
Apache SSO proxy service for Splunk to accept the DoD CAC

don1966
Loves-to-Learn Everything

I am using RHEL 8.5 with Apache proxy and trying to get the proxy to do DOD CAC authentication. I am very new to Splunk and Apache.

I am able to get the proxy to point to the Splunk server but I am not getting the regular prompt for the CAC authentication.

I am using a reserve.conf for this as the main setup file as seen below:

===web.conf

SSOMode = strict
remoteUser = Remote_User
enableSplunkWebSSL = True
trustedIP = 192.168.110.10

===server.conf

trustedIP = 192.168.110.10

===Reserve.conf

ServerName www.mcscapache.com
ProxyRequests Off
ProxyPreserveHost Off

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

#SSLVerifyClient require
SSLVerifyDepth 10

# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""

# add all the SSL_* you need in the internal web application
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"

RequestHeader add X-Forwarded-Proto https
RequestHeader add X-Forwarded-Port 443

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set Client-Cert-Subject "%{SSL_CLIENT_S_DN}s"
RequestHeader set Remote_User %{Remote_User}s

ProxyPass / https://www.mcscsplunk.com:8000/en-US/app/launcher/home
ProxyPassReverse / https://www.mcscsplunk.com:8000/en-US/app/launcher/home

#SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/tls/private/dodserver.crt
#SSLCACertificateFile /etc/pki/tls/private/DoD_CAs.pem
SSLCertificateKeyFile /etc/pki/tls/private/dodserverkey.key

<Proxy *>
RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
RewriteRule (.*) - [E=USER:%1]

#RequestHeader set cacuser %{USER}e@mil
RequestHeader set Remote_User %{Remote_User}e

# SSL conf file to force users to a warning cookie before they are able to access Splunk

RewriteCond %{HTTP_COOKIE} !accepted_warning=true [NC]
RewriteRule ^/(de-DE|en-US|en-GB|it-IT|ja-JP|ko-KO|zh-CN|zh-TW)/.*$ warning/ [NC,L,R=302]

</Proxy>

<Location />
Require all granted
allow from all
AuthType Kerberos
require valid-user
Options +SymLinksIfOwnerMatch
# AllowOverride All
Order deny,allow
Allow from 192.168.190.0/24
Deny from all

</Location>

 

Thank you


Stefanie
Builder

We have a working Apache SSO proxy service for Splunk CAC logins 🙂

I will share with you our setup (this is our httpd conf file)

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule dumpio_module modules/mod_dumpio.so

<VirtualHost *:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
#Uncomment the lines below for debugging
#DumpIOInput On
#DumpIOOutput On
#LogLevel debug
LogLevel warn

SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNull:!MD5:!DSS:!EXP

SSLCertificateFile /etc/pki/tls/certs/MYCERT.crt
SSLCertificateKeyFile /etc/pki/tls/private/MYPRIVATEKEY.key

SSLCertificateChainFile /etc/pki/tls/certs/DoD_CAs.pem

SSLCACertificateFile /etc/pki/tls/certs/DoD_CAs.pem

SSLVerifyClient require
SSLVerifyDepth 5

CustomLog logs/splunk_sslrequest_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ServerAdmin myadminemailaddress@mail.mil
ServerName SplunkSH.myserver.com
ErrorLog logs/splunk_error_log
CustomLog logs/splunk_access_log common
SSLProxyEngine on
KeepAlive On
<Proxy *>
    RequestHeader set cacuser %{SSL_CLIENT_SAN_OTHER_msUPN_0}s
</Proxy>

ProxyPass / https://SPLUNKSH.myserver.com:8000
ProxyPassReverse / https://SPLUNKSH.myserver.com:8000

</VirtualHost>

web.conf

[settings]
httpport = 8000
SSOMode = permissive
remoteUser = cacuser
enableSplunkWebSSL = 1
trustedIP = X.X.X.X

 

server.conf

[general]
serverName = SPLUNKSH
pass4SymmKey = XXXXXX
trustedIP = 127.0.0.1
sessionTimeout = 15m

 

 

PS: If anyone has tips on how to set up a consent banner before accessing Splunk, I would greatly appreciate it!!

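Added example (not code from either post, nor from Apache or Splunk): a small Python model of the hand-off both configurations in this thread depend on. It covers the question's approach of taking the trailing digits of the certificate CN (the RewriteCond `([0-9]+$)`, then appending `@mil` as the commented-out `cacuser` line does) and the answer's approach of reading the SAN otherName msUPN (`SSL_CLIENT_SAN_OTHER_msUPN_0`), shows why the proxy blanks the user header before setting it, and models the Splunk Web `trustedIP` / `remoteUser` / `SSOMode` decision. The certificate values, IP addresses and the Splunk-side decision logic are constructed assumptions for illustration, not Splunk's implementation.

```python
"""
Model of the CAC -> Apache -> Splunk SSO hand-off discussed in this thread.

Constructed educational example; not Apache, Splunk or either poster's code.
It emulates three things the two configurations rely on:
  1. mapping the verified client certificate to a user string, either from the
     subject CN's trailing digits plus "@mil" (the question's RewriteCond) or
     from the SAN otherName msUPN (the answer's cacuser header);
  2. the proxy blanking the user header before setting it, so a value sent by
     the browser never reaches Splunk;
  3. Splunk Web's trustedIP / remoteUser / SSOMode check (simplified model of
     the documented behaviour; an assumption, not Splunk's implementation).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

# Same pattern as the question's RewriteCond: the digits that end a CAC CN.
EDIPI_RE = re.compile(r"([0-9]+)$")


@dataclass
class ClientCert:
    """The parts of a client certificate the proxy configs read (constructed values)."""
    subject_cn: str             # e.g. "DOE.JOHN.Q.1234567890"
    san_ms_upn: Optional[str]   # e.g. "1234567890@mil"
    verified: bool              # outcome of SSLVerifyClient require


def user_from_cn(cert: ClientCert) -> Optional[str]:
    """RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)  ->  <digits>@mil"""
    match = EDIPI_RE.search(cert.subject_cn)
    return f"{match.group(1)}@mil" if match else None


def user_from_upn(cert: ClientCert) -> Optional[str]:
    """RequestHeader set cacuser %{SSL_CLIENT_SAN_OTHER_msUPN_0}s"""
    return cert.san_ms_upn


def proxy_headers(client_headers: Dict[str, str], cert: Optional[ClientCert],
                  header: str = "cacuser", mapper=user_from_upn) -> Dict[str, str]:
    """Emulate `RequestHeader set <header> ""` followed by `RequestHeader set <header> <value>`.

    HTTP header names are case-insensitive, so names are lower-cased first;
    otherwise a browser sending "CacUser" could slip past an exact-match overwrite.
    """
    out = {name.lower(): value for name, value in client_headers.items()}
    out[header.lower()] = ""                 # forgery guard: drop whatever the client sent
    if cert is not None and cert.verified:
        mapped = mapper(cert)
        if mapped:
            out[header.lower()] = mapped     # only a verified certificate can populate it
    return out


def splunk_sso(peer_ip: str, headers: Dict[str, str], trusted_ips,
               remote_user: str = "cacuser",
               sso_mode: str = "permissive") -> Tuple[str, Optional[str]]:
    """Simplified model of Splunk Web's SSO decision (assumption, see module docstring).

    Returns ("sso", user) when the header is honoured, ("login_form", None) when
    Splunk falls back to its own login page, ("deny", None) when strict mode rejects.
    """
    trusted = ip_address(peer_ip) in {ip_address(ip) for ip in trusted_ips}
    user = headers.get(remote_user.lower(), "")
    if trusted and user:
        return ("sso", user)
    if sso_mode == "strict":
        return ("deny", None)
    return ("login_form", None)


def end_to_end(client_headers, cert, proxy_ip, trusted_ips,
               mapper=user_from_upn, sso_mode="permissive"):
    """Browser -> proxy -> Splunk in one call."""
    forwarded = proxy_headers(client_headers, cert, mapper=mapper)
    return splunk_sso(proxy_ip, forwarded, trusted_ips, sso_mode=sso_mode)


if __name__ == "__main__":
    cac = ClientCert("DOE.JOHN.Q.1234567890", "1234567890@mil", verified=True)
    forged = {"CacUser": "admin"}          # a browser trying to pick its own identity
    trusted = ["192.168.110.10"]           # the proxy's address, as in the question's web.conf
    print(end_to_end(forged, cac, "192.168.110.10", trusted))    # ('sso', '1234567890@mil')
    print(end_to_end(forged, None, "192.168.110.10", trusted))   # ('login_form', None)
    print(splunk_sso("10.0.0.5", {"cacuser": "admin"}, trusted, sso_mode="strict"))  # ('deny', None)
```

The third scenario is the one `trustedIP` exists for: a request that reaches Splunk Web directly, bypassing the proxy, carries the header but comes from an untrusted address, so the header is ignored and the login form (or, in strict mode, a rejection) is served instead.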

don1966
Loves-to-Learn Everything

Thank you for your help but unfortunately, the same configurations you provided are not working for my system.


Stefanie
Builder

You will need to provide more information on why it's not working. Any logs? 

Your best bet would be to reach out to Splunk Support if you are struggling to find out why it's not working.

 


don1966
Loves-to-Learn Everything
The system info is RHEL8, Splunk 8.2.4, and Apache/2.4.37.
After I clicked on the Apache server, I received the prompt and entered my CAC pin. When done, the proxy redirected me to the Splunk server where I have to input my user name and password.
My understanding is that Splunk Enterprise must accept the DoD CAC or other PKI credentials for identity management and personal authentication. So I should not have to enter my user name and password (My understanding).
 
--From the access.log file
 
[19/Jan/2022:04:25:39 +0000] "GET / HTTP/1.1" 303 144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
[19/Jan/2022:04:25:43 +0000] "GET / HTTP/1.1" 303 144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
[19/Jan/2022:04:25:59 +0000] "GET / HTTP/1.1" 303 144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
[19/Jan/2022:04:26:13 +0000] "GET / HTTP/1.1" 303 144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
 
127.0.0.1 - - [18/Jan/2022:21:38:57.540 +0000] "GET /en-US/app/laucher/home HTTP/1.1" 303 144 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" - 61e733718a7fa159832550 7ms
127.0.0.1 - - [18/Jan/2022:21:38:57.971 +0000] "GET /en-US/config?autoload=1 HTTP/1.1" 200 133 "https://SPLUNTEST.COM:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" - 61e73371f87fa148680290 4ms
127.0.0.1 - - [18/Jan/2022:21:38:58.055 +0000] "GET /en-US/config HTTP/1.1" 200 302 " " "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" - 61e733720e7fa148679c10 4ms
127.0.0.1 - - [19/Jan/2022:04:14:07.248 +0000] "GET /en-US/app/laucher/home HTTP/1.1" 303 144 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" - 61e7900f3f7fa148674e50 15ms
127.0.0.1 - - [19/Jan/2022:04:14:07.939 +0000] "GET /en-US/config?autoload=1 HTTP/1.1" 304 - "https://SPLUNTEST.COM:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" - 61e7900ff07fa148679650 4ms
127.0.0.1 - - [19/Jan/2022:04:14:08.018 +0000] "GET /en-US/config HTTP/1.1" 304 - "https://SPLUNTEST.COM:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0" - 61e79010047fa159823790 4ms
 
Thanks
 