Set up in-band authentication over NVMe
Beginning with ONTAP 9.12.1 you can use the ONTAP command line interface (CLI) to configure in-band (secure), bidirectional and unidirectional authentication between an NVMe host and controller over the NVME/TCP and NVMe/FC protocols using DH-HMAC-CHAP authentication. Beginning with ONTAP 9.14.1, in-band authentication can be configured in System Manager.
To set up in-band authentication, each host or controller must be associated with a DH-HMAC-CHAP key which is a combination of the NQN of the NVMe host or controller and an authentication secret configured by the administrator. For an NVMe host or controller to authenticate its peer, it must know the key associated with the peer.
In unidirectional authentication, a secret key is configured for the host, but not the controller. In bidirectional authentication, a secret key is configured for both the host and the controller.
SHA-256 is the default hash function and 2048-bit is the default DH group.
Beginning with ONTAP 9.14.1, you can use System Manager to configure in-band authentication while creating or updating an NVMe subsystem, creating or cloning NVMe namespaces, or adding consistency groups with new NVMe namespaces.
-
In System Manager, click Hosts > NVMe Subsystem and then click Add.
-
Add the NVMe subsystem name, and select the storage VM and host operating system.
-
Enter the Host NQN.
-
Select Use in-band authentication next to the Host NQN.
-
Provide the host secret and controller secret.
The DH-HMAC-CHAP key is a combination of the NQN of the NVMe host or controller and an authentication secret configured by the administrator.
-
Select the preferred hash function and DH group for each host.
If you don't select a hash function and a DH group, SHA-256 is assigned as the default hash function and 2048-bit is assigned as the default DH group.
-
Optionally, click Add and repeat the steps as needed to add more host.
-
Click Save.
-
To verify that in-band authentication is enabled, click System Manager > Hosts > NVMe Subsystem > Grid > Peek view.
A transparent key icon next to the host name indicates that unidirectional mode is enabled. An opaque key next to the host name indicates bidirectional mode is enabled.
-
Add DH-HMAC-CHAP authentication to your NVMe subsystem:
vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function <sha-256|sha-512> -dhchap-group <none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit>
-
Verify that the DH-HMAC CHAP authentication protocol is added to your host:
vserver nvme subsystem host show
[ -dhchap-hash-function {sha-256|sha-512} ] Authentication Hash Function [ -dhchap-dh-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit} ] Authentication Diffie-Hellman Group [ -dhchap-mode {none|unidirectional|bidirectional} ] Authentication Mode
-
Verify that the DH-HMAC CHAP authentication was performed during NVMe controller creation:
vserver nvme subsystem controller show
[ -dhchap-hash-function {sha-256|sha-512} ] Authentication Hash Function [ -dhchap-dh-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit} ] Authentication Diffie-Hellman Group [ -dhchap-mode {none|unidirectional|bidirectional} ] Authentication Mode