Posted: 08-Feb-2018
HOWTO: Securing iSCSI LUNs with Mutual CHAP on Windows
This document covers enabling Mutual CHAP to secure iSCSI LUNs presented by a NetApp controller (the controller commands shown are Data ONTAP 7-Mode syntax). The hosts mounting the LUNs will be Windows 2003, Windows 2008 and Windows 2012.
Assumptions:
1) You have installed and fully patched Windows 2003, 2008, 2012.
2) You have a NetApp controller or ONTAP Simulator with iSCSI licensed and running.
3) The LUNs in this document will be small simply to demonstrate the configuration steps. NetApp LUN
management software, such as SnapDrive for Windows, will not be used in order to keep the configuration
simple. Note that SnapDrive does support Mutual CHAP so use it if you have licenses. SnapDrive makes LUN
management very easy.
4) The native Microsoft DSM (the Multipath I/O feature) of Windows 2008 and 2012 will be enabled. On Windows 2003, the NetApp DSM will be used because Windows 2003 does not ship a native DSM.
5) In a Production environment, you should have a separate VLAN to isolate your storage traffic (iSCSI and NFS) and send that traffic over a dedicated NIC or multiple teamed/bonded NICs. You don't have to set it up this way, but it is a best practice, and it matters for security as much as for performance: CHAP authenticates the two ends of a session but does not encrypt anything, so anyone who can sniff the storage network can read the data on the LUNs and capture the CHAP challenge/response pairs. Isolation (or IPsec, if you need confidentiality on the wire) is what protects the data itself.
6) Your iSCSI NIC has an IP address configured and you can ping the storage array. You should not route your iSCSI traffic, so a default gateway is not needed on the iSCSI NIC; only an IP address and subnet mask.
7) Your NetApp volume(s) where the LUNs will reside are already created.
8) Determine in advance a strong CHAP secret for the iSCSI Initiator on each server and a different one for the NetApp controller. The Microsoft iSCSI Initiator only accepts CHAP secrets of 12 to 16 characters (unless IPsec is used), so generate random secrets of that length rather than a memorable phrase, use a different secret for each host and for each direction, and keep them in your password vault. The secrets used in this document are deliberately simple placeholders.
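Item 8 is where most deployments go wrong: the secrets end up short, memorable and shared between hosts. The following is an added example written for this page (not NetApp or Microsoft code) that generates random per-host secrets within the 12 to 16 character range the Microsoft iSCSI Initiator accepts, refuses identical inbound and outbound values, and emits the matching Data ONTAP 7-Mode iscsi security add command (the syntax used in the controller section of this document) together with the values to type into each Windows host. The host and controller iqns are the lab names used throughout this document; the helper names (make_secret, check_pair, security_add, plan) are this example's own.

```python
"""Per-host Mutual CHAP secrets and the matching ONTAP 7-Mode commands.

Added example for this HOWTO, not NetApp or Microsoft code.  Assumptions:
the Microsoft iSCSI Initiator's rule that a CHAP secret is 12 to 16
characters long (without IPsec), and the 'iscsi security add' syntax used
on this page.  The iqns are the lab names from this document.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 12, 16                               # Microsoft iSCSI Initiator limits without IPsec
ALPHABET = string.ascii_letters + string.digits         # safe to paste into the ONTAP CLI and the Windows GUI


def make_secret(length: int = MAX_LEN) -> str:
    """Random secret from the OS CSPRNG, length checked against the initiator limit."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"secret length must be {MIN_LEN}..{MAX_LEN}, got {length}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_pair(inpassword: str, outpassword: str) -> None:
    """Reject secrets the initiator will not accept, and reject reuse across directions."""
    for direction, value in (("inbound", inpassword), ("outbound", outpassword)):
        n = len(value.encode("utf-8"))
        if not MIN_LEN <= n <= MAX_LEN:
            raise ValueError(f"{direction} secret is {n} bytes; Windows accepts {MIN_LEN}..{MAX_LEN}")
    if inpassword == outpassword:
        raise ValueError("inbound and outbound secrets must differ")


def security_add(initiator_iqn: str, target_iqn: str, inpassword: str, outpassword: str) -> str:
    """Build the 7-Mode command.  Following the page's convention, inname is the
    host iqn and outname is the controller iqn."""
    check_pair(inpassword, outpassword)
    return (f"iscsi security add -i {initiator_iqn} -s chap"
            f" -p {inpassword} -n {initiator_iqn}"
            f" -o {outpassword} -m {target_iqn}")


def plan(host_iqns, target_iqn):
    """One record per host with distinct secrets in both directions, so that a
    compromised host cannot impersonate the controller to another host."""
    used = set()
    records = []
    for iqn in host_iqns:
        inpw, outpw = make_secret(), make_secret()
        while inpw == outpw or inpw in used or outpw in used:   # collisions are astronomically unlikely
            inpw, outpw = make_secret(), make_secret()
        used.update({inpw, outpw})
        records.append({
            "host": iqn,
            "ontap_command": security_add(iqn, target_iqn, inpw, outpw),
            # What to type on the Windows side, named after the dialog fields on this page.
            "windows_name": iqn,                # CHAP "Name" / "User name": the inname
            "windows_target_secret": inpw,      # "Target secret" in Advanced settings: the inpassword
            "windows_chap_secret": outpw,       # "Secret" / "CHAP" button on General/Configuration: the outpassword
        })
    return records


if __name__ == "__main__":
    # Constructed sample input: the lab iqns used throughout this HOWTO.
    hosts = [
        "iqn.1991-05.com.microsoft:2003test1.lab.slice2.com",
        "iqn.1991-05.com.microsoft:netapptools.lab.slice2.com",
        "iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com",
    ]
    for rec in plan(hosts, "iqn.1992-08.com.netapp:sn.84167939"):
        print(rec["ontap_command"])
        print(f"  Windows: Name={rec['windows_name']}  Target secret={rec['windows_target_secret']}"
              f"  CHAP secret={rec['windows_chap_secret']}")
```

Run it once, paste each printed command into the controller console, and use the two secrets from the same record on that host only. The output is the only copy of the secrets, so send it to your vault and then delete it; do not keep it in a shared text file the way this document's walkthrough does for convenience.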
Install MPIO and the iSCSI Service in Windows
This step loads the prerequisites and allows you to capture the iSCSI iqn of the hosts that will be mapped to the LUNs.
Windows 2003
1) Install the Microsoft iSCSI initiator. Download it free from the URL below.
a. http://www.microsoft.com/en-us/download/details.aspx?id=18986
b. Double-click the Initiator-2.08-build3825-x86fre.exe file > Next > select all options and click Next > I
agree with the license and click Next > Finish > the server will automatically reboot.
2) Install Microsoft KB patches: KB919117, KB945119, KB982109, KB931300 and KB937382.
a. For the patches listed above, be careful to select the proper platform (x86 or x64). Sometimes they only list x86 patches and you have to click "show hotfixes for all platforms" or "expand all" to see the other OS options.
b. Note: in the next step to install the DSM MPIO, if any patches are missing on your server the installer will tell you which patches it needs.
3) Install NetApp DSM MPIO. Download it from the URL below. You need a NOW account and a license.
a. https://support.netapp.com/NOW/download/software/mpio_win/4.0/
b. Double-click ntap_win_mpio_4.0_setup_x86.msi > Next > click OK on the ALUA message > accept the
license and click Next > enter the license and click Next (check the NetApp support site for your licenses)
> use the default system account and click Next > do not install HyperV utilities and click Next > Next >
Next > Next > Install > ignore the no FC adapter message, click OK (you aren’t using fiber channel) >
Finish > Yes to reboot.
4) Launch the Microsoft iSCSI Initiator and capture the iqn name.
a. Double-click the Microsoft iSCSI Initiator icon on the desktop.
b. You can get the iSCSI Initiator iqn on the General tab.
c. You can also get the iqn by typing the iscsicli command in a cmd prompt window. The iqn is listed in brackets. Press CTRL+C to break out of the command. Copy the iqn for this host to a text file because you will need it when configuring Mutual CHAP on the NetApp controller.
i. For example: iqn.1991-05.com.microsoft:2003test1.lab.slice2.com
Windows 2008
1) On Windows 2008, the iSCSI Initiator is already installed by default but MPIO is not.
2) In Server Manager, select Features. On the far right click Add Features.
3) In the center of the Features screen, select Multipath I/O and click Next > Install > Close.
4) Enable the iSCSI initiator. Click Start > Administrative Tools > iSCSI Initiator. The first time this is run, Windows asks to start the Microsoft iSCSI service and set it to start automatically. Click Yes.
5) You can get the iSCSI Initiator iqn on the Configuration tab or by simply typing the iscsicli command in a cmd prompt window. The iqn is listed in brackets. Press CTRL+C to break out of the command. Copy the iqn for this host to a text file because you will need it when configuring Mutual CHAP on the NetApp controller.
a. For example: iqn.1991-05.com.microsoft:netapptools.lab.slice2.com
Windows 2012
1) On the main Server Manager Dashboard, in the center select #2 to Add roles and features.
2) On the Roles and Features Wizard, click Next > Next > Next > Next. On the Select Features screen select
Multipath I/O and click Next > Install > click Close when done.
3) Enable the iSCSI initiator. In Server Manager in the upper right, click Tools > iSCSI Initiator. The first time this is
run, the service must be started. Click Yes.
4) You can get the iSCSI Initiator iqn on the Configuration tab or by simply typing the iscsicli command in a cmd
prompt window. The iqn is listed in brackets. Press CTRL+C to break out of the command. Copy the iqn for this
host to a text file because you will need it when configuring Mutual CHAP on the NetApp controller.
a. For example: iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com
Configure the iSCSI NIC
This step removes bindings and options that iSCSI does not need from the storage NIC, which keeps the configuration simple and shrinks what the NIC exposes on the storage network. You should have at least two NICs; one for regular network traffic and one or more for storage traffic. You should have already configured an IP address with no gateway for this NIC. If not, do so before you continue.
Windows 2003
1) Right-click the NIC designated for iSCSI traffic and select Rename. Rename it iSCSI NIC 01 or something descriptive and press Enter to save the change. Note that numbering the NICs is helpful if you are going to team multiple NICs.
2) Right-click iSCSI NIC 01 and select Properties. Deselect Client for Microsoft Networks and File and Printer Sharing; iSCSI does not use or need them, and leaving them bound exposes SMB on the storage network. At the bottom, select both options (Show icon and Notify me). Select Internet Protocol (TCP/IP) and click Properties.
3) On the General tab, click Advanced. Note that no gateway or DNS IP addresses are defined.
4) On the DNS tab, deselect Append parent suffix and Register this connection and click OK > OK and then Close to save the changes. There is no need to engage DNS for the iSCSI sessions on this NIC. (For the same reason you can disable NetBIOS over TCP/IP on the WINS tab of the same dialog.)
5) Right-click iSCSI NIC 01 and select Properties. On the General tab click Configure.
6) On the Power Management tab deselect Allow the computer to turn off this device to save power and click OK.
7) For reference: on the Advanced tab, you have tuning options that can be configured such as the Offload variables and Jumbo Packets (or frames). If budget allows, sending your storage traffic over 10 gigabit Ethernet with jumbo frames enabled would provide the best performance. This is where you would set that option if you had the ability to do so.
8) Perform the same steps above for Windows 2008 and 2012. Note that on 2008 and 2012, also deselect Internet Protocol Version 6 (TCP/IPv6) on the Networking tab.
Create the Initiator Groups and LUNs on the NetApp controller
1) I'll use the NetApp OnCommand System Manager v2.2 LUN Wizard to create the LUNs. Click Start > All Programs > NetApp > OnCommand System Manager > NetApp OnCommand System Manager 2.2. Double-click the controller where you will create the LUNs.
2) Expand Storage and select LUNs. On the right, select the Initiator Group tab and click Create.
3) On the General tab, enter a descriptive name and select Windows from the OS drop-down menu.
4) On the Initiators tab, click Add and enter the server's iqn (initiator) that you recorded in the earlier steps. Click Create when done. In this case, it's a Windows 2003 server so the Initiator Group has WIN2003 in its name. You can call it whatever you want.
5) On the LUN Management tab click Create.
6) The Wizard will launch. Click Next on the Welcome screen. On the General Properties screen, enter a descriptive name for the LUN, a solid description of the LUN (like SQL db lun 01 or SPS index lun 01, etc.), set the type to Windows (for Win2003 only), enter your LUN size, select whether you want a thin provisioned LUN or not and click Next. For Windows 2008 and 2012 select Type: Windows 2008.
7) Click Select an existing volume (you should have already created the volume), enter the path and volume name and click Next. Or click Browse and select the volume.
8) On the Initiator Mapping screen, under Map on the left, check the iSCSI_MCHAP_WIN2003 Initiator Group. On the right under LUN ID, enter 0 and click Next > Next > Finish.
a. The LUN ID number can start at whatever you want. Just be sequential as you create LUNs so it's easier to manage (for example LUN ID 0, 1, 2, 3, 4, 5, 6 etc.).
b. Note: the Initiator Group and LUN Wizard for Win 2008 and Win 2012 is exactly the same except on the LUN properties screen; make sure you select the Windows 2008 Type from the drop-down menu for Windows 2008 and Windows 2012.
9) When done, you should have three LUNs mapped to the correct host based on iqn. Keep in mind that the igroup mapping only controls which initiator is offered which LUN. The iqn is not a secret and any host can be configured to present any iqn, so the mapping is not authentication; that is what the Mutual CHAP configuration in the next section adds.
Configure Mutual CHAP on the NetApp Controller
This step is done on the NetApp controller for each initiator that you want to use Mutual CHAP with. For this document a simple password will be used so the values are easy to follow. In practice use a random secret of 12 to 16 characters (the length range the Microsoft iSCSI Initiator accepts), a different one per host and per direction, and never reuse the lab values shown here.
1) Obtain the storage controller's iqn and verify the portal.
a. Log in to the controller and enter the following commands.
> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.84167939
> iscsi portal show
Network portals:
IP address        TCP Port   TPGroup   Interface
10.10.10.11       3260       1000      e0a
b. Verify that the LUNs are mapped properly and online.
> lun show
/vol/MCHAPVOL/2003_iSCSI_MCHAP_01   5.0g (5371107840)   (r/w, online, mapped)
/vol/MCHAPVOL/2008_iSCSI_MCHAP_01   5.0g (5371107840)   (r/w, online, mapped)
/vol/MCHAPVOL/2012_iSCSI_MCHAP_01   5.0g (5371107840)   (r/w, online, mapped)
c. Verify the Initiator Group (igroup). Note that the initiators are listed as not logged in. They will be after you complete the MPIO and CHAP configuration on the host.
> igroup show iSCSI_MCHAP_WIN
iSCSI_MCHAP_WIN (iSCSI) (ostype: windows):
    iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com (not logged in)
    iqn.1991-05.com.microsoft:netapptools.lab.slice2.com (not logged in)
    iqn.1991-05.com.microsoft:2003test1.lab.slice2.com (not logged in)
2) Using the list of iqns from the Windows hosts, run the following commands to configure Mutual CHAP. Note that it's a common practice to use the iqn of the host as the inname and the iqn of the controller as the outname. This way there is no possible way to get confused, especially in an environment with large numbers of iSCSI LUNs deployed. The downside is that the command to configure Mutual CHAP on the controller is very long. The CHAP user names are not secrets; the two passwords are, and since they are typed on the command line they will end up in any transcript of your console session, so do not paste them into a session you are logging and change them if they are ever exposed.
The syntax is as follows:
> iscsi security add -i initiator -s chap -p inpassword -n inname -o outpassword -m outname
-i initiator – the iqn of the initiator you want to configure for Mutual CHAP (host iqn).
-p inpassword – the inbound password for CHAP authentication. The storage system uses the inbound password to authenticate the initiator (host password; entered as the Target secret on the Windows side).
-n inname – the user name for inbound CHAP authentication. The storage system expects the initiator to present this name (host iqn, by the convention above).
-o outpassword – the password for outbound CHAP authentication. The storage system uses this password to authenticate itself to the initiator (NetApp password; entered as the initiator's own CHAP secret on the Windows side).
-m outname – the user name for outbound CHAP authentication. The storage system presents this name to the initiator (NetApp iqn, by the convention above).
The record is per initiator, so each host can be given its own outpassword as well as its own inpassword; do that if you want a compromised host to be unable to impersonate the controller to the other hosts. This document uses one outpassword for all three hosts to keep the example short.
For the Windows 2003 host:
> iscsi security add -i iqn.1991-05.com.microsoft:2003test1.lab.slice2.com -s chap -p MUTUALCHAP2003 -n iqn.1991-05.com.microsoft:2003test1.lab.slice2.com -o NETAPPMUTUALCHAP -m iqn.1992-08.com.netapp:sn.84167939
For the Windows 2008 host:
> iscsi security add -i iqn.1991-05.com.microsoft:netapptools.lab.slice2.com -s chap -p MUTUALCHAP2008 -n iqn.1991-05.com.microsoft:netapptools.lab.slice2.com -o NETAPPMUTUALCHAP -m iqn.1992-08.com.netapp:sn.84167939
For the Windows 2012 host:
> iscsi security add -i iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com -s chap -p MUTUALCHAP2012 -n iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com -o NETAPPMUTUALCHAP -m iqn.1992-08.com.netapp:sn.84167939
3) Verify the security configuration on the initiators. The passwords are masked in the output, so this confirms which initiators have records and which names are in use, not that the secrets are right; the login from the host in the next section is the real test.
> iscsi security show
Default sec is None
init: iqn.1991-05.com.microsoft:2003test1.lab.slice2.com auth: CHAP
    Inbound password: ****  Inbound username: iqn.1991-05.com.microsoft:2003test1.lab.slice2.com
    Outbound password: ****  Outbound username: iqn.1992-08.com.netapp:sn.84167939
init: iqn.1991-05.com.microsoft:netapptools.lab.slice2.com auth: CHAP
    Inbound password: ****  Inbound username: iqn.1991-05.com.microsoft:netapptools.lab.slice2.com
    Outbound password: ****  Outbound username: iqn.1992-08.com.netapp:sn.84167939
init: iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com auth: CHAP
    Inbound password: ****  Inbound username: iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com
    Outbound password: ****  Outbound username: iqn.1992-08.com.netapp:sn.84167939
Note the first line. Default sec is None means an initiator that has no security record of its own is not required to authenticate at all; only the igroup mapping stands between it and the LUNs, and an iqn is trivial to spoof. Once every legitimate initiator has a record, change the default with iscsi security default (for example iscsi security default -s deny, or -s CHAP with a name and password; check the iscsi security man page for your release) and run iscsi security show again to confirm the Default sec line changed.
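To make clear what the records above enforce, here is an added example (written for this page; not ONTAP or Microsoft code) that simulates the iSCSI CHAP login in Python: the controller challenges, the host answers with the inbound secret under its inname and challenges back, and the controller answers with the outbound secret under its outname. It uses the lab iqns and secrets from the commands above as constructed input, follows the MD5 CHAP computation both sides negotiate (CHAP_A=5), and adds a wordlist check to show why a secret like MUTUALCHAP2003 is unsafe once the login PDUs have been captured on the storage VLAN. Class and function names are this example's own, and it does not speak iSCSI on the wire.

```python
"""What the 'iscsi security add' records actually check at login.

Added example for this HOWTO, not ONTAP or Microsoft code.  It simulates
the CHAP part of an iSCSI login with the algorithm both sides negotiate
(CHAP_A=5, MD5; CHAP_R = MD5(CHAP_I || secret || CHAP_C)), names the
messages after the iSCSI login keys, and uses the lab iqns and secrets
from this page as constructed input.  Nothing here touches the network.
"""
import hashlib
import os


class AuthError(Exception):
    pass


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R as defined by RFC 1994 and carried by iSCSI (RFC 3720, CHAP_A=5)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class Target:
    """Controller side: one record per initiator, plus the 'Default sec' policy."""

    def __init__(self, iqn: str, default_policy: str = "none"):
        self.iqn = iqn
        self.default_policy = default_policy   # "none" = 'Default sec is None'; "deny" = reject unknown
        self.records = {}

    def security_add(self, initiator, inpassword, inname, outpassword, outname):
        """Mirror of: iscsi security add -i initiator -s chap -p -n -o -m."""
        self.records[initiator] = dict(inpassword=inpassword.encode(), inname=inname,
                                       outpassword=outpassword.encode(), outname=outname)

    def challenge(self):
        """Login step 1: the target sends CHAP_A, CHAP_I and a fresh random CHAP_C."""
        return {"CHAP_A": 5, "CHAP_I": os.urandom(1)[0], "CHAP_C": os.urandom(16)}

    def verify(self, initiator, sent, received):
        """Login step 3: check CHAP_N/CHAP_R, then answer the initiator's own challenge."""
        rec = self.records.get(initiator)
        if rec is None:
            if self.default_policy == "deny":
                raise AuthError("unknown initiator and default policy is deny")
            return None                        # Default sec None: session allowed with no CHAP
        if received["CHAP_N"] != rec["inname"]:
            raise AuthError("inbound user name mismatch")
        if received["CHAP_R"] != chap_response(sent["CHAP_I"], rec["inpassword"], sent["CHAP_C"]):
            raise AuthError("inbound CHAP response rejected")
        if "CHAP_C" not in received:
            return {}                          # one-way CHAP: the target proves nothing back
        if received["CHAP_C"] == sent["CHAP_C"]:
            # RFC 3720 8.2.1: a reflected challenge must be refused (reflection attack)
            raise AuthError("initiator reflected the target's challenge")
        return {"CHAP_N": rec["outname"],
                "CHAP_R": chap_response(received["CHAP_I"], rec["outpassword"], received["CHAP_C"])}


class Initiator:
    """Windows side: Name = host iqn, 'Target secret' = inbound secret, and the
    'Secret'/'CHAP' value on the General/Configuration tab = outbound (mutual) secret."""

    def __init__(self, iqn, target_secret, mutual_secret, target_iqn, mutual=True):
        self.iqn, self.target_iqn, self.mutual = iqn, target_iqn, mutual
        self.target_secret, self.mutual_secret = target_secret.encode(), mutual_secret.encode()

    def respond(self, chal):
        """Login step 2: CHAP_N and CHAP_R, plus our own CHAP_I/CHAP_C when mutual."""
        msg = {"CHAP_N": self.iqn,
               "CHAP_R": chap_response(chal["CHAP_I"], self.target_secret, chal["CHAP_C"])}
        if self.mutual:
            self._chap_i, self._chap_c = os.urandom(1)[0], os.urandom(16)
            msg.update(CHAP_I=self._chap_i, CHAP_C=self._chap_c)
        return msg

    def verify_target(self, reply):
        """Login step 4: the controller must prove it knows the outbound secret."""
        if reply is None:
            return "None"                      # session came up with no authentication at all
        if not self.mutual:
            return "CHAP"
        if not reply:
            raise AuthError("target refused mutual authentication")
        if reply["CHAP_N"] != self.target_iqn:
            raise AuthError("outbound user name is not the controller iqn")
        if reply["CHAP_R"] != chap_response(self._chap_i, self.mutual_secret, self._chap_c):
            raise AuthError("controller failed mutual CHAP: wrong outbound secret")
        return "Mutual CHAP"                   # what the Sessions tab shows on Windows


def login(target, initiator):
    """Run the four steps and return the Authentication value the session ends with."""
    chal = target.challenge()
    return initiator.verify_target(target.verify(initiator.iqn, chal, initiator.respond(chal)))


def guess_secret(chap_id, challenge, response, candidates):
    """CHAP_I, CHAP_C and CHAP_R travel in clear text in the login PDUs, so a capture
    on the storage VLAN lets an attacker test guesses offline at MD5 speed."""
    for guess in candidates:
        if chap_response(chap_id, guess.encode(), challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    T = "iqn.1992-08.com.netapp:sn.84167939"
    H = "iqn.1991-05.com.microsoft:2003test1.lab.slice2.com"
    ctl = Target(T)
    ctl.security_add(H, "MUTUALCHAP2003", H, "NETAPPMUTUALCHAP", T)
    print("2003test1:", login(ctl, Initiator(H, "MUTUALCHAP2003", "NETAPPMUTUALCHAP", T)))
    print("rogue host, Default sec None:", login(ctl, Initiator("iqn.2000-01.com.example:rogue", "x", "y", T)))
```

Run as a script it performs one login with the document's Windows 2003 values and reports Mutual CHAP, then shows a rogue initiator with no record logging in with Authentication None. Constructing the Target with default_policy="deny" is the simulated equivalent of changing Default sec on the controller and makes that second login fail, which is the point of fixing it.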
Configure MPIO, iSCSI Mutual CHAP and format the LUN
This step enables multi-path and configures iSCSI Mutual CHAP with the server’s iSCSI Initiator and the NetApp
controller. Finally you will initialize the Disk and format with NTFS.
Windows 2003
1) On the Desktop, double-click the Microsoft iSCSI Initiator. On the General tab, click Secret.
2) Enter the NetApp controller's CHAP secret (the outpassword from the iscsi security add command in the previous section) and click OK. For reference in this document, the secret is NETAPPMUTUALCHAP. This is the secret the initiator uses to verify the controller during mutual authentication.
3) On the Discovery tab click Add.
4) Enter the IP address of your NetApp controller's NIC that is responsible for iSCSI traffic and click Advanced.
5) On the General tab, perform the following:
a. Local Adapter: select Microsoft iSCSI Initiator
b. Source IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).
c. Select CHAP login information
d. The username should be the server's iqn (the inname on the controller).
e. Target secret is the host's CHAP password (the inpassword on the controller): MUTUALCHAP2003. Despite the label, this is the secret the controller uses to authenticate this host.
f. Select Perform mutual authentication.
g. Click OK > OK. Note that if you mistyped a password or something is not configured properly, the discovery will fail when you click OK.
6) The controller console will log a message similar to:
Sat Jun 1 18:01:48 EDT [iscsi.notice:notice]: ISCSI: New session from initiator iqn.1991-05.com.microsoft:2003test1.lab.slice2.com at IP addr 10.10.10.80.
7) On the Targets tab, select the Inactive target and click Log On.
8) On the Log On to Target window, select both Automatically restore this connection and Enable multi-path and click Advanced.
9) On the General tab, perform the following:
a. Local adapter: select Microsoft iSCSI Initiator.
b. Source IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).
c. Target Portal: select the NetApp IP/port pairing.
d. Select CHAP login information
e. The username should be the server's iqn.
f. Target secret is the host's CHAP password: MUTUALCHAP2003
g. Select Perform mutual authentication.
h. Click OK > OK > OK to close the Microsoft iSCSI Initiator completely.
10) Launch Computer Management, expand Storage and select Disk Management. The Disk initialization wizard will automatically launch. Click Next > select Disk 1 and complete the wizard.
11) In Disk Manager, right-click Disk 1 and select New Volume.
12) Click Next > select Simple and click Next > Next > assign a drive letter and click Next > Next > Finish. You now have a new disk.
13) Right-click the new disk and select Properties. On the Hardware tab you should see a NetApp multi-path disk.
Windows 2008
1) Click Start > All Programs > Administrative Tools > iSCSI Initiator. Click Yes to the first-time start pop-up message if it appears. On the right, select the Configuration tab and click CHAP.
2) Enter the NetApp controller's CHAP secret (the outpassword from the iscsi security add command in the previous section) and click OK. For reference, the secret is NETAPPMUTUALCHAP. This is the secret the initiator uses to verify the controller during mutual authentication.
3) On the Discovery tab click Discover Portal.
4) Enter the IP address of your storage array and click Advanced.
5) On the General tab, perform the following:
a. Local Adapter: select Microsoft iSCSI Initiator
b. Initiator IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).
c. Select Enable CHAP log on
d. The Name should be the server's iqn (the inname on the controller).
e. Target secret is the host's CHAP password (the inpassword on the controller): MUTUALCHAP2008. Despite the label, this is the secret the controller uses to authenticate this host.
f. Select Perform mutual authentication
g. Click OK > OK. Note that if you mistyped the password or something is not configured properly, the discovery will fail when you click OK.
6) On the Targets tab, select the Inactive target and click Connect.
7) On the Connect to Target window, select both Add this connection and Enable multi-path and click Advanced.
8) On the General tab, perform the following:
a. Local adapter: select Microsoft iSCSI Initiator.
b. Initiator IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).
c. Target Portal: select the NetApp IP/port pairing.
d. Select Enable CHAP log on
e. The Name should be the server's iqn.
f. Target secret is the host's CHAP password: MUTUALCHAP2008
g. Select Perform mutual authentication
h. Click OK > OK > OK to close the Microsoft iSCSI Initiator completely.
9) Set up MPIO. Click Start > Administrative Tools > MPIO. On the Discover Multi-Paths tab select Add support for iSCSI devices, click Add and when prompted click Yes to reboot the server.
10) After the reboot, verify that the MPIO changes were successful. Start > Administrative Tools > MPIO. Make sure the MSFT2005iSCSIBusType_0x9 Hardware ID is present on the MPIO Devices tab. If so, click Cancel to close. If not, repeat the step above.
11) Launch the iSCSI Initiator. Start > Administrative Tools > iSCSI Initiator. On the Targets tab click Properties. On the Sessions tab, in the Session Information section you should see Authentication: Mutual CHAP. If it shows CHAP instead, the controller was never asked to prove itself (Perform mutual authentication was not selected when the session was made), so disconnect the session and redo step 8 with it selected. Click Devices.
12) On the Devices window click MPIO.
13) This is where you set the MPIO policy. It defaults to Round Robin, which is fine. Click Cancel and exit out of all windows.
14) In Server Manager expand Storage and select Disk Management. Right-click Disk 1 and select Online.
15) Right-click Disk 1 again and select Initialize Disk.
16) Select Disk 1 and the partition style and click OK. Read the note at the bottom to decide on MBR vs. GPT.
17) Right-click the black line to the right of Disk 1 and select New Simple Volume. Run through the wizard and configure as needed (or just accept the defaults on each screen).
18) You now have a disk drive E:\.
19) Right-click the disk and select Properties.
20) On the Hardware tab you should see a NetApp multi-path disk. Click Cancel to exit.
Windows 2012
Windows 2012 follows essentially the same process as Windows 2008. The only real differences are the interface and navigation for Server Manager, Disk Management and Computer Management.
The only steps depicted below are how to find the iSCSI Initiator and MPIO from the Tools menu. Other than that, just run through the Windows 2008 steps above. When you get to the MPIO step, look at #2 below. When you need to find Disk Management to initialize the disk, see #3 and #4 below.
1) In Server Manager, in the upper right select Tools > iSCSI
Initiator.
2) In Server Manager, in the upper right select Tools >
MPIO.
3) In Server Manager, in the upper right select Tools >
Computer Management.