Use iSCSI to set up IP Storage Network iSCSI Security Settings

Advantages of iSCSI Technology

Compared with traditional SCSI technology, iSCSI technology has three revolutionary changes:

The original SCSI used only on the local machine is transmitted through the TCP/IP network, so that the connection distance can be extended in an unlimited region;

The number of connected servers is infinite (the upper limit of the original SCSI-3 is 15 );

Because it is a server architecture, online resizing and dynamic deployment can also be realized.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/4C/C3/wKiom1RE97mzGA7mAAKsGOWWPtQ203.jpg "Title =" image 1.png "alt =" wkiom1re97mzga7maaksgowwptq203.jpg "/>

Necessity for authorizing access to iSCSI Disks

Only client host a is allowed to connect to disk partition 1 shared by target, while client host B is only allowed to connect to disk partition 2 shared by target.

Case:

There is a PC-structured iSCSI target server. The shared hard disk is identified as/dev/SDC and/dev/SDD. The size is 10 GB and 5 GB, respectively, share/dev/SDD to a Windows client host with the IP address 192.168.12.136, And/dev/SDC to a Linux client host with the IP address 192.168.12.235, the IP address of the iSCSI target server is 192.168.12.246.

Install iSCSI target software

Iscsitarget: http://iscsitarget.sourceforge.net

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/4C/C5/wKioL1RFIWSQxxwrAANHAZgl9u8273.jpg "Title =" image 1.png "alt =" wkiol1rfiwsqxxwraanhazgl9u8273.jpg "/>

[[Email protected] iSCSI] # tar-xzvf iscsitarget-1.4.20.1.tar.gz

[[Email protected] iSCSI] # cd iscsitarget-1.4.20.1

[[Email protected] iscsitarget-1.4.20.1] # Make

[[Email protected] T iscsitarget-1.4.20.1] # make install

[[Email protected] iSCSI] # service iSCSI-target restart

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M00/4C/C5/wKioL1RFCuPxU5zQAAP64Ay_68s081.jpg "Title =" image 1.png "alt =" wkiol1rfcupxu5zqaap64ay_68s081.jpg "/>

2.Add/etc/TGT/targets. conf as follows:

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/4C/C5/wKioL1RFC_3iqcHPAAFdhIyrm8k222.jpg "Title =" image 1.png "alt =" wkiol1rfc_3iqchpaafdhiyrm8k222.jpg "/>

3. Restart the tgtd service and set it to boot:

/Etc/init. d/tgtd restart
Chkconfig tgtd on

Client

Yum install iSCSI-initiator-utils

Iscsi shared volume of the server 192.168.12.246 found

Iscsiadm-M discovery-T sendtargets-P 192.168.12.246

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/4C/C5/wKioL1RFFO2DARsyAAIe_cbBVd8410.jpg "Title =" image 1.png "alt =" wkiol1rffo2darsyaaie_cbbvd8410.jpg "/>

As long as the client can be connected, there are two ways to authorize access to the target server so that the target server can establish a regular connection.

1. IP-based

Modify the/etc/Iet/initiators. allow file

Iqn.2010-11.net. ixdba: SDC 192.168.12.235.

Iqn.2010-11.net. ixdba: SDD 192.168.12.136

3. The initiator host obtains iSCSI target resources through password authentication.

(1) modify the/etc/Iet/initiators. allow file. The modified content is as follows:

# Iqn.2010-11.net. ixdba: SDC 192.168.12.235

# Iqn.2010-11.net. ixdba: SDD 192.168.12.136

All all

3. The initiator host obtains iSCSI target resources through password authentication.

(2) modify the/etc/Iet/ietd. conf file. The modified content is as follows:

Incominguser discovery. Auth discoverysecret

The first "incominguser" is a global parameter used to specify the account and password used for discovery query authentication. It must be consistent with the username and password set in the initiator host.

Target iqn.2010-11.net. ixdba: SDD

Incominguser login. Windows. Auth windowssecret

Lun 0 Path =/dev/SDD, type = fileio

Target iqn.2010-11.net. ixdba: SDC

Incominguser login. Linux. Auth linuxsecret

Lun 0 Path =/dev/SDC, type = fileio

The initiator host obtains iSCSI target resources through password authentication.

(2) modify the/etc/Iet/ietd. conf file. The modified content is as follows:

Target iqn.2010-11.net. ixdba: SDD

Incominguser login. Windows. Auth windowssecret

Lun 0 Path =/dev/SDD, type = fileio

Target iqn.2010-11.net. ixdba: SDC

Incominguser login. Linux. Auth linuxsecret

Lun 0 Path =/dev/SDC, type = fileio

The second and third "incominguser" options are included in the corresponding target, which is used to specify the account password used when the Windows and Linux client hosts log on to the target/iqn/Lun. It must also be consistent with the username and password set in the initiator host.

(3) configure the Linux initiator host

Modify the/etc/iSCSI/iscsid. conf file and add the following options:

# The following three are for login

Node. session. Auth. authmethod = chap # indicates that chap verification is enabled in login.

Node. session. Auth. Username = login. Linux. Auth # verify the user name, which can be any character, but must be the same as the name configured in incominguse on the target end.

Node. session. Auth. Password = linuxsecret # verify the password, which must be consistent with the password set by the incominguse option of the target.

Configure Linux initiator host

# The following three are for the Discovery

Discovery. sendtargets. Auth. authmethod = chap # indicates that chap verification is enabled during discovery.

Discovery. sendtargets. Auth. Username = discovery. Auth # verify the user name. It can be any character, but it must be the same as the name configured for incominguse on the target end.

Discovery. sendtargets. Auth. Password = discoverysecret # verify the password, which must be consistent with the password set by the incominguse option on the target side.

After the configuration is complete, restart initiator and re-execute the discovery query as follows:

[[Email protected] initiator iSCSI] #/etc/init. d/iSCSI restart

[[Email protected] initiator iSCSI] # iscsiadm-M discovery-T sendtargets-P 192.168.12.246

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/4C/C6/wKioL1RFKcfhgWTqAAKFx3F7bM0694.jpg "Title =" image 1.png "alt =" wkiol1rfkcfhgwtqaakfx3f7bm0694.jpg "/>

This article is from the "diaosi life" blog and will not be reproduced!

Use iSCSI to set up IP Storage Network iSCSI Security Settings