Add option to set chap algorithms for iscsid for FIPS

The default CHAP algorithm for iscsid is md5, which is disallowed under fips. We will set the chap algorithm to "SHA3-256,SHA256", which should work under all configurations. Change-Id: Ide186fb53b3f9826ff602cb7fb797f245a15033a
2021-08-06 14:26:37 -04:00 · 2021-08-06 14:26:37 -04:00 · c3b7051387
parent 6c849e3713
commit c3b7051387
1 changed files with 4 additions and 0 deletions
--- a/lib/nova
+++ b/lib/nova
@ -315,6 +315,10 @@ EOF
            sudo systemctl daemon-reload
        fi

+        # set chap algorithms.  The default chap_algorithm is md5 which will
+        # not work under FIPS
+        iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"
+
        # ensure that iscsid is started, even when disabled by default
        restart_service iscsid
    fi