
Unsolved

1 Rookie


28 Posts


December 23rd, 2022 15:00

At least one iSCSI target is configured not to use authentication.

I recently ran a pen test on my environment. The result was that at least one iSCSI target is configured not to use authentication. The following iSCSI targets allow unauthenticated access:

-iqn.2002-03.com.compellent:5000d31004731231

The pen test report said to configure authentication on the target and restrict access to authorized initiators. This is to fix the vulnerability.

My storage manager is DELL EMC SCv3020.

 

4 Operator


1.9K Posts

December 24th, 2022 03:00

To see a green check in your pen test, configure CHAP or CHAP/Mutual for your iSCSI targets.

Regards,
Joerg

1 Rookie


28 Posts

December 26th, 2022 15:00

@Origin3k How do I do this configuration for CHAP? How will this affect my volumes? Will I lose access to the storage disks?

4 Operator


1.9K Posts

December 26th, 2022 22:00

On a Compellent you configure CHAP or Mutual CHAP (bi-directional) on the iSCSI fault domains. Please take a look at the DSM manual (page 278 and following, depending on your version of DSM). Don't get confused and be careful, because DSM can be used to manage EqualLogic (PS) and Compellent (SC) and both are in the manual. Compared to SC, working with CHAP on PS is easy and simple.

I can't say whether the target resets an existing connection immediately or just waits until the initiator tries to log in again. The manual says clearly that existing connections get lost and need to be reconfigured.

When speaking of ESXi swISCSI, the initiator has 3 options:

  1. No CHAP
  2. Use CHAP when the target requests it
  3. CHAP required

A "rescan" is needed for config changes to take effect, but option 2 is maybe a way to configure the initiator first and then the target if you have iSCSI sessions in use. Otherwise expect an interruption, and you should wait until you have a maintenance window.
AGAIN... because of the hint in the manual, please expect that you will lose your sessions when enabling CHAP on the SC side.

Regards,
Joerg
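
The staged rollout suggested in the reply above (initiator first with option 2, then the target) can be checked with a small model of the login decision. This is an added example, not part of the thread and not Dell or VMware code; the policy names, function names and the secret are constructed for illustration, and the negotiation is simplified to one-way CHAP as defined in RFC 1994.

```python
import hashlib, hmac, os

# Hypothetical policy names mirroring the three initiator options in the post.
NO_CHAP, CHAP_IF_REQUESTED, CHAP_REQUIRED = "no-chap", "chap-if-requested", "chap-required"

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def login(policy, initiator_secret, target_requires_chap, target_secret):
    """Simplified model of one new iSCSI login; returns (ok, reason)."""
    if not target_requires_chap:
        if policy == CHAP_REQUIRED:
            return False, "initiator requires CHAP, target offers none"
        return True, "unauthenticated session"  # the state the pen test flagged
    if policy == NO_CHAP or initiator_secret is None:
        return False, "target requires CHAP, initiator cannot answer"
    # Target sends a random challenge; initiator proves knowledge of the secret.
    ident, challenge = os.urandom(1)[0], os.urandom(16)
    answer = chap_response(ident, initiator_secret, challenge)
    expected = chap_response(ident, target_secret, challenge)
    if hmac.compare_digest(answer, expected):
        return True, "CHAP authenticated session"
    return False, "CHAP response mismatch (wrong secret)"

def rollout_matrix(secret=b"constructed-secret-01"):
    """Login result per initiator policy, before and after the target enables CHAP."""
    rows = {}
    for policy in (NO_CHAP, CHAP_IF_REQUESTED, CHAP_REQUIRED):
        ini_secret = None if policy == NO_CHAP else secret
        before = login(policy, ini_secret, False, None)[0]
        after = login(policy, ini_secret, True, secret)[0]
        rows[policy] = (before, after)
    return rows

if __name__ == "__main__":
    for policy, (before, after) in rollout_matrix().items():
        print(f"{policy:18} target CHAP off: {before!s:5}  target CHAP on: {after}")
```

Only the "chap-if-requested" row logs in both before and after the target change, which is why it suits configuring the initiator first. The model covers new logins only; it does not represent the loss of existing sessions that the manual warns about.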

 

 
