Splunk support,
I am working out an SSO solution with DOD CAC (certificate authentication). I am doing this through user of an apache proxy server which extracts the certificate information. The variable I am extracting is "SSL_CLIENT_S_DN_CN" which looks something like this "Lastname.Firstname.1234567890". The portion of the variable I need is the string of numbers at the end (1234567890). Is there an easy way to extract this information? So long as the variable editing is done in apache, I am able to send it to the second server(Splunk).
NOTE
The proxy services are running on server1. Splunk is running on server2. Apache version is 2.2.3
I worked out my issue. I needed three lines in my apache configuration. They are:
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
RewriteRule (.*) - [E=USER:%1]
RequestHeader set user %{USER}e
The thing I was missing was %1 to reference RewriteCond ad opposed to $1, which references RewriteRule
The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the users CAC. Other than that, MatthewRogers solutiuon worked great.