iSCSI authentication method, iSCSI initiator device and target device, and authentication methods for each side
Technical field
The present invention relates to data transmission technology, and in particular to an iSCSI (Internet SCSI, the SCSI transport protocol over the Internet) authentication method, an iSCSI initiator device, an iSCSI target device, and the authentication methods performed on each side.
Background technology
SCSI (Small Computer System Interface) is a standard that specifies block I/O (Input/Output) operations between an application host and external devices such as disks, tapes, optical drives, printers and scanners. The SCSI device reference model is a typical client/server model: the side that initiates a service request is called the Initiator (for example, an application host), and the side that accepts the service request is called the Target. Initiator and target may be connected by various physical means.
iSCSI is a SCSI transport protocol over TCP/IP, used to carry SCSI commands and data between an application host and a storage system across an IP network. A typical iSCSI deployment is shown in Figure 1: the client 10 integrates an iSCSI initiator module and the storage system 30 integrates an iSCSI target module. The client 10 encapsulates SCSI commands and/or data in iSCSI messages and sends them to the storage system 30 over the IP network 20; the storage system 30 processes each iSCSI message, extracts the data it carries and writes it to the storage medium.
In a storage system, each storage resource is represented by an iSCSI Target, and one storage system may create several storage resources. Access rights are set on storage resources so that only a client identified by its iSCSI initiator name, which serves as the unique identifier within the storage system, may access the storage resources authorized for it. Before a client can access the storage resources the storage system has allocated to it and perform read and write operations, it must first obtain the list of those storage resources; within this list, the storage resource name identifies what the initiator is authorized to access.
An initiator typically obtains the storage resource list as follows: the address of the storage system hosting the target, such as its IP address and TCP (Transmission Control Protocol) port, is first configured statically on the initiator side; a storage resource discovery procedure is then started to obtain the list of storage resources authorized for this initiator.
A typical storage resource discovery procedure, shown in Figure 2, comprises the following steps:
S201: the initiator sends a login request message to the storage system, carrying the name parameter InitiatorName of the iSCSI initiator;
S202: on receiving the login request, the storage system returns a login response message to the initiator, and both sides establish a session;
S203: the initiator sends a text request message to the storage system carrying the SendTargets parameter, requesting the storage system to return the list of all storage resources authorized for this initiator;
S204: the storage system checks its storage resource Access Control List (ACL) and returns to the initiator the list of storage resources it is entitled to access; the list contains storage resource names and storage resource addresses;
S205: having obtained the storage resource list, the initiator sends a logout request message to the storage system, asking to end the discovery procedure;
S206: the storage system returns a logout response message to the initiator, ending the storage resource discovery procedure.
Table 1:
Storage resource name | Storage resource address | Access rights | Authorized iSCSI Initiator name |
Iqn.target:sample1 | 10.165.112.100:3260 | Read/write | Iqn.Initiator:sample1 |
Iqn.target:sample2 | 10.165.112.100:3260 | Read/write; read-only | Iqn.Initiator:sample1; Iqn.Initiator:sample2 |
Iqn.target:sample3 | 10.165.112.200:3260 | Read/write | Iqn.Initiator:sample2 |
…… | …… | …… | …… |
A typical storage resource Access Control List (ACL) used in step S203 is shown in Table 1: the client whose iSCSI initiator name is Iqn.Initiator:sample1 is entitled to access the two Targets named Iqn.target:sample1 and Iqn.target:sample2; the client named Iqn.Initiator:sample2 is entitled to access the two Targets named Iqn.target:sample2 and Iqn.target:sample3, with read-only rights on Iqn.target:sample2. Iqn.target:sample2 is thus accessible to two clients at the same time.
With such a storage resource ACL, the storage system eliminates unauthorized access to storage resources to a certain degree, but not thoroughly. In the iSCSI protocol architecture, the iSCSI initiator name used to uniquely identify a client is a character string generated according to a naming convention; its uniqueness cannot be guaranteed technically, so whether through misconfiguration or deliberate forgery, it poses a threat to data security.
To further improve data security, security mechanisms from the IP communications field were introduced into the iSCSI protocol to authenticate clients, such as CHAP (Challenge Handshake Authentication Protocol) and SRP (Secure Remote Password). The resulting storage resource initiation procedure is shown in Figure 3:
S301: when the initiator starts the iSCSI Target discovery procedure, it first sends the list of authentication modes it supports to the storage system in the login request message, in the authentication method parameter AuthMethod;
S302: if the initiator needs to be authenticated, the storage system returns the selected authentication mode to the initiator in the AuthMethod parameter;
S303: the initiator and the storage system carry out the authentication procedure, such as CHAP, according to the selected authentication mode;
S304: after authentication succeeds, the storage system returns a login success response message to the initiator;
S305-S308 are identical to the general storage resource discovery procedure of Figure 2.
With initiator authentication added, an initiator that cannot pass the storage system's authentication cannot obtain the storage resource list and therefore cannot access the storage resources. This further improves data security and effectively prevents some unauthorized access to data.
By combining iSCSI with mature security mechanisms, client identification changed from relying on the iSCSI initiator name alone to using the iSCSI initiator name together with a password. However, this does not change the fact that both the iSCSI initiator name and the password are configurable parameters: they remain easy to forge and to steal, so a data security problem remains.
Summary of the invention
The problem addressed by the present invention is to provide an iSCSI authentication method, an iSCSI initiator device, an iSCSI target device and authentication methods for each side, so as to overcome the defect of the prior art that authentication parameters are easily forged and stolen.
To this end, the invention provides an iSCSI authentication method comprising the following steps:
A. the iSCSI initiator sends a login request message to the iSCSI target, the login request message containing an identifier more reliable than the iSCSI initiator name;
B. the iSCSI target makes an access rights decision according to the identifier more reliable than the iSCSI initiator name; if access rights exist, proceed to step C;
C. the iSCSI target sends an authentication success response message to the iSCSI initiator.
The access rights decision of step B specifically comprises:
determining whether the login request message carries an identifier more reliable than the iSCSI initiator name; if it does, determining whether that identifier matches a pre-stored identifier; if it matches, access rights exist.
The match comprises: the character length of the identifier more reliable than the iSCSI initiator name equals a standard length value, and/or the character content of that identifier equals a standard content value.
Before step A, the method further comprises:
determining whether the iSCSI target is configured to authenticate the iSCSI initiator using an identifier more reliable than the iSCSI initiator name; if so, including such an identifier in the login request message.
The identifier more reliable than the iSCSI initiator name comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID).
The hardware identifier of the iSCSI initiator comprises the CPU serial number of the iSCSI initiator or the MAC address of the iSCSI initiator.
The invention also provides an initiator-side iSCSI authentication method comprising the following steps:
(71) obtaining, from within the iSCSI initiator, an identifier more reliable than the iSCSI device name;
(72) when initiating a login request, placing the identifier in the iSCSI login request message and sending it to the iSCSI target for authentication.
Before step (72), the method further comprises:
determining whether the iSCSI target is configured to authenticate the iSCSI initiator using an identifier more reliable than the iSCSI initiator name; if so, proceeding to step (72).
Before step (71), the method further comprises:
determining whether the iSCSI target is configured to authenticate the iSCSI initiator using an identifier more reliable than the iSCSI initiator name; if so, proceeding to step (71).
The identifier more reliable than the iSCSI initiator name comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID).
The hardware identifier of the iSCSI initiator comprises the CPU serial number of the iSCSI initiator or the MAC address of the iSCSI initiator.
The invention also provides a target-side iSCSI authentication method comprising the following steps:
(121) obtaining, from the login request message sent by the iSCSI initiator, the identifier it carries that is more reliable than the iSCSI initiator name;
(122) the iSCSI target compares the obtained identifier with an identifier stored internally in advance; if they match, the login request of the iSCSI initiator is accepted.
The match comprises: the character length of the identifier more reliable than the iSCSI initiator name equals a standard length value, and/or the character content of that identifier equals a standard content value.
The identifier more reliable than the iSCSI initiator name comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID).
The hardware identifier of the iSCSI initiator comprises the CPU serial number of the iSCSI initiator or the MAC address of the iSCSI initiator.
The invention also provides an iSCSI initiator comprising: an acquisition unit for the identifier more reliable than the iSCSI initiator name, a storage resource information receiving unit and a message encapsulation unit, wherein:
the acquisition unit for the identifier more reliable than the iSCSI initiator name is used to collect that identifier from the iSCSI initiator;
the message encapsulation unit is used to encapsulate the identifier more reliable than the iSCSI initiator name in the iSCSI login request message;
the storage resource information receiving unit is used to download, from the storage resource list of the iSCSI target, the storage resource information the iSCSI initiator is entitled to access.
The initiator further comprises a control unit which, on receiving an instruction from the iSCSI target to authenticate using an identifier more reliable than the iSCSI initiator name, controls the message encapsulation unit to encapsulate that identifier in the login request message.
The identifier more reliable than the iSCSI initiator name comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID).
The hardware identifier of the iSCSI initiator comprises the CPU serial number of the iSCSI initiator or the MAC address of the iSCSI initiator.
The invention also provides an iSCSI target comprising: a message parsing unit, a storage resource list unit and a list allocation management unit;
the message parsing unit is used to receive and parse the login request message sent by the iSCSI initiator and to obtain the identifier more reliable than the iSCSI initiator name;
the storage resource list unit is used to store the correspondence between identifiers more reliable than the iSCSI initiator name, storage resource list information and access rights;
the list allocation management unit is used to allocate storage resource list information to the iSCSI initiator according to the identifier more reliable than the iSCSI initiator name and the corresponding access rights.
The target further comprises an identifier judging unit, used to judge whether the identifier more reliable than the iSCSI initiator name in the iSCSI login request message matches a preset identifier and, when it matches, to control the list allocation management unit to allocate storage resource list information to the iSCSI initiator.
The identifier judging unit further comprises a length detection sub-unit and a content detection sub-unit;
the length detection sub-unit is used to judge whether the length of the identifier more reliable than the iSCSI initiator name meets the standard length value;
the content detection sub-unit is used, when the length meets the standard value, to judge whether the character content of the identifier more reliable than the iSCSI initiator name meets the standard content value.
The identifier more reliable than the iSCSI initiator name comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID).
The hardware identifier of the iSCSI initiator comprises the CPU serial number of the iSCSI initiator or the MAC address of the iSCSI initiator.
Compared with the prior art, the present invention has the following advantages:
The storage system of the invention no longer identifies a client by the iSCSI initiator name alone, but jointly with an identifier more reliable than the iSCSI initiator name, such as a CPU serial number or a MAC address. Only when the client's more reliable identifier matches does the storage system return the storage resource list to the client. Client access to storage resources is therefore controlled more strictly, the data security problem caused by a forged iSCSI initiator name is effectively avoided, and data security is improved.
Description of drawings
Fig. 1 is a typical application structure diagram of the iSCSI protocol in the prior art;
Fig. 2 is a flow chart of a prior-art storage resource discovery procedure;
Fig. 3 is a flow chart of another prior-art storage resource discovery procedure;
Fig. 4 is a flow chart of an iSCSI authentication method of the present invention;
Fig. 5 is a flow chart of an initiator-side iSCSI authentication method of the present invention;
Fig. 6 is a flow chart of a target-side iSCSI authentication method of the present invention;
Fig. 7 is a flow chart of storage resource discovery using the iSCSI authentication method of the present invention;
Fig. 8 is a structure diagram of an iSCSI initiator of the present invention;
Fig. 9 is a structure diagram of another iSCSI initiator of the present invention;
Figure 10 is a structure diagram of an iSCSI target of the present invention.
Embodiments
The present invention is described below with reference to specific embodiments.
An iSCSI authentication method of the invention, shown in Figure 4, comprises the following steps:
Step s401: the iSCSI initiator sends a login request message to the iSCSI target, the login request message containing an identifier more reliable than the iSCSI initiator name. This identifier comprises a hardware identifier of the iSCSI initiator, for example its CPU serial number or its MAC address; or a globally unique identifier (GUID), which in general is not repeated between computers; or any other identifier more reliable than the device name.
Step s402: the target makes an access rights decision according to the identifier more reliable than the iSCSI initiator name; if access rights exist, proceed to step s403. The access rights decision specifically comprises: checking whether the login request message carries an identifier more reliable than the iSCSI initiator name; if it does, judging whether that identifier matches a pre-stored identifier; if it matches, access rights exist. A match comprises: the character length of the identifier equals the standard length value, and/or the character content of the identifier equals the standard content value.
Step s403: the iSCSI target sends an authentication success response to the iSCSI initiator, notifying it that it may obtain the authorized storage resource list information from the iSCSI target.
The login request message of step s401 may also contain an authentication mode list parameter; authentication modes include the challenge-handshake authentication protocol CHAP and the secure remote password SRP. A conventional authentication step may be inserted between steps s402 and s403, in which the iSCSI target authenticates the iSCSI initiator according to the authentication mode list parameter.
In addition, before step s401 it may be arranged that the login request message includes the identifier more reliable than the iSCSI initiator name only when the iSCSI target is configured to authenticate the iSCSI initiator using such an identifier.
The invention also provides an initiator-side iSCSI authentication method, shown in Figure 5, comprising the following steps:
Step s501: obtain, from within the iSCSI initiator, the identifier more reliable than the iSCSI device name. The identifier comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID); the hardware identifier comprises the CPU serial number or the MAC address of the iSCSI initiator.
Step s502: when initiating a login request, place the identifier in the iSCSI login request message and send it to the iSCSI target for authentication.
The iSCSI initiator may perform these steps under the control of the iSCSI target: only when the iSCSI target is configured to authenticate the iSCSI initiator using an identifier more reliable than the iSCSI initiator name does the iSCSI initiator obtain that identifier, or place it in the iSCSI login request message and send it to the iSCSI target for authentication.
The invention also provides a target-side iSCSI authentication method, shown in Figure 6, comprising the following steps:
Step s601: obtain, from the login request message sent by the iSCSI initiator, the identifier it carries that is more reliable than the iSCSI initiator name. The identifier comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID); the hardware identifier comprises the CPU serial number or the MAC address of the iSCSI initiator.
Step s602: the iSCSI target compares the obtained identifier with the identifier stored internally in advance; if they match, the login request of the iSCSI initiator is accepted. A match comprises: the character length of the identifier more reliable than the iSCSI initiator name equals the standard length value, and/or the character content of that identifier equals the standard content value.
Based on the above principle, an iSCSI storage resource discovery procedure using the iSCSI authentication method, shown in Figure 7, comprises the following steps:
Step s701: the initiator sends a login request message (Login Request) to the storage system containing the iSCSI initiator name InitiatorName, the initiator's unique hardware identifier parameter InitiatorID and the authentication mode list parameter AuthMethod, where AuthMethod is optional. If the login request message does not carry the InitiatorID parameter, or the InitiatorID parameter is invalid (for example its length is too short or too long, or its content differs from the standard value), the initiator's login request is rejected;
Step s702: the storage system sends a login response message (Login Response) to the initiator containing the authentication mode;
Step s703: authentication is carried out according to an existing security mechanism, for example CHAP or SRP; this step is optional;
Step s704: the storage system sends a login response message (Accept) to the initiator;
Step s705: after logging in successfully, the initiator sends a text request message (TextRequest) to the storage system requesting the authorized storage resource list;
Step s706: on receiving the text request message, the storage system queries the storage resource Access Control List (ACL) using both the iSCSI initiator name and the initiator's unique hardware identifier parameter; only when both match at the same time is the corresponding storage resource considered authorized for this initiator, and its storage resource name and storage resource address are sent to the initiator in a text response message;
Step s707: the initiator sends a logout request message (Logout Request) to the storage system;
Step s708: the storage system sends a logout response message (Logout Response) to the initiator.
The invention also provides an iSCSI initiator, shown in Figure 8, comprising: an acquisition unit 120 for the identifier more reliable than the iSCSI initiator name, a storage resource information receiving unit 130 and a message encapsulation unit 110. The acquisition unit 120 collects the identifier more reliable than the iSCSI initiator name from the iSCSI initiator; the message encapsulation unit 110 encapsulates that identifier in the iSCSI login request message; the storage resource information receiving unit 130 downloads, from the storage resource list of the iSCSI target, the storage resource information the iSCSI initiator is entitled to access.
In addition, during the login stage of the storage resource discovery procedure, authentication by the identifier more reliable than the iSCSI initiator name may itself be treated as one of the authentication modes (AuthMethod parameter). The initiator then need not actively send its identifier (InitiatorID parameter) to the target; only when the authentication mode configured on the target is authentication by the identifier more reliable than the iSCSI initiator name does the target, in the login response message, require the initiator to send that identifier. To implement this, as shown in Figure 9, the iSCSI initiator further comprises a control unit 140 which, on receiving an instruction from the iSCSI target to authenticate using the identifier more reliable than the iSCSI initiator name, controls the message encapsulation unit to encapsulate that identifier in the login request message. The identifier comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID); the hardware identifier comprises the CPU serial number or the MAC address of the iSCSI initiator.
The invention also provides an iSCSI target, shown in Figure 10, comprising: a message parsing unit 210, an identifier judging unit 220, a storage resource list unit 240 and a storage resource list allocation management unit 230. The message parsing unit 210 receives and parses the login request message and obtains the identifier more reliable than the iSCSI initiator name; the storage resource list unit 240 stores the correspondence between identifiers more reliable than the iSCSI initiator name, storage resource list information and access rights; the identifier judging unit 220 judges whether the identifier in the iSCSI login request message matches a pre-stored identifier and, when it matches, the storage resource list allocation management unit 230 allocates storage resource list information to the iSCSI initiator according to that identifier and the corresponding access rights. The identifier comprises a hardware identifier of the iSCSI initiator or a globally unique identifier (GUID); the hardware identifier comprises the CPU serial number or the MAC address of the iSCSI initiator.
The identifier judging unit 220 further comprises a length detection sub-unit and a content detection sub-unit. The length detection sub-unit judges whether the character length of the identifier more reliable than the iSCSI initiator name meets the standard length value; the content detection sub-unit, when the length meets the standard value, judges whether the specific character content of the identifier meets the standard content value.
In addition, the iSCSI target may further comprise an authentication mode list storing the mode parameters used for conventional authentication of the iSCSI initiator; the authentication modes include the challenge-handshake authentication protocol CHAP and the secure remote password SRP.
An authentication example using the above initiator and target follows.
Suppose the initiator is named iqn.initiator.sample1 and uses the MAC address of one of its ports (00-65-5B-6D-4F-01) as its identifier more reliable than the iSCSI initiator name. The target has allocated a storage resource to this initiator; the storage resource is named iqn.target.sample1, its access address is 192.168.112.100 and its TCP port number is 3260. The storage resource Access Control List (ACL) built by the target is shown in Table 2:
Table 2:
iSCSI Target name | iSCSI Target address | Access rights | iSCSI Initiator name | iSCSI Initiator identifier |
Iqn.target:sample1 | 10.165.112.100:3260 | Read/write | Iqn.Initiator:sample1 | 00-65-5B-6D-4F-01 |
…… | …… | …… | …… | …… |
When the initiator needs to access its storage resource, it sends both the initiator name Iqn.Initiator:sample1 and the identifier more reliable than the iSCSI initiator name, 00-65-5B-6D-4F-01, to the target in the login request message. After the message exchange for initiator authentication is completed, the target queries its own storage resource Access Control List (ACL) using the initiator name Iqn.Initiator:sample1 and the identifier 00-65-5B-6D-4F-01, obtains from it the storage resource authorized for the initiator (named Iqn.target:sample1) and returns it to the initiator. Having obtained the authorized storage resource, the initiator can access it for reading and writing data.
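The target-side checks of steps s701 and s706 and the Table 2 example above, as an added Python model that is not part of the patent or of any iSCSI implementation: the NUL-separated key=value layout of the login data, the standard length value of 17 characters for a MAC-style InitiatorID, the constant-time content comparison and all function names are assumptions. The name-only lookup of Table 1 is kept alongside so the two lookups can be compared on the same forged request.

```python
"""Model of the InitiatorID access check: login validation and SendTargets lookup."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed standard length value for a MAC-address style InitiatorID ("00-65-5B-6D-4F-01").
INITIATOR_ID_LENGTH = 17


@dataclass(frozen=True)
class AclEntry:
    target_name: str
    target_address: str
    rights: str
    initiator_name: str
    initiator_id: Optional[str]  # None for a prior-art row keyed by name only


# Constructed ACL in the shape of Table 2 (first row) plus one more constructed row.
ACL: List[AclEntry] = [
    AclEntry("Iqn.target:sample1", "10.165.112.100:3260", "Read/write",
             "Iqn.Initiator:sample1", "00-65-5B-6D-4F-01"),
    AclEntry("Iqn.target:sample2", "10.165.112.100:3260", "Read-only",
             "Iqn.Initiator:sample2", "00-65-5B-6D-4F-02"),
]


def build_login_request(name: str, initiator_id: str, auth_methods: str = "CHAP,None") -> bytes:
    """Initiator side (steps s501/s502): encode the three login keys as NUL-terminated text."""
    return (f"InitiatorName={name}\x00InitiatorID={initiator_id}\x00"
            f"AuthMethod={auth_methods}\x00").encode("ascii")


def parse_login_keys(data: bytes) -> Dict[str, str]:
    """Message parsing unit: split the data segment into key=value pairs."""
    keys: Dict[str, str] = {}
    for item in data.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.decode("ascii").partition("=")
        if not sep:
            raise ValueError(f"malformed text key: {item!r}")
        keys[key] = value
    return keys


def length_ok(initiator_id: str) -> bool:
    """Length detection sub-unit: reject identifiers that are too short or too long."""
    return len(initiator_id) == INITIATOR_ID_LENGTH


def content_ok(initiator_id: str, stored_id: str) -> bool:
    """Content detection sub-unit: compare with the stored value in constant time."""
    return hmac.compare_digest(initiator_id.encode(), stored_id.encode())


def authorized_targets_by_name(name: str) -> List[AclEntry]:
    """Prior-art lookup (Table 1): the initiator name alone selects the rows."""
    return [e for e in ACL if e.initiator_name == name]


def authorized_targets(name: str, initiator_id: str) -> List[AclEntry]:
    """Step s706: only rows where BOTH the name and the InitiatorID match are returned."""
    return [e for e in ACL
            if e.initiator_name == name and e.initiator_id is not None
            and content_ok(initiator_id, e.initiator_id)]


def check_login(data: bytes) -> Tuple[bool, str]:
    """Step s701 on the target: a missing or invalid InitiatorID rejects the login."""
    keys = parse_login_keys(data)
    name = keys.get("InitiatorName")
    initiator_id = keys.get("InitiatorID")
    if name is None:
        return False, "InitiatorName missing"
    if initiator_id is None:
        return False, "InitiatorID missing"
    if not length_ok(initiator_id):
        return False, "InitiatorID length invalid"
    if not authorized_targets(name, initiator_id):
        return False, "InitiatorID does not match stored identifier"
    return True, "login accepted"


def send_targets_response(entries: List[AclEntry]) -> bytes:
    """Encode the text response as TargetName/TargetAddress key pairs."""
    out = b""
    for e in entries:
        out += f"TargetName={e.target_name}\x00TargetAddress={e.target_address}\x00".encode()
    return out


if __name__ == "__main__":
    genuine = build_login_request("Iqn.Initiator:sample1", "00-65-5B-6D-4F-01")
    forged = build_login_request("Iqn.Initiator:sample1", "00-65-5B-6D-4F-99")  # right name, wrong ID
    for req in (genuine, forged, b"InitiatorName=Iqn.Initiator:sample1\x00"):
        print(check_login(req))
    # Name-only lookup would still hand out a target for the forged request; the joint lookup does not.
    print(len(authorized_targets_by_name("Iqn.Initiator:sample1")),
          len(authorized_targets("Iqn.Initiator:sample1", "00-65-5B-6D-4F-99")))
    print(send_targets_response(authorized_targets("Iqn.Initiator:sample1", "00-65-5B-6D-4F-01")))
```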
The above discloses only several specific embodiments of the present invention, but the invention is not limited thereto; any variation that a person skilled in the art can conceive shall fall within the protection scope of the present invention.