
DOD CAC/mod_rewrite: Is there an easy way to extract the variable?

MathewRogers
Explorer

Splunk support,

I am working out an SSO solution with DOD CAC (certificate authentication). I am doing this through use of an Apache proxy server which extracts the certificate information. The variable I am extracting is "SSL_CLIENT_S_DN_CN", which looks something like this: "Lastname.Firstname.1234567890". The portion of the variable I need is the string of numbers at the end (1234567890). Is there an easy way to extract this information? So long as the variable editing is done in Apache, I am able to send it to the second server (Splunk).

NOTE

The proxy services are running on server1. Splunk is running on server2. Apache version is 2.2.3.


VTARNG_Paul
Explorer
0 Karma

MathewRogers
Explorer

I worked out my issue. I needed three lines in my Apache configuration. They are:

RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)

RewriteRule (.*) - [E=USER:%1]

RequestHeader set user %{USER}e

The thing I was missing was %1 to reference RewriteCond, as opposed to $1, which references RewriteRule.

ElCoronel
Engager

The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the user's CAC. Other than that, MathewRogers' solution worked great.

0 Karma
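An added example, not part of the original thread and not Apache or Splunk code: Python's re module is used to replay the RewriteCond match offline and show which CN values the posted pattern turns into a user value. The STRICT pattern, its ten-digit length (taken from the sample CN in the question) and the sample CNs are assumptions constructed for illustration.

```python
import re

# Pattern from the answer's RewriteCond: any trailing run of digits.
LOOSE = re.compile(r"([0-9]+$)")
# Assumed stricter form: a dot, then exactly ten digits, at the end of the CN.
STRICT = re.compile(r"\.([0-9]{10})$")


def extract(pattern, cn):
    """Return what mod_rewrite would expose as %1, or None if the condition fails."""
    m = pattern.search(cn)  # RewriteCond patterns are unanchored searches
    return m.group(1) if m else None


# Constructed sample CNs (not real certificate subjects).
SAMPLES = [
    "Lastname.Firstname.1234567890",    # form shown in the question
    "Lastname.Firstname.M.1234567890",  # extra name component
    "Lastname.Firstname",               # no trailing number
    "webserver01",                      # non-person CN that ends in digits
    "Lastname.Firstname.12345",         # too short for the assumed length
    "Lastname.Firstname.1234567890 ",   # trailing space after the digits
]


def compare(samples=SAMPLES):
    """Return (cn, loose_result, strict_result) for every sample."""
    return [(cn, extract(LOOSE, cn), extract(STRICT, cn)) for cn in samples]


def divergent(samples=SAMPLES):
    """CNs for which the loose pattern yields a user but the strict one does not."""
    return [cn for cn, loose, strict in compare(samples) if loose and not strict]


if __name__ == "__main__":
    for cn, loose, strict in compare():
        print(f"{cn!r:40} loose={loose!r:14} strict={strict!r}")
    print("accepted only by the loose pattern:", divergent())
```

CNs for which both patterns return None are the cases where the RewriteCond does not match and the USER variable is never set by the rule, so the backend should be checked for how it treats a request without a usable user value.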