iSCSI CHAP: one-way and mutual authentication


target: 172.16.0.111

initiator: 172.16.0.112


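Configuring one-way authentication of the initiator

To set up one-way authentication of the initiator, first create an account and password on the target and bind that account to a specific target, then configure the same account and password in the iscsid.conf file on the initiator.

1. On the target, create the account redhat with the password redhat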

tgtadm --lld iscsi --mode account --op new --user redhat --password redhat

2. On the target, bind the account to the specified target

tgtadm --lld iscsi --mode account --op bind --tid 1 --user redhat

tgtadm --lld iscsi --mode target --op show

Account information:

redhat

[root@master ~]# tgt-admin --show

Target 1: iqn.2013-07.net.test:target1
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
        I_T nexus: 6
            Initiator: iqn.1994-05.com.redhat:695a58551382
            Connection: 0
                IP Address: 172.16.0.112
    LUN information:
        LUN: 0
            Type: controller
            SCSI ID: IET 00010000
            SCSI SN: beaf10
            Size: 0 MB, Block size: 1
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: No
            Backing store type: null
            Backing store path: None
            Backing store flags:
        LUN: 1
            Type: disk
            SCSI ID: IET 00010001
            SCSI SN: beaf11
            Size: 21468 MB, Block size: 512
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: No
            Backing store type: rdwr
            Backing store path: /dev/sdb1
            Backing store flags:
    Account information:
        redhat
    ACL information:
        172.16.0.112

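Note: the redhat account is now bound to the target we just created.

Client side:

1. On the initiator, edit the iscsid.conf file

Note: the username and password must match the ones set on the server exactly; make sure they are typed correctly.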

vim /etc/iscsi/iscsid.conf

node.startup = automatic

# Enable CHAP
node.session.auth.authmethod = CHAP

# Username
node.session.auth.username = redhat

# Password
node.session.auth.password = redhat

# Set the timeout
node.session.timeo.replacement_timeout = 20

2. Restart the iscsid service

/etc/init.d/iscsid restart

Error message:

Starting iscsi: iscsiadm: Could not login to [iface: default, target: iqn.2013-07.net.test:target1, portal: 172.16.0.111,3260].

iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)


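Solution: run discovery again, log in again, and then restart the service. It is best to log out of the target before restarting. The settings in iscsid.conf are copied into a node record when the target is discovered, so a record created before the CHAP settings were added still holds the old values.

3. Log in to the target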

iscsiadm --mode discoverydb --type sendtargets --portal 172.16.0.111 --discover

iscsiadm --mode node --targetname iqn.2013-07.net.test:target1 --portal 172.16.0.111:3260 --login


Extras:

Delete an account

tgtadm --lld iscsi --mode account --op delete --user redhat


Two-way authentication (also called mutual authentication or bidirectional authentication)

1. On the target, create the outgoing account

tgtadm --lld iscsi --op new --mode account --user out_redhat --password out_redhat

2. On the target, bind the account to the corresponding target

tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_redhat --outgoing

tgtadm --lld iscsi --mode target --op show

tgt-admin --show

Account information:

redhat

out_redhat (outgoing)

3. On the initiator, edit the iscsid.conf file

vim /etc/iscsi/iscsid.conf

node.session.auth.username_in = out_redhat

node.session.auth.password_in = out_redhat

4. Log in to the target

iscsiadm --mode discoverydb --type sendtargets --portal 172.16.0.111 --discover

iscsiadm --mode node --targetname iqn.2013-07.net.test:target1 --portal 172.16.0.111:3260 --login


Extras:

(1) Unbind the incoming account redhat

tgtadm --lld iscsi --mode account --op unbind --tid 1 --user redhat

(2) Unbind the outgoing account out_redhat

tgtadm --lld iscsi --mode account --op unbind --tid 1 --user out_redhat --outgoing
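
An added example (not part of the original page and not code from the tgt or open-iscsi projects): a small shell check over the node.session.auth.* keys set in the one-way and two-way sections above. The function names, the finding labels and the 12-character floor are assumptions of this example; the floor corresponds to the 96-bit CHAP secret length in the iSCSI specification.

```shell
#!/bin/sh
# Added example: audit the CHAP keys of an iscsid.conf (one finding per line).

# get_key FILE KEY: print the value of the last uncommented "KEY = value" line.
get_key() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            name = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) v = val
        }
        END { print v }' "$1"
}

# audit_chap FILE: print findings; no output means no issue was found.
audit_chap() {
    method=$(get_key "$1" node.session.auth.authmethod)
    user=$(get_key "$1" node.session.auth.username)
    pass=$(get_key "$1" node.session.auth.password)
    user_in=$(get_key "$1" node.session.auth.username_in)
    pass_in=$(get_key "$1" node.session.auth.password_in)
    min=12   # assumed floor: 12 characters = 96 bits

    [ "$method" = "CHAP" ] || { echo "NO_CHAP: authmethod is not CHAP"; return 0; }
    { [ -n "$user" ] && [ -n "$pass" ]; } ||
        { echo "INCOMPLETE: username or password missing"; return 0; }
    [ "$pass" != "$user" ] || echo "WEAK: password equals username"
    [ "${#pass}" -ge "$min" ] || echo "SHORT: password shorter than $min characters"
    if [ -z "$user_in" ] || [ -z "$pass_in" ]; then
        echo "ONE_WAY: no username_in/password_in, the target is not authenticated"
    else
        [ "$pass_in" != "$pass" ] || echo "REUSED: password_in equals password"
        [ "${#pass_in}" -ge "$min" ] || echo "SHORT_IN: password_in shorter than $min characters"
    fi
    return 0
}

# Constructed sample using the page's one-way values (redhat / redhat).
sample=$(mktemp)
printf '%s\n' 'node.session.auth.authmethod = CHAP' \
    'node.session.auth.username = redhat' \
    'node.session.auth.password = redhat' > "$sample"
audit_chap "$sample"
rm -f "$sample"
```

On a real initiator, run `audit_chap /etc/iscsi/iscsid.conf`. Changing the secrets means changing them on the target as well, with the same tgtadm account commands shown above.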