Splunk Support,
As a DoD entity, we are required to have Web applications, including Splunk, DoD CAC enabled for login authentication. Is there any way to do this in Splunk Web in any shape or form?
Thanks,
George Jackson
DISA
Hi there DISA,
Have you guys found a solution to PKI CAC enable Splunk? We are also being directed to get this done. Not sure if other DoD entities are moving forward with this directive as well. Let me know if there is a group with information to share on this tasking. Thank you.
R/
Luciano
Navy Metoc
IHAC with a mandate for smart-card authentication (DOD CAC) as well. This mandate explicitly EXCLUDES a proxy solution.
So although the solutions below may work, they all require a proxy and therefore don't meet the requirements.
It looks like this question has been idle for the past 18 months - any updates?
George,
I'm facing the same issue with a looming suspense. Please contact me at kmattern@araneasolutions.com so we can directly share info. We have been seeking other DoD users.
Ken
I have configured my proxy three different ways for testing purposes.
All three worked without issue when I added "Keepalive On" to ssl.conf (as I stated above). Of the three ways, I prefer #1 because the keepalive statement can be made in the virtual host configuration. This would cause the least repercussions, only affecting other services in the virtual host configuration.
Splunk SSO requires every page request to include the remote-user in the header ... wouldn't this method make page loads extremely slow due to the constant querying of the smart card?
There is actually a rather simple way to perform what you are asking. If you configure SSL on a proxy server (I used a RHEL 5.8 server with Apache installed), you can do it with the following three lines:
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
RewriteRule (.*) - [E=USER:%1]
RequestHeader set xuser %{USER}e
Assuming you have configured your proxy server correctly, you can use the above three statements to send your login information to Splunk as "Xuser". At that point, it is a matter of typing in the correct AD attribute in Splunk.
After this process is complete, the certificate authentication is then done by Apache. Apache then forwards the username on to Splunk. Splunk SSO references Active Directory for the user account based on the attribute you specified in Splunk.
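A fuller virtual host built around the three lines above, as an added example that is not part of the original thread or of Splunk's documentation. The hostname, file paths, CA bundle name, verify depth and Splunk address are placeholders; the example also clears any client-supplied xuser header and refuses certificates whose CN does not end in digits, so the header Splunk receives always comes from the verified certificate.

```apache
# Added example; requires mod_ssl, mod_rewrite, mod_headers, mod_proxy and mod_proxy_http.
# All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName splunk-proxy.example.mil

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/proxy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/proxy.key

    # Require a client certificate that chains to the trusted CA bundle.
    SSLCACertificateFile  /etc/pki/tls/certs/trusted-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Reuse the TLS connection so the card is not queried on every request.
    KeepAlive On

    RewriteEngine On

    # Refuse the request if the certificate CN does not end in digits.
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} !([0-9]+$)
    RewriteRule .* - [F]

    # The thread's rule: capture the trailing digits of the CN into USER.
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
    RewriteRule (.*) - [E=USER:%1]

    # Discard whatever the browser sent, then set the header only from
    # the value derived from the verified certificate.
    RequestHeader unset xuser
    RequestHeader set xuser %{USER}e env=USER

    # Splunk Web listens on loopback only, so the proxy is the sole path in.
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# Matching Splunk settings, shown as comments because they live in Splunk's
# own files rather than in Apache:
#   web.conf    [settings]  remoteUser = xuser
#                           trustedIP  = 127.0.0.1
#                           SSOMode    = strict
#   server.conf [general]   trustedIP  = 127.0.0.1
```

With trustedIP limited to the proxy's address, Splunk ignores the header on requests arriving from anywhere else.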
The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the user's CAC. Other than that, MatthewRogers' solution worked great.
Yes. Keepalive on makes a world of a difference!!
I also had to add "Keepalive On" to ssl.conf. Once I added this, there was very little difference between access through the proxy and direct access.
However, if at any time you pull the smart card you have authenticated with, you must close the browser, re-open it, and reauthenticate.
As I understand it, CAC is a PKI smartcard implementation. As such, any website you authenticate to using CAC is done via an X.509 client certificate stored on the CAC itself. Splunk does not support X.509 certificate authentication out of the box, but I think an SSO/Proxy setup using Apache could do it. But I don't think it would be a trivial setup to get working -- as you still have to deal with user/role definitions within Splunk and so on.
If this is the route you must take, I would recommend discussing this with Splunk Professional Services.