg-iscsi <conn_options> --discovery --add --ip <ip_addr | domain_name> <adapter_name>

C:\>vicfg-iscsi.pl --server esx1 --username root --discovery --add --ip 172.16.140.155  vmhba33
Enter password:
Adding discovery address 172.16.140.155:3260 ...
A rescan of the host is recommended for this configuration change.

• With static discovery, you must specify the host name or IP address and the iSCSI name of the storage target. You run the following command:
vicfg-iscsi <conn_options> --static --add --ip <ip_addr | domain_name> --name <iscsi_name> <adapter_name>

When you later remove a discovery address, it might still be displayed as the parent of a static target. You can add the discovery address and rescan to display the correct parent for the static targets.

C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155  vmhba33
Enter password:
Discovery target iscsi name is required.
For a summary of command usage, type 'C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl --help'.
For documentation, type 'perldoc C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-iscsi.pl'.

C:\>vicfg-iscsi.pl --server esx2 --username root --static --add --ip 172.16.140.155  --name iqn.2006-01.com.openfiler:tsn.b6998f7991b4 vmhba33
Enter password:
Adding static discovery target 172.16.140.155:3260, iqn = iqn.2006-01.com.openfiler:tsn.b6998f7991b4,

6 (Optional) Set the authentication information for CHAP
vicfg-iscsi -A -c <level> -m <auth_method> -u <auth_u_name> -w <auth_password> [-i <stor_ip_addr|stor_hostname>[:<portnum>] [-n <iscsi_name>]] <adapter_name>
vicfg-iscsi --authentication --level <level> --method <auth_method> --auth_username <auth_u_name> --auth_password <auth_password> [--ip <stor_ip_addr|stor_hostname>[:<portnum>] [--name <iscsi_name>]] <adapter_name>
The target (-i) and name (-n) options determine what the command applies to.


7 (Optional) Set the authentication information for mutual CHAP by running vicfg-iscsi -A again with the -b option and a different authentication user name and password.
For <level>, specify chapProhibited or chapRequired.
• chapProhibited – The host does not use CHAP authentication. If authentication is enabled, specify chapProhibited to disable it.
• chapRequired – The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails. You can set this value for mutual CHAP only if CHAP is set to chapRequired.
For <auth_method>, CHAP is the only valid value.

8 (Optional) Set iSCSI parameters by running vicfg-iscsi -W.

C:\>vicfg-iscsi.pl --server esx1 --username root -W  --list vmhba33
Enter password:

iSCSI Parameters Setting:

- ErrorRecoveryLevel               : 0
- LoginRetryMax                    : 4
- MaxOutstandingR2T                : 1
- FirstBurstLength                 : 262144
- MaxBurstLength                   : 262144
- MaxRecvDataSegLen                : 131072
- MaxCommands                      : 128
- DefaultTimeToWait                : 2
- DefaultTimeToRetain              : 0
- LoginTimeout                     : 15
- LogoutTimeout                    : 15
- RecoveryTimeout                  : 10
- NoopTimeout                      : 10
- NoopInterval                     : 15
- InitR2T                          : OFF
- ImmediateData                    : ON
- DelayedAck                       : 1
- dataDigestType                   : digestProhibited
- headerDigestType                 : digestProhibited

C:\>vicfg-iscsi.pl --server esx2 --username root -W  --list vmhba33
Enter password:

iSCSI Parameters Setting:

- ErrorRecoveryLevel               : 0
- LoginRetryMax                    : 4
- MaxOutstandingR2T                : 1
- FirstBurstLength                 : 262144
- MaxBurstLength                   : 262144
- MaxRecvDataSegLen                : 131072
- MaxCommands                      : 128
- DefaultTimeToWait                : 2
- DefaultTimeToRetain              : 0
- LoginTimeout                     : 15
- LogoutTimeout                    : 15
- RecoveryTimeout                  : 10
- NoopTimeout                      : 10
- NoopInterval                     : 15
- InitR2T                          : OFF
- ImmediateData                    : ON
- DelayedAck                       : 1
- dataDigestType                   : digestProhibited
- headerDigestType                 : digestProhibited


9 After setup is complete, run vicfg-rescan to rescan all storage devices.
Before rescan, vSphere Client shows no LUNs.

C:\>vicfg-rescan.pl --server esx1 --username root vmhba33
Enter password:
Scan Operation Succeeded

C:\>vicfg-rescan.pl --server esx2 --username root  vmhba33
Enter password:
Scan operation succeeded.

Now vSphere Client shows LUNs scanned.


Setting Up Dependent Hardware iSCSI
Dependent hardware iSCSI setup requires a number of high-level tasks. For each task, see the discussion of the corresponding command-line option in this chapter, the manpage (Linux), or the reference information.
1 Determine the HBA type and retrieve the HBA ID.
vicfg-iscsi --adapter --list

2 (Optional) Set the iSCSI name and alias.
vicfg-iscsi -I -n <iscsi_name> <adapter_name>
vicfg-iscsi --iscsiname --name <iscsi_name> <adapter_name>
vicfg-iscsi -I -a <alias_name> <adapter_name>
vicfg-iscsi --iscsiname --alias <alias_name> <adapter_name>

3 Set up port binding by following these steps:
A. Identify the VMkernel port of the dependent hardware iSCSI adapter.
esxcli <conn_options> swiscsi vmknic list -d <vmhba>

This command was tested in the software iSCSI environment.
C:\>esxcli --server esx1 --username root swiscsi vmknic list -d vmhba33
Enter password:
vmk1
  vmknic name: vmk1
  mac address: 00:50:56:70:16:9a
  mac address settable: NO

vmk2
  vmknic name: vmk2
  mac address: 00:50:56:72:32:67
  mac address settable: NO

C:\>esxcli --server esx2 --username root swiscsi vmknic list -d vmhba33
Enter password:
vmk0
  vmknic name: vmk0
  mac address: 00:0c:29:b8:65:5c
  mac address settable: NO

vmk1
  vmknic name: vmk1
  mac address: 00:50:56:78:06:4d
  mac address settable: NO



B. Connect the dependent hardware iSCSI initiator to the iSCSI VMkernel ports by running the following command for each port.
esxcli <conn_options> swiscsi nic add -n <port_name> -d <vmhba>
[root@esx1 ~] # esxcli swiscsi nic add -n vmk1 -d vmhba33
[root@esx1 ~] # esxcli swiscsi nic add -n vmk2 -d vmhba33


The esx2 host does not have its software iSCSI initiator bound to an iSCSI VMkernel port; it uses the default VMkernel port.
C. Verify that the ports were added to the dependent hardware iSCSI initiator.
esxcli <conn_options> swiscsi nic list -d <vmhba>
C:\>esxcli --server esx1 --username root swiscsi nic list -d vmhba33
Enter password:
vmk1
  pNic name: vmnic0
  ipv4 address: 172.16.140.171
  ipv4 net mask: 255.255.255.0
  ipv6 addresses:
  mac address: 00:0c:29:f1:5a:5b
  mtu: 1500
  toe: false
  tso: true
  tcp checksum: false
  vlan: true
  vlanId: 0
  ethernet speed: 1000
  packets received: 87416
  packets sent: 33198
  NIC driver: e1000
  driver version: 8.0.3.2-1vmw-NAPI
  firmware version: N/A

vmk2
  pNic name: vmnic1
  ipv4 address: 172.16.140.172
  ipv4 net mask: 255.255.255.0
  ipv6 addresses:
  mac address: 00:0c:29:f1:5a:51
  mtu: 1500
  toe: false
  tso: true
  tcp checksum: false
  vlan: true
  vlanId: 0
  ethernet speed: 1000
  packets received: 113138
  packets sent: 7037
  NIC driver: e1000
  driver version: 8.0.3.2-1vmw-NAPI
  firmware version: N/A
<Network configuration of esx1 host>
C:\>esxcli --server esx2 --username root swiscsi nic list -d vmhba33
Enter password:
No nics found for this adapter.
<Network configuration of esx2 host>

D. Rescan the dependent hardware iSCSI initiator.
vicfg-rescan <conn_options> <vmhba>
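As an added example (my own code, not part of the post or of esxcli), the script below parses the esxcli swiscsi nic list output shown above and checks every bound VMkernel port against two statements on this page: the initiator must sit on the same network as the array's portal, and the iSCSI SAN should live on its own VLAN (see "Protecting Transmitted Data" above). The sample text is the esx1 and esx2 output from above; the finding codes and function names are my own.

```python
import ipaddress

# Sample input: the esx1 output of "esxcli swiscsi nic list -d vmhba33" shown
# above, trimmed to the fields this check uses.
ESX1_NIC_LIST = """vmk1
  pNic name: vmnic0
  ipv4 address: 172.16.140.171
  ipv4 net mask: 255.255.255.0
  ipv6 addresses:
  mac address: 00:0c:29:f1:5a:5b
  mtu: 1500
  vlan: true
  vlanId: 0
  ethernet speed: 1000

vmk2
  pNic name: vmnic1
  ipv4 address: 172.16.140.172
  ipv4 net mask: 255.255.255.0
  vlan: true
  vlanId: 0
  ethernet speed: 1000
"""
# The esx2 output above: no ports bound to the adapter.
ESX2_NIC_LIST = "No nics found for this adapter.\n"


def parse_nic_list(text):
    """Turn the esxcli output into {vmk name: {field: value}}."""
    nics, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # unindented line: a vmk name
            if line.startswith("No nics found"):
                break
            current = line.strip()
            nics[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            nics[current][key.strip()] = value.strip()
    return nics


def check_port_binding(nics, portal_ip):
    """Return (vmk, code) findings for the bound ports against one target portal.

    Subnet containment is used as the testable proxy for "same VLAN as the
    array ports"; vlanId 0 means the port group carries no VLAN tag, so
    isolation of the iSCSI segment has to be enforced elsewhere.
    """
    if not nics:
        return [("-", "NO_BOUND_PORTS")]
    portal = ipaddress.ip_address(portal_ip)
    findings = []
    for vmk, fields in nics.items():
        addr, mask = fields.get("ipv4 address"), fields.get("ipv4 net mask")
        if not addr or not mask:
            findings.append((vmk, "NO_IPV4"))
            continue
        net = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
        if portal not in net:
            findings.append((vmk, "PORTAL_NOT_ON_LOCAL_SUBNET"))
        if fields.get("vlanId", "0") == "0":
            findings.append((vmk, "UNTAGGED_VLAN"))
    return findings
```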

4 Add a dynamic discovery address or a static discovery address.
The two types of target differ as follows:
• With dynamic discovery, all storage targets associated with a host name or IP address are discovered.
You run the following command:
vicfg-iscsi <conn_options> --discovery --add --ip <ip_addr | domain_name> <adapter_name>
• With static discovery, you must specify the host name or IP address and the iSCSI name of the storage target. You run the following command:
vicfg-iscsi <conn_options> --static --add --ip <ip_addr | domain_name> --name <iscsi_name> <adapter_name>
When you later remove a discovery address, it might still be displayed as the parent of a static target. You can add the discovery address and rescan to display the correct parent for the static targets.

5 (Optional) Set the authentication information for CHAP.


vicfg-iscsi -A -c <level> -m <auth_method> -u <auth_u_name> -w <auth_password> [-i <stor_ip_addr|stor_hostname>[:<portnum>] [-n <iscsi_name>]] <adapter_name>
vicfg-iscsi --authentication --level <level> --method <auth_method> --auth_username <auth_u_name> --auth_password <auth_password> [--ip <stor_ip_addr|stor_hostname>[:<portnum>] [--name <iscsi_name>]] <adapter_name>
The target (-i) and name (-n) options determine what the command applies to.


Setting iSCSI CHAP
iSCSI storage systems authenticate an initiator using a name and key pair. ESX/ESXi systems support Challenge Handshake Authentication Protocol (CHAP), which VMware recommends for your SAN implementation. The ESX/ESXi host and the iSCSI storage system must have CHAP enabled and must have common credentials. During iSCSI login, the iSCSI storage system exchanges its credentials with the ESX/ESXi system and checks them.
You can set up iSCSI authentication using the vSphere Client, as discussed in the iSCSI SAN Configuration Guide or using the vicfg-iscsi command, discussed in “Enabling iSCSI Authentication”.
To use CHAP authentication, you must enable CHAP on both the initiator side and the storage system side. After authentication is enabled, it applies for targets to which no connection has been established, but does not apply to targets to which a connection is established. After the discovery address is set, the new volumes to which you add a connection are exposed and can be used.
For software iSCSI and dependent hardware iSCSI, ESX/ESXi hosts support per-discovery and per-target CHAP credentials. For independent hardware iSCSI, ESX/ESXi hosts support only one set of CHAP credentials per initiator. You cannot assign different CHAP credentials for different targets.
When you configure independent hardware iSCSI initiators, ensure that the CHAP configuration matches your iSCSI storage. If CHAP is enabled on the storage array, it must be enabled on the initiator. If CHAP is enabled, you must set up the CHAP authentication credentials on the ESX/ESXi host to match the credentials on the iSCSI storage.

Enabling iSCSI Authentication
The vicfg-iscsi -A -c options enable iSCSI authentication. Mutual authentication is supported for software iSCSI and dependent hardware iSCSI, but not for independent hardware iSCSI. See "Setting iSCSI CHAP".
To enable mutual authentication
1 Enable authentication on the ESX/ESXi host.
vicfg-iscsi -A -c <level> -m <auth_method> -u <auth_u_name> -w <auth_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name]] <adapter_name>
The specified user name and password must be supported on the storage side.

Supported CHAP Levels
To set CHAP levels with vicfg-iscsi, specify one of the following values for <level>. Only two levels are supported for independent hardware iSCSI.

chapProhibited:  Host does not use CHAP authentication. If authentication is enabled, specify chapProhibited to disable it.
                 In vSphere Client, choose "Do not use CHAP".
                 Supported for: Software iSCSI, Independent hardware iSCSI, Dependent hardware iSCSI.

chapDiscouraged: Host uses a non-CHAP connection, but allows a CHAP connection as fallback.
                 In vSphere Client, choose "Do not use CHAP unless required by target".
                 Supported for: Software iSCSI, Dependent hardware iSCSI.

chapPreferred:   Host uses CHAP if the CHAP connection succeeds, but uses a non-CHAP connection as fallback.
                 In vSphere Client, choose "Use CHAP unless prohibited by target".
                 Supported for: Software iSCSI, Independent hardware iSCSI, Dependent hardware iSCSI.

chapRequired:    Host requires successful CHAP authentication. The connection fails if CHAP negotiation fails.
                 In vSphere Client, choose "Use CHAP".
                 Supported for: Software iSCSI, Dependent hardware iSCSI.

CHAP levels in vSphere Client interface.


C:\>vicfg-iscsi.pl --server esx1 --username root -A  --list vmhba33
Enter password:
---------------Inititator Authentication ------------

Supported Authentication Methods for Adapter vmhba33:
 IMA_AUTHMETHOD_NONE
 IMA_AUTHMETHOD_CHAP
---------------Mutual Authentication ------------

Supported Authentication Methods for Adapter vmhba33:
 IMA_AUTHMETHOD_NONE
 IMA_AUTHMETHOD_CHAP

2 Enable mutual authentication on the ESX/ESXi host.
vicfg-iscsi -A -c <level> -m <auth_method> -b -u <ma_username> -w <ma_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name]] <adapter_name>

C:\>vicfg-iscsi.pl --server esx1 --username root -A -c chapRequired -m CHAP -u openfiler -w password --ip 172.16.140.155  vmhba33
Enter password:

C:\>vicfg-iscsi.pl --server esx1 --username root -A -m CHAP --list vmhba33
Enter password:
Initiator CHAP:

CHAP Authentication Parameters for Adapter vmhba33
Chap Type:   chapRequired
Name:        openfiler
Secret:      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

C:\>



C:\>vicfg-iscsi.pl --server esx1 --username root -A  -m CHAP --reset_auth  --ip 172.16.140.155  vmhba33
Enter password:

3 Make sure the following requirements are met.
• CHAP authentication is already set up when you start setting up mutual CHAP.
• CHAP and mutual CHAP use different user names and passwords. The second user name and password are supported for mutual authentication on the storage side.
• CHAP and mutual CHAP use compatible CHAP levels.
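As an added example (not from the post or from vicfg-iscsi), the following audit parses the vicfg-iscsi -A -m CHAP --list and -W --list outputs shown earlier and applies the rules this page states for CHAP levels and for mutual CHAP. The shape of the mutual-CHAP dictionary and the finding codes are assumptions of this example, and the masked secret in the sample is shortened.

```python
import re

# Sample output of "vicfg-iscsi -A -m CHAP --list vmhba33" as shown above
# (the tool masks the secret; it is shortened here).
CHAP_LIST = """Initiator CHAP:

CHAP Authentication Parameters for Adapter vmhba33
Chap Type:   chapRequired
Name:        openfiler
Secret:      XXXXXXXXXXXXXXXX
"""

# A few lines from the "vicfg-iscsi -W --list vmhba33" output above.
PARAM_LIST = """iSCSI Parameters Setting:

- ErrorRecoveryLevel               : 0
- DelayedAck                       : 1
- dataDigestType                   : digestProhibited
- headerDigestType                 : digestProhibited
"""

LEVELS = ("chapProhibited", "chapDiscouraged", "chapPreferred", "chapRequired")


def parse_chap_list(text):
    """Pull the CHAP level and user name out of the -A --list output."""
    level = re.search(r"^Chap Type:\s*(\S+)", text, re.M)
    name = re.search(r"^Name:\s*(\S*)", text, re.M)
    return {"level": level.group(1) if level else None,
            "name": name.group(1) if name else None}


def parse_params(text):
    """Turn the '- Key : Value' lines of the -W --list output into a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^-\s*(\S+)\s*:\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def audit_chap(initiator, mutual=None, params=None):
    """Check a CHAP setup against the rules stated on this page.

    initiator/mutual are dicts with 'level' and 'name'; mutual is None when
    mutual CHAP is not configured (its shape is an assumption of this example).
    Returns a list of (severity, code) findings; empty means nothing to report.
    """
    findings = []
    level = initiator.get("level")
    if level not in LEVELS:
        return [("ERROR", "UNKNOWN_LEVEL")]
    # chapProhibited and chapDiscouraged both let the session come up without CHAP.
    if level in ("chapProhibited", "chapDiscouraged"):
        findings.append(("HIGH", "LOGIN_WITHOUT_CHAP_ALLOWED"))
    # chapPreferred falls back to a non-CHAP connection if the target declines.
    elif level == "chapPreferred":
        findings.append(("MEDIUM", "NON_CHAP_FALLBACK"))
    if mutual is not None:
        # Mutual CHAP presupposes that CHAP is already set up ...
        if level == "chapProhibited":
            findings.append(("ERROR", "MUTUAL_CHAP_WITHOUT_CHAP"))
        # ... and chapRequired for mutual CHAP is allowed only when CHAP is chapRequired.
        elif mutual.get("level") == "chapRequired" and level != "chapRequired":
            findings.append(("ERROR", "MUTUAL_REQUIRED_NEEDS_CHAP_REQUIRED"))
        # CHAP and mutual CHAP must use different user names (and passwords).
        if mutual.get("name") == initiator.get("name"):
            findings.append(("ERROR", "MUTUAL_CHAP_REUSES_INITIATOR_NAME"))
    # Header/data digests are CRC32C checks against corruption, not encryption:
    # with or without them, the iSCSI payload itself travels in the clear.
    for key in ("headerDigestType", "dataDigestType"):
        if (params or {}).get(key) == "digestProhibited":
            findings.append(("INFO", key + "_DISABLED"))
    return findings
```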


C:\>vicfg-iscsi.pl --server esx1 --username root -A  --list --ip 172.16.140.155  vmhba33
Enter password:
---------------Inititator Authentication ------------

Supported Authentication Methods for Adapter vmhba33:
 IMA_AUTHMETHOD_NONE
 IMA_AUTHMETHOD_CHAP
---------------Mutual Authentication ------------

Supported Authentication Methods for Adapter vmhba33:
 IMA_AUTHMETHOD_NONE
 IMA_AUTHMETHOD_CHAP

C:\>vicfg-iscsi.pl --server esx1 --username root -A  --list --ip 172.16.140.155 --name swiscsi1 vmhba33
Enter password:
---------------Inititator Authentication ------------

Supported Authentication Methods for Adapter vmhba33:
 IMA_AUTHMETHOD_NONE
 IMA_AUTHMETHOD_CHAP
---------------Mutual Authentication ------------

Supported Authentication Methods for Adapter vmhba33:
 IMA_AUTHMETHOD_NONE
 IMA_AUTHMETHOD_CHAP
