HP P2000 G3 MSA System SMU Reference Guide - Page 23

Related topics, About volume mapping - default login

Page 23 highlights

The Configuration View panel lists hosts by name, or if they are unnamed, by ID.

A storage system with iSCSI ports can be protected from unauthorized access via iSCSI by enabling Challenge Handshake Authentication Protocol (CHAP). CHAP authentication occurs during an attempt by a host to log in to the system. This authentication requires an identifier for the host and a shared secret between the host and the system. Optionally, the storage system can also be required to authenticate itself to the host; this is called mutual CHAP.

Steps involved in enabling CHAP include:
• Decide on host node names (identifiers) and secrets. The host node name is typically, but not limited to, its IQN. A secret must have 12-16 characters.
• Define CHAP entries in the storage system. If the node name is a host name, then it may be useful to display the hosts that are known to the system.
• Enable CHAP on the storage system. Note that this applies to all iSCSI hosts, in order to avoid security exposures.
• Define the CHAP secret(s) in the host iSCSI initiator.
• Request host login to the storage system. The host should be displayable by the system, as well as the ports through which connections were made.

If it becomes necessary to add more hosts after CHAP is enabled, additional CHAP node names and secrets can be added. If a host attempts to log in to the storage system, it will become visible to the system, even if the full login is not successful due to incompatible CHAP definitions. This information may be useful in configuring CHAP entries for new hosts. This information becomes visible when an iSCSI discovery session is established, because the storage system does not require discovery sessions to be authenticated.
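The CHAP and mutual CHAP exchange described above, as an added example that is not part of the guide or of HP's software: it computes the response value as RFC 1994 defines it and enforces the 12-16 character secret rule. The node names, secrets and the `login` helper are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET_MIN, SECRET_MAX = 12, 16  # secret length rule stated in the guide

def validate_secret(secret):
    """Return the secret as bytes, rejecting lengths outside 12-16 characters."""
    if not SECRET_MIN <= len(secret) <= SECRET_MAX:
        raise ValueError("CHAP secret must have 12-16 characters")
    return secret.encode("ascii")

def chap_response(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """The side that challenges a peer and checks it against its CHAP entries."""
    def __init__(self, entries):
        # entries: node name -> secret, as defined in the CHAP records
        self.entries = {n: validate_secret(s) for n, s in entries.items()}

    def new_challenge(self):
        self.ident, self.challenge = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.challenge

    def verify(self, node_name, response):
        secret = self.entries.get(node_name)
        if secret is None:  # no CHAP entry for this node name
            return False
        expected = chap_response(self.ident, secret, self.challenge)
        return hmac.compare_digest(expected, response)

# Constructed sample identifiers and secrets (not from the guide).
HOST, ARRAY = "iqn.1991-05.com.example:host1", "iqn.1986-03.com.example:array1"

def login(host_secret, array_secret, mutual=True):
    """Simulate one login; the arguments are what each peer actually has configured."""
    array_side = Authenticator({HOST: "host-secret-0001"})  # entry on the storage system
    host_side = Authenticator({ARRAY: "array-secret-001"})  # mutual CHAP entry on the host
    ident, chal = array_side.new_challenge()  # system challenges the host
    reply = chap_response(ident, validate_secret(host_secret), chal)
    if not array_side.verify(HOST, reply):
        return False
    if mutual:  # host challenges the storage system in turn
        ident, chal = host_side.new_challenge()
        reply = chap_response(ident, validate_secret(array_secret), chal)
        return host_side.verify(ARRAY, reply)
    return True
```

A mismatch in either direction fails the login, which is the "incompatible CHAP definitions" case the text mentions.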
Related topics
• Using the Configuration Wizard on page 35
• Changing host interface settings on page 44
• Adding a host on page 72
• Removing hosts on page 72
• Changing a host's name or profile on page 73
• Changing host mappings on page 73
• Viewing information about a host (page 100) or all hosts (page 99)

About volume mapping

Each volume has default host-access settings that are set when the volume is created; these settings are called the default mapping. The default mapping applies to any host that has not been explicitly mapped using different settings. Explicit mappings for a volume override its default mapping.

Default mapping enables all attached hosts to see a volume using a specified LUN and access permissions set by the administrator. This means that when the volume is first created, all connected hosts can immediately access the volume using the advertised default mapping settings. This behavior is expected by some operating systems, such as Microsoft Windows, which can immediately discover the volume. The advantage of a default mapping is that all connected hosts can discover the volume with no additional work by the administrator. The disadvantage is that all connected hosts can discover the volume with no restrictions. Therefore, this process is not recommended for specialized volumes that require restricted access.

You can change a volume's default mapping, and create, modify, or delete explicit mappings. A mapping can specify read-write, read-only, or no access through one or more controller host ports to a volume. When a mapping specifies no access, the volume is masked. You can apply access privileges to one or more of the host ports on either controller. To maximize performance, map a volume to at least one host port on the controller that owns it. To sustain I/O in the event of controller failure, map to at least one host port on each controller.

For example, a payroll volume could be mapped with read-write access for the Human Resources host and be masked for all other hosts. An engineering volume could be mapped with read-write access for the Engineering host and read-only access for other departments' hosts.
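The mapping rules above, modeled as an added example that is not the SMU's own code: it resolves a host's effective access (explicit mapping over default mapping) and audits a volume for an open default mapping and for port choices that miss the guide's performance and failover advice. The host names, the "A1"/"B1" port naming and the data model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Mapping:
    access: str          # "read-write", "read-only" or "no-access" (masked)
    ports: tuple = ()    # controller host ports; "A1"/"B1" naming is assumed

@dataclass
class Volume:
    name: str
    owner: str           # controller that owns the volume: "A" or "B"
    default: Mapping
    explicit: dict = field(default_factory=dict)  # host -> Mapping

def effective(volume, host):
    """An explicit mapping for the host overrides the volume's default mapping."""
    return volume.explicit.get(host, volume.default)

def audit(volume):
    """Flag open default mappings and port choices that miss the guide's advice."""
    findings = []
    if volume.default.access != "no-access":
        findings.append("default mapping gives every connected host "
                        + volume.default.access)
    for host, m in volume.explicit.items():
        if m.access == "no-access":
            continue
        controllers = {port[0] for port in m.ports}
        if volume.owner not in controllers:
            findings.append(host + ": no port on owning controller")
        if not {"A", "B"} <= controllers:
            findings.append(host + ": not mapped on both controllers")
    return findings

# The guide's two examples, with constructed host names and ports.
payroll = Volume("payroll", "A", Mapping("no-access"),
                 {"HR": Mapping("read-write", ("A1", "B1"))})
engineering = Volume("engineering", "B", Mapping("read-only", ("A1", "B1")),
                     {"Engineering": Mapping("read-write", ("A1",))})
```

Here `audit(payroll)` returns no findings, while `audit(engineering)` reports the read-only default mapping and the single-controller port choice.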

