User authentication (iSCSI environments) – HP StorageWorks XP10000 Disk Array User Manual

• When the Fibre Channel switch is not configured for mutual authentication, the Fibre Channel switch connects to the array.

If the port's Fibre Channel switch is not configured for authentication with CHAP, the authentication fails and the Fibre Channel switch cannot connect to the array.

• Case B: If the Fibre Channel switch's user information is registered on the port, but authentication of the Fibre Channel switch is disabled
Each port does not perform authentication of the Fibre Channel switch. The Fibre Channel switch connects to the array without authentication regardless of whether or not the Fibre Channel switch is configured for authentication with CHAP.

• Case C: If the Fibre Channel switch's user information is not registered on the port
Regardless of the Fibre Channel switch's setting, the port performs authentication of the Fibre Channel switch, but the authentication fails. The Fibre Channel switch cannot connect to the array.

Case D: When not performing authentication of Fibre Channel switches by ports
The Fibre Channel switch connects to the array without authentication of the host regardless of whether or not the Fibre Channel switch is configured for authentication with CHAP.
In this case, although you do not need to register the Fibre Channel switch's user information on the port, you can register the user information.

Authentication of ports (performing mutual authentication)

When authentication of a host succeeds, the host performs authentication of the port in reverse if the host requires it (mutual authentication). In authentication of ports, when the user information (user name and secret) of the port specified on the port side matches the user information stored on the host, the host allows the host group to connect.

User authentication (iSCSI environments)

When configuring iSCSI environments, use LUN Manager to set user authentication between ports on the array and hosts. In iSCSI environments, ports and hosts use Challenge Handshake Authentication Protocol (CHAP) as the authentication method. This section provides an overview of user authentication.

User authentication operations and settings (iSCSI environments)

User authentication operations in iSCSI environments consist of the following phases:

1. An iSCSI target of the array authenticates a host attempting to connect (authentication of hosts).

2. The host authenticates the connection-target iSCSI target of the array (authentication of iSCSI targets).

The array performs user authentication by iSCSI targets. Therefore, iSCSI targets and hosts must have their own user information for performing user authentication.

When a host attempts to connect to the array, the authentication of hosts phase starts. In this phase, it is first determined whether or not the iSCSI target requires authentication of the host. If the iSCSI target does not require authentication of the host, the host connects to the array without authentication. If the iSCSI target requires authentication of the host, authentication is performed for the host. When the host is successfully authenticated, processing goes to the next phase.

After authentication of the host succeeds, if the host requires user authentication for the iSCSI target that is the connection target, the authentication of iSCSI targets phase starts. In this way, iSCSI targets and hosts authenticate with each other, that is, mutual authentication. In the authentication of iSCSI targets phase, if the host does not require user authentication for the iSCSI target, the host connects to the array without authentication of the iSCSI target.

The following explains the settings required for user authentication. The settings for authentication of iSCSI targets are needed only when performing mutual authentication.
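
The two phases above can be traced in a short model. This is an added example, not code from the manual or from the array: it assumes the standard CHAP response calculation with MD5 (RFC 1994), and the dictionary fields, names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify(registered: dict, name: str, ident: int,
           challenge: bytes, response: bytes) -> bool:
    """Authenticator side: check a response against registered user information."""
    secret = registered.get(name)
    if secret is None:  # peer's user information is not registered
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def login(target: dict, host: dict):
    """Run both phases described above; return (connected, reason)."""
    if not target["requires_host_auth"]:
        return True, "connected without authentication"
    # Phase 1: the iSCSI target challenges the host.
    ident, challenge = 1, os.urandom(16)
    answer = chap_response(ident, host["secret"], challenge)  # host's reply
    if not verify(target["users"], host["name"], ident, challenge, answer):
        return False, "authentication of host failed"
    if not host["requires_target_auth"]:
        return True, "connected, host authenticated"
    # Phase 2 (mutual): the host challenges the iSCSI target.
    ident, challenge = 2, os.urandom(16)
    answer = chap_response(ident, target["secret"], challenge)  # target's reply
    if not verify(host["users"], target["name"], ident, challenge, answer):
        return False, "authentication of iSCSI target failed"
    return True, "connected, mutual authentication"

# Constructed sample user information (not from the manual).
HOST_SECRET, TARGET_SECRET = b"host-secret-0001", b"tgt-secret-00002"
TARGET = {"name": "tgt01", "secret": TARGET_SECRET, "requires_host_auth": True,
          "users": {"host01": HOST_SECRET}}
HOST = {"name": "host01", "secret": HOST_SECRET, "requires_target_auth": True,
        "users": {"tgt01": TARGET_SECRET}}

if __name__ == "__main__":
    print(login(TARGET, HOST))
```

The secret itself never crosses the wire, only the digest over a fresh random challenge. The model also shows that a target with host authentication disabled admits any host, whatever secret the host holds.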
