Security

DOD CAC/mod_rewrite: Is there an easy way to extract the variable?

MathewRogers
Explorer

Splunk support,

I am working out an SSO solution with DOD CAC (certificate authentication). I am doing this through user of an apache proxy server which extracts the certificate information. The variable I am extracting is "SSL_CLIENT_S_DN_CN" which looks something like this "Lastname.Firstname.1234567890". The portion of the variable I need is the string of numbers at the end (1234567890). Is there an easy way to extract this information? So long as the variable editing is done in apache, I am able to send it to the second server(Splunk).

NOTE

The proxy services are running on server1. Splunk is running on server2. Apache version is 2.2.3

Labels (1)

VTARNG_Paul
Explorer
0 Karma

MathewRogers
Explorer

I worked out my issue. I needed three lines in my apache configuration. They are:

RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)

RewriteRule (.*) - [E=USER:%1]

RequestHeader set user %{USER}e

The thing I was missing was %1 to reference RewriteCond ad opposed to $1, which references RewriteRule

ElCoronel
Engager

The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the users CAC. Other than that, MatthewRogers solutiuon worked great.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...