Splunk RSA Authentication

bsteelz93
Path Finder

We are trying to get 2-factor RSA authentication working with Splunk 4.1.6. We have tried Splunk SSO. Our server is Solaris 10. We have compiled Apache version 2.0.59 (the recommended version for the RSA agent) and we installed the RSA agent.

web.conf
trustedIP = server ip

server.conf
[general]
serverName = server hostname
trustedIP = server ip

It seems that everything is working, but the remote user is not being passed. The following is my Apache config:

<VirtualHost my server ip:80>
    # Proxy Configurations
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass / http://mysplunkserver:8000/
    ProxyPassReverse / http://mysplunkserver:8000/
    #SSLProxyEngine On
    RequestHeader set User %{REMOTE_USER}e
    AllowCONNECT 8000
</VirtualHost>

Has anybody gotten RSA authentication factor working with Splunk?

0 Karma

jrodman
Splunk Employee

I'm no Apache wizard, but in our example configurations for internal testing, we do things like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s   

I think you're sending the user as "User" not as "REMOTE_USER". You can do this, but you'd have to tell Splunk to expect this by setting the remoteUser setting in web.conf.

You can turn on splunkweb debugging if you like, to try to see what's going on in more detail here: http://www.splunk.com/base/Documentation/latest/admin/ContactSupport#Debug_Splunk_Web

Note that this may log all HTTP headers to web_service.log, if you mind that sort of thing. (Of course, you can always delete after.)

bsteelz93
Path Finder

Currently our belief is that RSA is not passing the remote_user variable. If we hardcode a user in the Apache config then we are able to successfully log in to Splunk. Right now we are trying to see how we could pass the remote_user variable... possibly through RSA's API. Any thoughts?

0 Karma

jrodman
Splunk Employee

When I'm unsure about this many components I look for verifiable quantities. The debug endpoint is useful. If we distrust that, a sniffer is useful. To that end, I suggested to hexx to possibly try ruling out variables by axing the trusted IP and other settings for now and seeing if user login can be gotten working at all.

0 Karma

bsteelz93
Path Finder

jrodman, thanks for the reply. Sorry, having User in there was me just trying multiple things. I have used:
RequestHeader set REMOTE_USER %{REMOTE_USER}s

Also, the s at the end is if you are using SSL. I have shut off SSL thinking maybe that was complicating the problem. e is for non-SSL, from my understanding of the Apache docs. Of course, I am not an Apache expert either. I am wondering if the RSA agent is not sending the remote user. I tried hard-coding a user in there as well:

RequestHeader set REMOTE_USER userid

That failed as well.

Any thoughts?

0 Karma

gkanapathy
Splunk Employee

You can also use the http://splunkserver:8000/debug/sso URL to see the headers that are being seen by the Splunk server.

0 Karma
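
The header-name mismatch raised in the first reply (the proxy sends "User" while Splunk Web reads REMOTE_USER unless remoteUser is set in web.conf) can be checked offline before involving the RSA agent at all. This is an added example, not code from the thread or from Splunk; the config text is constructed, and the [settings] stanza name and the 192.0.2.10 address are assumptions.

```python
import configparser
import re

# Constructed sample inputs modelled on the configs quoted in the thread;
# 192.0.2.10 is a documentation-range placeholder for the proxy address.
APACHE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ProxyPass / http://mysplunkserver:8000/
    ProxyPassReverse / http://mysplunkserver:8000/
    RequestHeader set User %{REMOTE_USER}e
</VirtualHost>
"""
WEB_CONF = """\
[settings]
trustedIP = 192.0.2.10
"""

# Default header name per the reply above; remoteUser in web.conf overrides it.
DEFAULT_HEADER = "REMOTE_USER"
HEADER_RE = re.compile(r"^[ \t]*RequestHeader\s+set\s+(\S+)\s+(.+?)\s*$", re.M | re.I)


def splunk_expected_header(web_conf_text):
    """Header name Splunk Web trusts, read from remoteUser (stanza name assumed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(web_conf_text)
    return cp.get("settings", "remoteUser", fallback=DEFAULT_HEADER)


def proxy_headers(apache_text):
    """Map header name -> value expression for each active 'RequestHeader set'."""
    return {m.group(1): m.group(2) for m in HEADER_RE.finditer(apache_text)}


def check(apache_text, web_conf_text):
    """Return a list of findings; an empty list means the names line up."""
    expected = splunk_expected_header(web_conf_text)
    sent = proxy_headers(apache_text)
    # HTTP header names are case-insensitive, so compare lower-cased.
    match = next((n for n in sent if n.lower() == expected.lower()), None)
    if match is None:
        return [f"proxy sets {sorted(sent)} but Splunk Web reads '{expected}'"]
    if "%{" not in sent[match]:
        return [f"'{match}' is hard-coded to '{sent[match]}': every request is one user"]
    return []


if __name__ == "__main__":
    for finding in check(APACHE_CONF, WEB_CONF):
        print("FINDING:", finding)
```

A clean result only shows that the names agree; whether the RSA agent actually populates REMOTE_USER still has to be confirmed on the live request, for example with the /debug/sso page mentioned above.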