This post demonstrates how to secure iSCSI LUNs between Oracle Solaris 11 and NetApp storage with mutual CHAP authentication (Solaris calls it Bidirectional CHAP rather than Mutual CHAP). The aggregate, LUN and disk sizes are small in this HOWTO to keep it simple. Research the relationship between Solaris EFI, Solaris VTOC and LUN size, as well as UFS vs ZFS, to make sure you choose the proper type for your environment. This was done with Solaris 11 (11/11) x86. All steps except the fdisk step near the end are the same for SPARC systems.
1) Check for the iSCSI packages. They should be installed by default.
> pkginfo | grep iSCSI
system SUNWiscsir Sun iSCSI Device Driver (root)
system SUNWiscsiu Sun iSCSI Management Utilities (usr)
2) Make sure the iSCSI service is running on your Solaris host.
> svcs | grep iscsi
online 6:41:58 svc:/network/iscsi/initiator:default
If not, start it.
> svcadm enable svc:/network/iscsi/initiator:default
3) Get your local iSCSI Initiator Node Name or iqn name on the Solaris host.
> iscsiadm list initiator-node | grep iqn
Initiator node name: iqn.1986-03.com.sun:01:e00000000000.52bcad1c
4) Make sure the iscsi service is running on the NetApp.
netapp> iscsi status
5) Create the volume that will hold the iSCSI LUNs. This command assumes you have aggregate aggr1 already created. If not, use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g
6) Create a lun on the volume.
netapp> lun create -s 5g -t solaris_efi /vol/MCHAPVOL/SOL11_iSCSI_MCHAP_01
7) Create an igroup and add the Solaris iscsi node name or iqn from step 3 above to it.
netapp> igroup create -i -t solaris ISCSI_MCHAP_SOL11
netapp> igroup add ISCSI_MCHAP_SOL11 iqn.1986-03.com.sun:01:e00000000000.52bcad1c
netapp> igroup show
ISCSI_MCHAP_SOL11 (iSCSI) (ostype: solaris):
iqn.1986-03.com.sun:01:e00000000000.52bcad1c (not logged in)
8) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/SOL11_iSCSI_MCHAP_01 ISCSI_MCHAP_SOL11 01
Note: Solaris EFI is for LUNs larger than 2 TB and Solaris VTOC for smaller disks. This LUN is small just to demonstrate the configuration.
9) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.4055372815
10) On the Solaris host, configure the target (NetApp controller) to be statically discovered. Note that there are two dashes in front of --static and --sendtargets; some browsers render them as a single dash.
> iscsiadm modify discovery --static enable
> iscsiadm modify discovery --sendtargets enable
> iscsiadm add discovery-address 10.10.10.141:3260
> iscsiadm add static-config iqn.1992-08.com.netapp:sn.4055372815,10.10.10.141:3260
> iscsiadm list static-config
Static Configuration Target: iqn.1992-08.com.netapp:sn.4055372815,10.10.10.141:3260
11) Check your discovery methods. Make sure Static and Send Targets are enabled.
> iscsiadm list discovery
Discovery:
Static: enabled
Send Targets: enabled
iSNS: disabled
12) Enable Bidirectional CHAP on the Solaris host for the target NetApp controller.
> iscsiadm modify target-param --authentication CHAP iqn.1992-08.com.netapp:sn.4055372815
> iscsiadm modify target-param -B enable iqn.1992-08.com.netapp:sn.4055372815
13) Set the target device secret key that identifies the target NetApp controller. Note that Solaris requires CHAP secrets of at least 12 and at most 16 characters. Again, there are two dashes in front of --CHAP-secret. You can make up your own secrets.
> iscsiadm modify target-param --CHAP-secret iqn.1992-08.com.netapp:sn.4055372815
Enter secret: NETAPPBICHAP
Re-enter secret: NETAPPBICHAP
14) Set the Solaris host initiator name and CHAP secret. Remember, there are two dashes in front of --CHAP-secret. You can make up your own secrets.
> iscsiadm modify initiator-node --authentication CHAP
> iscsiadm modify initiator-node --CHAP-name iqn.1986-03.com.sun:01:e00000000000.52bcad1c
> iscsiadm modify initiator-node --CHAP-secret
Enter secret: BIDIRCHAPSOL11
Re-enter secret: BIDIRCHAPSOL11
15) Verify your target parameters. Make sure Bidirectional Authentication is enabled and Authentication type is CHAP.
> iscsiadm list target-param -v iqn.1992-08.com.netapp:sn.4055372815
Target: iqn.1992-08.com.netapp:sn.4055372815
Alias: -
Bi-directional Authentication: enabled
Authentication Type: CHAP
CHAP Name: iqn.1992-08.com.netapp:sn.4055372815
Login Parameters (Default/Configured):
Data Sequence In Order: yes/-
Data PDU In Order: yes/-
Default Time To Retain: 20/-
Default Time To Wait: 2/-
Error Recovery Level: 0/-
First Burst Length: 65536/-
Immediate Data: yes/-
Initial Ready To Transfer (R2T): yes/-
Max Burst Length: 262144/-
Max Outstanding R2T: 1/-
Max Receive Data Segment Length: 8192/-
Max Connections: 65535/-
Header Digest: NONE/-
Data Digest: NONE/-
Tunable Parameters (Default/Configured):
Session Login Response Time: 60/-
Maximum Connection Retry Time: 180/-
Login Retry Time Interval: 60/-
Configured Sessions: 1
16) Set the Bidirectional CHAP secrets on the NetApp controller.
netapp> iscsi security add -i iqn.1986-03.com.sun:01:e00000000000.52bcad1c -s chap -p BIDIRCHAPSOL11 -n iqn.1986-03.com.sun:01:e00000000000.52bcad1c -o NETAPPBICHAP -m iqn.1992-08.com.netapp:sn.4055372815
a) View the iSCSI security configuration.
netapp> iscsi security show
init: iqn.1986-03.com.sun:01:e00000000000.52bcad1c auth: CHAP Local Inbound password: **** Inbound username: iqn.1986-03.com.sun:01:e00000000000.52bcad1c Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815
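As an added check (example shell, not from the original post), the script below confirms offline that a "iscsiadm list target-param -v" listing like the one in step 15 really shows mutual CHAP enforced, and that a chosen secret fits the 12 to 16 character limit from step 13. The sample listings are constructed from the post's own output; a one-way variant is included to show what a forgotten "-B enable" looks like.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for the Solaris
# side of the Bidirectional CHAP setup. check_target_params reads the text of
# "iscsiadm list target-param -v <target>" on stdin, so it works on a live run
# or on the constructed samples below (copied from the step 15 output).

# Return 0 only when the listing shows mutual CHAP actually enforced, i.e.
# Authentication Type is CHAP *and* Bi-directional Authentication is enabled.
# With only the first line the target never has to prove itself to the host.
check_target_params() {
    _listing=$(cat)
    printf '%s\n' "$_listing" \
        | grep -q '^[[:space:]]*Authentication Type: CHAP[[:space:]]*$' || return 1
    printf '%s\n' "$_listing" \
        | grep -q '^[[:space:]]*Bi-directional Authentication: enabled[[:space:]]*$' || return 1
    return 0
}

# Return 0 when the secret in $1 is within the 12 to 16 character range the
# post gives for Solaris CHAP secrets (step 13).
check_chap_secret_length() {
    [ "${#1}" -ge 12 ] && [ "${#1}" -le 16 ]
}

# Constructed sample: the header of the step 15 listing after steps 12 to 14.
SAMPLE_MUTUAL='Target: iqn.1992-08.com.netapp:sn.4055372815
Alias: -
Bi-directional Authentication: enabled
Authentication Type: CHAP
CHAP Name: iqn.1992-08.com.netapp:sn.4055372815'

# Constructed sample: CHAP turned on but "-B enable" from step 12 forgotten,
# so only the initiator is authenticated and the target is not.
SAMPLE_ONEWAY='Target: iqn.1992-08.com.netapp:sn.4055372815
Alias: -
Bi-directional Authentication: disabled
Authentication Type: CHAP
CHAP Name: iqn.1992-08.com.netapp:sn.4055372815'

# Demo when run directly: reports which sample passes the check.
for _name in SAMPLE_MUTUAL SAMPLE_ONEWAY; do
    eval "_text=\$$_name"
    if printf '%s\n' "$_text" | check_target_params; then
        echo "$_name: mutual CHAP enforced"
    else
        echo "$_name: mutual CHAP NOT enforced"
    fi
done
```

On a live host, pipe the real listing in: iscsiadm list target-param -v iqn.1992-08.com.netapp:sn.4055372815 | check_target_params.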
17) On the Solaris host, reconfigure the /dev namespace to recognize the iSCSI disk (lun) you just connected.
> devfsadm -i iscsi
(or, to also clean up stale device links: devfsadm -Cv -i iscsi)
18) Log in to the server and format the disk. Note: the fdisk command below can be skipped on SPARC systems. Your input follows each prompt in the sequence below.
> format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c4t0d0 <VMware-Virtual disk-1.0 cyl 1824 alt 2 hd 255 sec 63>
/pci@0,0/pci15ad,1976@10/sd@0,0
1. c5t2d0 <NETAPP-LUN-7350 cyl 2558 alt 2 hd 128 sec 32>
/iscsi/disk@0000iqn.1992-08.com.netapp%3Asn.8416793903E8,1
Specify disk (enter its number): 1
selecting c5t2d0
[disk formatted]
No Solaris fdisk partition found.
FORMAT MENU:
disk - select a disk
type - select (define) a disk type
partition - select (define) a partition table
current - describe the current disk
format - format and analyze the disk
fdisk - run the fdisk program
repair - repair a defective sector
label - write label to the disk
analyze - surface analysis
defect - defect list management
backup - search for backup labels
verify - read and display labels
save - save new disk/partition definitions
inquiry - show disk ID
volname - set 8-character volume name
!<cmd> - execute <cmd>, then return
quit
format> fdisk (skip this command if you are on a SPARC system)
No fdisk table exists. The default partition for the disk is:
a 100% "SOLARIS System" partition
Type "y" to accept the default partition, otherwise type "n" to edit the
partition table.
y
format> p
PARTITION MENU:
0 - change `0' partition
1 - change `1' partition
2 - change `2' partition
3 - change `3' partition
4 - change `4' partition
5 - change `5' partition
6 - change `6' partition
7 - change `7' partition
select - select a predefined table
modify - modify a predefined partition table
name - name the current table
print - display the current table
label - write partition map and label to the disk
!<cmd> - execute <cmd>, then return
quit
partition> p
Current partition table (default):
Total disk cylinders available: 2557 + 2 (reserved cylinders)
Part Tag Flag Cylinders Size Blocks
0 unassigned wm 0 0 (0/0/0) 0
1 unassigned wm 0 0 (0/0/0) 0
2 backup wu 0 - 2556 4.99GB (2557/0/0) 10473472
3 unassigned wm 0 0 (0/0/0) 0
4 unassigned wm 0 0 (0/0/0) 0
5 unassigned wm 0 0 (0/0/0) 0
6 unassigned wm 0 0 (0/0/0) 0
7 unassigned wm 0 0 (0/0/0) 0
8 boot wu 0 - 0 2.00MB (1/0/0) 4096
9 unassigned wm 0 0 (0/0/0) 0
partition> 0
Part Tag Flag Cylinders Size Blocks
0 unassigned wm 0 0 (0/0/0) 0
Enter partition id tag[unassigned]: <press enter>
Enter partition permission flags[wm]: <press enter>
Enter new starting cyl[0]: <press enter>
Enter partition size[0b, 0c, 0e, 0.00mb, 0.00gb]: 4.99gb
partition> l (This is a lower case "L", not the numeral 1. This step labels the disk.)
Ready to label disk, continue? y
partition> q
format> q
19) Create the file system. You can choose either UFS or ZFS. Both options are shown below.
a) If you will use UFS:
> newfs -Tv /dev/rdsk/c5t2d0s0
newfs: construct a new file system /dev/rdsk/c5t2d0s0: (y/n)? y
mkfs -F ufs /dev/rdsk/c5t2d0s0 10465280 32 128 8192 8192 -1 1 250 1048576 t 0 -1 8 128 y
/dev/rdsk/c5t2d0s0: 10465280 sectors in 2555 cylinders of 128 tracks, 32 sectors
5110.0MB in 18 cyl groups (149 c/g, 298.00MB/g, 320 i/g)
super-block backups (for fsck -F ufs -o b=#) at: 32, 610368, 1220704, 1831040, 2441376,
3051712, 3662048, 4272384, 4882720, 5493056,
6103392, 6713728, 7324064, 7934400, 8544736, 9155072, 9765408, 10375744
> fsck /dev/rdsk/c5t2d0s0
> mkdir /old_ufs_filesystem
> mount /dev/dsk/c5t2d0s0 /old_ufs_filesystem
> vi /etc/vfstab
Add the line below to the bottom of the file so the file system is mounted when the system boots:
/dev/dsk/c5t2d0s0 /dev/rdsk/c5t2d0s0 /old_ufs_filesystem ufs 2 yes -
Save and exit the vi session with :wq!
b) Check the new mount.
> df -h | grep old_ufs_filesystem
/dev/dsk/c5t2d0s0 5.0G 5.0M 4.9G 1% /old_ufs_filesystem
20) If you will use ZFS:
a) Create a pool.
> zpool create -f netappluns c5t2d0s0
b) Create the filesystem.
> zfs create netappluns/fs
c) List the new filesystem.
> zfs list -r netappluns
NAME USED AVAIL REFER MOUNTPOINT
netappluns 124K 4.89G 32K /netappluns
netappluns/fs 31K 4.89G 31K /netappluns/fs
d) Use the legacy display method.
> df -h | grep netappluns
netappluns 4.9G 32K 4.9G 1% /netappluns
netappluns/fs 4.9G 31K 4.9G 1% /netappluns/fs
21) You are done. Hope this helps.