There are several levels of iSCSI security available with Storage Manager for SANs. The basic level is based on the Challenge Handshake Authentication Protocol (CHAP). CHAP is a protocol that is used to authenticate the peer of a connection and is based upon the peers sharing a secret (a security key that is similar to a password). IP security (IPsec) is a protocol that enforces authentication and data encryption at the IP packet layer, which provides an added level of security.

Important

This feature enables you to perform a select subset of the tasks that relate to iSCSI configuration and administration. You can also perform these and other tasks using the Microsoft iSCSI Initiator, which is included in Windows Server 2008 in Administrative Tools. Additionally, vendors of networking and storage solutions provide similar tools to perform iSCSI configuration and administration tasks. For more information about iSCSI, see http://go.microsoft.com/fwlink/?LinkId=102299.

You must choose the security level that best fits the security policies of your organization:

Caution

At a minimum, use one-way CHAP authentication between iSCSI initiators and targets.

Note

The level of security that you can set for a storage subsystem depends on the hardware manufacturer. Not all subsystems support all levels of iSCSI security. You should contact your hardware manufacturer to verify what level of security is supported.

For more information about iSCSI, see http://go.microsoft.com/fwlink/?LinkId=93543.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To manage iSCSI security
  1. In the console tree, click LUN Management.

  2. In the Actions pane, click Manage iSCSI Security.

  3. To configure one-way CHAP authentication, in the Manage iSCSI Security dialog box, configure the following settings on the Targets tab:

    1. If you want to configure different CHAP secrets for different targets, in the list of targets, select a target that you want to set the CHAP secret for, and click Set Secret.

      -Or-

      To use the same CHAP secret for a group of targets, select the targets from the list and click Set Secret.

    2. In the Set Secret dialog box, type and confirm the target CHAP secret.

    3. Optionally, select Remember secret on local initiator if you want to automatically pass the new secret to the local initiator.

    4. To set the new secret, click OK.

  4. To configure mutual CHAP authentication, you must first configure one-way CHAP authentication by following step 3. Then, enter the following configuration on the Local Initiator tab:

    1. Type and confirm the CHAP secret for the local initiator.

    2. Under mutual CHAP authentication, the initiator will only be able to log on to targets that know the initiator secret. To share the initiator secret with the targets that the server needs to access, in the list of targets, select each target that you want to authenticate on the initiator.

    3. To set the new secret for the local initiator and to share it with the selected targets, click Apply Secret.

  5. To configure IPsec, in the Manage iSCSI Security dialog box, configure the following settings on the Portals tab:

    1. If you want to use different IPsec keys for different portals, in the list of portals, select a portal and click Set IPsec Key.

      -Or-

      To use the same IPsec key for a group of portals, select the portals from the list, and click Set IPsec Key.

    2. In the Set IPsec Key dialog box, type and confirm a new IPsec key.

    3. Optionally, select Remember the IPsec key on local initiator if you want to automatically pass the new key to the local initiator.

    4. To set the new IPsec key, click OK.

  6. When you are done configuring iSCSI security, click Close.
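
The CHAP exchange behind steps 3 and 4, as an added example that is not part of the original page or of any Microsoft tool: a simulation of the RFC 1994 MD5 challenge-response, showing that under mutual CHAP the initiator refuses a target that was never given the initiator secret. The `login` and `authenticate` helpers, the dictionary keys and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994 with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticate(verifier_secret: bytes, prover_secret: bytes) -> bool:
    """One CHAP round: the verifier sends a fresh challenge, the prover answers
    with its own copy of the secret; the secret itself never crosses the wire."""
    identifier, challenge = os.urandom(1)[0], os.urandom(16)
    response = chap_response(identifier, prover_secret, challenge)    # prover side
    expected = chap_response(identifier, verifier_secret, challenge)  # verifier side
    return hmac.compare_digest(response, expected)


def login(initiator: dict, target: dict, mutual: bool) -> str:
    """Simulate a login. Each side is a dict holding its copies of
    'target_secret' and, for mutual CHAP, 'initiator_secret' (assumed names)."""
    # One-way CHAP: the target verifies the initiator using the target secret.
    if not authenticate(target["target_secret"], initiator["target_secret"]):
        return "rejected by target"
    if mutual:
        # Mutual CHAP: the initiator verifies the target using the initiator secret.
        known = target.get("initiator_secret", b"")
        if not authenticate(initiator["initiator_secret"], known):
            return "rejected by initiator"
    return "logged in"


# Constructed sample secrets, for illustration only.
INITIATOR = {"target_secret": b"tgt-secret-0001", "initiator_secret": b"ini-secret-0001"}
GOOD_TARGET = dict(INITIATOR)                         # initiator secret was shared with it
OTHER_TARGET = {"target_secret": b"tgt-secret-0001"}  # never given the initiator secret

if __name__ == "__main__":
    print(login(INITIATOR, GOOD_TARGET, mutual=True))
    print(login(INITIATOR, OTHER_TARGET, mutual=False))
    print(login(INITIATOR, OTHER_TARGET, mutual=True))
```

With one-way CHAP only, the second target is accepted because nothing proves its identity to the initiator; enabling mutual CHAP is what makes the third login fail.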