This feature ensures security by applying CHAP (Challenge-Handshake Authentication Protocol) based authentication of the SDC to the MDM for access to the system in general and to mapped volumes in particular. This prevents the SDC from accessing unauthorized volumes. Once enabled, the SDC internally performs mutual CHAP authentication with the SDSs and the SDRs with no manual intervention.
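The challenge-response exchange that CHAP is built on, as an added example that is not from this page or from the product. It uses the generic RFC 1994 construction (MD5 over identifier, secret and challenge); the product's internal algorithm and message format are not stated here. The `Peer` class, the `mutual_chap` function and the sample secrets are hypothetical.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Peer:
    """One side of a CHAP exchange. It holds the shared secret and never sends it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self._pending = {}  # identifier -> challenge issued and not yet answered
        self._next_id = 0

    def issue_challenge(self):
        """Create a fresh random challenge and remember it until it is answered."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256  # identifier is one octet
        challenge = os.urandom(16)
        self._pending[ident] = challenge
        return ident, challenge

    def respond(self, ident: int, challenge: bytes) -> bytes:
        """Answer the other side's challenge using the local copy of the secret."""
        return chap_response(ident, self.secret, challenge)

    def verify(self, ident: int, response: bytes) -> bool:
        """Check a response; each challenge is single use, so a replay fails."""
        challenge = self._pending.pop(ident, None)
        if challenge is None:
            return False
        expected = chap_response(ident, self.secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def mutual_chap(a: Peer, b: Peer) -> bool:
    """Mutual authentication: each side challenges the other and both must pass."""
    id_a, ch_a = a.issue_challenge()
    b_ok = a.verify(id_a, b.respond(id_a, ch_a))
    id_b, ch_b = b.issue_challenge()
    a_ok = b.verify(id_b, a.respond(id_b, ch_b))
    return a_ok and b_ok
```

Only the identifier, the random challenge and the digest cross the wire, which is why every SDC has to hold its generated password locally before authentication is enabled.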
Prerequisites
Enable SDC authentication according to the following rules:
v3.5 or later must be installed on the SDC
For each SDC, a CHAP authentication password is generated by the MDM
All SDCs must be configured with their generated passwords
Run the --check_sdc_authentication_status command to check the status of the SDCs and whether they are ready to authenticate
About this task
NOTE: Using CHAP authentication with SDC also means that an SDC can only perform I/O operations on volumes explicitly mapped to it. The SDS will block SDC I/O operations on unmapped volumes.
NOTE: CHAP authentication is also used internally for I/O authentication to the SDS and SDR; however, it is always enabled and not controlled by the user.
This procedure describes how to enable SDC authentication.
Steps
Get the shared generated password for SDC from the MDM using the command:
The reason parameter (mandatory) is used to verify that the SDC password is being reset and not changed by accident. The reason is stored in the MDM events log.
NOTE: SDCs not configured with a password are disconnected after the feature is enabled in step 3.
Copy the password that was generated in
<SDC_PASSWORD_STRING>, used in the next step.
NOTE: The file option is required for password persistency, for cases such as service scini restart or SDC reboot. Open the file to verify that the <SDC_PASSWORD_STRING> is logged at the end of the MDM line.
A string is returned representing all of the ESXi configuration parameters currently set. Copy the string with the enclosing quotation marks and paste in a text editor for editing.
At the end of the string, add the following text, within the quotation marks:
--run_test runs a connectivity test to check whether the SDCs can successfully authenticate using CHAP
--filename <FILENAME> is the full file name and path for the generated report.
The command sends a report that includes the SDCs authentication password status.
NOTE: When running this command, the SDCs are disconnected for a very short period from the MDM. This does not interrupt running I/Os or have any impact on MDM/SDC activity. It is recommended to run the command when the system is in a healthy state and not during rebalancing or rebuilding operations.
To enable SDC authentication, run the following command:
scli --set_sdc_authentication --enable
To disable SDC authentication, run the following command:
scli --set_sdc_authentication --disable
Reboot the ESXi for the configuration to take effect.
Results
SDC authentication is enabled or disabled.