Security

Splunk RSA Authentication

bsteelz93
Path Finder

We are trying to get 2 factor RSA Authentication working with Splunk 4.1.6. We have tried Splunk SSO. Our server is solaris 10. We have compiled Apache version 2.0.59 (Recommended version for RSA agent) and we installed the RSA agent.

web.conf
trustedIP = server ip

server.conf
[general]
serverName = server hostname
trustedIP = server ip

It seems that everything is working but the remote user is not being passed. The following is my apache config

<VirtualHost my server ip:80>
    # Proxy Configurations
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass / http://mysplunksever:8000/
    ProxyPassReverse / http://mysplunkserver:8000/
    #SSLProxyEngine On
    RequestHeader set User %{REMOTE_USER}e
    AllowCONNECT 8000
</VirtualHost>

Has anybody gotten RSA authentication factor working with splunk?

Tags (1)
0 Karma

jrodman
Splunk Employee
Splunk Employee

I'm no apache wizard, but in our example configurations for internal testing, we do things like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s   

I think you're sending the user as "User" not as "REMOTE_USER". You can do this, but you'd have to tell Splunk to expect this by setting the remoteUser setting in web.conf

You can turn on splunkweb debugging if you like to try to see what's going on in more detail here http://www.splunk.com/base/Documentation/latest/admin/ContactSupport#Debug_Splunk_Web

Note that this may log all http headers to web_service.log, if you mind that sort of thing. (Of course, you can always delete after).

bsteelz93
Path Finder

Currently our believe is that RSA is not passing the remote_user variable. If we hardcode a user in the apache config then we are able to successfully log into to splunk. Right now we are trying to see how we could pass the remote_user variable ...possibly though RSAs api. Any thoughts?

0 Karma

jrodman
Splunk Employee
Splunk Employee

When I'm unsure about this many components I look for verifiable quantities. The debug endpoint is useful. If we distrust that, a sniffer is useful. To that end, I suggested to hexx to possibly try ruling out variables by axing the trusted IP and other settings for now and seeing if user login can be gotten working at all.

0 Karma

bsteelz93
Path Finder

jrodman. Thanks for the reply. Sorry having User in there was me just trying multiple things. I have used:
RequestHeader set REMOTE_USER %{REMOTE_USER}s

Also the s at the end is if you are using ssl. I have shut off ssl thinking maybe that was complicating the problem. e is for non ssl from my understanding in the apache docs. Of course I am not an apache expert either. I am wondering if the RSA agent is not sending the remote user. I tried harding coding a user in there as well:

RequestHeader set REMOTE_USER userid

That failed as well.

Any Thoughts?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You can also use the http://splunkserver:8000/debug/sso URL to see the headers that are being seen by the Splunk server.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...