CHAP Information and Implementation
This appendix provides additional information about Challenge Handshake Authentication Protocol (CHAP) and how to properly implement it for use with Internet Protocol (IP) replication.
General information on CHAP
CHAP is used in many different situations and products, and for the IBM System Storage SAN Volume Controller (SVC)/IBM Storwize family, it is used for both IP replication and Internet Small Computer System Interface (iSCSI)-attached host authentication.
CHAP works by first creating a shared secret on each system. Then, during the link establishment phase, one side sends a challenge to the other. The second side combines the challenge with the secret, hashes the result, and sends the hash back to the first side, which compares it against its own calculated value. If the two values match, the connection is completed. Otherwise, the connection is rejected.
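The exchange described above, sketched in Python as an added example (not IBM's code and not part of the original appendix). It assumes the RFC 1994 construction, MD5 over identifier, secret and challenge, which this appendix does not spell out for the SVC/Storwize implementation; the class and function names and the sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues the challenge and checks the answer."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self):
        # A fresh random challenge per attempt means a captured response cannot be replayed.
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # Each challenge is single use: discard it whether or not the check passes.
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def handshake(authenticator: Authenticator, peer_secret: bytes) -> bool:
    """Run one challenge/response round; the secret itself never crosses the link."""
    identifier, challenge = authenticator.new_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return authenticator.verify(identifier, response)


if __name__ == "__main__":
    first_side = Authenticator(b"constructed-sample-secret")  # constructed sample value
    print("matching secret:  ", handshake(first_side, b"constructed-sample-secret"))
    print("mismatched secret:", handshake(first_side, b"wrong-secret"))
```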
The next section will go into more detail regarding the specific setup of CHAP with the SVC/Storwize family of products.
Configuring CHAP for IP replication
There are only a few steps that are needed to properly configure CHAP with IP replication:
1. Modify the system-wide CHAP secret for both the source and destination systems.
2. Configure the partnership from the source to the destination to include the CHAP secret of the destination system.
3. Configure the partnership from the destination to the source to include the CHAP secret of the source system.
 
Tip: The CHAP secret used on each system does not have to be the same. The CHAP secret field in the partnership must match the CHAP secret of the system that it is connecting to.
Configure system-wide CHAP secret
Using the graphical user interface (GUI), there are many different paths to get to the Modify CHAP Configuration pane, which is needed to set up a system-wide CHAP secret for use with IP Replication. You can select any one of the following choices:
Copy Services → Partnerships → Actions → Modify CHAP Configuration
Monitoring → System Details → Actions → Modify CHAP Configuration
Settings → Network → iSCSI → Modify CHAP Configuration
After the Modify CHAP Configuration pane is opened, follow these steps:
1. Input the CHAP secret for the current system, select the box marked Use for IP partnerships, and press Modify.
 
Note 1: If you are modifying the CHAP secret on a system that is running an IP replication partnership, the partnership must be in a stopped state before modifying.
 
Note 2: If you are using the GUI to remove the CHAP secret on a system, clear the Use for IP partnerships box first, then remove the password. Click Modify to proceed.
2. Figure B-1 shows the pane that you should see when the system-wide CHAP is modified.
Figure B-1 Modify CHAP configuration
3. Repeat the previous procedure on the secondary system.
 
Information: Alternatively, you can use the following CLI command:
chsystem -chapsecret chap_secret
To remove a CHAP secret, you can use the following CLI command:
chsystem -nochapsecret
Configure partnership to use the CHAP secret
The CHAP secret can be added to a partnership either during initial creation, or during normal usage.
The CHAP secret of the destination system is entered in the Partner system’s CHAP secret field.
Alternatively, the partnership can be modified at any time by going to its properties, and adding or modifying the partner system’s CHAP secret.
 
Information: To make a partnership and include a CHAP secret using the CLI, use the following command:
mkippartnership -backgroundcopyrate 100 -chapsecret test -clusterip 9.71.50.133 -linkbandwidthmbits 1000 -type ipv4
To modify an existing partnership to include a CHAP secret, stop the partnership and use the following command:
chpartnership -chapsecret chap_secret clusterid