Reference Guide

PowerStore does not support iSCSI CHAP Discovery mode. The following table shows the limitations of PowerStore related to
iSCSI CHAP Discovery mode.
Table 1. iSCSI CHAP Discovery mode limitations

CHAP Mode: Discovery
  Single Mode (initiator enabled): PowerStore will not authenticate (challenge) the host. Authentication cannot be used to preclude the discovery of targets. This does not result in unintended access to user data.
  Mutual Mode (initiator and target enabled): PowerStore will not respond to an authentication request (challenge) from a host, and discovery will fail if the host challenges PowerStore.

CHAP Mode: Normal
  Single Mode (initiator enabled): Works as expected. Credentials are tested by PowerStore.
  Mutual Mode (initiator and target enabled): Works as expected. Credentials are transferred by PowerStore.

For remote replication between a source and target appliance, the verify and update process detects changes in the local and
remote systems and reestablishes data connections, while also taking the CHAP settings into account.
Configuring CHAP
CHAP single (initiator enabled) or mutual (initiator and target) authentication can be enabled on a PowerStore cluster. CHAP
can be enabled for a cluster implementation of one appliance or multiple PowerStore appliances and external hosts.
When single authentication is enabled, the username and password for each initiator are required to be entered when external
hosts are added. When mutual authentication is enabled, the username and password for the cluster are also required to be
entered. When adding a host and adding initiators with CHAP enabled, the initiator password must be unique; you cannot use
the same password across the initiators of a host. The specific steps for configuring CHAP on an external
host vary. To use this capability, you need to be familiar with the operating system of the host and how to configure it.
NOTE:
Enabling CHAP once hosts are configured on the system is a disruptive action for the external hosts. It causes I/O
interruption until configurations are set up on both the external host and appliance. It is recommended that, before adding
external hosts to the appliance, you decide what type of CHAP configuration you want to implement, if any.
If you enable CHAP after hosts are added, update each host's initiators. If CHAP is enabled, you cannot add a host to a host
group that does not have CHAP credentials. Once CHAP is enabled and you add a host later, manually register the host in
PowerStore Manager: under Compute, select Hosts & Host Groups. You need to enter credentials at the iSCSI level for
authentication. In this case, copy the IQN from the host and then add the related CHAP credentials for each initiator.
Configure CHAP for a cluster through any of the following means:
CHAP - A CHAP settings page that you can access from the PowerStore Manager (click Settings and under Security
select CHAP).
REST API server - Application interface that can receive REST API requests to configure CHAP settings. For more
information about the REST API, refer to the PowerStore REST API Reference Guide.
To determine the status of CHAP, in the PowerStore Manager, click Settings and under Security select CHAP.
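The following added example (not part of the original guide and not Dell code) checks a planned host registration against the credential rules above and simulates the Normal-session CHAP exchange for single and mutual mode using the standard CHAP MD5 response from RFC 1994. It does not call any PowerStore interface; the function names, IQNs, and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): response = MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def validate_host(mode, initiators, cluster_cred=None):
    """Return rule violations for one host's planned CHAP registration."""
    if mode not in ("single", "mutual"):
        raise ValueError("mode must be 'single' or 'mutual'")
    problems, first_use = [], {}
    for iqn, cred in initiators.items():
        if not cred.get("username") or not cred.get("password"):
            problems.append(f"{iqn}: username and password are required")
            continue
        owner = first_use.setdefault(cred["password"], iqn)
        if owner != iqn:  # same password on two initiators of one host
            problems.append(f"{iqn}: password already used by {owner}")
    cluster = cluster_cred or {}
    if mode == "mutual" and not (cluster.get("username") and cluster.get("password")):
        problems.append("mutual mode: cluster username and password are required")
    return problems

def _proves(ident, prover_secret, verifier_secret):
    """One challenge/response leg: the verifier challenges, the prover answers."""
    challenge = os.urandom(16)
    answer = chap_response(ident, prover_secret, challenge)
    expected = chap_response(ident, verifier_secret, challenge)
    return hmac.compare_digest(answer, expected)

def normal_login(mode, host, array):
    """Simulate a Normal-session login; host and array each hold their copy of the secrets."""
    ok = _proves(1, host["initiator_secret"], array["initiator_secret"])
    if ok and mode == "mutual":  # the host also challenges the array
        ok = _proves(2, array["cluster_secret"], host["cluster_secret"])
    return ok

# Constructed sample plan: the second initiator reuses the first one's password.
PLAN = {
    "iqn.1994-05.com.example:host1-a": {"username": "host1-a", "password": "Sample-Secret-0001"},
    "iqn.1994-05.com.example:host1-b": {"username": "host1-b", "password": "Sample-Secret-0001"},
}

if __name__ == "__main__":
    print(validate_host("single", PLAN))
    print(validate_host("mutual", PLAN))
```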
External SSH access
Each appliance can optionally enable external secure shell (SSH) access to the SSH port of the appliance IP address, which
takes the user to the service feature on the primary node of an appliance. The appliance IP address floats between the two
nodes of the appliance as the primary designation changes. If external SSH is disabled, SSH access is disallowed.
When an appliance first comes up and is not configured, SSH is enabled by default so that the appliance can be serviced if
issues are encountered before it is added to a cluster. When a new cluster is created or for a join cluster operation, all appliances
should have SSH initially set to disabled.
Configuring external SSH access
Configure external SSH access to appliances within a cluster by using any of the following means: