use Null DH-CHAP or CHAP (Challenge Handshake Authentication Protocol with a Null
Diffie-Hellman algorithm) as the authentication method.
User authentication is performed in a fibre channel environment in three phases:
1. A host group of the storage system authenticates a host that attempts to connect
   (authentication of hosts).
2. The host authenticates the connection-target host group of the storage system
   (authentication of host groups).
   CAUTION: Because the host bus adapters at present do not support this function, this
   authentication phase is unusable in the fibre channel environment.
3. A target port of the storage system authenticates a fabric switch that attempts to connect
   (authentication of fabric switches).
The storage system performs user authentication by host groups. Therefore, the host groups and
hosts need to have their own user information for performing user authentication.
When a host attempts to connect to the storage system, the authentication of hosts phase starts. In
this phase, first it is determined whether the host group requires authentication of the host. If it does
not, the host connects to the storage system without authentication. If it does, authentication is
performed for the host, and when the host is authenticated successfully, processing goes on to the
next phase.
After successful authentication of the host, if the host requires user authentication for the host group
that is the connection target, the authentication of host groups phase starts. In this way, the host
groups and hosts authenticate with each other, that is, mutual authentication. In the authentication
of host groups phase, if the host does not require user authentication for the host group, the host
connects to the storage system without authentication of the host group.
The settings for authentication of host groups are needed only when you want to perform mutual
authentication. The following topics explain the settings required for user authentication.
• “Settings for authentication of hosts” (page 187)
• “Settings for authentication of ports (required if performing mutual authentication)” (page 187)
Settings for authentication of hosts
On the storage system, use LUN Manager to specify whether to authenticate hosts on each host
group.
On a host group that performs authentication, register user information (group name, user name,
and secret) of the hosts that are allowed to connect to the host group. A secret is a password used
in CHAP authentication. When registering user information, you can also specify whether to enable
or disable authentication on a host basis.
On hosts, configure the operating system and fibre channel host bus adapter driver for authentication
by host groups with CHAP. You need to specify the user name and secret of the host used for
CHAP. For details, see the documentation of the operating system and fibre channel host bus
adapter driver in your environment.
Settings for authentication of ports (required if performing mutual authentication)
On the storage system, use LUN Manager to specify user information (user name and secret) of
each host group.
On hosts, configure the operating system and fibre channel host bus adapter driver for authenticating
host groups with CHAP. You need to specify the user name and secret of the host group that is the
connection target. For details, see the documentation of the operating system and fibre channel
host bus adapter driver in your environment.
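The host and host group phases and the user information described above, modelled as an added example (not code from the storage system or its documentation). It assumes an RFC 1994-style CHAP response, MD5(identifier || secret || challenge), and hypothetical names (HostGroup, Host, verify, connect); the fibre channel message format is not modelled, and all user names and secrets are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass
class HostGroup:                       # storage-system side (hypothetical model)
    auth_hosts: bool                   # does this host group authenticate hosts?
    hosts: dict = field(default_factory=dict)  # registered host user name -> secret
    user: str = ""                     # host group's own user info (mutual auth)
    secret: bytes = b""


@dataclass
class Host:                            # host / HBA driver side (hypothetical model)
    user: str
    secret: bytes
    auth_group: bool = False           # does the host authenticate the host group?
    groups: dict = field(default_factory=dict)  # host group user name -> secret


def verify(claimed_secret: bytes, known_secret, ident: int) -> bool:
    """Verifier issues a fresh challenge; peer answers with its own secret."""
    if known_secret is None:           # peer is not registered on the verifier
        return False
    challenge = os.urandom(16)
    response = chap_response(ident, claimed_secret, challenge)   # peer side
    expected = chap_response(ident, known_secret, challenge)     # verifier side
    return hmac.compare_digest(response, expected)               # constant time


def connect(host: Host, group: HostGroup) -> str:
    if not group.auth_hosts:           # phase 1 not required by the host group
        return "connected: no authentication"
    if not verify(host.secret, group.hosts.get(host.user), ident=1):
        return "rejected: host authentication failed"
    if not host.auth_group:            # phase 2 not required by the host
        return "connected: host authenticated"
    if not verify(group.secret, host.groups.get(group.user), ident=2):
        return "rejected: host group authentication failed"
    return "connected: mutual authentication"
```

The secret never crosses the link in either phase: only the challenge and the hash do, which is why both sides must hold the same registered user name and secret beforehand.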