DoD CAC enable for Splunk Web

Engager

Splunk Support,

As a DoD entity we are required to have Web applications, including Splunk, to be DoD CAC enabled for login authentication. Is there any way to do this in Splunk Web in any shape or form?

Thanks,
George Jackson
DISA

Re: DoD CAC enable for Splunk Web

SplunkTrust

As I understand it, CAC is a PKI smartcard implementation. As such, any website you authenticate to using CAC is done via an X.509 client certificate stored on the CAC itself. Splunk does not support X.509 certificate authentication out of the box, but I think an SSO/Proxy setup using Apache could do it. But, I don't think it would be a trivial setup to get working -- as you still have to deal with user/role definitions within Splunk and so on.

If this is the route you must take, I would recommend discussing this with Splunk Professional Services.

Re: DoD CAC enable for Splunk Web

Explorer

There is actually a rather simple way to perform what you are asking. If you configure SSL on a proxy server (I used a RHEL 5.8 server with apache installed), you can do it with the following three lines:

    # Capture the trailing digits of the client certificate's CN into %1
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
    # No rewrite of the URL; just store the captured digits in the USER env var
    RewriteRule (.*) - [E=USER:%1]
    # Forward that value to Splunk in the xuser request header
    RequestHeader set xuser %{USER}e

Assuming you have configured your proxy server correctly, you can use the above three statements to send your login information to Splunk as "Xuser". At that point, it is a matter of typing in the correct AD attribute in Splunk.

After this process is complete, the certificate authentication is then done by Apache. Apache then forwards the username on to Splunk. Splunk SSO references Active Directory for the user account based on the attribute you specified in Splunk.

Re: DoD CAC enable for Splunk Web

Explorer

I also had to add "Keepalive On" to ssl.conf. Once I added this, there was very little difference between access through the proxy and direct access.

However, if at any time you pull the smart card you have authenticated with, you must close the browser, re-open it, and reauthenticate.

Re: DoD CAC enable for Splunk Web

Engager

Yes. "Keepalive On" makes a world of difference!!

Re: DoD CAC enable for Splunk Web

Engager

The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the user's CAC. Other than that, MatthewRogers' solution worked great.

Re: DoD CAC enable for Splunk Web

New Member

Splunk SSO requires every page request to include the remote-user in the header ... wouldn't this method make page loads extremely slow due to the constant querying of the smart card?

Re: DoD CAC enable for Splunk Web

Explorer

I have configured my proxy three different ways for testing purposes.

  1. Create a new virtual host on a separate port (Access would be through https://proxy:port).
  2. Change the splunk root to /splunk (Reverse proxy would be configured to forward everything https://proxy/splunk)
  3. Configured the proxy to forward all /en-US/ requests (Access through https://proxy/en-US/)

All three worked without issue when I added "Keepalive On" to ssl.conf (as I stated above). Of the three ways, I prefer #1 because the keepalive statement can be made in the virtual host configuration. This would cause the least repercussions, only affecting other services in the virtual host configuration.
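The following is an added example (not configuration posted by anyone in this thread) that puts the three RewriteCond/RewriteRule/RequestHeader lines from the earlier answer into the poster's preferred option #1: a dedicated virtual host on its own port with "KeepAlive On" scoped to it, client-certificate verification, and a reverse proxy to Splunk Web. The hostname, port, certificate paths, CA bundle path and the Splunk Web address are assumptions; the Splunk side (SSO settings, trusted proxy IP and the AD attribute to match on) is configured separately as described in the thread.

```apache
# Added example, not from the thread. Apache 2.2-style virtual host on a
# separate port requiring a CAC client certificate and forwarding the
# CN-derived identity to Splunk Web in the "xuser" header.
# All paths, names and ports below are assumed values.
Listen 8443
<VirtualHost *:8443>
    # Assumed hostname
    ServerName splunk-proxy.example.mil

    SSLEngine on
    # Assumed server certificate and key paths
    SSLCertificateFile    /etc/pki/tls/certs/splunk-proxy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/splunk-proxy.key

    # Require a client certificate that chains to the DoD CAs. Only those
    # CAs belong in this bundle, so a certificate from any other issuer fails.
    # Assumed bundle path.
    SSLCACertificateFile  /etc/pki/tls/certs/dod-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Keep the connection open so the card is not re-read on every
    # request (the "Keepalive On" the thread mentions), limited to this vhost.
    KeepAlive On

    # Never trust an xuser header supplied by the client: strip it first.
    RequestHeader unset xuser

    # The thread's three lines: take the trailing digits of the certificate CN
    # (a CAC CN ends in the numeric EDIPI) as the user, and send the header
    # only when the capture actually succeeded (env=USER).
    RewriteEngine On
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
    RewriteRule (.*) - [E=USER:%1]
    RequestHeader set xuser %{USER}e env=USER

    # Assumed Splunk Web address. Splunk must accept xuser only from this
    # proxy (its trustedIP setting); otherwise anyone who can reach port 8000
    # directly could impersonate a user simply by sending the header.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

If Splunk Web itself runs over HTTPS, point ProxyPass at the https:// address and add "SSLProxyEngine On" to the virtual host.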

Re: DoD CAC enable for Splunk Web

Builder

George,

I'm facing the same issue with a looming suspense. Please contact me at kmattern@araneasolutions.com so we can directly share info. We have been seeking other DoD users.

Ken

Re: DoD CAC enable for Splunk Web

Legend

IHAC with a mandate for smart-card authentication (DOD CAC) as well. This mandate explicitly EXCLUDES a proxy solution.

So although the solutions below may work, they all require a proxy and therefore don't meet the requirements.

It looks like this question has been idle for the past 18 months - any updates?