vSphere Storage - ESXi 5.1 - Documentation - VMware
vSphere Storage - ESXi 5.1 - Documentation - VMware
vSphere Storage - ESXi 5.1 - Documentation - VMware
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>vSphere</strong> <strong>Storage</strong><br />
6 Rescan the iSCSI adapter.<br />
If the static target was dynamically discovered, you need to remove it from the storage system before<br />
performing the rescan. Otherwise, your host will automatically discover and add the target to the list of<br />
static targets when you rescan the adapter.<br />
Configuring CHAP Parameters for iSCSI Adapters<br />
Because the IP networks that the iSCSI technology uses to connect to remote targets do not protect the data<br />
they transport, you must ensure security of the connection. One of the protocols that iSCSI implements is the<br />
Challenge Handshake Authentication Protocol (CHAP), which verifies the legitimacy of initiators that access<br />
targets on the network.<br />
CHAP uses a three-way handshake algorithm to verify the identity of your host and, if applicable, of the iSCSI<br />
target when the host and target establish a connection. The verification is based on a predefined private value,<br />
or CHAP secret, that the initiator and target share.<br />
<strong>ESXi</strong> supports CHAP authentication at the adapter level. In this case, all targets receive the same CHAP name<br />
and secret from the iSCSI initiator. For software and dependent hardware iSCSI adapters, <strong>ESXi</strong> also supports<br />
per-target CHAP authentication, which allows you to configure different credentials for each target to achieve<br />
greater level of security.<br />
Choosing CHAP Authentication Method<br />
<strong>ESXi</strong> supports unidirectional CHAP for all types of iSCSI initiators, and bidirectional CHAP for software and<br />
dependent hardware iSCSI.<br />
Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system and check the CHAP<br />
authentication method the system supports. If CHAP is enabled, enable it for your initiators, making sure that<br />
the CHAP authentication credentials match the credentials on the iSCSI storage.<br />
<strong>ESXi</strong> supports the following CHAP authentication methods:<br />
Unidirectional CHAP In unidirectional CHAP authentication, the target authenticates the initiator,<br />
but the initiator does not authenticate the target.<br />
Bidirectional CHAP In bidirectional CHAP authentication, an additional level of security enables<br />
the initiator to authenticate the target. <strong>VMware</strong> supports this method for<br />
software and dependent hardware iSCSI adapters only.<br />
For software and dependent hardware iSCSI adapters, you can set unidirectional CHAP and bidirectional<br />
CHAP for each adapter or at the target level. Independent hardware iSCSI supports CHAP only at the adapter<br />
level.<br />
When you set the CHAP parameters, specify a security level for CHAP.<br />
NOTE When you specify the CHAP security level, how the storage array responds depends on the array’s<br />
CHAP implementation and is vendor specific. For information on CHAP authentication behavior in different<br />
initiator and target configurations, consult the array documentation.<br />
Table 11-4. CHAP Security Level<br />
CHAP Security Level Description Supported<br />
None The host does not use CHAP authentication. Select this<br />
option to disable authentication if it is currently enabled.<br />
Use unidirectional CHAP if<br />
required by target<br />
The host prefers a non-CHAP connection, but can use a<br />
CHAP connection if required by the target.<br />
Software iSCSI<br />
Dependent hardware iSCSI<br />
Independent hardware<br />
iSCSI<br />
Software iSCSI<br />
Dependent hardware iSCSI<br />
102 <strong>VMware</strong>, Inc.