DOD CAC/mod_rewrite: Is there an easy way to extract the variable?


Splunk support,

I am working out an SSO solution with DOD CAC (certificate authentication). I am doing this through user of an apache proxy server which extracts the certificate information. The variable I am extracting is "SSL_CLIENT_S_DN_CN" which looks something like this "Lastname.Firstname.1234567890". The portion of the variable I need is the string of numbers at the end (1234567890). Is there an easy way to extract this information? So long as the variable editing is done in apache, I am able to send it to the second server(Splunk).


The proxy services are running on server1. Splunk is running on server2. Apache version is 2.2.3

Labels (1)

0 Karma


I worked out my issue. I needed three lines in my apache configuration. They are:

RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)

RewriteRule (.*) - [E=USER:%1]

RequestHeader set user %{USER}e

The thing I was missing was %1 to reference RewriteCond ad opposed to $1, which references RewriteRule


The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the users CAC. Other than that, MatthewRogers solutiuon worked great.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...