CX3-Series, CX-Series, and AX150-Series - iSCSI … CX-Series, and AX150-Series iSCSI Server Setup...

CX3-Series, CX-Series, and AX150-SeriesiSCSI Server Setup Guide for

WindowsP/N 300–003–805, Revision A04

June 14, 2007

This document describes how to configure iSCSI initiator ports and how toset up iSCSI security on a server connected to the iSCSI data ports on CX3UltraScale TM series, CX-series, and AX150-series storage systems runningNavisphere® Manager.

Refer to the EMC Support Matrix (ESM) on the Powerlink website:http://Powerlink.EMC.com for supported operating system revisions.

Topics include:

Before you start ............................................................................. 2iSCSI server setup process overview ............................................... 4Installing NIC or HBA iSCSI initiator configuration software ........... 5Assigning an IP address to a NIC or iSCSI HBA .............................. 8Installing the Navisphere Server Utility (NIC initiators only)............ 9Modifying TCP/IP registry settings ................................................ 13Configuring NIC or iSCSI HBA initiators ........................................ 16Preparing for CHAP security.......................................................... 26Configuring CHAP on the iSCSI initiators....................................... 28Modifying CHAP credentials on the server ..................................... 37

1

http://Powerlink.EMC.com

Before you start

Before you use this guide to set up iSCSI initiator ports on the serveror to set up iSCSI security (Challenge Handshake AuthenticationProtocol – CHAP), you must configure the storage-system iSCSI portsas described in the CLARiiON CX3-20c Setup Guide (P/N 300-003-517),CLARiiON CX3-40c Setup Guide (P/N 300-003-745), or the InstallationRoadmap for CX3-Series, CX-Series, AX-Series, and FC-Series StorageSystems (P/N 069001166).

We recommend that you use this server setup guide in conjunction with thesetup guides (CX3-series or CX-series storage systems) or the InstallationRoadmap (AX150-series, CX3-series, or CX-series storage systems). The setupguides and Installation Roadmap are available on the Powerlink website:http://Powerlink.EMC.com.

For more information on CHAP security, refer to the sections below.Otherwise, refer to the iSCSI server setup process overview, page 4 .

CHAP security overview

Challenge Handshake Authentication Protocol (CHAP) is an optionaliSCSI authentication method where the target authenticates iSCSIinitiators. CHAP consists of initiator CHAP and mutual CHAP,depending on which way the authentication occurs. For initiatorCHAP, the target authenticates the initiator. Mutual CHAP can beconfigured in addition to initiator CHAP. For mutual CHAP, the initiatorauthenticates the target.

Initiator CHAP

When an initiator sends a request to an iSCSI target, it sends its initiatorCHAP username and secret (password). The storage system comparesthe username and secret with a database of CHAP user accounts toauthenticate the initiator. If you set up initiator CHAP authentication,you will enter the settings on the target and on all initiators. Theinitiator CHAP data is entered on the storage system and on theinitiators that will connect to the storage system.

2 iSCSI Server Setup Guide for Windows


Mutual CHAP

In addition to initiator CHAP, you can optionally set up the initiators toauthenticate targets. This is referred to as mutual (target) CHAP. Formutual CHAP, you create a target username and secret for the storagesystem. The storage system sends the username and secret to theinitiator and the initiator authenticates the storage system. The mutualCHAP data is entered on the storage system and on all initiators thatwill connect to the storage system.

iSCSI Server Setup Guide for Windows 3

iSCSI server setup process overview

The following overview describes the steps required for configuringiSCSI initiator ports and setting up iSCSI security.

Configuring iSCSI initiator ports

❑ Install network interface card (NIC) or host bus adapter (HBA)iSCSI initiator configuration software on each server with NICs orHBAs that you will connect to the storage system as described inInstalling NIC or HBA iSCSI initiator configuration software, page 5 .

❑ Assign an IP address for the NICs or iSCSI HBAs as described inAssigning an IP address to a NIC or iSCSI HBA, page 8 .

❑ Install the Navisphere® Server Utility if you have a Windowsserver with Microsoft NIC initiators. You will use the server utilityto configure iSCSI connections and mutual CHAP (optional).

❑ Configure initiator network parameters for the NIC or HBAiSCSI initiators as described in Configuring NIC or iSCSI HBAinitiators, page 16.

Setting up iSCSI security

❑ Prepare for setting up CHAP on the server as described in Preparingfor CHAP security, page 26.

❑ Configure initiator and mutual (optional) CHAP on each NIC oriSCSI HBA initiator as described in Configuring CHAP on the iSCSIinitiators, page 28.


Installing NIC or HBA iSCSI initiator configuration software

You must install NIC or HBA iSCSI initiator configuration softwareon each server with NICs or iSCSI HBAs that you will connect to thestorage system.

For NICs, install the Microsoft iSCSI Software Initiator as described inDownloading and installing the Microsoft iSCSI software initiator, page 5 .

You must install the Microsoft iSCSI Software Initiator because the NavisphereServer Utility uses it to configure iSCSI connections.

For iSCSI HBAs, install the Microsoft iSCSI Software Initiator Serviceoption as described in Downloading and installing the Microsoft iSCSIsoftware initiator, page 5 , and the QLogic SANsurfer software asdescribed in Downloading and installing the QLogic SANsurfer softwarefor iSCSI HBAs, page 7 .

You must install the Initiator Service option of the Microsoft iSCSI SoftwareInitiator because the QLogic driver requires it.

Downloading and installing the Microsoft iSCSI software initiator

1. Open a web browser and connect to the Microsoft website:http://www.microsoft.com

2. Go to the Downloads page.

3. Search for iscsi initiator.

4. Select and download the latest supported initiator software andrelated documentation.

For information on supported software on an AX150 storagesystem, refer to Supported Configurations in “Technical Descriptions”on the storage-system support website.

For information on supported software on a CX3–series or CX-seriesstorage system, refer to the E-Lab™ Interoperability Navigator onthe Powerlink website: http://Powerlink.EMC.com.


http://www.microsoft.com


To determine which file to download:

a. Right-click My Computer and select Manage.

b. Select System Information > System Summary.

c. View the System Type option. If x86 is displayed, you havea 32–bit system. If IA64 or AMD64 is displayed, you have a64–bit system and need to install the appropriate 64–bit version(IA or AMD).

5. After you download the appropriate software, double-click theexecutable to open the installation wizard and click Next at thewelcome screen.

6. Depending on which version of PowerPath you are running, at theInstallation Options screen, select one of the following:

PowerPath 4.6 or later and PowerPath iSCSI 1.1 or later

For NICs – select the following:Initiator Service , SoftwareInitiator, and Microsoft MPIO Multipathing Support foriSCSI, then click Next.

Note: AX iSCSI storage systems are currently not supported withPowerPath 4.6. Refer to the EMC Support Matrix (ESM) on thePowerlink website for any updates. PowerPath iSCSI is no longeravailable for CX3-series and CX-series storage systems.

For iSCSI HBAs – select Initiator Service and Microsoft MPIOMultipathing Support for iSCSI, then click Next.

Do not select Software Initiator.

PowerPath 4.5 or earlier

For NICs – select Initiator Service and Software Initiator, andclick Next.

Do not select Microsoft MPIO Multipathing Support for iSCSI.

For iSCSI HBAs – select Initiator Service and click Next.



Do not select Microsoft MPIO Multipathing Support for iSCSI orSoftware Initiator.

7. Read and accept the license agreement and click Next to installthe software.

8. At the completion screen, click Finish if this is a new installation. Ifthis is an upgrade, you must reboot the system to apply the updates.To reboot automatically, click Finish. To reboot later, select Do notrestart now and then click Finish. If you have a NIC and will bemodifying the TCP/IP registry settings in the next section, you donot need to reboot now. If you have an iSCSI HBA, download andinstall the QLogic SANsurfer software.

Downloading and installing the QLogic SANsurfer software for iSCSI HBAs

1. Download the QLogic SANsurfer software on the server:

a. Open a web browser and connect to the QLogic website:http://www.qlogic.com/go/emc_approved

b. Go to the Downloads page.

c. Select the HBA.

For information on supported software for an AX150 storagesystem, refer to Supported Configurations in “Technicaldescriptions” on the storage-system support website.

For information on supported software for a CX3–seriesor CX-series storage system, refer to the E-LabInteroperability Navigator on the Powerlink website:http://Powerlink.EMC.com

d. Select and download the software and related documentation.

2. Install the software as described in the QLogic documentation.


http://www.qlogic.com/go/emc_approved


Assigning an IP address to a NIC or iSCSI HBA

Assign an IP address to each NIC or iSCSI HBA in the server that willbe connected to the storage system.

For the NIC or iSCSI HBA IP addresses, refer to the iSCSI target and initiatorport network information worksheet, which should have been completed whenyou planned your configuration.

Assigning an IP address to a NIC in a Windows server

Open the appropriate Microsoft networking tool provided with theoperating system, such as NetWork Connections, and select the NICand set its IP address, as described in Microsoft documentation.

For example:

1. Select Start > Settings > Network Connections.

2. Select the NIC.

3. Select Properties > Internet Protocol (TCP/IP) > Properties andspecify the IP address for the NIC.

If the NIC is a replacement for a previously installed NIC, assign itthe same IP address as the NIC it replaced, so that it automaticallyhas the same iSCSI initiator settings and optional CHAP securitysettings as the NIC it replaced.

Assigning an IP address to an iSCSI HBA in a Windows server

1. Open QLogic SANsurfer as described in the QLogic documentation.

2. Use QLogic SANsurfer to set the IP address for the HBA asdescribed in the documentation provided with the HBA.

If the HBA is a replacement for a previously installed HBA, assign itthe same IP address as the HBA it replaced, so that it automaticallyhas the same iSCSI initiator settings and optional CHAP securitysettings as the HBA it replaced.


Installing the Navisphere Server Utility (NIC initiators only)

If you have a Windows server with Microsoft NIC initiators, you mustinstall the Navisphere Server Utility to configure iSCSI connections andmutual CHAP (optional), which you will do in a later step.

Important: If you have an iSCSI HBA or a 64–bit system, you can install theNavisphere Server Utility but you can not use it to configure iSCSI connections.For iSCSI HBAs use the QLogic SANsurfer software.

If the host agent is installed on this server or you plan on installing it,you can do one of the following:

Run the server utility from the Server Support CD when youconfigure iSCSI connections. For information on how to run theserver utility from the CD, refer to the server support productsinstallation guide for your operating system.

Install revision 6.22.20 or later of the server utility. For informationon how to install the server utility, refer to Installing the NavisphereServer Utility on a Windows server, page 9 .

If you install both the host agent and revision 6.22.20 or later of the serverutility, the server utility’s Registration Service feature will not be installed.Prior to revision 6.22.20 of the Server Utility, you could not install bothapplications on the same server.

If the host agent is not installed on this server and you do not plan toinstall it, install the server utility as described in Installing the NavisphereServer Utility on a Windows server, page 9 .

Installing the Navisphere Server Utility on a Windows server

EMC recommends that you install the most recent version of theNavisphere Server Utility software that is appropriate for yourconfiguration. You can download the most recent version from eitherthe software download page on the Powerlink website (CX3–series andCX-series) or on the support website (AX-series storage systems). Youcan also install the software from the server support CD (any storage


system); however, the CD may not contain the most recent version foryour configuration.

Important: If you are running PowerPath 4.6 or later, you must install version6.22.20 or later of the Navisphere Server Utility. If your server is connected onlyto an AX100-series storage system running Navisphere Server Utility version2.19 or earlier, and you are adding an AX150-series storage system, you mustinstall the version that shipped with your AX150-series system.

1. Log in to the Windows server as the administrator or someone whohas administrative privileges.

2. To download the software for CX3–series or CX-series storagesystems, do the following:

a. On the Powerlink website, select Support > Downloads andPatches and navigate to the Navisphere Server Utility downloadsection, which may be in either the CLARiiON NavisphereServer Utility section or the CLARiiON Navisphere Managersection.

b. Select the appropriate Navisphere Server Utility version todownload and select the option to save the software to yourserver.

c. In the directory where you saved the software, double-click theexecutable file to start the installation wizard.

3. To download the software for AX-series storage systems, do thefollowing:

a. On the support website select Download for AX150 series or

b. Navigate to the Navisphere Server Utility download and selectthe option to save the software to your server.

c. In the directory where you saved the software, double-click theexecutable file to start the installation wizard.

4. To install the software from the server support CD (any storagesystem), do the following:

a. In the server’s drive, insert the server support CD, whichshipped with the storage system or the upgrade kit (forAX-Series systems upgrading to Navisphere Manager).



The server support menu opens. If you do not see the serversupport menu, follow these steps to open it:

From the Windows taskbar, select:Start > Run

In the Run dialog box, enter the following program name,and then click OK:

For CX3-series or CX-seriesdrive:\CXSeries.exe

For AX-seriesdrive:\AXSeries.exe

where drive is the letter for the CD drive.

b. Select your language, if prompted for it.

c. From the main menu, click Install Products on Server.

d. From the Install Products menu, click Navisphere ServerUtility to open the installation wizard.

5. Follow the instructions on the installation screens and accept allthe defaults.

Do not disable the Registration Service option (it is enabled bydefault as part of the Complete setup type). The Registration Serviceoption automatically registers the server’s NICs or HBAs with thestorage system after the installation and updates server informationto the storage system whenever the server configuration changes (forexample, when you mount new volumes or create new partitions).If you have the host agent installed and you are installing revision 6.22.20or later of the server utility, the server utility’s Registration Service featurewill not be installed. Prior to revision 6.22.20 of the server utility, you couldnot install both applications on the same server.

6. If you are prompted about updating information when the serverstarts, click Yes.

7. If you are prompted to reboot the server, click Yes.


You must reboot the server when the installation dialog prompts you toreboot. If the server is connected to the storage system with NICs andyou do not reboot before you run the or server utility, the NIC initiatorswill not log in to the storage system.

8. When the installation is complete, click Finish to exit the wizard.

9. If you installed the server utility from the CD, close the serversupport menu by selecting Main Menu and then Exit. You can nowremove the CD from the server’s CD drive.


Modifying TCP/IP registry settings

Important – This section is recommended if you are running a version of theNavisphere Server Utility that is earlier than 6.24.1.4.0 and have a MicrosoftiSCSI configuration. This section is required for all Microsoft iSCSI clusterconfigurations that are running a version of the Navisphere Server Utility thatis earlier than 6.24.1.4.0.

You can improve the performance of any NICs that will be usedprimarily for iSCSI traffic rather than general network traffic bychanging the network settings so that NICs immediately acknowledgeincoming TCP segments. If you are running a version of the NavisphereServer Utility that is earlier than 6.24.1.4.0, you need to manuallymodify the TCP/IP registry settings, as described below, to improveperformance. If you are running Navisphere Server Utility version6.24.1.4.0 or later, the system will prompt you to change these settingswhen you configure the network parameters for your NICs (set upiSCSI connections).

! CAUTION

The following section contains information about modifying TCP/IPregistry settings. Before you modify the registry, make sure youback it up and understand how to restore the registry if a problemoccurs. For information about how to back up, restore, and edit theregistry, click the following link to the Microsoft Knowledge Base:http://support.microsoft.com/kb/256986/.

Depending on your operating system type, follow the appropriateprocedure below to modify the TCP/IP settings for network interfacescarrying iSCSI traffic so that they immediately acknowledge incomingTCP segments.

Windows Server 2003 SP1 or later

1. Determine which IP addresses or DHCP IP addresses are used foriSCSI traffic.

2. Start the Registry Editor.


http://support.microsoft.com/kb/256986/

a. Select Start >Run.

b. Enter Regedit and click OK.

3. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet >Services > Tcpip > Parameters > Interfaces

The interfaces will be listed below the Interfacesfolder by automatically generated GUIDs, for example,064A622F-850B-4C97-96B3-0F0E99162E56.

4. Click each of the interface GUIDs and perform the following steps:

a. Select the IPAddress or DhcpIPAddress parameters that are usedfor iSCSI traffic.

b. Select Edit > New > DWORD value.

c. Name the new value TcpAckFrequency and assign it a valueof 1.

5. Exit the Registry Editor.

6. Restart Windows for this change to take effect.

Windows 2000 SP3 or later

1. Determine which IP addresses or DHCP IP addresses are used foriSCSI traffic.

2. Start the Registry Editor.

a. Select Start >Run.

b. Enter Regedit and click OK.

3. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet >Services > Tcpip > Parameters > Interfaces

The interfaces will be listed below the Interfacesfolder by automatically generated GUIDs, for example,064A622F-850B-4C97-96B3-0F0E99162E56.

4. Click each of the interface GUIDs and perform the following steps:

a. Select the IPAddress or DhcpIPAddress parameters that are usedfor iSCSI traffic.


b. Select Edit > New > DWORD value.

c. Name the new value TcpDelAckTicks and assign it a value of 0.

5. Exit the Registry Editor.

6. Restart Windows for this change to take effect.


Configuring NIC or iSCSI HBA initiators

Before an iSCSI initiator can send data to or receive data from thestorage system, you must configure the initiator network parameters forthe NIC or HBA initiators so that they connect with the storage-systemSP iSCSI targets.

Depending on your configuration, refer to the appropriate sectionlisted below.

Configuring NIC initiators on Windows servers to connect to thestorage-system iSCSI targets with iSNS, page 16

Configuring NIC initiators on Windows servers to connect to thestorage-system iSCSI targets without iSNS, page 19

Configuring HBA initiators on Windows servers to connect to thestorage-system iSCSI targets with iSNS, page 22

Configuring HBA initiators on Windows servers to connect to thestorage-system iSCSI targets without iSNS, page 23

Configuring NIC initiators on Windows servers to connect to the storage-system iSCSItargets with iSNS

Use the Navisphere Server Utility to configure the network parametersfor each NIC iSCSI initiator.

1. On the server, open the Navisphere Server Utility.

2. Select Configure iSCSI Connections on this server and click Next.

3. Select Configure iSCSI Connections and click Next.

4. In the iSCSI Targets and Connections window, select DiscoveriSCSI targets using this iSNS server to send a request to the iSNSserver for all connected iSCSI storage-system targets and click Next.

5. For each target you want to log in to:

a. In the iSCSI Targets window, select the IP address of theInactive target.

b. Under Login Options, select Also login to peer iSCSI target forHigh Availability (recommended) if the peer iSCSI target islisted.


This option allows the utility to create a login connection to thepeer target so that data will continue to the peer target if thetarget you selected above becomes unavailable.

! CAUTION

If multiple NICs are on the same subnet and you leave theServer Network Adapter IP option set to Default, only oneNIC is actually used at a time. Other NICs are in standbymode. If you leave the Server Network Adapter IP option setto Default and a NIC fails, the server will use one of the otherNICs, even if they are on the same subnet, as long as thereis a network path from the storage system to the NIC that isin standby mode.

c. If you selected Also login to peer iSCSI target for HighAvailability (recommended) in the previous step, leave theServer Network Adapter IP set to Default. This allows theiSCSI initiator to automatically fail over to an available NICin the event of a failure.

If you are an advanced user and you want to control which networkor subnet is used, you can select a Server Network Adapter IP addressfrom the drop-down list but failover may not occur if you do not havethe appropriate failover software.

d. Click Logon to connect to the selected target.

If CHAP authentication is enabled on the target, a CHAP loginpop-up dialog box is displayed.

e. If a CHAP login pop-up dialog box is displayed, enter theCHAP security information (username and secret) and, if youhave mutual CHAP configured on the storage system and theserver and you want the initiator to authenticate the target,check Mutual CHAP, and click OK.


The CHAP login window will not be displayed if:– you are already logged in to this target.– you already entered the CHAP credentials to this targetin a previous login and you did not close the utility.

6. Click Next.

One of the following windows is displayed:

Network Interfaces (NICs) window — This window is displayedif all of the following statements are true:

the NICs are on the same subnet as an iSCSI target connectedto this server.

the NICs appear to be used primarily for iSCSI traffic ratherthan general network traffic.

the NICs do not already have the recommended TCPsettings enabled.

This window allows you to update network settings on theselected NICs so that the NICs immediately acknowledgeincoming TCP segments.

Server registration window — This window is displayed andlists all connected storage systems if the above conditions arenot true.

7. If the Network Interfaces (NICs) window is displayed,

a. Uncheck any NICs that will be used for general network trafficand click Apply.

Important: If a NIC is not listed and it is used primarily for iSCSItraffic, complete the remaining steps in this section and refer to theserver utility’s online help for information on using the OptimizeNetwork Interface (NICs) for iSCSI option. This option lists all the NICson your server and allows you to manually select which NICs youwant to immediately acknowledge incoming TCP segments for.


A confirmation dialog is displayed stating that the networksettings for your NICs have been updated but that you mustrestart your system to apply them.

b. Click OK and then Next.

8. In the server registration window, click Next to send the updatedinformation to the storage system.

A success message will be displayed.

Important: If you have the host agent installed on the server, you will getan error message indicating that the host agent is running and you cannotuse the server utility to update information to the storage system; the hostagent will do this automatically.

9. Click Finish to close the wizard.

Configuring NIC initiators on Windows servers to connect to the storage-system iSCSItargets without iSNS

Use the Navisphere Server Utility to configure the network parametersfor each NIC initiator that needs access to the storage system.




4. In the iSCSI Targets and Connections window, select one ofthe following options to discover the iSCSI target ports on theconnected storage systems:

Discover iSCSI targets on this subnet - Scans the current subnetfor all connected iSCSI storage-system targets. The utility scansthe subnet in the range from 1 to 255. For example, if the currentsubnet is 10.12.77, the utility will scan the IP addresses from10.12.77.1 to 10.12.77.255.

If CHAP authentication is enabled on all target ports on a storagesystem, you cannot discover the iSCSI target ports using a subnet scan.You must discover the targets using the target portal.


Discover iSCSI targets for this target portal - Discovers targetsknown to the specified iSCSI SP data port.

5. Click Next.

If you entered the IP address of the iSCSI target and you haveCHAP authentication enabled on that target, the CHAP loginwindow is displayed.

6. If the CHAP login window is displayed, enter the CHAP securityinformation (username and secret) and, if you have mutual CHAPconfigured on the storage system and the server and you want theinitiator to authenticate the target, check Mutual CHAP, and clickNext.

7. For each target you want to log in to:

a. In the iSCSI Targets window, select the IP address of theInactive target.

b. Under Login Options, select Also login to peer iSCSI target forHigh Availability (recommended) if the peer iSCSI target islisted.

This option allows the utility to create a login connection tothe peer target so if the target you selected above becomesunavailable, data will continue to the peer target.

! CAUTION

If multiple NICs are on the same subnet and you leave theServer Network Adapter IP option set to Default, only oneNIC is actually used at a time. Other NICs are in standbymode. If you leave the Server Network Adapter IP option setto Default and a NIC fails, the server will use one of the otherNICs, even if they are on the same subnet, as long as thereis a network path from the storage system to the NIC that isin standby mode.

c. If you selected Also login to peer iSCSI target for HighAvailability (recommended) in the previous step, leave theServer Network Adapter IP set to Default to allow the iSCSI


initiator to automatically fail over to an available NIC in theevent of a failure.


d. Click Logon to connect to the selected target.

If CHAP authentication is enabled on the target, a CHAP loginpop-up dialog box is displayed.

e. If a CHAP login pop-up dialog box is displayed, enter theCHAP security information (username and secret) and, if youhave mutual CHAP configured on the storage system and theserver and you want the initiator to authenticate the target,check Mutual CHAP, and click OK.

The CHAP login window will not be displayed if:– you are already logged in to this target.– you already entered the CHAP credentials to this targetin a previous login and you did not close the utility.

8. Click Next.

One of the following windows is displayed:

Network Interfaces (NICs) window — This window is displayedif all of the following statements are true:

the NICs are on the same subnet as an iSCSI target connectedto this server.

the NICs appear to be used primarily for iSCSI traffic ratherthan general network traffic.

the NICs do not already have the recommended TCPsettings enabled.

This window allows you to update network settings on theselected NICs so that the NICs immediately acknowledgeincoming TCP segments.


Server registration window — This window is displayed andlists all connected storage systems if the above conditions arenot true.

9. If the Network Interfaces (NICs) window is displayed:

a. Uncheck any NICs that will be used for general network trafficand click Apply.

Important: If a NIC is not listed and it is used primarily for iSCSItraffic, complete the remaining steps in this section and refer to theserver utility’s online help for information on using the OptimizeNetwork Interface (NICs) for iSCSI option. This option lists all the NICson your server and allows you to manually select which NICs youwant to immediately acknowledge incoming TCP segments for.

A confirmation dialog is displayed stating that the networksettings for your NICs have been updated but that you mustrestart your system to apply them.

b. Click OK and then Next.

10. In the server registration window, click Next to send the updatedinformation to the storage system.

A success message is displayed.

Important: If you have the host agent installed on the server, you will getan error message indicating that the host agent is running and you cannotuse the server utility to update information to the storage system; the hostagent will do this automatically.


Configuring HBA initiators on Windows servers to connect to the storage-system iSCSItargets with iSNS

Use the QLogic SANsurfer package to configure the networkparameters for each HBA iSCSI initiator:



2. In the HBA tree, select the HBA and click the HBA Options tab.

The iSCSI name defaults to the iSCSI standard (iqn.xxxx).

3. Select Enable iSNS.

4. For each iSNS server, set the iSNS server address automatically ormanually:

For an automatic setting - Select Obtain iSNS server addressautomatically (via DCHP).

For a manual setting - Select Use the following iSNS serveraddress and enter the IP address of the server.

5. Click Save to save the new settings.

6. On the Target Settings tab, verify that the targets were discovered.

If any target was not discovered, verify that the IP address for eachiSNS server is correct and that iSNS is set up correctly on the server.

For an existing storage system with CHAP already configured, thestate of its targets will be Session Failed. If any other target wasnot discovered, verify that the IP address for each iSNS server iscorrect and that iSNS is set up correctly on the server.

7. For an existing storage system with CHAP already configured:

a. Configure CHAP for the iSCSI HBA initiator as described in thesection on setting up optional CHAP security.

b. After you enable CHAP security for the iSCSI HBA initiator,click Save.

c. At the prompt to refresh the information for the server, clickYes.

Configuring HBA initiators on Windows servers to connect to the storage-system iSCSItargets without iSNS

Use the QLogic SANsurfer software to configure the networkparameters for each QLogic iSCSI HBA that needs to access the storagesystem.


! CAUTION

Athough the Microsoft iSCSI Software Initiator Service option isrequired by the QLogic driver, you must use the QLogic SANsurfersoftware to control iSCSI HBAs.


2. For each iSCSI connection to the storage system:

a. If multiple HBAs are listed in the first column under the server’sname, select the HBA to be configured.

b. Click the Target Settings tab.

c. On the Target Settings page, click the green plus (+) sign andenter the IP address for the iSCSI port on your storage system,and click OK.

For the iSCSI data port IP addresses, refer to the iSCSI target andinitiator port network information worksheet, which shouldhave been completed when you planned your configuration.

The state for the port is No Connection Active.

d. Select Auto Discover Targets.

e. Click Save and Yes to save the changes and discover all targets.

If the network is routed, the discovery finds all targets (ports)for the IP address you entered earlier. The state of routed portsis Session Active; for unrouted ports, it is Unknown.

f. In the Security Check window, enter your password and clickOK.

The default password is config.

For an existing storage system with CHAP already configured,the state will be Session Failed.

g. For an existing storage system with CHAP already configured:


Configure CHAP for the iSCSI HBA initiator as described inthe section on setting up optional CHAP security.

After you enable CHAP security for the iSCSI HBA initiator,click Save.

At the prompt to refresh the information for the server,click Yes.

h. Select Config Parameters.

i. Select and enable all the targets that you want to connect to theserver.

If you do not want the server to connect to a port or you want toremove unknown ports, select the entry for the port and clickthe red minus (-) sign.

j. Enable timestamps, set the execution throttle to 256, anduncheck immediate data.

k. Click Save and Yes.

l. In the Security Check window, enter your password and clickOK.

The HBA performs an iSCSI discovery. Once finished,SANsurfer displays all targets on the storage system.


Preparing for CHAP security

To prepare for using CHAP security, you must have done the following:

❑ Completed the CHAP worksheets in the chapter on iSCSIconfiguration in the appropriate guide listed below and have theworksheets available.

Planning Your CX3-20c Storage System Configuration or PlanningYour CX3-40c Storage System Configuration

CX300, CX300i, CX500, CX500i, and CX700 Storage SystemsConfiguration and Planning Guide (P/N 300-001-273)

Planning Your AX150-Series iSCSI Storage-System Configuration(P/N 300–002–951)

❑ Configured CHAP security on the storage system as described inthe setup guide for your iSCSI storage system.

❑ On a Windows server that uses NICs, cleared any existing sessionsor target portals to the storage system as described below.

Logging off and removing targets on a Windows server

When you remove an iSCSI target, the specified target and all other targets onthe storage system will be removed. If you want to remove a specific target butnot all targets on the storage system, you must use the Microsoft SoftwareInitiator.

1. On the server that includes your iSCSI initiators, open theNavisphere Server Utility.

2. Log off and remove any targets on the storage system you aresetting up for CHAP:

a. Select Configure iSCSI Connections on this server and thenConfigure iSCSI Connections.

b. In the iSCSI Targets and Connections window, under ViewiSCSI Connections, select View currently available targets.

c. Click Next. The utility scans for target and displays the IPaddress for each target it discovers.


d. In the iSCSI Targets window, select the IP address of theConnected target and click Logoff. The target status changes toInactive.

e. Select the IP address of the Inactive target and click Remove.All targets for the storage system are removed.

f. Click Cancel to close the wizard.


Configuring CHAP on the iSCSI initiators

Before configuring CHAP security on iSCSI initiators, verify that youhave completed the steps listed in the previous section, Preparing forCHAP security.

To configure initiator CHAP, refer to one of the following sections:

Configuring initiator CHAP on NIC initiators on a Windowsserver, page 28

Configuring initiator CHAP on the iSCSI HBA initiators on aserver, page 31

To configure mutual CHAP (optional), refer to one of the followingsections:

Configuring mutual (target) CHAP on NIC initiators on a Windowsserver, page 32

Configuring mutual (target) CHAP on the iSCSI HBA initiators on aserver, page 35

Configuring initiator CHAP on NIC initiators on a Windows server

! CAUTION

CHAP security must be enabled on the storage system before youcan configure CHAP for the NIC.

After entering CHAP data on the target, you must enter the samedata on each NIC initiator you log in to. On each initiator, you enterthe initiator CHAP user account data (username and secret) that theinitiator sends to the target for authentication. For initiator CHAP,this data is the initiator username and secret that you entered on thetarget. When the initiator sends this data, the target compares it withan account database and authenticates the initiator.







If CHAP authentication is enabled on all target ports on a storagesystem, you cannot discover a target port using a subnet scan. Youmust discover the targets using the target portal.

Discover iSCSI targets for this target portal - Discovers thespecified IP address of the iSCSI SP port.

Discover iSCSI targets using this iSNS server - Sends a requestto the iSNS server for all connected iSCSI storage-system targets.

5. Click Next.

The utility scans for iSCSI target ports and displays the IP addressfor each target it discovers.

If you entered the IP address of the iSCSI target and you have CHAPauthentication enabled on that target, the CHAP login window isdisplayed. Enter the CHAP security information (username and secret).If you have mutual CHAP configured on the storage system and on thisserver, check Mutual CHAP. Click OK.

6. In the iSCSI Targets window, select the IP address of the Inactivetarget.

7. Under Login Options, select Also login to peer iSCSI target forHigh Availability (recommended) if the peer iSCSI target is listed.This allows the utility to create a login connection to the peer targetso if the target you selected above becomes unavailable, data wouldcontinue to the peer target.


! CAUTION

If multiple NICs are on the same subnet and you leave the ServerNetwork Adapter IP option set to Default, only one NIC isactually used at a time. Other NICs are in standby mode. If youleave the Server Network Adapter IP option set to Default and aNIC fails, the server will use one of the other NICs, even if theyare on the same subnet, as long as there is a network path fromthe storage system to the NIC that is in standby mode.

8. If you selected Also login to peer iSCSI target for High Availability(recommended) in the previous step, leave the Server NetworkAdapter IP set to Default. This allows the iSCSI initiator toautomatically fail over to an available NIC in the event of a failure.


9. Click Logon to connect to the selected target. If CHAPauthentication is enabled on the target, a CHAP login pop-updialog box is displayed. Enter the CHAP security information(username and secret) and, if you have mutual CHAP configuredon the storage system and the server, check Mutual CHAP if youwant the initiator to authenticate the target. Click OK.

If you are running PowerPath 4.6 or later, the Navisphere Server Utility willautomatically enable multipath when logging on to the target.

10. Repeat steps 6 – 9 for each target you want to log in to.

11. Click Next. The server registration window opens and lists allconnected storage systems.

12. In the server registration window, click Next to send the updatedinformation to the storage system. A success message will bedisplayed.


Important: If you have the host agent installed on the server, you will getan error message indicating that the host agent is running and you cannotuse the Server Utility to update information to the storage system; thehost agent will do this automatically.


You have set and enabled initiator security on the server and storagesystem.

Configuring initiator CHAP on the iSCSI HBA initiators on a server

Configure initiator CHAP on each iSCSI HBA that communicates withthe server.

The steps below apply to version 4.01.00 or later of the QLogic SANsurfersoftware. If you are running an earlier version, refer to the SANsurferdocumentation.

1. Open the SANsurfer software.

2. Click Connect and enter the hostname or IP address. Click Connect.

3. Under the iSCSI HBA tab, double-click the HBA and select theHBA port.

4. Click the Target Settings tab.

5. Click Config Authentication on the bottom of the pane.


6. Select the CHAP tab.

7. Click the green plus sign (+) on the right of the CHAP Entriesportion of the CHAP screen.

a. Type in the initiator name for your HBA initiator. This namemust match the CHAP username you entered on the storagesystem.

b. Type in the secret for that initiator. The CHAP username secretmust match the secret you entered on the storage system.


8. Under the Targets portion of the CHAP screen, select the ChapName/Secret row; then from the drop-down menu, select theinitiator name and secret you just entered in the CHAP Entriestable.

9. Click OK.

10. Save your changes on the Target Settings window (the defaultpassword remains config).

You have set up initiator CHAP security on the server.

Configuring mutual (target) CHAP on NIC initiators on a Windows server

! CAUTION

CHAP security must be enabled on the storage system before youcan configure CHAP for the NIC.

After entering CHAP data on the target, you must enter the sameCHAP user account data (username and secret) on each NIC initiatorthat will connect to the target. The initiator sends the user accountcredentials to the target for authentication. When the initiator sends thisdata, the target compares it with an account database and authenticatesthe initiator.



3. If you are setting up mutual CHAP, follow the steps below.

If you are not setting up mutual CHAP, go to step 4.

a. Select Configure Mutual CHAP and click Next.

b. In the Mutual CHAP Authentication window, enter the mutualCHAP secret (password). If you have already configured mutualCHAP on the storage system, enter the same secret. Click Next.

c. Click Finish in the success window.





If CHAP authentication is enabled on all target ports on a storagesystem, you cannot discover a target port using a subnet scan. Youmust discover the targets using the target portal.

Discover iSCSI targets for this target portal - Discovers targetsknown to the specified iSCSI SP data port.

Discover iSCSI targets using this iSNS server - Sends a requestto the iSNS server for all connected iSCSI storage-system targets.

6. Click Next. If you entered the IP address of the iSCSI target andyou have CHAP authentication enabled on that target, the CHAPlogin windows displays. Enter the CHAP security information(username and secret) and if you have mutual CHAP configuredon the storage system and the server and you want the initiator toauthenticate the target, check Mutual CHAP. Click Next.

The utility scans for iSCSI target ports and displays the IP addressfor each target it discovers.

7. In the iSCSI Targets window, select the IP address of the Inactivetarget.

8. Under Login Options, select Also login to peer iSCSI target forHigh Availability (recommended) if the peer iSCSI target is listed.This allows the utility to create a login connection to the peer targetso if the target you selected above becomes unavailable, data wouldcontinue to the peer target.


! CAUTION

If multiple NICs are on the same subnet and you leave the ServerNetwork Adapter IP option set to Default, only one NIC isactually used at a time. Other NICs are in standby mode. If youleave the Server Network Adapter IP option set to Default and aNIC fails, the server will use one of the other NICs, even if theyare on the same subnet, as long as there is a network path fromthe storage system to the NIC that is in standby mode.

9. If you selected Also login to peer iSCSI target for High Availability(recommended) in the previous step, leave the Server NetworkAdapter IP set to Default. This allows the iSCSI initiator toautomatically fail over to an available NIC in the event of a failure.


10. Click Logon to connect to the selected target. If CHAPauthentication is enabled on the target, a CHAP login pop-updialog box is displayed. Enter the CHAP security information(username and secret) and, if you have mutual CHAP configuredon the storage system and the server and you want mutual CHAPenabled on the initiator, check Mutual CHAP. Click OK.

If you are running PowerPath 4.6 or later, the Navisphere Server Utility willautomatically enable multipath when logging on to the target.

11. Repeat steps 7 – 10 for each target you want to log in to.

12. Click Next. The server registration window opens and lists allconnected storage systems.

13. In the server registration window, click Next to send the updatedinformation to the storage system. A success message is displayed.


Important: If you have the host agent installed on the server, you will getan error message indicating that the host agent is running and you cannotuse the Server Utility to update information to the storage system; thehost agent will do this automatically.


You have completed the setup and enabling of target security on theserver and storage system.

Configuring mutual (target) CHAP on the iSCSI HBA initiators on a server

Mutual CHAP is applied in addition to initiator CHAP, so youmust set up initiator CHAP before setting up mutual CHAP.The steps below apply to version 4.01.00 or later of the QLogic SANsurfersoftware. If you are running an earlier version, refer to the SANsurferdocumentation.


2. Click Connect and enter the hostname or IP address, and clickConnect.


4. Select the Target Settings tab.

5. Select Config Authentication from the bottom of the pane, and inthe password prompt, use the password config.


7. Click the green plus sign (+) on the right of the Target Table portionof the CHAP screen.

a. In the blank row under the Target Name column, enter the targetCHAP username that you entered on the storage system.

b. In the Target Secret column, enter the target CHAP secret thatyou entered on the storage system.

8. Under the Targets portion of the CHAP screen, select Bidi(bi-directional) for the target you want the initiator to authenticate.

9. Click OK.


10. Save your changes on the Target Settings screen (the defaultpassword remains config).

You have set up mutual (target) CHAP security on the server.


Modifying CHAP credentials on the server

Before modifying the CHAP secret on the server, you must modify iton the storage system first.

For information on modifying CHAP credentials on the storage system, refer tothe Navisphere Manager online help.

Modifying the mutual CHAP secret for NICs



3. Select Configure Mutual CHAP and click Next.

4. In the Mutual CHAP Authentication window, enter the newmutual CHAP secret (password). Be sure to enter the same newsecret you entered on the storage system. Click Next.

5. Click Finish in the success window.

Modifying the mutual CHAP secret for iSCSI HBAs








7. Under the Target Table portion of the CHAP screen, select thetarget secret you want to modify and enter the new mutual CHAPsecret (password). Be sure to enter the same new secret you enteredon the storage system.

8. Click OK.



Modifying the mutual CHAP secret for NICs



3. Select Configure Mutual CHAP and click Next.

4. In the Mutual CHAP Authentication window, enter the newmutual CHAP secret (password). Be sure to enter the same newsecret you entered on the storage system. Click Next.

5. Click Finish in the success window.

Modifying the mutual CHAP secret for iSCSI HBAs








7. Under the Target Table portion of the CHAP screen, select thetarget secret you want to modify and enter the new mutual CHAPsecret (password). Be sure to enter the same new secret you enteredon the storage system.

8. Click OK.



Copyright© 2006–2007 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. Theinformation is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATIONMAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TOTHE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIEDWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires anapplicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks onEMC.com.

All other trademarks mentioned herein are the property of their respective owners.


CX3-Series, CX-Series, and AX150-Series - iSCSI … CX-Series, and AX150-Series iSCSI Server Setup...

Documents

Transcript of CX3-Series, CX-Series, and AX150-Series - iSCSI … CX-Series, and AX150-Series iSCSI Server Setup...