2.4 Configuring iSCSI Targets

For information on configuring iSCSI targets that use iSCSI storage routers, refer to your iSCSI storage router documentation.

To configure an iSCSI target on a NetWare server, you must create an iSCSI partition, load iSCSI target software, configure access control to the target, and then create pools and volumes on the target from an iSCSI initiator.

In order to configure an iSCSI target using NetWare Remote Manager, NetWare Remote Manager must be configured and working properly on a secure port. See Accessing Novell Remote Manager for NetWare in the OES 2: Novell Remote Manager for NetWare Administration Guide for more information.

NOTE:iSCSI initiators cannot connect to NetWare servers functioning as iSCSI targets unless access control is configured.

2.4.1 Creating iSCSI Partitions

If you are using a NetWare server for an iSCSI target device, you can use either the NSSMU utility or NetWare Remote Manager to create iSCSI partitions.

Using NSSMU

  1. Start the NSSMU utility by entering nssmu at the target server console.

  2. Select Partitions from the Main menu.

  3. Press Insert and select the device where you want to create the partition.

  4. Select iSCSI as the partition type.

  5. Specify the partition size, then select Create to create the partition.

Using NetWare Remote Manager

  1. In the left column of the NetWare Remote Manager page under the Manage Server section, click Partition Disks.

    A screen appears displaying a list of devices that are currently accessible to servers in the cluster. For each device, the list displays the partitions, NSS pools, volumes, and free space on that device.

  2. Find the device where you want to create the iSCSI partition (on the iSCSI target), then click Create.

  3. Select Novell iSCSI as the partition type, then click Create a New Partition.

  4. Specify the desired partition size, then click Create to create the iSCSI partition.

2.4.2 Loading iSCSI Target Software

To load iSCSI Target software, you should set up your NetWare 6.5 server to load the Target software automatically. This can be done during the NetWare 6.5 server installation by choosing either the iSCSI SAN Storage Server option as part of a Pattern Installation, or the iSCSI Target component in the Customized NetWare Server installation. Choosing either installation option will automatically configure iSCSI target software on the server and cause the software to load automatically when the server starts.

Choosing either iSCSI installation option causes the following to happen automatically:

  1. TON.NCF is added to the autoexec.ncf file of the server.

    TON.NCF is used to start iSCSI target software on the server with access control enabled.

  2. TINIT.NCF runs iscsitar.nlm with the -l, -p, and -s parameters.

    NOTE:The command line switches referenced above are used with iscsitar.nlm, not TINIT.NCF. Because the above process happens automatically, there is no need to manually run TINIT.NCF.

    • -l is the fully distinguished LDAP name for admin.

    • -p is the admin password

    • -s is the fully distinguished LDAP name for the iSCSI target server.

    The admin name, target server name and the admin password are recorded during the NetWare 6.5 installation. They are then encrypted and saved in the sys:\etc\iscsi.lss file.

If you already have a NetWare 6.5 server that is not an iSCSI target installed and configured, you can make that server an iSCSI target by choosing the iSCSI Target component as part of a post-installation. For more information on NetWare 6.5 installation options and post-installation procedures, see the OES 2: NetWare Installation Guide.

iSCSI target software can be unloaded by entering toff at the target server console.

iSCSI target software can be manually reloaded by entering ton at the target server console.

2.4.3 Creating NSS Partitions, Pools, and Volumes

On an iSCSI initiator with target session running, initialize and partition the iSCSI partition on the target using NSSMU or NetWare Remote Manager.

After configuring an iSCSI initiator and creating an iSCSI target session, create pools and volumes on the iSCSI target from the initiator server using NSSMU or NetWare Remote Manager. See Section 2.5, Configuring iSCSI Initiators for information on configuring iSCSI initiators and creating iSCSI target sessions.

The iSCSI partition acts similar to a disk device (LUN). Servers running iSCSI initiator software see the iSCSI partition as a LUN. For this reason, it is still necessary to create an NSS partition on the iSCSI partition. The process for creating and configuring NSS partitions, pools, and volumes is the same for both iSCSI and fibre channel SANs. See the OES 2: Novell Cluster Services 1.8.3 for NetWare Administration Guide for more information.

2.4.4 Configuring Access Control to iSCSI Targets

If your iSCSI target service is running on a NetWare server, you can control or limit access to targets through LDAP access control. LDAP access control is enabled by default, and uses Novell eDirectory™ to provide the ability to control the initiators that can access your iSCSI targets. iSCSI initiators will not be able to connect to NetWare servers functioning as iSCSI targets until you configure access control for each initiator.

Controlling initiator access to your iSCSI targets is necessary to prevent data corruption. Data corruption can occur if two initiators attempt to access the same target device at the same time in an uncoordinated way. Novell Cluster Services software provides the necessary coordination for multi-initiator access. Multiple initiators accessing the same target device can occur if any of the following conditions applies:

  • Your iSCSI target server is accessible from multiple servers that do not have cluster software installed or running.

  • Your iSCSI target is accessible from multiple servers that have cluster software installed and running, but the servers are in separate or different clusters.

  • Your iSCSI target is accessible from multiple servers running different operating systems (NetWare, Linux*, etc.).

Because LDAP access control is enabled by default when iSCSI target software is installed and loaded, you just need to make the initiators that will access the iSCSI target, trustees of the Target object. Making iSCSI initiators trustees of an iSCSI target object is also necessary to properly secure iSCSI targets.

  1. If your iSCSI target is in the same eDirectory tree as the iSCSI initiators that will access it, make each initiator server that you want to access the target a trustee of the Target object.

    You don't need to assign specific access rights, you just need to make each Initiator object a trustee of the Target object.

    When iSCSI target software is first started on a server, an iSCSI target object for each iSCSI partition is automatically created in the same eDirectory context as the target server.

  2. (Conditional) If your iSCSI target is not in the same eDirectory tree as the iSCSI initiators that will access it, create initiator objects, and make them trustees of the Target object.

    1. In the eDirectory tree where the iSCSI target object resides, create a separate Initiator object to represent each iSCSI initiator that you want to access the iSCSI target.

      Use the same name for the Initiator object as the initiator server it represents.

      If a question mark (?) appears next to the Initiator objects that you create, it indicates that a snap-in is not present. This does not adversely affect the trustee assignments.

    2. Make each Initiator object a trustee of the Target object.

      Do not change any of the defaults while completing this step.

    3. At the server console of an iSCSI initiator server, enter iscsi list and record the initiator's Internet Qualified Name (IQN).

    4. Change the initiator server's IQN to correspond to the applicable Initiator object you just created in the target server's eDirectory tree by entering iscsi set InitiatorName=baseIQN:initiator_objectdn at the initiator server console.

      For example, if after entering iscsi list at the server console, the server's current IQN and distinguished name (dn) displays as

      InitiatorName=iqn.1984-08.com.novell:.SERV1.acme.ACMETREE.

      and the distinguished name of the initiator object you created in the eDirectory tree where the iSCSI target resides is

      SERV1.sales.SALESTREE

      then you would enter the following at the iSCSI initiator server console:

      iscsi set InitiatorName=iqn.1984-08.com.novell:.SERV1.sales.SALESTREE.

NOTE:As is illustrated in the above example, the eDirectory tree name is required when specifying the distinguished name of the iSCSI Initiator object.

NOTE:Do not user underscore characters when specifying the intitiator server's IQN, the eDirectory tree, or the distinguished name of the initiator object. Underscore characters are not RFC compliant.

LDAP access control ensures that only the initiators that are trustees of the Target object are able to access that target. Without LDAP access control, any initiator that could connect to a target could access the storage devices on that target.