DOD CAC/mod_rewrite: Is there an easy way to extra...

MathewRogers · ‎07-17-2012

Splunk support,

I am working out an SSO solution with DOD CAC (certificate authentication). I am doing this through user of an apache proxy server which extracts the certificate information. The variable I am extracting is "SSL_CLIENT_S_DN_CN" which looks something like this "Lastname.Firstname.1234567890". The portion of the variable I need is the string of numbers at the end (1234567890). Is there an easy way to extract this information? So long as the variable editing is done in apache, I am able to send it to the second server(Splunk).

NOTE

The proxy services are running on server1. Splunk is running on server2. Apache version is 2.2.3

VTARNG_Paul · ‎07-20-2022

FYI- https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SetupCACPIV

MathewRogers · ‎07-18-2012

I worked out my issue. I needed three lines in my apache configuration. They are:

RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)

RewriteRule (.*) - [E=USER:%1]

RequestHeader set user %{USER}e

The thing I was missing was %1 to reference RewriteCond ad opposed to $1, which references RewriteRule

ElCoronel · ‎04-16-2015

The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the users CAC. Other than that, MatthewRogers solutiuon worked great.

DOD CAC/mod_rewrite: Is there an easy way to extract the variable?

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms