Splunk Search

DoD CAC enable for Splunk Web

gjackson3
Engager

Splunk Support,

As a DoD entity we are required to have Web applications, including Splunk, to be DoD CAC enabled for login authentication. Is there any way to do this in Splunk Web in any shape or form?

Thanks,
George Jackson
DISA

Tags (1)

ten_yard_fight
Path Finder

Hi there DISA,

  Have you guys found a solution to PKI CAC enable Splunk. We are also being directed to get this done. Not sure if other DoD entities are moving forward with this directive as well. Let me know if there is a group with information to share on this tasking. Thank you.

R/
Luciano
Navy Metoc

0 Karma

lguinn2
Legend

IHAC with a mandate for smart-card authentication (DOD CAC) as well. This mandate explicitly EXCLUDES a proxy solution.

So although the solutions below may work, they all require a proxy and therefore don't meet the requirements.

It looks like this question has been idle for the past 18 months - any updates?

kmattern
Builder

George,

I'm facing the same issue with a looming suspense. Please contact me at kmattern@araneasolutions.com so we can directly share info. We have been seeking other DoD users.

Ken

0 Karma

MathewRogers
Explorer

I have configured my proxy three different ways for testing purposes.

  1. Create a new virtual host on a separate port (Access would be through https://proxy:port).
  2. Change the splunk root to /splunk (Reverse proxy would be configured to forward everything https://proxy/splunk)
  3. Configured the proxy to forward all /en-US/ requests (Access through https://proxy/en-US/)

All three worked without issue when I added "Keepalive On" to ssl.conf (As I stated above). Of the three ways, I prefer #1 because the keepalive statement can be made in the virtual host configuration. This would cause the least repercussions, only affecting other services in the virtual host configuration.

l3est
New Member

Splunk SSO requires every page request to include the remote-user in the header ... wouldn't this method make page loads extremely slow due to the constant querying of the smart card?

0 Karma

MathewRogers
Explorer

There is actually a rather simple way to perform what you are asking. If you configure SSL on a proxy server (I used a RHEL 5.8 server with apache installed), you can do it with the following three lines:

RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)

RewriteRule (.*) - [E=USER:%1]

RequestHeader set xuser %{USER}e

Assuming you have configured your proxy server correctly, you can use the above three statements to send your login information to Splunk as "Xuser". At that point, it is a matter of typing in the correct AD attribute in Splunk.

After this process is complete, the certificate authentication is then done by Apache. Apache then forwards the username on to splunk. Splunk SSO references Active Directory for the user account based on the attribute you specified in Splunk.

ElCoronel
Engager

The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the users CAC. Other than that, MatthewRogers solutiuon worked great.

0 Karma

aoniha
Engager

Yes. Keepalive on makes a world of a difference!!

0 Karma

MathewRogers
Explorer

I also had to add "Keepalive On" to ssl.conf. Once I added this, there was very little difference between access through the proxy and direct access.

However, if at any time you pull the smart card you have authenticated with, you must close the browser, re-open it, and reauthenticate.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

As I understand it, CAC is a PKI smartcard implementation. As such, any website you authenticate to using CAC is done via an X.509 client certificate stored on the CAC itself. Splunk does not support X.509 certificate authentication out of the box, but I think a SSO/Proxy setup using Apache could do it. But, I don't think it would be a trivial setup to get working -- as you still have to deal with user/role definitions within Splunk and so on.

If this is the route you must take, I would recommend discussing this with Splunk Professional Services.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...