Data Center Virtualization Certification：VCP6.5-DCV Exam Guide

上QQ阅读APP看书，第一时间看更新

Enabling/configuring/disabling iSCSI CHAP

The iSCSI traffic requires a secure network, both for the confidentiality and for the integrity of the data. Usually, you can use an isolated VLAN to reach this scope.

But for the authentication, iSCSI implements the Challenge Handshake Authentication Protocol (CHAP), which verifies the initiators (and, if needed, the targets).

ESXi supports unidirectional CHAP for all types of iSCSI initiators, and bidirectional CHAP for software and dependent hardware iSCSI initiators.

For software and dependent hardware iSCSI initiators, you can configure the authentication in the initiator settings, as we mentioned in the previous section.

Using the vSphere Web Client, you can select a host, then, in the Configure tab, select the Storage | Storage Adapters menu. In the iSCSI initiator Properties tab, click on the Edit... button in the Authentication section:

Figure 3.12: iSCSI port bindings

You can choose between these options:

None: CHAP authentication is not used at all
Use unidirectional CHAP if required by target: ESXi prefers non-CHAP connections but can use CHAP if required by the target
Use unidirectional CHAP unless prohibited by target: ESXi prefers CHAP, but can use non-CHAP if the target does not support CHAP
Use unidirectional CHAP: The target requires CHAP authentication for the ESXi initiator
Use bidirectional CHAP: Both the initiator and the target require CHAP authentication

The CHAP name cannot exceed 511 alphanumeric characters and the CHAP secret cannot exceed 255 alphanumeric characters. Some hardware adapters might have lower limits.

For more information, see the vSphere 6.5 Storage guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html).