American Dynamics RAID Storage System iscsi Software User s Manual Release v2.0 April 2006
# /tmp/hello Hello, World! 3 + 4 = 7 How to Contact American Dynamics American Dynamics (800) 507-6268 or (561) 912-6259 http://www.americandynamics.net/ Font Conventions This manual uses the following highlighting conventions: n n n n n n n Boldface indicates graphical user interface (GUI) controls such as the names of menus and fields, the text found within the fields, or drop box entries and selections. It is also used to highlight terms in the glossary. Bold Helvetica indicates buttons. Italics indicates book titles and emphasized words. Courier font indicates code, commands, file names, directory paths, command prompts, and program output. Example: wconfig Italic Courier font indicates a variable in a command that you should replace with a value of the appropriate type. Example: IP_Address Blue Courier font indicates complete Internet addresses (URLs). Example: http://www.americandynamics.net/ The following format indicates code displayed on screen. The command prompt and program output are displayed in Courier font. Code that is to be entered by the user is displayed in bold Courier font. This documentation has been licensed to American Dynamics and is copyright 2006 by Wasabi Systems Inc. All rights reserved. No part of this document may be reproduced, modified, or distributed in any form or by any means without the prior express written consent of American Dynamics Please contact American Dynamics for additional copyright information. Flashware is a registered trademark of Wasabi Systems Inc. All other brand and product names are trademarks of their respective owners. ii American Dymamics RAID Storage System iscsi Software User s Manual
Contents Introduction... 1 Features... 2 iscsi Features... 2 General iscsi Features... 2 iscsi Credential Features... 2 iscsi Portal Features... 2 iscsi Node Features... 2 RAID Features... 3 Volume Management Features... 3 Configuration and Management Features... 4 Graphical User Interface Features... 4 Command Line Interface Features... 4 Required Rebooting... 5 Graphical User Interface... 7 Using the Graphic User Interface... 8 Logging In... 8 Navigating the GUI... 9 Entering Data into the GUI... 10 System Menu... 11 General Menu... 12 General - Overview Tab... 12 General - Password Tab... 13 Modify the Administration Password... 13 General - Flashware Tab... 14 Uploading a New Flashware Image... 14 Restoring the Backup Flashware Image... 14 General - Config DB Tab... 15 Backing up the Configuration Database... 15 Recovering the Configuration Database... 16 Restoring the Backup Configuration Database... 16 American Dymamics RAID Storage System iscsi Software User s Manual iii
Contents Restoring the Factory Default Configuration Database... 16 General - License Tab... 17 Backing up the License... 17 Recovering the License or Uploading a New License... 17 Restoring the Backup License... 17 General - Diagnostics Tab... 18 General - Power Tab... 19 Rebooting the IP-SAN Appliance... 19 Powering Off the IP-SAN Appliance... 19 Managing the iscsi Target... 20 iscsi Target Automatic Start-up Configuration... 20 Notification Menu... 21 Notification - View System Log Tab... 21 Viewing the Entire System Log... 22 Downloading the Entire System Log... 22 Notification - System Log Options Tab... 22 Enabling Remote System Logging... 22 Disabling Remote System Logging... 22 Notification - Email Notification Tab... 23 Email Notification Field Descriptions... 23 Add a To Row... 24 Remove a To Row... 24 Sending A Test Notification Message... 24 Management Menu... 25 Network Menu... 26 Network - Overview Tab... 26 Network - General Tab... 27 General Network Settings Field Descriptions... 27 Network - Interface Tab... 29 View Network Interface Details... 30 Network Interface Field Descriptions... 31 Network - Remote Console Tab... 33 Remote Console Configuration Field Descriptions... 33 Remote Console Management Options... 33 Network - Ping Tab... 34 Ping a Remote IPv4 Host... 34 Network - Ping6 Tab... 35 Ping a Remote IPv6 Host... 35 Network - SLP Tab... 36 iv American Dymamics RAID Storage System iscsi Software User s Manual
Contents SLP Configuration Field Descriptions... 37 SLP Service Agent Management Options... 37 Access Control Menu... 38 Access Control - Overview Tab... 38 Access Control - iscsi Credentials Tab... 39 Create a New iscsi Credential... 39 View iscsi Credential Details... 40 iscsi Credential Field Descriptions... 40 Add an IP Address Range... 41 Remove an IP Address Range... 42 Add an Empty Credential... 42 Add a CHAP Credential... 42 Remove a Credential... 42 IP-SAN Menu... 43 IP-SAN - Overview Tab... 43 IP-SAN - iscsi Portals Tab... 44 Create a New iscsi Portal... 44 View iscsi Portal Details... 45 iscsi Portal Field Descriptions... 45 Specify an IP Address... 47 Specify a Network Interface... 47 IP-SAN - iscsi Nodes Tab... 48 Remove an Existing iscsi Node... 48 Create a New iscsi Node... 49 View iscsi Node Details... 49 iscsi Node Field Descriptions... 51 Create a New Virtual Disk... 54 Reattach an Unattached Virtual Disk... 54 IP-SAN - isns Tab... 55 isns Configuration Field Descriptions... 55 Volumes Menu... 56 Volumes - Volume Groups Submenu... 57 Create a New Volume Group... 57 Delete a Volume Group... 58 View Volume Group Details... 59 Volume Group Field Descriptions... 59 Volumes - Volume Units Submenu... 61 Configure a Volume Unit... 61 View Volume Unit Details... 61 American Dymamics RAID Storage System iscsi Software User s Manual v
Contents Volume Unit Field Descriptions... 62 Volumes - 3ware RAID Submenu... 63 Volumes - 3ware RAID - Overview Tab... 63 Volumes - 3ware RAID - Controller Parameters Tab... 64 Controller Parameter Field Descriptions... 64 Volumes - 3ware RAID - Physical Disks Tab... 66 Rescanning the Controller For New Physical Disks... 66 Replace a Defective Physical Disk... 66 View Physical Disk Details... 67 Physical Disk Field Descriptions... 68 Volumes - 3ware RAID - Logical Disks Tab... 69 Create a New Logical Disk... 69 Delete a Logical Disk... 70 View Logical Disk Details... 70 Logical Disk Field Descriptions... 71 Command Line Interface... 75 Using the Command Line Interface... 76 Logging in... 76 Command History and Command Line Editing... 76 Context-sensitive Help and Command Completion... 77 Commands... 78 date... 78 exit... 78 help... 78 history... 79 hostname... 79 ifconfig... 80 ping... 81 ping6... 82 poweroff... 82 quit... 82 reboot... 82 route... 83 wct... 83 vi American Dymamics RAID Storage System iscsi Software User s Manual
Contents Known Interoperability Issues... 85 Troubleshooting... 87 IP-SAN Appliance Configuration... 87 IP-SAN Appliance Operation... 88 LUN Masking... 91 Target Masking... 92 isns Discovery Domains... 93 More on Target Masking... 94 Managing iscsi Credentials... 97 Model One... 97 Model Two... 97 Model Three... 99 Model Four... 101 Model Five... 102 Using CHAP with the Microsoft iscsi Initiator... 103 RAID 50... 109 Glossary... 111 American Dymamics RAID Storage System iscsi Software User s Manual vii
Contents viii American Dymamics RAID Storage System iscsi Software User s Manual
1 Introduction Congratulations on your purchase of a storage system based on American Dynamics RAID Storage System. Your American Dynamics RAID Storage System based IP-SAN appliance may be deployed in an IP-based Storage Area Network (IP-SAN), or used as IP-based Direct-Attached Storage (IP-DAS) on a dedicated system. The disk array on your IP-SAN appliance may be partitioned into multiple virtual disks, giving you a great deal of flexibility in how your storage is provisioned. This User s Manual is designed to document all of the features available in your IP-SAN appliance. American Dymamics RAID Storage System iscsi Software User s Manual 1
Introduction Features Your IP-SAN appliance includes a rich feature set designed to maximize the interoperability and flexibility of your storage system. iscsi Features Your IP-SAN appliance is compatible with any iscsi initiator that is compliant with the iscsi protocol specification (RFC 3720). The American Dynamics RAID Storage System iscsi features are grouped into four categories: General features, Credential features, Portal features, and Node features. General iscsi Features Your IP-SAN appliance supports basic target discovery (ListTargets). It also supports target discovery using the Service Location Protocol (SLP), and the Internet Storage Name Service protocol (isns). Your IP-SAN appliance can use SLP to locate isns servers on a network. Your IP-SAN appliance also supports the optional CRC32C header and data integrity checking algorithm. iscsi Credential Features An iscsi Credential is an authentication method, and a set of credentials used by the initiator to log into the target server. The credentials presented to the target server may affect which target devices the initiator is allowed to use. Your IP-SAN appliance supports the Challenge Handshake Authentication Protocol (CHAP) authentication scheme. In this scheme, the initiator is required to provide a CHAP login name and a password (also called a CHAP secret). The credentials are securely transmitted over the network and validated by the target. Mutual CHAP, where the target must also provide a set of CHAP credentials to the initiator, is also supported. Your IP-SAN appliance also supports the use of no credentials. This option is not recommended for IP-SAN environments, but it may be useful for IP-DAS configurations, and for troubleshooting purposes. iscsi Portal Features An iscsi Portal is a network address and port number used for iscsi communication. Your IP-SAN appliance allows an iscsi Portal to be bound to an IP address or to a specific network interface. By binding to a specific network interface, the iscsi Portal will automatically use the IP address assigned to that interface. iscsi Node Features An iscsi Node is an actual target device that is presented to the initiator. An iscsi Node has an associated name, which is provided to the initiator during the target 2 American Dymamics RAID Storage System iscsi Software User s Manual
Features discovery phase. Your IP-SAN appliance s iscsi Nodes are virtual disks that simulate a direct-access block device using 512-byte sectors. All iscsi Nodes have a single logical unit (LU). Multiple virtual disks may be created on a single storage array, simply by creating multiple iscsi Nodes. These virtual disks may be as small as 1MB and as large as the underlying storage array. CAUTION The iscsi specification allows multiple initiators to log into the same iscsi node. However, the iscsi specification does not provide a mechanism to support simultaneous data sharing between initiators. Therefore, it is possible for data corruption to occur if multiple initiators attempt to access the same data at the same time without coordinating their access. Storage management software or clustering software (such as Microsoft Cluster) are designed to coordinate such access. Some file systems are also designed to support multiple clients simultaneously accessing the same nodes. DO NOT allow more than one initiator to log into a target without access coordination. RAID Features Your IP-SAN appliance features 3ware RAID data protection technology from Applied Micro Circuits Corp. (AMCC). RAID levels 0, 1, 5, and 10 are available. Some controllers may support RAID 50. NOTE It is possible to use RAID 50 (on controllers that don t support it) by combining RAID 5 at the Logical Disks level with RAID 0 at the Volume Group level. For more information, see RAID 50 on page 109. Using your IP-SAN appliance s Graphical User Interface, you can: n Create RAID arrays. n Delete RAID arrays. n Verify the data on RAID arrays. n Rebuild degraded RAID arrays. n Manage spare physical drives. n Control warm insertion and removal of physical drives. n View the status of RAID arrays. n Control various policy parameters on the RAID controllers. Volume Management Features Your IP-SAN appliance includes a volume manager that allows RAID arrays to be combined into larger volumes. Individual RAID arrays are referred to as Volume Units. Volume Units are assembled into Volume Groups. Volume Groups are named volumes from which all storage on your IP-SAN appliance is exported. Volume Groups are comprised of at least one Volume Unit and may be configured as a Span Group (Volume American Dymamics RAID Storage System iscsi Software User s Manual 3
Introduction Units are serially concatenated) or as a RAID 0 Group. Span Groups provide the most efficient use of space if the Volume Units are not of uniform size. RAID 0 Groups may provide increased performance in some situations. If Volume Units of different sizes are configured into a RAID 0 Group, all Volume Units will be truncated to the size of the smallest Volume Unit in the Group. Configuration and Management Features Your IP-SAN appliance includes a Graphical User Interface (GUI). All supported features are configured using a standard web browser. Your IP-SAN appliance also includes a simple Command Line Interface (CLI) that is accessible from the console. The CLI can be used for troubleshooting, and for initial network configuration to set up the use of the GUI. Graphical User Interface Features In addition to the configuration of network and storage parameters, your IP-SAN appliance s GUI includes the following features: n n n n n n n Optional administration password to prevent unwanted access. Flashware image management. All of the software components of your IP-SAN appliance are contained in a single Flashware image. This feature allows these software components to be updated easily. Configuration database management. All of your IP-SAN appliance s configuration information is stored in a database resident in the flash memory. The current configuration database can be downloaded from the appliance for backup purposes, and a previously downloaded configuration can be restored by uploading it to the appliance. Support for viewing the system log. Support for email notification. Support for rebooting and powering-off the appliance. Support for license upload and download. Command Line Interface Features The CLI on your IP-SAN appliance is designed for network configuration, bootstrapping, and troubleshooting. Storage and iscsi parameters may not be configured from the CLI. The CLI features a command set that will be familiar to Unix users, and includes context-sensitive help. 4 American Dymamics RAID Storage System iscsi Software User s Manual
Required Rebooting Required Rebooting American Dynamics RAID Storage System requires that the IP-SAN appliance be rebooted after the following configuration parameters are changed in order for those changes to take effect: General Flashware Tab After uploading a new Flashware image, the IP-SAN appliance must be rebooted in order to begin using the updated software. Network General Tab n n n n Host name DNS search DNS name servers IPv4 default route n IPv6 mode Network Interface Tab n n n n Desired IPv4 address Desired IPv4 netmask Desired IPv6 address Desired IPv6 prefix length American Dymamics RAID Storage System iscsi Software User s Manual 5
Introduction 6 American Dymamics RAID Storage System iscsi Software User s Manual
2 Graphical User Interface The Graphical User Interface (GUI) is the primary configuration and management interface for your IP-SAN appliance. This chapter describes all the elements of the GUI. The chapter organization corresponds to the order of the menus in the left side-bar menu. n n n n n n n n System Menu General Menu Notification Menu Management Menu Network Menu Access Control Menu IP-SAN Menu Volumes Menu American Dymamics RAID Storage System iscsi Software User s Manual 7
Graphical User Interface Using the Graphic User Interface This section briefly describes logging in, navigating, and entering data into the Graphical User Interface (GUI). Logging In The GUI is optionally password-protected. If an administration password has been set, you will be presented with a login dialog when you connect to the GUI. When logging in to the GUI, you must always use the user name admin as shown above. 8 American Dymamics RAID Storage System iscsi Software User s Manual
Using the Graphic User Interface Navigating the GUI The GUI uses hierarchical menus. A menu navigation bar appears on the left side of the screen. This is called the left side-bar menu. When you select an option from the left side-bar menu, you will be taken to a screen that shows an overview of the selection. Above the overview are a series of tabs that select specific tasks or options. Some left side-bar menu selections will drop open another level of menu selections in the left side-bar menu. Selecting one of these additional menu options may take you to an overview screen with tabs, or may take you directly to a selection. All menu navigation paths are represented in this document as: First Level Second Level Third Level First Level is always a left side-bar menu selection. Second Level may be a tab or an additional left side-bar sub-menu selection. Third Level, if specified, is always a tab. American Dymamics RAID Storage System iscsi Software User s Manual 9
Graphical User Interface Entering Data into the GUI When entering configuration information into the dialog screens, required fields are labelled in bold-face in the GUI, and optional fields are labelled in normal type. For example, in the following screen, iscsi Initiators is an optional field. Some parameters can contain multiple values. A GUI object called a multi-field is used for such parameters. A multi-field always includes a blank field followed by an ellipsis (...). For example, in the above screen, iscsi Initiators and Credentials are multi-fields. When creating a new configuration object, as in the above screen, only one value may be set in each multi-field. You may always add additional values to multi-fields after the configuration object has been created by navigating to that object s details screen. To add a value to a multi-field in the object s details screen, enter the new value into the blank field and click APPLY. This will save the additional value to the configuration database and add a new blank field. To delete a value from a multi-field, change the drop-box to (unset) or clear the value from the text field containing the value (if the multi-field has no drop-box), and click APPLY. This will remove the cleared value from the configuration database and collapse the multi-field. 10 American Dymamics RAID Storage System iscsi Software User s Manual
System Menu System Menu The System menu displays an introduction to the IP-SAN appliance GUI. American Dymamics RAID Storage System iscsi Software User s Manual 11
Graphical User Interface General Menu The General menu provides access to various general system settings. By default, the General Overview tab is shown. General - Overview Tab This tab displays a general overview of the IP-SAN appliance s status. 12 American Dymamics RAID Storage System iscsi Software User s Manual
General Menu General - Password Tab Access to the GUI and CLI of the IP-SAN appliance can be protected with an administration password. Modify the Administration Password This tab allows modification of the administration password. To modify the administration password: 1. Enter the new administration password in the New password field. If you do not wish to use an administration password, leave the field blank. 2. Enter the new administration password again in the Retype new password field. If you do not wish to use an administration password, leave the field blank. 3. Click APPLY. If the two passwords entered are the same, the administration password will be changed. If the two password fields were left blank, then the existing administration password will be cleared. NOTE If you set a new password and then attempt to perform additional configuration or management tasks, you will be presented with a login dialog and required to provide the new password. American Dymamics RAID Storage System iscsi Software User s Manual 13
Graphical User Interface General - Flashware Tab This tab allows manipulation of the IP-SAN appliance s Flashware images. Uploading a New Flashware Image To upload a new Flashware image to the IP-SAN appliance: 1. Click Browse... 2. Select the Flashware image on your local system by using your browser s file selection dialog. 3. Click the UPLOAD button. The file you selected will be uploaded from your browser to the IP-SAN appliance and checked that it is valid Flashware image. Once that occurs, the existing Current Flashware image will be backed up on the IP-SAN appliance, and your file will be installed as the Current Flashware image to be used the next time the IP-SAN appliance boots. Restoring the Backup Flashware Image To restore the previous Backup Flashware image on the IP-SAN appliance: 1. Click the RESTORE button next to the Backup Flashware image that you wish to restore. A screen asking you to confirm the Restore from backup operation will appear. 2. Click CONFIRM to proceed, or click CANCEL to cancel the restore operation. 14 American Dymamics RAID Storage System iscsi Software User s Manual
General Menu General - Config DB Tab This tab allows manipulation of the IP-SAN appliance s configuration database. Backing up the Configuration Database To back up the configuration database of the IP-SAN appliance to a local system: 1. Click the Active link. 2. Save the configuration database locally using your browser s file save dialog. The default filename is config.wdb. IMPORTANT We recommend that you make a backup of the configuration database. Although it is highly unlikely, failure of the Compact Flash or DOM in which American Dynamics RAID Storage System resides would result in the loss of the iscsi node information. With the loss of the iscsi node information, the data that were contained in those iscsi nodes would be inaccessible. With a backup configuration database file, the iscsi node information and other settings could be restored, and data access reestablished. The configuration database should be backed up whenever a change is made to the configuration (IP address, new nodes added, etc.). American Dymamics RAID Storage System iscsi Software User s Manual 15
Graphical User Interface Recovering the Configuration Database To restore the configuration database of the IP-SAN appliance from a backup previously made to a local system: 1. Click Browse... 2. Select the configuration database backup file on your local system by using your browser s file selection dialog. 3. Click the UPLOAD button. The file you selected will be uploaded from your browser to the IP-SAN appliance and checked that it is a valid configuration database. Once that occurs, the existing configuration database will be backed up on the IP-SAN appliance, and your file will be installed as the Active configuration database to be used once the upload completes successfully. Restoring the Backup Configuration Database To restore the previous Backup configuration database: 1. Click the RESTORE button next to the Backup configuration database that you wish to restore. A screen asking to confirm the Restore from backup operation will appear. 2. Click CONFIRM to proceed, or click CANCEL to cancel the restore operation. Restoring the Factory Default Configuration Database The IP-SAN appliance s configuration can be restored to the factory default configuration. To restore the factory default configuration: 1. Click the RESTORE TO DEFAULTS button next to the Active configuration database. A screen asking to confirm the Reset to factory defaults operation will appear. 2. Click CONFIRM to proceed, or click CANCEL to cancel the reset operation. NOTE You can undo this operation by using the operations documented in Restoring the Backup Configuration Database above. 16 American Dymamics RAID Storage System iscsi Software User s Manual
General Menu General - License Tab This tab allows manipulation of the IP-SAN appliance s license. Backing up the License To back up the license of the IP-SAN appliance to a local system: 1. Click the Active or Backup links. 2. The license will be displayed in your browser. Save the license locally using your browser s file save option. The default filename is license.crt for the Active license, and license-backup.crt for the Backup license. Recovering the License or Uploading a New License To recover a license or upload a new license to the IP-SAN appliance: 1. Click Browse... 2. Select the license file on your local system by using your browser s file selection dialog. 3. Click the UPLOAD button. The file you selected will be uploaded from your browser to the IP-SAN appliance and checked that it is valid license. Once that occurs, the existing license image will be backed up on the IP-SAN appliance, and your file will be installed as the Active license to be used immediately. Restoring the Backup License To restore the previous Backup license: 1. Click the RESTORE button next to the Backup license that you wish to restore. A screen asking to confirm the Restore from backup operation will appear. 2. Click CONFIRM to proceed, or click CANCEL to cancel the restore operation. American Dymamics RAID Storage System iscsi Software User s Manual 17
Graphical User Interface General - Diagnostics Tab This tab allows diagnostic information to be retrieved from the target system, typically in response to a direct request from a technical support engineer. After choosing the data you wish to retrieve and entering a password for the archive, a compressed file will be automatically generated for download. Setting Clear Archive Reports to Yes or rebooting the system will remove any previous reports generated. 18 American Dymamics RAID Storage System iscsi Software User s Manual
General Menu General - Power Tab This tab allows control of the IP-SAN appliance s power and the iscsi target. Rebooting the IP-SAN Appliance 1. Click REBOOT. A screen asking to confirm the Reboot operation will appear. 2. Click CONFIRM to proceed, or click CANCEL to cancel the reboot. After a short pause, the IP-SAN appliance will reboot. Rebooting may take several minutes. You will automatically be redirected to the IP-SAN appliance home page in two minutes. Powering Off the IP-SAN Appliance 1. Click POWER OFF. A screen asking to confirm the Power off operation will appear. 2. Click CONFIRM to proceed, or click CANCEL to cancel the power off. After a short pause, the IP-SAN appliance will power off. American Dymamics RAID Storage System iscsi Software User s Manual 19
Graphical User Interface Managing the iscsi Target The iscsi Target can be started, stopped, or restarted with these buttons. Starting the iscsi Target If the iscsi Target is not running, it may be started by clicking the START button. A screen displaying the status of the start of the iscsi Target will appear, and in a few seconds you will be redirected back to the General Power tab. Restarting the iscsi Target If the iscsi Target is running, it may be restarted by clicking the RESTART button. A screen displaying the status of the restart of the iscsi Target will appear, and in a few seconds you will be redirected back to the General Power tab. Stopping the iscsi Target If the iscsi Target is running, it may be stopped by clicking the STOP button. A screen displaying the status of the stop of the iscsi Target will appear, and in a few seconds you will be redirected back to the General Power tab. iscsi Target Automatic Start-up Configuration By default, the iscsi Target is not configured to start up automatically when your IP-SAN appliance boots up. This ensures that no iscsi initiators will be able to communicate with the IP-SAN appliance until after it has been properly configured by the system administrator. This option should be changed to Yes once the desired configuration has been established. To configure the iscsi Target to start automatically when the IP-SAN appliance boots up: 1. Select Yes from the iscsi target enabled at next boot drop box in the iscsi Target Boot Options section. 2. Click APPLY. 20 American Dymamics RAID Storage System iscsi Software User s Manual
Notification Menu Notification Menu This menu allows you to manipulate the IP-SAN appliance s system log and configure email notification settings. By default, the Notification View System Log tab is shown. Notification - View System Log Tab This tab displays the recent system log messages from the IP-SAN appliance. American Dymamics RAID Storage System iscsi Software User s Manual 21
Graphical User Interface Viewing the Entire System Log To view the IP-SAN appliance s entire system log since boot, click DOWNLOAD LOG. A screen displaying the entire system log as a raw text file will appear. Downloading the Entire System Log To download the IP-SAN appliance s entire system log since boot: 1. Shift-click DOWNLOAD LOG. 2. Save the configuration database locally using your browser s file save dialog. The default filename is log.txt. Notification - System Log Options Tab Your IP-SAN appliance is capable of optionally logging informational and error messages to a remote log host using the syslog protocol. Enabling Remote System Logging To enable remote system logging: 1. Enter the DNS name or IP address of the remote log host into the field labeled Remote log host. 2. Click APPLY. IMPORTANT A separate syslog server running on a separate machine is required in order for remote logging to function correctly. Disabling Remote System Logging To disable remote system logging: 1. Clear the DNS name or IP address of the remote log host from the field labeled Remote log host. 2. Click APPLY. 22 American Dymamics RAID Storage System iscsi Software User s Manual
Notification Menu Notification - Email Notification Tab Your IP-SAN appliance is capable of optionally sending email notifications of various system log events to remote email addresses. Email Notification Field Descriptions The following is a description of each Email Notification field. Email Notification Enabled Drop-Box The Email Notification enabled drop-box controls whether email notification is enabled in the IP-SAN appliance. NOTE Other fields including From, Mail hosts, and To need to be configured before email notification will function correctly. From Field The From field defines the email address used in the From: header of the email notification messages sent by the IP-SAN appliance. American Dymamics RAID Storage System iscsi Software User s Manual 23
Graphical User Interface Mail Hosts Field The Mail hosts multi-field contains the DNS names or IP addresses of the SMTP smart hosts that the IP-SAN appliance sends email notification messages through. NOTE At this time only the first Mail host entry will be used; second and subsequent entries will be ignored. To Field The To multi-field contains mappings between notification message priorities and email addresses to send the messages to. Each To multi-field row includes the message priority as a drop-box, and the email address as a text field. The message priority determines which notifications the email address will receive. A given priority selects all messages at that level and above. The supported message priorities in order of highest to lowest priority are: Error Error messages. Warning and Error Warning and error messages. Info, Warning, and Error Informational, warning, and error messages. Add a To Row To add a To row to the list: 1. Select the priority from the drop-box in the last row of the To multi-field. 2. Enter the email address into the text field in the last row of the To multi-field. 3. Click APPLY. Remove a To Row To remove a To row from the list: 1. Select (unset) in the drop-box of the row that you wish to remove. 2. Click APPLY under Email Notification. Sending A Test Notification Message To send a test email notification message: 1. Select the priority of the test message from the Test message priority drop-box. 2. Optionally enter a comment describing the test message into the Test message comment field. 3. Click APPLY under Sent Test Notification Message. 24 American Dymamics RAID Storage System iscsi Software User s Manual
Management Menu Management Menu The Management menu displays an overview of the IP-SAN appliance s system configuration. Various images may be clicked on to directly access the screen to configure the appropriate sub-system. American Dymamics RAID Storage System iscsi Software User s Manual 25
Graphical User Interface Network Menu This menu allows you to manipulate the IP-SAN appliance s network configuration. By default, the Network Overview tab is shown. Network - Overview Tab This tab displays an overview of the network configuration. Various images may be clicked on to directly access the screen to configure the appropriate sub-system. 26 American Dymamics RAID Storage System iscsi Software User s Manual
Network Menu Network - General Tab This tab allows configuration of general network settings. After you have finished modifying the settings, click APPLY. General Network Settings Field Descriptions The following is a description of each General Network Settings and DNS Parameters field. Host Name Field The Host name field contains the host name of the IP-SAN appliance. The host name is used as part of the default iscsi node name. See Name Field on page 51. It is important to remember that the host name of your IP-SAN appliance must be set for proper operation. NOTE The new setting will take effect after the IP-SAN appliance is rebooted. DNS Search Field The DNS search multi-field contains the search list order for Internet Domain Name System (DNS) lookups. If a DNS name query does not find a match, the requested name has each component of the DNS search list appended in turn until a match is found. NOTE The new settings will take effect after the IP-SAN appliance is rebooted. American Dymamics RAID Storage System iscsi Software User s Manual 27
Graphical User Interface DNS Name Servers Field The DNS name servers multi-field contains the IP addresses of the DNS name servers to query for DNS lookups. NOTE The new settings will take effect after the IP-SAN appliance is rebooted. IPv4 Default Route Field The IPv4 Default route field contains the IPv4 address of default route. The default route should be on the same subnet as one of the network interfaces. See Network - Interface Tab below. NOTE The new setting will take effect after the IP-SAN appliance is rebooted. IPv6 Mode Controls The IPv6 mode controls allow you to select between automatic configuration of IPv6 addresses and routes, and the manual configuration of IPv6 routes. To enable IPv6 automatic configuration: 1. Select the radio button next to the field labeled Auto configuration. 2. Click APPLY. To manually specify the IPv6 default route and interface configuration: 1. Select the radio button next to the field labeled Manual. 2. Enter the IPv6 address of the default IPv6 router or gateway into the field labelled IPv6 default route. 3. Click APPLY. 28 American Dymamics RAID Storage System iscsi Software User s Manual
Network Menu Network - Interface Tab This tab allows you to view and modify the parameters of your IP-SAN appliance s network interfaces. This screen displays a network interface summary. From this summary screen, you can view additional information for a listed interface, or modify the parameters for that interface, by navigating from this page to a specific Network Interface ID page. American Dymamics RAID Storage System iscsi Software User s Manual 29
Graphical User Interface View Network Interface Details To view additional information about a specific interface, click DETAILS from the interface summary screen. You may modify several of the interface s parameters from the details screen. After you have finished modifying the parameters, click APPLY. 30 American Dymamics RAID Storage System iscsi Software User s Manual
Network Menu Network Interface Field Descriptions The following is a description of each Network Interface field. ID Field The ID field is a string that uniquely identifies a network interface on the IP-SAN appliance. This field cannot be changed. Description Field The Description field is a string that describes the interface. This field cannot be changed. Type Field The Type field is a string that describes the type of the interface. This field cannot be changed. Flags Field The Flags field is a string that describes the various flags enabled on the interface. This field cannot be changed. Hardware Address Field The Hardware Address field is a string that describes the hardware address of the interface. This field cannot be changed. Status Field The Status field is a string that describes the media link status of the interface. This field cannot be changed. Active Media Field The Active Media field is a string that describes the currently active media type of the interface. This field cannot be changed. Requested Media Field The Requested Media field is a string that describes the currently requested media type of the interface. This field cannot be changed. MTU Drop-Box The MTU drop-box contains the MTU (Maximum Transmission Unit) of the interface. The MTU is the largest packet that can be sent on a network interface. NOTE Not all network interface types support changing the MTU. Capabilities Check List The Capabilities check list contains a list of hardware-assist capabilities supported by the interface. A checked box indicates the capability is enabled. NOTE Not all network interface types support hardware-assist capabilities. American Dymamics RAID Storage System iscsi Software User s Manual 31
Graphical User Interface Current IPv4 Addresses Field The Current IPv4 addresses field contains the IPv4 address and netmask pairs currently configured on the interface. This field cannot be changed. Requested IPv4 Address Field The Requested IPv4 address field contains the IPv4 address of the interface. Requested IPv4 Netmask Field The Requested IPv4 netmask field contains the IPv4 netmask of the interface. NOTE If you change the IPv4 Address or the IPv4 Netmask, the new settings will take effect after the IP-SAN appliance is rebooted. IPv6 Auto Configuration Field The IPv6 auto configuration field displays whether IPv6 automatic configuration is enabled or not. This value is derived from the IPv6 mode control under Network - General Tab on page 27. This field cannot be changed here. Current IPv6 Addresses Field The Current IPv6 addresses field contains the IPv6 address and prefix length pairs currently configured on the interface. This field cannot be changed. Requested IPv6 Address Field The Requested IPv6 address field contains the desired IPv6 address of the interface. NOTE: When IPv6 is used in the IP-SAN appliance, global addresses are recommended. Network interfaces containing IPv6 link-local and site-local addresses cannot be bound to an iscsi portal. Requested IPv6 Prefix Length Field The Requested IPv6 prefix length field contains the desired prefix length for the IPv6 address of the interface. 32 American Dymamics RAID Storage System iscsi Software User s Manual
Network Menu Network - Remote Console Tab The IP-SAN appliance includes support for accessing the CLI console remotely via the telnet protocol. After you have finished modifying the settings, click APPLY. NOTE The use of telnet for remote console is completely optional. Remote Console Configuration Field Descriptions Remote Console Enabled At Next Boot Drop-Box The Remote console enabled at next boot drop-box controls whether the remote console telnet service is enabled at the next system boot. Remote Console Management Options The remote console telnet service can be started, stopped or restarted with these buttons. Starting the Remote Console Service If the remote console telnet service is not running, it may be started by clicking START. The current screen will be refreshed displaying the status of the start of the remote console telnet service. Restarting the Remote Console Service If the remote console telnet service is running, it may be restarted by clicking RESTART.The current screen will be refreshed displaying the status of the restart of the remote console telnet service. Stopping the Remote Console Service If the remote console telnet service is running, it may be stopped by clicking STOP. The current screen will be refreshed displaying the status of the stop of the remote console telnet service. American Dymamics RAID Storage System iscsi Software User s Manual 33
Graphical User Interface Network - Ping Tab This tab allows you to ping a remote IPv4 host. Ping a Remote IPv4 Host To ping a remote IPv4 host with ICMP ECHO REQUESTS to test network connectivity: 1. Enter the DNS name or IPv4 address of the remote IPv4 host into the field labeled Remote host name / IPv4 address. 2. Click PING. Five ping packets will be sent to the remote host and the results displayed on the page. 34 American Dymamics RAID Storage System iscsi Software User s Manual
Network Menu Network - Ping6 Tab This tab allows you to ping a remote IPv6 host. Ping a Remote IPv6 Host To ping a remote host with ICMPv6 ECHO REQUESTS to test network connectivity: 1. Enter the DNS name or IPv6 address of the remote IPv6 host into the field labeled Remote host name / IPv6 address. 2. Click PING. Five ICMPv6 ping packets will be sent to the remote IPv6 host and the results displayed on the page. American Dymamics RAID Storage System iscsi Software User s Manual 35
Graphical User Interface Network - SLP Tab The IP-SAN appliance includes support for the Service Location Protocol (SLP). SLP allows applications to discover the existence, location, and configuration of services on a network. In addition to registration of iscsi Nodes with the SLP Directory Agent, the IP-SAN appliance can use SLP to discover other services on the network that it needs, such as isns. For more information, see IP-SAN - isns Tab on page 55. NOTE The use of SLP is completely optional. This tab allows you to configure the Service Location Protocol (SLP) settings. After you have finished modifying the settings, click APPLY. 36 American Dymamics RAID Storage System iscsi Software User s Manual
Network Menu SLP Configuration Field Descriptions The following is a description of each SLP Configuration field. SLP SA Enabled At Next Boot Drop-Box The SLP SA enabled at next boot drop-box controls whether the SLP Service Agent (SA) is started at the next system boot. SLP Scope Field The SLP scopes multi-field allows specification of SLP scopes other than the default. SLP DA Addresses Field The SLP DA addresses multi-field allows specification of SLP Directory Agent (DA) addresses. NOTE If you do not specify a Directory Agent, the IP-SAN appliance will attempt to automatically discover them on the network. SLP Service Agent Management Options The SLP Service Agent can be started, stopped or restarted with these buttons. Starting the SLP Service Agent If the SLP Service Agent is not running, it may be started by clicking START. The current screen will be refreshed displaying the new status of the SLP Service Agent. Restarting the SLP Service Agent If the SLP Service Agent is running, it may be restarted by clicking RESTART. The current screen will be refreshed displaying the new status of the SLP Service Agent. Stopping the SLP Service Agent If the SLP Service Agent is running, it may be stopped by clicking STOP. The current screen will be refreshed displaying the new status of the SLP Service Agent. American Dymamics RAID Storage System iscsi Software User s Manual 37
Graphical User Interface Access Control Menu This menu allows you to manipulate the IP-SAN appliance s access controls. By default, the Access Control Overview tab is shown. Access Control - Overview Tab This tab displays an overview of the access controls. Various images may be clicked on to directly access the screen to configure the appropriate sub-system. 38 American Dymamics RAID Storage System iscsi Software User s Manual
Access Control Menu Access Control - iscsi Credentials Tab An iscsi Credential is an authentication method and set of credentials used by an iscsi initiator to log into the iscsi target. The credentials presented by the initiator may affect which target devices the initiator is allowed to use. American Dynamics RAID Storage System currently supports the Challenge Handshake Authentication Protocol (CHAP) authentication scheme, as well as the use of no credentials. Two separate credentials must be created for mutual CHAP, one for each set of CHAP secrets. A meaningful description should be used in the Description (Alias) field for each credential. For example, Target Authorization and Initiator Authorization, to remind the you which credential to select within the iscsi Node screen. Upon navigating to this screen, you will see an iscsi Credential summary. NOTE If there are no iscsi Credentials configured, a summary will not be displayed. Create a New iscsi Credential To create a new iscsi Credential: 1. If you are viewing the iscsi Credentials summary screen, click ADD NEW. American Dymamics RAID Storage System iscsi Software User s Manual 39
Graphical User Interface 2. Fill in the required fields and any desired optional fields. The fields are described in detail below. 3. Click ADD NEW. The iscsi Credential will be created and you will be presented with the iscsi Credential s details screen. View iscsi Credential Details To view additional information about a specific iscsi Credential, click DETAILS from the iscsi Credential summary screen. You may modify several of the iscsi Credential s parameters from the details screen. After you have finished modifying the parameters, click APPLY. iscsi Credential Field Descriptions The following is a description of each iscsi Credential field. ID Field The ID field is a non-negative integer that uniquely identifies the iscsi Credential on the IP-SAN appliance. It cannot be changed once the iscsi Credential has been created (by the ADD NEW process). Description (Alias) Field The Description (Alias) field is a user-defined description (or alias) of the iscsi Credential to allow easy identification within the IP-SAN appliance s management tools. It is not part of the iscsi protocol. This field is required. 40 American Dymamics RAID Storage System iscsi Software User s Manual
Access Control Menu iscsi Initiators Field The iscsi Initiators multi-field contains the names of the iscsi initiators (peers) that may use this iscsi Credential. If no names are listed, any initiator may use this iscsi Credential. Address Ranges Field The Address ranges multi-field contains the IP address ranges of the iscsi initiators (peers) that may use this iscsi Credential. If no IP address ranges are listed, any initiator may use this iscsi Credential. Each IP address range multi-field row is comprised of: n The IP address family as a drop-box, n The starting IP address as a text field, and n The ending IP address as a text field. Credentials Field The Credentials multi-field contains the type of credentials to be used for this iscsi Credential. The following credential types are supported: None No credentials are necessary for this iscsi Credential. Use of this option is not recommended except in direct-attached configurations, and for troubleshooting purposes. CHAP Use the Challenge Handshake Authentication Protocol for this iscsi Credential. You must supply the CHAP login name (also referred to as the CHAP user name) and CHAP password (also referred to as the CHAP secret or Target secret). NOTE The CHAP password must be at least 12 characters long. This multi-field must contain at least one credential, even if it is an empty None credential. Each credential multi-field row is comprised of: n The credential type as a drop-box, and n Up to two text fields containing credential type specific information. Add an IP Address Range To add an IP address range to the list: 1. Select the IP address family to use, IPv4 or IPv6 from the first drop-box in the last row of the Address ranges multi-field. American Dymamics RAID Storage System iscsi Software User s Manual 41
Graphical User Interface 2. Enter the starting IP address into the first text field of the last row, using a dotted quad for IPv4. 3. Enter the ending IP address into the second text field of the last row, using the same syntax as the starting IP address. 4. Click APPLY. Remove an IP Address Range To remove an IP address range from the list: 1. Select (unset) in the first drop-box of the row that you wish to remove from the Address ranges multi-field. 2. Click APPLY. Add an Empty Credential To add an empty ( None ) credential to the list: 1. Select None from the first drop-box in the last row of the Credentials multi-field. 2. Leave the other fields in the row empty. 3. Click APPLY. Add a CHAP Credential To add a CHAP credential to the list: 1. Select CHAP from the first drop-box in the last row of the Credentials multi-field. 2. Enter the CHAP login name into the first text field of the row. 3. Enter the CHAP password into the second text field of the row. NOTE Remember, the CHAP password must be at least 12 characters long. 4. Click APPLY. Remove a Credential To remove a credential from the list: 1. Select (unset) in the first drop-box of the row that you wish to remove. 2. Click APPLY. NOTE At least one credential must be defined. 42 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu IP-SAN Menu This menu allows you to manipulate the IP-SAN appliance s IP-SAN (iscsi and isns) configuration. By default, the IP-SAN Overview tab is shown. IP-SAN - Overview Tab This tab displays an overview of the IP-SAN configuration. Various images may be clicked on to directly access the screen to configure the appropriate sub-system. American Dymamics RAID Storage System iscsi Software User s Manual 43
Graphical User Interface IP-SAN - iscsi Portals Tab An iscsi Portal is a network address and port number used for iscsi communication. American Dynamics RAID Storage System allows an iscsi Portal to be bound to an IP address or to a specific network interface port. Upon navigating to this screen, you will see an iscsi Portals summary. NOTE If there are no iscsi Portals configured, a summary will not be displayed. Create a New iscsi Portal To create a new iscsi Portal: 1. If you are viewing the iscsi Portals summary screen, click ADD NEW. 2. Fill in the required fields. The fields are described in detail below. 3. Click ADD NEW. The iscsi Portal will be created and you will be presented with the iscsi Portal s details screen. 44 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu View iscsi Portal Details To view additional information about a specific iscsi Portal, click DETAILS from the iscsi Portals summary screen. You may modify several of the iscsi Portal s parameters from the details screen. After you have finished modifying the parameters, click APPLY. iscsi Portal Field Descriptions The following is a description of each iscsi Portal field. ID Field The ID field is a non-negative integer that uniquely identifies an iscsi Portal on the IP-SAN appliance. It cannot be changed once the iscsi Portal has been created (by the ADD NEW process). Role Drop-Box The Role drop-box defines the iscsi role of the iscsi Portal. American Dynamics RAID Storage System currently supports a role of Target. This field is required. Address Field The Address field contains the IP address or interface that the iscsi Portal uses. This field is required. American Dymamics RAID Storage System iscsi Software User s Manual 45
Graphical User Interface Maximum Receive Length Field The Maximum receive length field controls the maximum amount of data that can be received in an iscsi Protocol Data Unit (PDU) that arrives on this iscsi Portal. If the field is empty, a default value is used. Header Digest Drop-Box The Header digest drop-box controls the order that digests of the iscsi PDU s header are negotiated. The supported values are: (Default) Use the default behavior, which is to accept the value requested by the iscsi initiator. None (require) Only negotiate None (i.e., no digest). None (prefer) Prefer None, but accept CRC32C. CRC32C (require) Only negotiate CRC32C. CRC32C (prefer) Prefer CRC32C, but accept None. Data Digest Drop-Box The Data digest drop-box controls the order that digests of the iscsi PDU s data segment are negotiated. The supported values are: (Default) Use the default behavior, which is to accept the value requested by the iscsi initiator. None (require) Only negotiate None (i.e., no digest). None (prefer) Prefer None, but accept CRC32C. CRC32C (require) Only negotiate CRC32C. CRC32C (prefer) Prefer CRC32C, but accept None. TCP Port Field The TCP port field contains the TCP port that the iscsi Portal uses. This is used in conjunction with the Address field. 46 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu Target Group Field The Target group field contains the iscsi Target Portal Group Tag (TPGT) used by this iscsi Portal. If the field is empty, the iscsi Portal is not associated with a Target Portal Group. Preferred Marker Size Field The Preferred marker size field contains the preferred marker size. If the field is empty, markers are disabled. Specify an IP Address To use a specific IP address for the iscsi Portal: 1. Select the IP address family to use, IPv4 or IPv6 from the first drop-box in the Address row. 2. Select (address) from the second drop-box in the row. 3. Enter the IP address into the text field. Specify a Network Interface To use a specific network interface for the iscsi Portal: 1. Select the IP address family to use, IPv4 or IPv6 from the first drop-box in the Address row. 2. Select the network interface (e.g., Gig-E Port 0 [wm0]) from the second drop-box in the row. 3. Leave the text field empty. American Dymamics RAID Storage System iscsi Software User s Manual 47
Graphical User Interface IP-SAN - iscsi Nodes Tab An iscsi Node is an actual target device that is presented to the initiator. An iscsi Node has an associated name, which is provided to the initiator during the target discovery phase. iscsi Nodes in American Dynamics RAID Storage System are virtual disks with a single logical unit (LU). Multiple virtual disks may be created simply by creating multiple iscsi Nodes. iscsi Nodes must be associated with at least one iscsi Portal and at least one iscsi Credential. Multiple iscsi Credentials and iscsi Portals may be used with a single iscsi Node. Upon navigating to this screen, you will see an iscsi Nodes summary. NOTE If there are no iscsi Nodes configured, a summary will not be displayed. Remove an Existing iscsi Node To delete an exiting iscsi Node: CAUTION This action will destroy all data on the node being deleted. This data cannot be recovered. 1. Click the REMOVE button in the row of the iscsi Node you wish to delete. A confirmation screen will appear. 2. Click CONFIRM. NOTE While the iscsi target device is being removed, this message will be displayed: Removing target device <DeviceID>. Please wait, as this may take a while. 48 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu Create a New iscsi Node To create a new iscsi Node: 1. If you are viewing the iscsi Nodes summary screen, click ADD NEW. 2. Fill in the required fields and any desired optional fields. The fields are described in detail below. 3. Click ADD NEW. The iscsi Node will be created and you will be presented with the iscsi Node s details screen. View iscsi Node Details To view additional information about a specific iscsi Node, click DETAILS from the iscsi Nodes summary screen. You may modify several of the iscsi Node s parameters from the details screen. After you have finished modifying the parameters, click APPLY. American Dymamics RAID Storage System iscsi Software User s Manual 49
Graphical User Interface 50 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu iscsi Node Field Descriptions The following is a description of each iscsi Node field. ID Field The ID field is a non-negative integer that uniquely identifies an iscsi Node on the IP-SAN appliance. It cannot be changed once the iscsi Node has been created (by the ADD NEW process) Role Drop-Box The Role drop-box defines the iscsi role of the iscsi Node. American Dynamics RAID Storage System currently supports a role of Target. This field is required. Name Field The Name field defines the name of the iscsi Node. The default name supplied should be suitable for most applications. This field is required. Description (Alias) Field The Description (Alias) field is a user-defined description (or alias) of the iscsi Node to allow easy identification within the IP-SAN appliance s management tools. Initial R2T Drop-Box The Initial R2T drop-box controls if the initial Ready To Transfer (R2T) PDU is required before the initiator can start sending data to the target. The supported values are: (default) Use the value that gives best performance, which for this parameter is No. Yes The initiator must wait for an R2T from the target before sending Data-Out PDUs. No The initiator is allowed to send Data-Out PDUs without waiting for an R2T from the target. Immediate Data Drop-Box The Immediate Data drop-box controls if the immediate unsolicited data is accepted from the initiator. The supported values are: (default) Use the value that gives best performance, which for this parameter is Yes. Yes The initiator is allowed to send the initial data for a SCSI command with the command PDU. No The initiator must send all SCSI data in Data-Out PDUs. American Dymamics RAID Storage System iscsi Software User s Manual 51
Graphical User Interface Max Outstanding R2T Field The Max outstanding R2T field contains the maximum number of outstanding R2Ts. If the field is empty, a default value is used. NOTE MaxOutstandingR2T must not exceed four (4). First Burst Length Field The First burst length field contains the maximum SCSI payload (in bytes) of unsolicited data an initiator may send to the target. This includes immediate data and a sequence of unsolicited Data-Out PDUs. If the field is empty, a default value is used. Otherwise, this value must be less than the value in the Max burst length field. Max Burst Length Field The Max burst length field contains the maximum SCSI payload (in bytes) for data-in or for a solicited data-out sequence. If this field is empty, a default value is used. Max Connections Field The Max connections field contains the maximum number of connections per iscsi session that will be supported for this node. If this field is empty, a default value is used. Data Seq In Order Drop-Box The Data seq in order drop-box controls if the data PDU sequence may be transferred in any order. The supported values are: (default) Use the default value, which for this parameter is Yes. Yes The data PDU sequence must be transferred using continuously increasing offsets except for error recovery. No The data PDU sequence may be transferred in any order. Data PDU In Order Drop-Box The Data PDU in order drop-box controls if the data PDUs within a sequence may be transferred in any order. The supported values are: (default) Use the default value, which for this parameter is Yes. Yes The data PDUs within a sequence have to be at continuously increasing addresses, and overlays are forbidden. No The data PDUs within a sequence may be in any order. NOTE This version of American Dynamics RAID Storage System does not support the Data PDU in order drop-box being set to No. If it is set to No the target will emit a warning and internally continue as if it had been set to Yes. 52 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu Def Time To Retain Field The Def time to retain field contains the maximum time (in seconds) that connection and task allegiance reinstatement is still possible following a connection termination or reset. If this field is empty, a default value is used. Otherwise, if the value is zero (0), connection and task allegiance reinstatement is disabled. Def Time To Wait Field The Def time to wait field contains the minimum time (in seconds) to wait before attempting connection and task allegiance reinstatement after a connection termination or reset. If this field is empty, a default value is used. Error Recovery Level Field The Error recovery level field contains the error recovery level used by this iscsi Node. If the field is empty, a default value is used. NOTE This version of American Dynamics RAID Storage System only supports Error recovery level set to zero (0) or one (1). iscsi Portals Selection Box The iscsi Portals selection box defines which iscsi Portals are to be used for this iscsi Node. At least one iscsi Portal is required. Self Auths (Node Credentials) Selection Box The Self Auths (Node Credentials) selection box defines which iscsi Credentials are to be used by this iscsi Node. Target Auths (Initiator Credentials) Selection Box The Target Auths (Initiator Credentials) selection box defines which iscsi Credentials are required from the initiator to access this iscsi Node. At least one target Auth is required. Target Device Fields The Target Device fields defines a virtual disk to be used to implement the iscsi Node. This is required. This cannot be changed once the iscsi Node has been created (by the ADD NEW process) American Dymamics RAID Storage System iscsi Software User s Manual 53
Graphical User Interface Create a New Virtual Disk To create a new virtual disk for use as the target device: 1. Select (Create new) from the Target Device Virtual Disk drop-box. 2. Select the Volume Group on which to place the new virtual disk from the Target Device Volume Group drop-box. 3. Enter the size, in megabytes, of the new virtual disk in the field labeled Target Device Size (MB). The size must be at least 1 MB and no greater than the amount of free space available on the Volume Group. 4. Select whether or not you want a fast format of the new virtual disk to be performed from the Target Device Fast Format drop-box. It is recommended that the fast format option be used. If you do not select fast format, then the new virtual disk will be completely filled with zeroes. While this can provide an extra measure of security if the Volume Group previously contained sensitive data, this procedure can take a very long time, increasing with the size of the new virtual disk. 5. Click ADD NEW. The new virtual disk will be created. NOTE While the iscsi target device is being created, this message will be displayed: Creating target device <DeviceID>. Please wait, as this may take a while. Reattach an Unattached Virtual Disk There may be unattached virtual disks available on the IP-SAN appliance from a previous configuration before the IP-SAN appliance was reset to factory defaults, or on Volume Groups migrated from another system. To reattach an unattached virtual disk: 1. Select the unattached virtual disk from the Target Device Virtual Disk drop-box. These usually have a name of the form VG vgname LUN id,0 [nnn MB]. (If no unattached virtual disks are available, only the (Create new) option will be available.) 2. Leave the other Target Device... fields alone (their contents will be ignored.) 3. Click ADD NEW. The unattached virtual disk will be attached to the iscsi Node. 54 American Dymamics RAID Storage System iscsi Software User s Manual
IP-SAN Menu IP-SAN - isns Tab The IP-SAN appliance includes support for Internet Storage Name Service (isns). The isns protocol allows iscsi initiators to discover the existence, location, and configuration of iscsi targets. The use of isns is completely optional. isns Configuration Field Descriptions The following is a description of each isns Configuration field. isns Enabled Drop-Box The isns enabled drop-box controls whether isns support is enabled in the iscsi target. To change the setting: 1. Select the appropriate setting from the drop-box. 2. Click APPLY. isns Server Controls The isns server controls allow you to select between manually specifying the name of the isns server, and automatic discovery of the isns server using SLP. To manually specify an isns server: 1. Select the radio button next to the field labeled Server name. 2. Enter the isns Server name or IP address in the field labeled Server name. 3. Click APPLY. To enable automatic discovery of the isns server using SLP: 1. Select the radio button labeled Auto discovery using SLP. 2. Leave the Server name field alone (its contents will be ignored). 3. Click APPLY. IMPORTANT A separate isns server running on a separate machine is required in order for this iscsi target to be discovered. Not all isns servers support SLP registration, and manual registrations will be needed to make the isns server discoverable via SLP. Please consult your SLP Directory Agent s documentation to determine how to manually register an SLP URL. Such a URL should use a service type of service:iscsi:sms and must have an attribute of protocol=isns. American Dymamics RAID Storage System iscsi Software User s Manual 55
Graphical User Interface Volumes Menu This menu allows you to manipulate the storage volumes on your IP-SAN appliance. Upon navigating to this screen, you will see a volume overview diagram. Various images may be clicked on in order to directly access the screen that allows you to configure the appropriate sub-system. 56 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu Volumes - Volume Groups Submenu A Volume Group is a named volume from which storage on your IP-SAN appliance is exported. A Volume Group is comprised of at least one Volume Unit, and may be configured as a Span Group (Volume Units are serially concatenated) or as a RAID 0 Group. Upon navigating to this screen, you will see a Volume Group summary. NOTE If there are no Volume Groups configured, a summary will not be displayed. If there are no Available volume units, then the ADD NEW button will not be present. Create a New Volume Group To create a new Volume Group: 1. If you are viewing the Volume Group summary screen, click ADD NEW. American Dymamics RAID Storage System iscsi Software User s Manual 57
Graphical User Interface 2. Enter the name of the Volume Group in the New ID field. The name must be no longer than 16 characters, and must consist of the characters A-Z, a-z, and 0-9. Names can also contain plus (+), minus (-), and underscore (_). 3. Select a configuration from the Configuration drop-box. If the Volume Group will consist of a single Volume Unit, or if the Volume Units are different sizes, select the default value Span. Otherwise, you may select a RAID 0 (stripe) configuration. The number indicates the stripe depth. NOTE If a RAID 0 configuration is selected and the Volume Units are of different sizes, all Volume Units will be truncated to the size of the smallest Volume Unit, resulting in a loss of storage capacity. 4. Select the Volume Units that are to make up the new Volume Group from the Volume units selection box. 5. Click ADD NEW. The new Volume Group will be created and you will be presented with the Volume Group s details screen. Volume Group creation may take several minutes. Delete a Volume Group To delete a Volume Group: 1. Set the Status drop-box for the Volume Group you wish to delete to Offline. 2. Click the REMOVE button in the row of the Volume Group you wish to delete. 3. Click CONFIRM. 58 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu View Volume Group Details To view additional information about a specific Volume Group, click DETAILS from the Volume Group summary screen. Volume Group Field Descriptions The following is a description of each Volume Group field. ID Field The ID field is a string that uniquely identifies a Volume Group on the IP-SAN appliance. It cannot be changed once the Volume Group has been created (by the ADD NEW process). Status Drop-Box The Status drop-box controls the status of the Volume Group. The supported values are: Online The Volume Group is on-line and available for use as storage. Offline The Volume Group is off-line and not available for use as storage. A Volume Group must have a status of Offline before it can be removed. Capacity (MB) Field The Capacity (MB) field indicates the total storage capacity, in megabytes, of the Volume Group. American Dymamics RAID Storage System iscsi Software User s Manual 59
Graphical User Interface Available (MB) Field The Available (MB) field indicates the available storage capacity, in megabytes, of the Volume Group. Creation and deletion of iscsi Nodes effects the available storage capacity. Configuration Field The Configuration field indicates the configuration (Span or RAID 0) of the Volume Group. It cannot be changed once the Volume Group has been created (by the ADD NEW process). Volume Units Field The Volume units field indicates the Volume Units that are a part of this Volume Group. It cannot be changed once the Volume Group has been created (by the ADD NEW process). Disk Count Field The Disk count field indicates the number of physical disks used by this Volume Group. Serial Number Field The Serial number field indicates the serial number assigned to this Volume Group. The serial number is the identifier used to associate Volume Units with their Volume Group. 60 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu Volumes - Volume Units Submenu The individual RAID arrays, or units of storage, on your IP-SAN appliance are referred to as Volume Units. These Volume Units are in turn assembled into Volume Groups. Upon navigating to this screen, you will see a Volume Unit summary. Before a Volume Unit can be used in a Volume Group, it must be marked as available for that purpose. Configure a Volume Unit To configure a Volume Unit: 1. Select the value Available from the Status field drop-box. 2. Click APPLY. This writes the on-disk metadata used to store Volume Unit and Volume Group configuration information. View Volume Unit Details To view additional information about a specific Volume Unit, click DETAILS from the Volume Unit summary screen. American Dymamics RAID Storage System iscsi Software User s Manual 61
Graphical User Interface Volume Unit Field Descriptions The following is a description of each Volume Unit field. ID Field The ID field is a string that uniquely identifies a Volume Unit on the IP-SAN appliance. Status Drop-Box The Status drop-box controls the status of the Volume Unit. Certain status conditions cannot be changed, and a drop-box will not be presented in those situations. The supported values are: In use The Volume Unit is an in-use member of a Volume Group. This status condition cannot be changed from this screen so the drop-box is not presented as shown in the screen shot on the previous page. Available The Volume Unit is available for use as a member of a new Volume Group. A Volume Unit in this state may be set to Unavailable and will automatically be set to In use if used as a member of a new Volume Group. Unavailable The Volume Unit is not available for use. A Volume Unit in this state may be set to Available. Unknown The Volume Unit is not functioning correctly, and is not available for use. Capacity (MB) Field The Capacity (MB) field displays the capacity, in megabytes, of the Volume Unit. Disk Count Field The Disk count field indicates the number of physical disks used by this Volume Unit. 62 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu Volumes - 3ware RAID Submenu These submenus allow you to manipulate the configuration of RAID arrays attached to 3ware RAID controllers installed in the IP-SAN appliance. There is one submenu per 3ware RAID controller installed. By default, the Volumes 3ware RAID Overview tab is shown. Volumes - 3ware RAID - Overview Tab This tab displays an overview of the RAID configuration of the selected 3ware RAID controller. Various sub-system images may be clicked on to directly access and configure the sub-system. American Dymamics RAID Storage System iscsi Software User s Manual 63
Graphical User Interface Volumes - 3ware RAID - Controller Parameters Tab This tab displays various parameters of the selected 3ware RAID controller. Most parameters cannot be changed and are for informational purposes only. Only the parameters that can be changed are documented below. After you have finished modifying the parameters, click APPLY. Controller Parameter Field Descriptions The following is a description of each changeable 3ware RAID controller parameter. Rebuild Rate Drop-box The Rebuild rate drop-box controls how quickly the 3ware RAID controller will rebuild a degraded RAID volume onto a spare or replaced disk, at the expense of the performance of I/O to the RAID volume during the rebuild. The supported values are: Low The lowest rebuild rate. This takes the longest time to rebuild, and provides the highest disk I/O performance during the rebuild. Medium Low Medium low. Medium Medium rebuild rate. This provides a reasonable compromise between the time to rebuild and disk I/O performance. Medium High Medium high. 64 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu High The highest rebuild rate. This takes the shortest time to rebuild, at the expense of disk I/O performance during the rebuild. Verify Rate Drop-box The Verify rate drop-box controls how quickly the 3ware RAID controller will verify a RAID volume at the expense of the performance of I/O to the RAID volume during the verification process. The supported values are: Low The lowest verification rate. This takes the longest time to verify, and provides the highest disk I/O performance during the verify. Medium Low Medium low. Medium Medium. This provides a reasonable compromise between the time to verify and disk I/O performance. Medium High Medium high. High The highest verification rate. This takes the shortest time to verify, at the expense of disk I/O performance during the verify. Rebuild/verify Rate Drop-box Certain models of 3ware RAID controllers may have a combined setting for the rebuild rate and the verification rate. The Rebuild/verify rate drop-box controls how quickly the 3ware RAID controller will rebuild or verify a RAID volume at the expense of the performance of I/O to the RAID volume during the rebuild or verification process. The supported values are: Low The lowest rebuild and verification rate. This takes the longest time to rebuild or verify, and provides the highest disk I/O performance during the rebuild or verify. Medium Low Medium low. Medium Medium. This provides a reasonable compromise between the time to rebuild or verify and disk I/O performance. Medium High Medium high. High The highest rebuild and verification rate. This takes the shortest time to rebuild or verify, at the expense of disk I/O performance during the rebuild or verify. American Dymamics RAID Storage System iscsi Software User s Manual 65
Graphical User Interface Volumes - 3ware RAID - Physical Disks Tab 3ware RAID controller Physical Disks are disk drives attached to the controller with an ID that maps to the port number on the controller that the disk is attached to. Upon navigating to this tab, you will see a Physical Disk summary. NOTE If there are no Physical Disks configured, a summary will not be displayed. Rescanning the Controller For New Physical Disks To rescan the controller for newly added physical disks, click the APPLY button in the Rescan Controller section. The controller will be scanned for newly added disks. If any are found, they will now be displayed as part of the Physical Disk summary. Replace a Defective Physical Disk To replace a defective Physical Disk with a new disk: 1. Click REMOVE on the row of the Physical Disk to be replaced. 2. Click CONFIRM. 3. Remove the Physical Disk from its slot in the IP-SAN appliance. Install the replacement disk into the same slot, and make a note of the port number. 4. Click APPLY in the Rescan Controller section. Newly added disks should appear in the display with the appropriate IDs. 66 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu View Physical Disk Details To view additional information about a specific Physical Disk, click DETAILS from the Physical Disks summary screen. None of these parameters can be changed and are for informational purposes only. American Dymamics RAID Storage System iscsi Software User s Manual 67
Graphical User Interface Physical Disk Field Descriptions The following is a description of each Physical Disk field. ID Field The ID field uniquely identifies the Physical Disk on the selected 3ware RAID controller, and maps to the port number on the controller that the disk is attached to. Status Field The Status field displays the status of the Physical Disk. The supported values are: OK: Drive is OK and functioning correctly. Degraded Drive is a failed member of an existing Logical Disk. Failed Drive has failed in another manner. Examine the Port Status field for more details. Port Status Field The Port Status field displays the controller s port status of the Physical Disk. Correctly functioning disks have a status of OK. Any other status value is an error condition. The type of error is indicated by the port status value. Capacity (MB) Field The Capacity (MB) field displays the capacity of the Physical Disk in megabytes (one megabyte is 1048576 bytes). Logical Disk Field The Logical Disk field displays the Logical Disk (if any) that the Physical Disk is a member of. Unallocated Physical Disks have an empty Logical Disk field. Model Field The Model field displays the disk drive vendor s model number for the Physical Disk. Serial Number Field The Serial number field displays the disk drive vendor s serial number for the Physical Disk. Version Field The Version field displays the disk drive vendor s (firmware) version for the Physical Disk. 68 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu Volumes - 3ware RAID - Logical Disks Tab 3ware RAID controller Logical Disks are RAID units comprised of Physical Disks, and are exported by the 3ware RAID controller to the IP-SAN appliance as Volume Units. Upon navigating to this tab, you will see a Logical Disk summary. NOTE If there are no Logical Disks configured, a summary will not be displayed. If there are no unused Physical Disks, then the ADD NEW button will not be present. Create a New Logical Disk To create a new Logical Disk: 1. If you are viewing the Logical Disk summary screen, click ADD NEW. The New ID field will be automatically determined by the Logical Disk creation process. American Dymamics RAID Storage System iscsi Software User s Manual 69
Graphical User Interface 2. Select the RAID configuration of the Logical Disk from the Configuration drop-box. See Configuration Field on page 72 for details on the available RAID configuration types. Only the RAID configuration types supported by the number of unused Physical Disks will be presented. 3. Select the Physical Disks from the list in the Physical disks selection box. Multiple items can be selected, usually with Control-clicking (browser dependent). 4. Click ADD NEW. Delete a Logical Disk To delete a Logical Disk: 1. Click REMOVE on the row of the Logical Disk to delete. This button will not be displayed for Logical Disks that are labeled In use (Volume Units that are members of Volume Groups). 2. Click CONFIRM. View Logical Disk Details To view additional information about a specific Logical Disk, click DETAILS from the Logical Disks summary screen. Most parameters cannot be changed and are for informational purposes only. After you have finished modifying the parameters, click APPLY. 70 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu Logical Disk Field Descriptions The following is a description of each Logical Disk field. ID Field The ID field uniquely identifies the Logical Disk on the selected 3ware RAID controller. Status Drop-Box The Status drop-box displays the status of the Logical Disk. Certain status conditions cannot be changed, and a drop-box will not be presented in those situations. The supported values are: OK The Logical Disk is functioning correctly. A Logical Disk in this state may be set to Verify. Verify Start a verification operation on a Logical Disk in the OK state. Degraded The Logical Disk is in degraded mode. A Logical Disk in this state may be set to Rebuild. Rebuild Start a rebuild operation on a Logical Disk in the Degraded state. Initializing (nn%) The Logical Disk is being initialized, where nn is the percentage completed. Verifying (nn%) The Logical Disk is being verified, where nn is the percentage completed. Rebuilding (nn%) The Logical Disk is being rebuilt, where nn is the percentage completed. Capacity (MB) Field The Capacity (MB) field displays the capacity of the Logical Disk in megabytes (one megabyte is 1048576 bytes). American Dymamics RAID Storage System iscsi Software User s Manual 71
Graphical User Interface Configuration Field The Configuration field displays the RAID configuration of the Logical Disk. The supported RAID configurations are: RAID 0 Use this RAID level to create a RAID 0 (stripe) set. This RAID level requires at least 2 disks. This RAID level is not redundant. There are several stripe depths available for RAID 0. RAID 1 Use this RAID level to create a RAID 1 (mirror) set. This RAID level requires 2 disks. RAID 5 Use this RAID level to create a RAID 5 (striped with rotating parity) set. This RAID level requires at least 3 disks. There may be several stripe depths available for RAID 5, depending upon the controller used. RAID 10 Use this RAID level to create a RAID 10 (stripe of mirrors) set. This RAID level requires at least 4 disks and an even number of disks. There are several stripe depths available for RAID 10. RAID 50 Use this RAID level to create a RAID 50 (stripe of RAID 5) set. This RAID level requires at least 6 disks and an even number of disks. There are several stripe depths available for RAID 50. NOTE Your controller may not support this RAID level. Spare This selection causes a spare physical disk to be assigned as a spare. Multiple spares may be assigned, but you can assign only one spare physical disk at a time. Spares are assigned to a per-controller pool, and individual RAID units (Volume Units) will grab from that pool as necessary. Single disk Use this selection to create a logical disk from a single physical disk. This is also known as a JBOD. This RAID level is not redundant. 72 American Dymamics RAID Storage System iscsi Software User s Manual
Volumes Menu Stripe Depth Field The Stripe depth field displays the RAID stripe depth of the Logical Disk. Physical Disks Field The Physical disks field displays the Physical Disks that are used by the Logical Disk. If any of the controller s physical disks are not in use, the Physical disks field will show two sub-fields, a display-only field called Existing disks that lists the disks that make up this logical disk, and a drop-box called Replacement disk where the replacement disk for a rebuild operation can be selected. Volume Unit Field The Volume Unit field displays the Volume Unit that the Logical Disk is mapped to. Spare Logical Disks do not have a Volume Unit mapping. Write Cache Enabled Drop-box The Write cache enabled drop-box controls whether the logical disk has a write cache enabled. StorSave The StorSave drop-box sets the level of data protection versus performance by specifying the StorSave Profile to be used. Three profiles are provided: Protection, Performance, and Balance.The default setting is Protection. If the write cache setting is disabled for a unit, the StorSave Profile capability does not apply and is automatically disabled. The three profiles automatically adjust several different factors that affect protection and performance. Protection Maximum data protection, but slower performance. This is the default setting. Balance More data protection than Performance but less data protection than Protection. Performance Maximum performance, but less data protection. NOTE.This feature may not be supported on all controllers. American Dymamics RAID Storage System iscsi Software User s Manual 73
Graphical User Interface 74 American Dymamics RAID Storage System iscsi Software User s Manual
3 Command Line Interface The Command Line Interface (CLI) is designed for network configuration bootstrapping and troubleshooting. It features a command set that will be familiar to Unix users, and includes context-sensitive help. American Dymamics RAID Storage System iscsi Software User s Manual 75
Command Line Interface Using the Command Line Interface This section describes how to use the Command Line Interface. Logging in After your IP-SAN appliance has booted, the CLI will present a login prompt. American Dynamics RAID Storage System Admin password: wash> Enter the administration password to log in. If no administration has been set, just press the RETURN key. Once you have logged in, you will be presented with the Admin Shell prompt: Command History and Command Line Editing The CLI includes a command history buffer with command line editing. Emacs-style editing keys are used: Command CTRL-P CTRL-N CTRL-B CTRL-F CTRL-A CTRL-E Action Previous line Next line Back one character Forward one character Go to beginning of line Go to end of line In addition, the following Unix shell editing keys are used: Command CTRL-W CTRL-U Action Delete previous word Erase line 76 American Dymamics RAID Storage System iscsi Software User s Manual
Using the Command Line Interface Context-sensitive Help and Command Completion The CLI provides context-sensitive help and command completion: Command Action? Access context-sensitive help TAB Access context-sensitive command completion Context-sensitive help will list all of the commands, along with a short description, that begin with the characters already typed into the command line. If no characters have been typed, all commands will be listed. In the following example, typing the characters h? will list all of the commands that begin with the letter h. wash> h? help history hostname wash> h show help show or clear history display hostname Context-sensitive command completion will complete the name of the command that begins with the characters already typed into the command line if the command is not ambiguous. In the following example, typing the characters h<tab> will not complete the command, because it is ambiguous. However, typing the characters ho<tab> will cause the command to be completed to hostname. wash> h<tab> help history hostname wash> ho<tab> wash> hostname American Dymamics RAID Storage System iscsi Software User s Manual 77
Command Line Interface Commands date The CLI includes the following commands: The date command displays or sets the date and time on your IP-SAN appliance. To display the date and time, enter the date command with no arguments. wash> date Fri Mar 5 16:53:01 PST 2006 wash> exit To set the date and time, enter the date command with the desired date and time in the following format: date [[[[[cc]yy]mm]dd]hh]mm[.ss] wash> date 200603051655.00 Fri Mar 5 16:55:00 PST 2006 wash> The exit command logs out of the command line interface. wash> exit American Dynamics RAID Storage System console on storagebox.company.com Admin password: help The help command lists all of the available commands, along with a short description. The help command followed by another command name will display the description for the specified command. wash> help help help show help wash> 78 American Dymamics RAID Storage System iscsi Software User s Manual
Commands history The history command shows the command history buffer. wash> history 1 date 2 date 200603051655.00 3 help help 4 history wash> To clear the command history buffer, use the command history clear. wash> history clear wash> history 1 history wash> hostname The hostname command displays the hostname of your IP-SAN appliance. wash> hostname storagebox.company.com wash> American Dymamics RAID Storage System iscsi Software User s Manual 79
Command Line Interface ifconfig The ifconfig command displays and sets network interface parameters. To list all available network interfaces, use the -a option. wash> ifconfig -a wm0: flags=8843<up,broadcast,running,simplex,multicast> mtu 1500 capabilities=87<ip4csum,tcp4csum,udp4csum,tcp4seg> enabled=87<ip4csum,tcp4csum,udp4csum,tcp4seg> address: 00:e0:81:25:69:b4 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::2e0:81ff:fe25:69b4%wm0 prefixlen 64 scopeid 0x1 wm1: flags=8843<up,broadcast,running,simplex,multicast> mtu 1500 capabilities=87<ip4csum,tcp4csum,udp4csum,tcp4seg> enabled=87<ip4csum,tcp4csum,udp4csum,tcp4seg> address: 00:e0:81:25:69:b5 media: Ethernet autoselect (1000baseT full-duplex) status: active inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 inet6 fe80::2e0:81ff:fe25:69b5%wm1 prefixlen 64 scopeid 0x2 lo0: flags=8009<up,loopback,multicast> mtu 33192 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 wash> To set the address of an interface, you must provide interface, address_family, address, and netmask parameters. wash> ifconfig wm1 inet 10.0.0.1 netmask 255.255.255.0 wash> NOTE Changes to network settings that are made with the ifconfig command will not be reflected in the American Dynamics RAID Storage System configuration database (i.e., once a reboot occurs, the settings in the configuration database will go back into effect). 80 American Dymamics RAID Storage System iscsi Software User s Manual
Commands ping The ping command sends ICMP ECHO_REQUEST packets to other hosts on the network. Use CTRL-C to stop the ping command. wash> ping otherhost.company.com PING otherhost.company.com (192.168.1.200): 56 data bytes 64 bytes from 192.168.1.200: icmp_seq=0 ttl=255 time=0.176 ms 64 bytes from 192.168.1.200: icmp_seq=1 ttl=255 time=0.177 ms 64 bytes from 192.168.1.200: icmp_seq=2 ttl=255 time=0.177 ms 64 bytes from 192.168.1.200: icmp_seq=3 ttl=255 time=0.162 ms 64 bytes from 192.168.1.200: icmp_seq=4 ttl=255 time=0.164 ms 64 bytes from 192.168.1.200: icmp_seq=5 ttl=255 time=0.163 ms 64 bytes from 192.168.1.200: icmp_seq=6 ttl=255 time=0.165 ms ^C ----otherhost.company.com PING Statistics---- 7 packets transmitted, 7 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.162/0.169/0.177/0.007 ms wash> If you wish to bypass any DNS look-up for the specified host, use the -n option. wash> ping -n 192.168.1.200 PING 192.168.1.200 (192.168.1.200): 56 data bytes 64 bytes from 192.168.1.200: icmp_seq=0 ttl=255 time=0.176 ms 64 bytes from 192.168.1.200: icmp_seq=1 ttl=255 time=0.177 ms 64 bytes from 192.168.1.200: icmp_seq=2 ttl=255 time=0.177 ms 64 bytes from 192.168.1.200: icmp_seq=3 ttl=255 time=0.162 ms 64 bytes from 192.168.1.200: icmp_seq=4 ttl=255 time=0.164 ms 64 bytes from 192.168.1.200: icmp_seq=5 ttl=255 time=0.163 ms 64 bytes from 192.168.1.200: icmp_seq=6 ttl=255 time=0.165 ms ^C ----192.168.1.200 PING Statistics---- 7 packets transmitted, 7 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.162/0.169/0.177/0.007 ms wash> American Dymamics RAID Storage System iscsi Software User s Manual 81
Command Line Interface ping6 The ping6 command sends ICMP6_ECHO_REQUEST packets to other IPv6 hosts on the network. Use CTRL-C to stop the ping6 command. wash> ping6 otherhost.company.com PING6(56=40+8+8 bytes) 2001:db8::6 --> 2001:db8::1 16 bytes from 2001:db8::1, icmp_seq=0 hlim=64 time=0.527 ms 16 bytes from 2001:db8::1, icmp_seq=1 hlim=64 time=0.623 ms 16 bytes from 2001:db8::1, icmp_seq=2 hlim=64 time=0.424 ms 16 bytes from 2001:db8::1, icmp_seq=3 hlim=64 time=0.59 ms 16 bytes from 2001:db8::1, icmp_seq=4 hlim=64 time=0.472 ms 16 bytes from 2001:db8::1, icmp_seq=5 hlim=64 time=0.429 ms 16 bytes from 2001:db8::1, icmp_seq=6 hlim=64 time=0.487 ms ^C --- otherhost.company.com ping6 statistics --- 7 packets transmitted, 7 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.424/0.507/0.623/0.071 ms poweroff quit The poweroff command powers off your IP-SAN appliance. You are required to confirm the poweroff command. wash> poweroff Confirm `poweroff' [no] y reboot The quit command logs out of the command line interface. This is an alias of the exit command. wash> quit American Dynamics RAID Storage System Admin password: The reboot command reboots your IP-SAN appliance. Your are required to confirm the reboot command. wash> reboot Confirm `reboot' [no] y 82 American Dymamics RAID Storage System iscsi Software User s Manual
Commands route The route command manipulates your IP-SAN appliance s routing tables. To set the default route if it is not already set, use the add sub-command. wash> route add default 192.168.1.254 add net default: gateway 192.168.1.254 wash> To change the default router if it has already been set, use the change sub-command. wash> route change default 192.168.1.254 change net default: gateway 192.168.1.254 wash> wct NOTE Changes to network settings that are made with the route command will not be reflected in the American Dynamics RAID Storage System configuration database (i.e., once a reboot occurs, the settings in the configuration database will go back into effect). The wct command manipulates your IP-SAN appliance s configuration database. This command is provided for debugging and support purposes only. Do not use this command except as directed by qualified support personnel. American Dymamics RAID Storage System iscsi Software User s Manual 83
Command Line Interface 84 American Dymamics RAID Storage System iscsi Software User s Manual
4 Known Interoperability Issues The following interoperability issues have been identified: n n n Microsoft Windows Dynamic Disks and Microsoft iscsi Initiator Persistent Targets. A Persistent Target is an iscsi target device that the Microsoft iscsi Initiator will establish a session with at each system boot, as if the device were directly attached to the local system. However, due to a boot-time subsystem initialization ordering issue on the Windows system, a Persistent Target that is initialized as a Dynamic Disk will not attach properly at boot-time. Therefore, any iscsi target device that is configured as a Persistent Target must be initialized as a Basic Disk. Newer versions of Microsoft Windows default to initializing disks as Dynamic Disks rather than Basic Disks. To ensure proper operation of Persistent Targets, ensure that the disk is initialized as a Basic Disk. iscsi connection reset issue with Alacritech TCP/IP Accelerators. During testing, an issue was identified where an iscsi session with the Microsoft iscsi Initiator v1.04 using an Alacritech TCP/IP accelerator would become non-responsive. An Alacritech driver update solved the issue. Ensure you have Alacritech driver version 6.2.2.0 or later. Microsoft Internet Explorer HTTP Meta-Refresh issue. The web-based Graphical User Interface included with American Dynamics American Dymamics RAID Storage System iscsi Software User s Manual 85
Known Interoperability Issues RAID Storage System uses the HTTP Meta-Refresh feature. Some versions of Microsoft Internet Explorer do not enable this feature by default. If you experience problems using the Graphical User Interface, ensure that HTTP Meta-Refresh is enabled in your browser s security settings. 86 American Dymamics RAID Storage System iscsi Software User s Manual
A Troubleshooting This appendix describes a set of target configuration and target operation problems, and solutions to these problems. Before reading this appendix, make sure you have read the chapter Known Interoperability Issues on page 85. IP-SAN Appliance Configuration Unable to access American Dynamics RAID Storage System GUI using a web browser 1. Verify the IP address of the management port on the IP-SAN appliance. The factory default IP address for the management port is 192.168.1.10. You may view the current settings for the IP-SAN appliance s network interfaces using the ifconfig -a command in the CLI. 2. Verify the network settings on your local system. 3. Verify network connectivity to the IP-SAN appliance management port using the ping command on your local system. You may also use the ping command in the IP-SAN appliance s CLI to verify network connectivity. Unable to change Volume Group status to "Offline" (Device is busy error) This error indicates that there are active iscsi Nodes residing on the Volume Group. 1. Navigate to IP-SAN iscsi Nodes and ensure no iscsi Nodes are using the Volume Group. If any iscsi Nodes are using the Volume Group, delete them. 2. If you wish to take the Volume Group offline only temporarily, and do not wish to delete the iscsi Nodes using the Volume Group, ensure that the iscsi Target Server is not running. For more information, see General - Power Tab on page 19. American Dymamics RAID Storage System iscsi Software User s Manual 87
Troubleshooting No "Available" Volume Units message when configuring Volume Groups 1. Navigate to Volumes Volume Units. 2. Verify that Volume Units exist. 3. If not, the RAID subsystem must be configured. For more information, see Volumes - 3ware RAID Submenu on page 63. 4. Verify that the status of existing Volume Units is set to Available. For more information, see Volumes - 3ware RAID Submenu on page 63. IP-SAN Appliance Operation iscsi Target Server is not running after system boots 1. Navigate to General Power. 2. Verify that the iscsi target enabled at next boot drop-box has the value Yes. For more information, see General - Power Tab on page 19. 3. Examine the system log for any iscsi Target Server start-up errors. For more information, see Notification Menu on page 21. Unable to connect to iscsi target from an iscsi initiator 1. Make sure that the Ethernet cable is attached to the initiator and to the target. 2. Ensure that the iscsi Target Server is running. For more information, see General - Power Tab on page 19. 3. Ensure that the IP-SAN appliance s network configuration is correct. For more information, see Network Menu on page 26. 4. Verify that the IP address you are attempting to log into is correct. 5. Verify network connectivity to the IP-SAN appliance data port using the ping command from the iscsi initiator. 6. Verify network connectivity to the iscsi initiator using the Ping feature of the Graphical User Interface. For more information, see Network - Ping Tab on page 34. 7. Verify that the IP-SAN appliance s iscsi Portal settings are correct. For more information, see IP-SAN - iscsi Portals Tab on page 44. 8. Verify that the IP-SAN appliance s iscsi Nodes are using the correct iscsi Portals. For more information, see IP-SAN - iscsi Nodes Tab on page 48. 88 American Dymamics RAID Storage System iscsi Software User s Manual
No virtual disks visible to iscsi initiator 1. Verify that iscsi Nodes have been created. For more information, see IP-SAN - iscsi Nodes Tab on page 48. 2. Verify that the IP-SAN appliance s iscsi Nodes are using the correct iscsi Portals. For more information, see IP-SAN - iscsi Nodes Tab on page 48. Unable to log in to virtual disk 1. Verify that the IP-SAN appliance s iscsi Credentials settings are correct. For more information, see Access Control Menu on page 38. 2. Verify that the IP-SAN appliance s iscsi Nodes are using the correct iscsi Credentials. For more information, see IP-SAN - iscsi Nodes Tab on page 48. 3. If you have set a credential using CHAP, verify that the CHAP name and secret you set for the iscsi node are also entered correctly into the initiator. Unable to rebuild array onto a newly inserted disk - new disk does not appear in list of replacement disks. 3ware RAID controllers support warm-swap, not hot-swap. This problem is usually caused by failing to notify the 3ware RAID controller that the old disk has departed and a new disk has arrived. Correct this condition using the following procedure: 1. Navigate to Volumes 3ware RAID Physical Disks. 2. If the disk appears in the Physical Disks summary, click the REMOVE button for that disk. Confirm the operation by clicking CONFIRM. 3. From the Physical Disks summary screen, click ADD NEW. Select the port number of the new drive from the New ID drop-box. Click ADD NEW to add the new disk. The drive will now appear in the list of replacement disks. For more information, see Volumes - 3ware RAID - Logical Disks Tab on page 69. During bootup of the American Dynamics RAID Storage System target, the boot hangs at the line wskbd0 at pckbd0: console keyboard, using wsdisplay0 (this would be displayed on a VGA monitor attached to the American Dynamics RAID Storage System target system). This may occur if a mouse is attached to the American Dynamics RAID Storage System target system and can be resolved by unplugging the mouse. A mouse attached to the target system has no functionality and is not required. The American Dynamics RAID Storage System target hangs during bootup. Check to see that the Compact Flash IDE adapter, or the DOM, is: n Set to Master. n In the motherboard s Primary IDE connector. n Seated properly in the IDE connector. American Dymamics RAID Storage System iscsi Software User s Manual 89
Troubleshooting A hard drive has failed or been removed from a logical drive, but the logical drive status still shows as being OK in the GUI. The status of the array will not change until data is read from or written to the target. Unable to fetch number of ports error from American Dynamics RAID Storage System target: This would be displayed on a VGA monitor attached to the American Dynamics RAID Storage System target system. Make sure that you have the latest revision of firmware for the 3ware controller. Target error from Microsoft Initiator. This error can occur of you have created duplicate portals and credentials, and mapped different iscsi nodes to each of those portals and nodes. If Portal 1 is identical to Portal 2 (for example, both portals use wm0) and, Credential 1 is identical to Credential 2 and the nodes are mapped as: Node 1 Portal 1 / Credential 1 Node 2 Portal 2 / Credential 2 You will get a Target Error when you attempt to log into the 2nd node. Instead, you only need to create Portal 1 and Credential 1, and map both nodes to Portal 1/Credential 1. Like this: Node 1 Portal 1 / Credential 1 Node 2 Portal 1 / Credential 1 I am using Microsoft Windows and have created a shared folder on an iscsi disk. When I restart Windows, the folder is no longer shared. This may occur if the Windows Server service initializes before the iscsi Initiator service initializes. The Server service is therefore trying to create a shared folder on a disk that it is not yet aware of because the iscsi Initiator service has not yet started. To fix this, a dependency needs to be set in Windows so that the Server service is dependent on the iscsi Initiator service. With this dependency set, the Server service will not start until the iscsi Initiator service has started. Microsoft Knowledge Base Article ID 870964 describes how to set the proper dependencies so that shares will remain persistent across system reboots. The URL for the article is: http://support.microsoft.com/default.aspx?scid=kb;en-us;870964 Alternatively, go to http://support.microsoft.com and search the Knowledge Base for article ID 870964. 90 American Dymamics RAID Storage System iscsi Software User s Manual
B LUN Masking American Dynamics RAID Storage System offers a powerful set of SAN security features. This appendix describes two forms of Logical Unit Number (LUN) masking, and also describes how to implement a number of different security configurations using the Challenge Handshake Authentication Protocol (CHAP). A Storage Area Network (SAN) is a network linking storage clients and servers. The iscsi protocol [RFC 3720] permits constructing a SAN using ethernet and other Internet Protocol (IP) technologies. As such, iscsi can construct a much larger SAN than is possible with previous SAN technologies, such as Fibre Channel. With iscsi, a SAN can be constructed across the public internet. iscsi also includes features to secure SANs built with it. iscsi includes authentication based on CHAP and there is a companion MIB used to express access control to targets. CHAP configuration is discussed in Using CHAP with the Microsoft iscsi Initiator on page 103. In this appendix, we will discuss two methods that American Dynamics RAID Storage System uses to control which initiators (storage clients) can connect to a given iscsi node (storage server): target masking and isns 1 discovery domains. American Dynamics RAID Storage System implements target masking using a powerful iscsi credential system. With LUN masking and the security configuration models given in this appendix, the SAN administrator can implement many different secure SAN configurations. 1 The Internet Storage Name Service is described in internet draft: draft-ietf-ips-isns-22.txt. American Dymamics RAID Storage System iscsi Software User s Manual 91
LUN Masking Target Masking A SAN permits a number of storage clients to connect to any given storage server. However, for many configurations only a limited set of clients should be permitted to connect to a given iscsi node on a storage server. LUN masking describes a number of technologies that permit an administrator to limit which clients can connect to an iscsi node. American Dynamics RAID Storage System implements Target Masking, which is a form of LUN masking. In iscsi, a given target portal (IP address and TCP port number) can be used to communicate with a number of SCSI target nodes. An initiator indicates to which target device it wishes to connect by giving a target name at the beginning of login. Target masking limits the iscsi nodes to which an initiator can connect. With it, a given initiator can only connect to the iscsi nodes for which it has authorization. In addition, as part of the iscsi standard, if an initiator is not authorized to connect to a specific iscsi node, the American Dynamics RAID Storage System storage server will not even disclose 2 the existence of that iscsi node to the unauthorized initiator. For optimum security, American Dynamics RAID Storage System always performs target masking. This is done through the use of credentials. An initiator must be granted access to an iscsi node in order to access it. No action needs to be taken to deny an initiator access, as denial of access is the default. American Dynamics RAID Storage System supports one LUN per target name. Multiple LUNs per iscsi node would mean that either all LUNs shared the same security settings as the iscsi node, or that a second security layer would need to be added. This would be undesirable, because a second security layer would be complicated to administer. 2 Using the SendTargets discovery method. American Dynamics RAID Storage System also supports SLP and isns discovery methods. The SLP method in particular supports obtaining both a list of all iscsi nodes and a list of iscsi nodes for a given initiator. Thus an initiator can be made aware of iscsi nodes for which it is not authorized. Target masking will of course prevent the initiator from accessing such iscsi nodes. 92 American Dymamics RAID Storage System iscsi Software User s Manual
isns Discovery Domains isns Discovery Domains isns Discovery Domains offer another form of LUN masking. With isns, the American Dynamics RAID Storage System storage server announces all of its iscsi nodes to the isns server. The administrator then assigns each iscsi node to a discovery domain. The administrator also assigns each initiator to a discovery domain. When an initiator requests the list of targets to which it can communicate, it is only given targets in its domain. Thus with multiple discovery domains, an administrator can easily control which initiators see which iscsi nodes. NOTE In the current release, American Dynamics RAID Storage System only announces its iscsi nodes via isns. It does not use isns to determine if an initiator is authorized to access an iscsi node or not. Thus an initiator must be authorized both in isns and in Target Masking to be able to access an iscsi node. American Dymamics RAID Storage System iscsi Software User s Manual 93
LUN Masking More on Target Masking American Dynamics RAID Storage System actually implements target masking via iscsi credentials. Each iscsi node has a list of iscsi credentials which initiators can use to authenticate themselves for access to the node. At the beginning of iscsi login, the storage server generates a set of all of the iscsi credentials that the initiator can use to connect to the iscsi node. If there are no iscsi credentials the initiator can use to connect, then it is not authorized and the login is terminated. Otherwise, security login proceeds in accordance with the authorization credentials found. Each authorization credential consists of five parts. The first is an ID number which is assigned by the storage server and used internally. The second is a description, which also serves as an alias. This text description identifies the credential throughout the GUI. The third part of an iscsi credential is a list of credentials used for authentication. American Dynamics RAID Storage System currently supports two types of credentials, CHAP and None. The None credential offers no way for the target to authenticate the initiator (positively verify the initiator is truly the initiator it claims to be). This credential is appropriate for a private network where all of the machines are trusted and where some other security feature prevents unauthorized access. Operating the SAN over a private network would be one such security feature. 94 American Dymamics RAID Storage System iscsi Software User s Manual
More on Target Masking The CHAP credential provides information, a name and a password, used during CHAP authentication. How this operates will be described below. The other two parts of an iscsi credential are optional. They are a list of IP address ranges and a list of initiator names. If an iscsi credential has a list of address ranges, then the initiator must be connecting from an address within at least one of the ranges. Likewise, if there is a list of initiator names, the initiator name must match one of the listed names. If an iscsi credential lists only one initiator name, it is usable by only that initiator. Permitting the iscsi credential to be used to access an iscsi node is similar to granting access to a single user. If instead an iscsi credential lists more than one initiator, it forms a group credential. In this case any initiator in that group can, after authentication, access the iscsi node using that credential. NOTE An iscsi credential with no initiator names is also a form of group credential. However, without specific initiator names the group includes all the initiators that connect to the target. To limit an iscsi credential to only one IP address, use the same address for the two endpoints of the range. To limit an iscsi credential to a select list of specific addresses, create an address range for each where each address range s beginning address is the same as its ending address. American Dymamics RAID Storage System iscsi Software User s Manual 95
LUN Masking If the set of matching iscsi credentials includes one with CHAP credentials, the American Dynamics RAID Storage System storage server will accept CHAP authentication. If the set includes a None credential, the server will accept None authentication, or skip authentication. Exactly which security method is used for a given login depends upon what authentication methods both the initiator and target will accept. The initiator will make an initial offer, listing the methods it will accept in the order of preference. The target will agree to the first method on the list that it will accept. If there is no mutually agreeable method, the login will not proceed. If the login uses CHAP, then the storage server will issue a CHAP challenge to the initiator. The initiator will generate a response based on both the challenge and its password. It will also return a CHAP name along with the response. The American Dynamics RAID Storage System storage server will then examine the iscsi credentials for a CHAP credential with a CHAP name that matches the one given by the initiator. The CHAP response is then compared to a response calculated using the password associated with the name. The initiator has successfully authenticated when the CHAP name and the password match. If the initiator also includes a CHAP challenge with its CHAP response, it is indicating that it wishes the target to authenticate itself to the initiator, or to perform mutual authentication. In this case, the American Dynamics RAID Storage System storage server examines the Self Auths for the iscsi node, and will then use the first CHAP credential it finds to generate a CHAP response. 96 American Dymamics RAID Storage System iscsi Software User s Manual
Managing iscsi Credentials Managing iscsi Credentials The American Dynamics RAID Storage System storage server provides a very flexible credential system. This system can implement a number of different security models. In this section, we will describe the features of five of these security models. Model One No Authentication. This model is the simplest of all. In it, any initiator can log into an iscsi node. To implement this model, create one iscsi credential with one security credential set to None. Create an iscsi node using this credential. This configuration is appropriate for SANs where physical access is limited to trusted initiators and where all initiators are equally trusted. This type of authentication is only appropriate in this scenario as it offers no iscsi-level security, and all security must be provided externally. Model Two Limited None Authentication. In this model, None authentication is limited to specific initiators or address ranges. American Dymamics RAID Storage System iscsi Software User s Manual 97
LUN Masking This model skips authentication, but uses target masking to control which initiators can access which iscsi nodes. To implement this model, either create an iscsi credential with an initiator name. Or create an iscsi credential with an address range limitation specific for the desired initiator. 98 American Dymamics RAID Storage System iscsi Software User s Manual
Managing iscsi Credentials Create the iscsi credential with an authentication credential set to None. Next authorize that credential to access an iscsi node. Then only an initiator claiming to be the named one (or connecting from an authorized IP address) can connect to the target. This configuration offers no more security than in the first case (that is to say no security). While the presence of one or more initiator names or address ranges seems to be restrictive, both of these limitations are based on information that can be forged. The initiator name is typically a configuration parameter, and so any initiator that can connect to the storage server could be configured with the same initiator name. Likewise impersonating other IP addresses is a common attack method known as IP Spoofing. However, this configuration can be useful in situations where the administrator trusts that only the right initiator will be configured with a given initiator name, or that only the right initiator will make connections from within a given IP address range. In this case, where the administrator trusts the initiators to behave correctly, this configuration can simplify administrative overhead. Some initiators will automatically connect to all iscsi nodes to which they are authorized. In this model, the target configuration will control which iscsi nodes such an initiator mounts, and catch simple configuration errors. Model Three CHAP Authentication with Initiator Secrets. This model uses CHAP authentication to ensure that each initiator authenticates itself before being granted access to an iscsi node. American Dymamics RAID Storage System iscsi Software User s Manual 99
LUN Masking To implement this model, create an iscsi credential for each initiator that will connect to the given storage server. List only one initiator in the iscsi credential, give the credential a descriptive name, and include the CHAP name and password in a CHAP credential (the password must be at least 12 characters long). Then grant each initiator authorization to the iscsi nodes it should access (select the appropriate iscsi credentials in the iscsi node s configuration). Each initiator that can connect to a given storage server should be given a different CHAP password. Otherwise the effort it takes to give each initiator its own iscsi credential will be circumvented. For optimal security, each initiator that connects to multiple targets should use different passwords for targets in different administrative domains. As the storage server configuration contains the passwords used by an initiator to connect to the iscsi node, a rogue administrator or application could use that information to attempt to impersonate the initiator while connecting to another target. While this threat may not be a great concern between storage servers within the same administrative domain, it should definitely be considered when an initiator contacts iscsi nodes in different domains. As an example, if an initiator connects to targets run by two different companies (different administrative domains), it should use different passwords to authenticate itself. Otherwise a rogue administrator, application, or virus at one company could impersonate the initiator and log into targets at the other company. The above threat is also discussed in section 8.2.1 of RFC3720 (iscsi). 100 American Dymamics RAID Storage System iscsi Software User s Manual
Managing iscsi Credentials Model Four Mutual CHAP Authentication with Per-initiator Secrets and One Target Secret. This model is the same as Model Three, except that the target is configured with a secret for mutual authentication. The main difference between Model Three, and Model Four and Model Five is that Models Four and Model Five use credentials differently. For this reason, we will not display separate screen shots for Models Four and Five. NOTE In accordance with the requirements of RFC3720, Model Four should only be used when the connecting initiators are using an external response verification system, such as RADIUS (Remote Authentication Dial-In User Service). To implement Model Four, after completing the steps for Model Three, create an iscsi credential which will be used for the iscsi node to authenticate itself to the initiators. If all initiators wishing mutual authentication will expect the target to authenticate itself using the same CHAP password, leave the Initiators section blank. Then select this Auth in the Self Auths section of the iscsi node s configuration. If different initiators will expect different passwords for Mutual authentication, for instance they use different RADIUS servers, create separate iscsi credentials for each password. Then list each initiator in the Initiators section of the appropriate iscsi credential and select the iscsi credentials in the Self Auths section of the iscsi node. NOTE Do not list an initiator in more than one Self Auth credential. If this is done, the Self Auth credential selected for use by the target is indeterminate and may change in the future. As noted in RFC3720, this configuration SHOULD NOT be used in the absence of an external response verification system, as then each initiator would be configured with the password the target keeps secret and thus each initiator could impersonate the iscsi node to other initiators. The Address range fields may be used with credentials used as Self Auths. Thus an iscsi node may be configured to use different authentication passwords depending on the address from which an initiator connects. Care should be taken that such a configuration be attempted only when the initiator may be configured to expect the differing passwords. American Dymamics RAID Storage System iscsi Software User s Manual 101
LUN Masking Model Five Mutual CHAP Authentication with Per-initiator Secrets and Multiple Target Secrets. This configuration is similar to Model Four, except that the target has a unique secret to use for authenticating itself to each initiator. Thus this model may be used in the absence of an external response verification system. This model is similar to Model Four, except that there now is one iscsi credential used as a Self Auth for each initiator. Thus for each initiator, there will be two iscsi credentials. Model Four and Model Five differ in the number of target mutual CHAP secrets. In Model Four, there is one secret that the target uses for mutual CHAP, and all initiators that connect to it know it (that is, have it in the config file or can validate the password). In Model Five, each initiator has its own secret it expects the target to be able to verify. So if you have ten initiators logging into a target and doing mutual CHAP, under Model Four you have one secret per target. For Model Five, you have ten secrets, one for each initiator. The key issue is that CHAP secrets have to be retained as clear text to be validated. Thus the party that is challenging the other (the target for initial login and then the initiator for mutual) knows the password the other side is supposed to use. Thus it can use that secret to impersonate the party it was challenging to others. With Model Five each initiator has a different password that the target iscsi node must verify, so that no initiator can impersonate the target to any other initiator. For example, let s say that two users log into the same iscsi server. We will call them User A and User B. Since the target doesn t use the same password for the two users, User A can t trick User B s computer into logging into his rogue initiator and telling him everything he needs to know about payroll and finances. However, if they each had copies of the same target mutual password, User A could trick User B s computer, and that s the problem with Model Four. If you don t have RADIUS or a program like it, it might not matter, but then again it might matter very much. Model Four is safe if you are using something like RADIUS. RADIUS was originally created for dial-in services, where you have banks of modem hosts. You don t want to keep copies of each user s password on each box (each modem server). It s a tremendous amount of information to duplicate, and it makes changing the password difficult because the password for each box must be changed. For AOL, that could be each modem server across the country. That is the reason RADIUS was created. In it, each modem server takes the CHAP information from login and passes it to the RADIUS server. The RADIUS server in turn has the passwords. It determines if the CHAP challenge was successful or not, and then tells the modem server yes or no. There is a password that the modem server shares with the RADIUS server so that the modem server can validate the response is authentic. 102 American Dymamics RAID Storage System iscsi Software User s Manual
C Using CHAP with the Microsoft iscsi Initiator American Dynamics RAID Storage System supports mutual CHAP, sometimes referred to as two-way CHAP. With one-way CHAP the initiator must supply a user name and password that matches the user name and password of the target. With Mutual CHAP the target is also required to supply a password that matches the mutual CHAP password of the initiator. The use of mutual CHAP adds an additional level of security. If one-way CHAP is used, anyone who knows the user name and password of the target can log in from any initiator that has access to that target. If mutual CHAP is used, the person attempting to gain access would also need to know the initiator s mutual CHAP password in order to log into the target. If you wish to use CHAP with the Microsoft iscsi initiator, it is important to remember the following things. On the iscsi node details page the Self Auth is the mutual CHAP credential. If you are using one-way CHAP on an iscsi node it is only necessary to select an Auth in the Target Auths selection box. If you wish to use mutual CHAP on an iscsi node then you must select an AUTH from the Self Auths selection box in addition to Target Auths selection box. IMPORTANT The AUTH selected in the Self Auths box cannot be the same as the AUTH selected in the Target Auths box. American Dymamics RAID Storage System iscsi Software User s Manual 103
Using CHAP with the Microsoft iscsi Initiator This is the mutual CHAP credential. You must select an AUTH in this box if you wish to use mutual CHAP. This is the one-way CHAP credential. You must select an AUTH in this box if you wish to use either one-way or mutual CHAP. On the iscsi node details page, the Self Auth is the mutual CHAP credential. 104 American Dymamics RAID Storage System iscsi Software User s Manual
If you are only using one-way CHAP it is not necessary to select a credential in the Self Auths box. American Dymamics RAID Storage System iscsi Software User s Manual 105
Using CHAP with the Microsoft iscsi Initiator If you are using one-way CHAP, the username and password that are entered into the Target Auth credential must match the username and target secret entered into the CHAP logon information of the Microsoft iscsi initiator. If you are using mutual CHAP, the CHAP Secret that is entered into the mutual CHAP Secret Setup dialog box in the Microsoft iscsi Initiator Settings must match the password that is used for the credential selected in the Self Auths box. To set the CHAP Secret of the Microsoft Initiator, click the Secret button in the General tab of the Microsoft iscsi Initiator Properties window. The CHAP Secret Setup window will appear. 106 American Dymamics RAID Storage System iscsi Software User s Manual
Remember, for mutual CHAP the CHAP Secret that is entered into field in the mutual CHAP Secret Setup window must match the password that is used for the credential selected in the Self Auths box. IMPORTANT Remember that the CHAP secret must be at least 12 characters long. American Dymamics RAID Storage System iscsi Software User s Manual 107