2.5 Configuring iSCSI Initiators

NetWare iSCSI initiator software can be configured either at the server console using server console commands or remotely using NetWare Remote Manager. In order to configure an iSCSI initiator using NetWare Remote Manager, NetWare Remote Manager must be configured and working properly on a secure port. See Accessing Novell Remote Manager for NetWare in the OES 2: Novell Remote Manager for NetWare Administration Guide for more information.

2.5.1 Loading iSCSI Initiator Software and Connecting to an iSCSI Target

Using Server Console Commands

For each server that you want to function as an iSCSI initiator, do the following:

  1. Enter ion at the server console to load iSCSI initiator software.

    You can also enter ioff at the server console to unload iSCSI initiator software.

  2. Enter iscsinit connect a.b.c.d target_name at the server console.

    Replace a.b.c.d with the IP address of the iSCSI target device that is connected to the shared storage system.

    If the iSCSI target device is an iSCSI storage router, then this is the IP address of the storage router. If the iSCSI target device is a NetWare server, then this is the IP address of the NetWare server.

    Replace target_name with the iSCSI target name that is displayed after running the iscsinit discover a.b.c.dcommand. The iSCSI target name is case sensitive. You can leave the target name out to cause the initiator to connect to all available targets.

  3. (Optional) To use CHAP authentication when connecting to an iSCSI target, use the /CHAP command line option with the iscsinit connect command.

    For example, if you have configured a locally stored CHAP secret and you want CHAP to use it, you would enter iscsinit/chap connect a.b.c.d at the command line.

    If you want to use a user-supplied CHAP secret, you would enter iscsinit/chap=”sys:\system\chap.txt connect a.b.c.d at the command line.

    The chap.txt file must be created prior to running the command and must contain the following lines:

    OutgoingUsername=initiator name or agreed upon name

    OutgoingPassword=shared secret text

    You can configure and enable CHAP using NetWare Remote Manager. For more information on configuring and enabling CHAP, see Enabling and Configuring iSCSI Initiator Security.

If you want iSCSI initiator software to load automatically when servers start, you can add the commands in the above steps to the autoexec.ncf file of each initiator server.

Using NetWare Remote Manager

For each server that you want to function as an iSCSI initiator:

  1. Enter ion at the server to load iSCSI initiator software.

    You can do this either at the server console or remotely by using NetWare Remote Manager to access the server console.

  2. On the NetWare Remote Manager main page, click the iSCSI Services link at the bottom of the left column.

  3. Click Add Target and type the IP address of the iSCSI target device that is connected to the shared storage system.

    If the iSCSI target device is an iSCSI storage router, then this is the IP address of the storage router. If the iSCSI target device is a NetWare server, then this is the IP address of the NetWare server.

    Each target device can have multiple targets.

    If you want a list of possible target names for a given IP address, click Browse and type the IP address of the target device.

  4. Click Next, select the target name you want to establish a session with, then click Next.

2.5.2 Enabling and Configuring iSCSI Initiator Security

Configuring iSCSI initiator security consists of configuring the initiator-to-target authentication method. Challenge Handshake Authentication Protocol (CHAP) authentication is the method currently supported for initiator identity verification. CHAP protects against attacks and provides secure access between the iSCSI initiator and the target. If CHAP is not enabled, someone could potentially use the identity of a valid initiator to gain unauthorized access to iSCSI target devices. CHAP authentication is not enabled by default.

If your iSCSI target has CHAP enabled, you must enable CHAP on the initiators that will access that target, or target access will be denied. CHAP authentication is not currently supported on NetWare servers configured as iSCSI targets.

To enable and configure CHAP authentication using NetWare Remote Manager:

  1. On the NetWare Remote Manager main screen, click the iSCSI Services link at the bottom of the left column.

  2. Click the Security link.

    This brings up a page that lets you choose the initiator-to-target authentication method.

  3. Choose CHAP as the authentication method, then click Apply.

    If you choose CHAP, you must create a CHAP secret that will be used to ensure secure authentication between this initiator and the target.

  4. Click Create to bring up a page that lets you configure the CHAP secret.

    If you have already configured a locally stored CHAP secret, the Update, Delete, and Change To buttons appear to let you modify or delete your existing secret, or change it to a user supplied secret. If you have already chosen the user supplied secret option, a Change To button appears to let you change to a locally stored secret.

  5. Choose whether you want the CHAP secret to be locally stored or user supplied.

    A locally stored secret is encrypted and stored on the initiator server. The same locally stored secret is used each time a session is started between this initiator and the target. Selecting the Locally Stored Secret option brings up a page that lets you specify the CHAP username and secret.

    If you choose a user supplied CHAP secret, you will be prompted to create the CHAP secret each time you start a session between this initiator and the target. With this option, the CHAP secret is not stored on the initiator server, and it is not encrypted.

  6. (Conditional) If you chose to create a locally stored CHAP secret, view and if necessary edit the CHAP username and create a CHAP secret.

    The Initiator CHAP Username field is automatically filled in. It is the Internet Qualified Name (IQN) of this initiator. This field should not be changed unless you change the IQN of this initiator or you want to create or modify a CHAP locally stored secret for another initiator.

    The Initiator CHAP Secret can include any ASCII characters and should be at least 16 characters long. The secret is encrypted and stored locally on the initiator.

  7. Repeat the above steps to enable and configure CHAP authentication for each initiator server.