topic Re: Splunk RSA Authentication in Security

Splunk RSA Authentication

bsteelz93 — Tue, 01 Feb 2011 03:18:03 GMT

We are trying to get 2 factor RSA Authentication working with Splunk 4.1.6. We have tried Splunk SSO. Our server is solaris 10. We have compiled Apache version 2.0.59 (Recommended version for RSA agent) and we installed the RSA agent.

web.conf
trustedIP = server ip

server.conf
[general]
serverName = server hostname
trustedIP = server ip

It seems that everything is working but the remote user is not being passed. The following is my apache config

<VirtualHost my server ip:80>
    # Proxy Configurations
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass / http://mysplunksever:8000/
    ProxyPassReverse / http://mysplunkserver:8000/
    #SSLProxyEngine On
    RequestHeader set User %{REMOTE_USER}e
    AllowCONNECT 8000
</VirtualHost>

Has anybody gotten RSA authentication factor working with splunk?

Re: Splunk RSA Authentication

jrodman — Tue, 01 Feb 2011 08:05:01 GMT

I'm no apache wizard, but in our example configurations for internal testing, we do things like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s

I think you're sending the user as "User" not as "REMOTE_USER". You can do this, but you'd have to tell Splunk to expect this by setting the remoteUser setting in web.conf

You can turn on splunkweb debugging if you like to try to see what's going on in more detail here http://www.splunk.com/base/Documentation/latest/admin/ContactSupport#Debug_Splunk_Web

Note that this may log all http headers to web_service.log, if you mind that sort of thing. (Of course, you can always delete after).

Re: Splunk RSA Authentication

gkanapathy — Tue, 01 Feb 2011 14:59:54 GMT

You can also use the http://splunkserver:8000/debug/sso URL to see the headers that are being seen by the Splunk server.

Re: Splunk RSA Authentication

bsteelz93 — Mon, 28 Sep 2020 09:24:01 GMT

jrodman. Thanks for the reply. Sorry having User in there was me just trying multiple things. I have used:
RequestHeader set REMOTE_USER %{REMOTE_USER}s

Also the s at the end is if you are using ssl. I have shut off ssl thinking maybe that was complicating the problem. e is for non ssl from my understanding in the apache docs. Of course I am not an apache expert either. I am wondering if the RSA agent is not sending the remote user. I tried harding coding a user in there as well:

RequestHeader set REMOTE_USER userid

That failed as well.

Any Thoughts?

Re: Splunk RSA Authentication

jrodman — Fri, 04 Feb 2011 07:00:26 GMT

When I'm unsure about this many components I look for verifiable quantities. The debug endpoint is useful. If we distrust that, a sniffer is useful. To that end, I suggested to hexx to possibly try ruling out variables by axing the trusted IP and other settings for now and seeing if user login can be gotten working at all.

Re: Splunk RSA Authentication

bsteelz93 — Mon, 28 Sep 2020 09:24:28 GMT

Currently our believe is that RSA is not passing the remote_user variable. If we hardcode a user in the apache config then we are able to successfully log into to splunk. Right now we are trying to see how we could pass the remote_user variable ...possibly though RSAs api. Any thoughts?