
007. iSCSI server CHAP bidirectional authentication configuration

2022-05-15 07:34:31 Mu er

One iSCSI and CHAP introduction

1.1 iSCSI disk

  • iSCSI back-end storage supports several device types, mainly:
  • a file
  • a single partition
  • a whole disk
  • a disk array
  • RAID
  • LVM

This manual uses the bare disk vdb as its example; for the other types refer to 《002.iSCSI Server side multi type configuration 》.

At the same time, out of consideration for the security of a production environment, this manual combines the configuration with CHAP authentication.

1.2 CHAP introduction

Authentication based on IP address alone is coarse; for environments with high security requirements, CHAP authentication is more secure.

CHAP (Challenge-Handshake Authentication Protocol) is a two-way authentication protocol; it also supports one-way authentication.

For iSCSI, the CHAP mechanism provides two forms of authentication: initiator authentication and target authentication.

1.2.1 initiator authentication

When an initiator tries to connect to a target, the initiator must provide a user name and password to the target in order to be authenticated by the target.

In other words, the initiator needs to be authenticated by the target, and the account and password the initiator presents to the target are the ones specified on the target.

From the target's point of view this account and password come in, so they are described as incoming.

This account and password are therefore called the incoming account and incoming password.

That is, the incoming account is the one the initiator side supplies to the target side, and the target side authenticates it.

1.2.2 target authentication

When an initiator tries to connect to a target, the target sometimes also needs to be authenticated by the initiator, to make sure the target is legitimate rather than a disguised target. This requires the target to provide a user name and password to the initiator in order to be authenticated by the initiator.

The account and password the target presents to the initiator flow out of the target, so they are called outgoing.

This account and password are therefore called the outgoing account and outgoing password.

For the initiator they are incoming, so in the initiator's configuration file they are marked with _in.

In other words, the outgoing account is the one the target side supplies to the initiator side and the initiator authenticates; nevertheless, the account and password are still created and bound on the target side.

1.2.3 One-way / two-way authentication

The two authentication methods are hierarchical.

Generally, when authentication is required, the server verifies whether the client has permission; iSCSI is no different.

Initiator authentication can exist alone, i.e. without target authentication; in that case CHAP authentication is one-way (the target authenticates the legitimacy of the initiator).

Target authentication, however, exists only on the basis of initiator authentication; that is, target authentication and initiator authentication must be present at the same time. When the initiator and the target authenticate each other, this is two-way (mutual) CHAP authentication.

Note: both discovery authentication and login authentication support one-way / two-way authentication.
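To make the two directions concrete, the following is an added Python simulation of the CHAP exchange between an initiator and a target; it is example code written for this page, not part of the original post or of targetcli/open-iscsi. It assumes MD5 CHAP (CHAP_A=5, the algorithm iSCSI uses), random identifiers and challenges, and uses the page's account names (user01/u1pass for incoming, muser01/m1pass for outgoing) only as constructed sample values. Note how initiator authentication must succeed before target authentication even starts, how a target without outgoing credentials fails mutual authentication, and the reflection check (a target must refuse to answer its own challenge when it is sent back) that the iSCSI RFC requires:

```python
import hashlib
import hmac
import os


def chap_response(chap_id, secret, challenge):
    """CHAP with MD5 (CHAP_A=5): response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


class Target:
    """Target side. `incoming` is the (userid, secret) the initiator must present
    (targetcli: userid/password on the ACL); `outgoing` is the (mutual_userid, secret)
    the target answers with when the initiator authenticates it, or None for one-way CHAP."""

    def __init__(self, incoming, outgoing=None):
        self.incoming = incoming
        self.outgoing = outgoing
        self.chap_id = None
        self.challenge = None

    def send_challenge(self):
        """Target -> initiator: CHAP_I (identifier) and CHAP_C (random challenge)."""
        self.chap_id = os.urandom(1)[0]
        self.challenge = os.urandom(16)
        return self.chap_id, self.challenge

    def verify_initiator(self, chap_n, chap_r):
        """Initiator -> target: CHAP_N (name) and CHAP_R (response). Initiator authentication."""
        userid, secret = self.incoming
        expected = chap_response(self.chap_id, secret, self.challenge)
        return chap_n == userid and hmac.compare_digest(expected, chap_r)

    def answer_challenge(self, chap_i, chap_c):
        """Initiator -> target: its own CHAP_I/CHAP_C. Target authentication: the target
        answers with CHAP_N/CHAP_R built from the outgoing secret, or None if it cannot."""
        if self.outgoing is None:
            return None  # target authentication was never configured on the target
        if chap_c == self.challenge:
            return None  # RFC 7143 12.1.3: a reflected challenge must be refused
        userid, secret = self.outgoing
        return userid, chap_response(chap_i, secret, chap_c)


class Initiator:
    """Initiator side; the names mirror iscsid.conf (username/password for what it
    sends, username_in/password_in for what it expects back from the target)."""

    def __init__(self, username, password, username_in=None, password_in=None):
        self.username, self.password = username, password
        self.username_in, self.password_in = username_in, password_in

    def login(self, target):
        """Run the exchange; returns (initiator_authenticated, target_authenticated),
        where target_authenticated is None when only one-way CHAP was requested."""
        chap_i, chap_c = target.send_challenge()
        if not target.verify_initiator(self.username, chap_response(chap_i, self.password, chap_c)):
            return False, False  # login fails; target authentication never starts
        if self.username_in is None:
            return True, None  # one-way CHAP: the target's legitimacy is not checked
        my_id, my_challenge = os.urandom(1)[0], os.urandom(16)
        answer = target.answer_challenge(my_id, my_challenge)
        if answer is None:
            return True, False
        chap_n, chap_r = answer
        expected = chap_response(my_id, self.password_in, my_challenge)
        return True, chap_n == self.username_in and hmac.compare_digest(expected, chap_r)


def demo():
    """Constructed credentials taken from the page's example values."""
    target = Target(incoming=("user01", b"u1pass"), outgoing=("muser01", b"m1pass"))
    one_way_target = Target(incoming=("user01", b"u1pass"))
    return {
        "one_way": Initiator("user01", b"u1pass").login(target),
        "mutual": Initiator("user01", b"u1pass", "muser01", b"m1pass").login(target),
        "wrong_incoming": Initiator("user01", b"wrong", "muser01", b"m1pass").login(target),
        "wrong_outgoing": Initiator("user01", b"u1pass", "muser01", b"wrong").login(target),
        "target_auth_missing": Initiator("user01", b"u1pass", "muser01", b"m1pass").login(one_way_target),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: initiator_ok={result[0]} target_ok={result[1]}")
```

The `wrong_outgoing` case is the one that distinguishes two-way from one-way CHAP: the initiator is accepted by the target, but because the target cannot prove knowledge of the outgoing secret the initiator expects, the initiator side rejects the session.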

Two iSCSI creation steps

  1. Create a disk for sharing
  2. Create a backstore
  3. Create the corresponding IQN
  4. Create the corresponding ACL rule
  5. Create a LUN from the backstore
  6. Create the two-way authentication account and password
  7. Specify the listening IP and port
  8. Check and save the configuration
  9. Open the firewall rules
  10. Enable and start the service

Three Preparation

3.1 Environment preparation

Host name    IP            Remarks
iscsi        172.24.8.72   iSCSI server
client       172.24.8.71   iSCSI client

3.2 View the raw disk

[root@iscsi ~]# fdisk -l

Disk /dev/sdb: 1073 MB, 1073741824 bytes, 2097152 sectors

Four Create the backstore

4.1 Install related software

[root@iscsi ~]# yum -y install targetcli

4.2 Interactive settings

targetcli supports the following backstore types:

  • block: a defined block device, such as a disk drive, a disk partition, an LVM volume, etc.
  • fileio: a file of the specified size, e.g. one created with dd if=/dev/zero of=……
  • pscsi: a physical SCSI pass-through device; this type is not usually used
  • ramdisk: a ramdisk device of the specified size, created in memory

[root@iscsi ~]# targetcli                                                                       # Enter the targetcli interactive configuration shell
targetcli shell version 2.1.53
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
 
/> /backstores/block create block1 /dev/sdb                                                    # Create the raw disk as a backstore
/> /iscsi create wwn=iqn.2022-11.com.imxhy:disk01                                              # Create an IQN with the chosen name
/> /iscsi/iqn.2022-11.com.imxhy:disk01/tpg1/luns create /backstores/block/block1               # Create a LUN from the backstore block1 just created
/> /iscsi/iqn.2022-11.com.imxhy:disk01/tpg1/acls create iqn.2021-11.com.imxhy:client           # Only the initiator iqn.2021-11.com.imxhy:client may use the disk this iSCSI service provides
/> /iscsi/iqn.2022-11.com.imxhy:disk01/tpg1/portals/ delete 0.0.0.0 3260                       # Delete the default listener on all addresses
/> /iscsi/iqn.2022-11.com.imxhy:disk01/tpg1/portals/ create 172.24.8.72 3260                   # Listen for client connections only on the local IP
 
/> /iscsi/ set discovery_auth enable=1 userid=discover password=discoverps                     # Optional; this experiment also enables discovery authentication
/> /iscsi/ get discovery_auth
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=True
-----------
The enable discovery_auth parameter.
 
mutual_password=
----------------
The mutual_password discovery_auth parameter.
 
mutual_userid=
--------------
The mutual_userid discovery_auth parameter.
 
password=discoverps
-------------------
The password discovery_auth parameter.
 
userid=discover
---------------
The userid discovery_auth parameter.
 
/> /iscsi/iqn.2022-11.com.imxhy:disk01/tpg1/acls/iqn.2021-11.com.imxhy:client/ set auth userid=user01 password=u1pass mutual_userid=muser01 mutual_password=m1pass   # Incoming (userid/password) and outgoing (mutual_*) CHAP credentials on the ACL
/> /iscsi/iqn.2022-11.com.imxhy:disk01/tpg1/acls/iqn.2021-11.com.imxhy:client/ get auth        # Check the configuration
AUTH CONFIG GROUP
=================
mutual_password=m1pass
----------------------
The mutual_password auth parameter.
 
mutual_userid=muser01
---------------------
The mutual_userid auth parameter.
 
password=u1pass
---------------
The password auth parameter.
 
userid=user01
-------------
The userid auth parameter.
 
/> ls /
o- / ......................................................................... [...]
  o- backstores .............................................................. [...]
  | o- block .................................................. [Storage Objects: 1]
  | | o- block1 ........................... [/dev/sdb (1.0GiB) write-thru activated]
  | |   o- alua ................................................... [ALUA Groups: 1]
  | |     o- default_tg_pt_gp ....................... [ALUA state: Active/optimized]
  | o- fileio ................................................. [Storage Objects: 0]
  | o- pscsi .................................................. [Storage Objects: 0]
  | o- ramdisk ................................................ [Storage Objects: 0]
  o- iscsi ........................................... [1-way disc auth, Targets: 1]
  | o- iqn.2022-11.com.imxhy:disk01 ...................................... [TPGs: 1]
  |   o- tpg1 ............................................... [no-gen-acls, no-auth]
  |     o- acls .......................................................... [ACLs: 1]
  |     | o- iqn.2021-11.com.imxhy:client ......................... [Mapped LUNs: 1]
  |     |   o- mapped_lun0 ................................ [lun0 block/block1 (rw)]
  |     o- luns .......................................................... [LUNs: 1]
  |     | o- lun0 ..................... [block/block1 (/dev/sdb) (default_tg_pt_gp)]
  |     o- portals .................................................... [Portals: 1]
  |       o- 172.24.8.72:3260 ................................................ [OK]
  o- loopback ......................................................... [Targets: 0]
 
/> exit                                                                                        # Exiting saves the configuration (auto_save_on_exit is enabled by default)

Tips on the operations above:

1: The ACL that is created is mapped to every LUN.

2: A LUN must be created under a TPG.

3: If no port is specified, the default port 3260 is used.

4: If no IP is specified, connections on all network interfaces defined on the server are allowed.

Five Open the firewall

[root@iscsi ~]# firewall-cmd --add-port=3260/tcp --permanent                  # Add the iSCSI port to the firewall
[root@iscsi ~]# firewall-cmd --add-service=iscsi-target --permanent           # Allow the iSCSI target service through the firewall
[root@iscsi ~]# firewall-cmd --reload

Six Enable the service

[root@iscsi ~]# systemctl enable target --now

Seven Client configuration

[root@client ~]# yum -y install iscsi-initiator-utils                         # Install the client
[root@client ~]# vim /etc/iscsi/initiatorname.iscsi                           # Set the initiator IQN to match the ACL created on the target
InitiatorName=iqn.2021-11.com.imxhy:client

[root@client ~]# vim /etc/iscsi/iscsid.conf                                   # Configure CHAP authentication (login and discovery)
……
node.session.auth.authmethod = CHAP
node.session.auth.username = user01
node.session.auth.password = u1pass
node.session.auth.username_in = muser01
node.session.auth.password_in = m1pass
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = discover
discovery.sendtargets.auth.password = discoverps
……

[root@client ~]# systemctl restart iscsid
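The values in iscsid.conf must line up exactly with what targetcli reports under `get auth` and `get discovery_auth`, and the most common mistake is swapping the plain and the `_in` names. The following is an added Python checker, written for this page rather than taken from the original post or from open-iscsi, that parses both files and reports every mismatch; the sample inputs are constructed copies of the page's iscsid.conf fragment and targetcli output, and the 12-16 byte warning reflects the secret length some initiators (for example the Windows iSCSI initiator) enforce, not a limit of LIO or open-iscsi:

```python
import re

# Matches "key = value" (iscsid.conf) and "key=value" (targetcli 'get' output); requiring an
# identifier before '=' skips the "====" rulers targetcli prints under its headings.
KV_LINE = re.compile(r"^\s*([A-Za-z_][\w.\[\]]*)\s*=\s*(.*?)\s*$")


def parse_kv(text):
    """Return {key: value}; blank lines, '#' comments, '……' elisions and rulers are skipped."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KV_LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


# initiator key -> target key. The initiator's *_in values are the target's mutual_*
# (outgoing) values; the plain values are the target's incoming userid/password.
PAIRS = {
    "username": "userid",
    "password": "password",
    "username_in": "mutual_userid",
    "password_in": "mutual_password",
}


def compare(prefix, initiator, target):
    """Compare one auth group (login or discovery); returns a list of mismatch messages."""
    errors = []
    if initiator.get(f"{prefix}.authmethod") != "CHAP":
        errors.append(f"{prefix}.authmethod is not CHAP")
    for ikey, tkey in PAIRS.items():
        iv, tv = initiator.get(f"{prefix}.{ikey}", ""), target.get(tkey, "")
        if iv != tv:
            errors.append(f"{prefix}.{ikey}={iv!r} does not match target {tkey}={tv!r}")
    return errors


def check_chap(iscsid_conf, acl_auth_output, discovery_auth_output):
    """Cross-check the client's iscsid.conf against the target's 'get auth' outputs."""
    ini = parse_kv(iscsid_conf)
    errors = compare("node.session.auth", ini, parse_kv(acl_auth_output))
    disc = parse_kv(discovery_auth_output)
    if disc.get("enable") == "True":  # discovery CHAP is only required when the target enables it
        errors += compare("discovery.sendtargets.auth", ini, disc)
    warnings = []
    for key in ("node.session.auth.password", "node.session.auth.password_in",
                "discovery.sendtargets.auth.password", "discovery.sendtargets.auth.password_in"):
        secret = ini.get(key, "")
        if secret and not 12 <= len(secret) <= 16:
            warnings.append(f"{key} is {len(secret)} bytes; some initiators (e.g. Windows) require 12-16")
    return {"errors": errors, "warnings": warnings}


# Constructed sample inputs, copied from the page's configuration and targetcli output.
ISCSID_CONF = """\
node.session.auth.authmethod = CHAP
node.session.auth.username = user01
node.session.auth.password = u1pass
node.session.auth.username_in = muser01
node.session.auth.password_in = m1pass
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = discover
discovery.sendtargets.auth.password = discoverps
"""

ACL_AUTH = """\
AUTH CONFIG GROUP
=================
mutual_password=m1pass
mutual_userid=muser01
password=u1pass
userid=user01
"""

DISCOVERY_AUTH = """\
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=True
mutual_password=
mutual_userid=
password=discoverps
userid=discover
"""

# A common mistake: the two account names swapped on the client side.
SWAPPED_CONF = ISCSID_CONF.replace("username = user01", "username = muser01") \
                          .replace("username_in = muser01", "username_in = user01")

if __name__ == "__main__":
    print(check_chap(ISCSID_CONF, ACL_AUTH, DISCOVERY_AUTH))
    print(check_chap(SWAPPED_CONF, ACL_AUTH, DISCOVERY_AUTH))
```

For the page's values the checker reports no errors, only length warnings; with the names swapped it flags both `username` and `username_in`, which on a real system shows up as a login that fails with "authorization failure" rather than a readable configuration error.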

Eight Client login

8.1 Discover targets

[root@client ~]# iscsiadm -m discovery -t sendtargets -p 172.24.8.72                         # Discover targets
172.24.8.72:3260,1 iqn.2022-11.com.imxhy:disk01

8.2 Log in

[root@client ~]# iscsiadm -m node -T iqn.2022-11.com.imxhy:disk01 -p 172.24.8.72 -l          # Log in to the target

8.3 Query information

[root@client ~]# iscsiadm -m session -o show
tcp: [23] 172.24.8.72:3260,1 iqn.2022-11.com.imxhy:disk01 (non-flash)
[root@client ~]# iscsiadm -m session -P 3        # Query detailed session information
iSCSI Transport Class version 2.0-870
version 6.2.0.874-22
Target: iqn.2022-11.com.imxhy:disk01 (non-flash)
        Current Portal: 172.24.8.72:3260,1
        Persistent Portal: 172.24.8.72:3260,1
                **********
                Interface:
                **********
                Iface Name: default
                Iface Transport: tcp
                Iface Initiatorname: iqn.2021-11.com.imxhy:client
                Iface IPaddress: 172.24.8.71
                Iface HWaddress: <empty>
                Iface Netdev: <empty>
                SID: 1
                iSCSI Connection State: LOGGED IN
                iSCSI Session State: LOGGED_IN
                Internal iscsid Session State: NO CHANGE
                *********
                Timeouts:
                *********
                Recovery Timeout: 120
                Target Reset Timeout: 30
                LUN Reset Timeout: 30
                Abort Timeout: 15
                *****
                CHAP:
                *****
                username: user01
                password: ********
                username_in: muser01
                password_in: ********
                ************************
                Negotiated iSCSI params:
                ************************
                HeaderDigest: None
                DataDigest: None
                MaxRecvDataSegmentLength: 262144
                MaxXmitDataSegmentLength: 262144
                FirstBurstLength: 65536
                MaxBurstLength: 262144
                ImmediateData: Yes
                InitialR2T: Yes
                MaxOutstandingR2T: 1
                ************************
                Attached SCSI devices:
                ************************
                Host Number: 3  State: running
                scsi3 Channel 00 Id 0 Lun: 0
                        Attached scsi disk sdb          State: running

[root@client ~]# iscsiadm -m node -o show
# BEGIN RECORD 6.2.0.874-22
node.name = iqn.2022-11.com.imxhy:disk01
node.tpgt = 1
node.startup = automatic
……
iface.transport_name = tcp
……
node.discovery_address = 172.24.8.72
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = CHAP
node.session.auth.username = user01
node.session.auth.password = ********
node.session.auth.username_in = muser01
node.session.auth.password_in = ********
……
node.session.scan = auto
node.conn[0].address = 172.24.8.72
node.conn[0].port = 3260
……

# END RECORD

[root@client ~]# fdisk -l                # The disk shared by the iSCSI server is now visible as a local disk

Nine Format and mount

9.1 Format and mount

Note:

1: At this point the disk can be used like a local disk: partitioned, formatted and so on;

2: It can be operated with RAID or LVM; with LVM the LV can be formatted afterwards.

[root@client ~]# mkfs.ext4 /dev/sdb                 # Format the iSCSI disk
[root@client ~]# mkdir -p /iscsdisk/sdb01            # Create the mount point for the sdb disk
[root@client ~]# mkdir -p /iscsdisk/lv01             # Create the mount point for an LVM partition
[root@client ~]# mount /dev/sdb /iscsdisk/sdb01/      # It can be mounted directly
[root@client ~]# vi /etc/fstab                      # Mount automatically at boot
……
/dev/sdb /iscsdisk/sdb01    ext4    defaults,_netdev    0 0     # _netdev: wait for the network and the iSCSI session before mounting; prefer UUID= over /dev/sdb since the device name can change

Copyright notice
Author [Mu er]. Please include the original link when reprinting, thank you.
https://en.chowdera.com/2022/131/202205102135065368.html
