Introduction

In today’s highly secure environments, ensuring robust authentication mechanisms is critical to safeguarding sensitive data and systems. For organizations within the United States Department of Defense (DoD) and other federal agencies, the Common Access Card (CAC) has become an essential tool for enforcing secure access controls.

As a leader in data analytics and security, Splunk Enterprise offers built-in support for CAC authentication, enabling organizations to leverage this secure method of access control for their Splunk deployments. This whitepaper provides a comprehensive guide on configuring Splunk Enterprise to use CACs for authentication, ensuring seamless integration with existing DoD security protocols.

What is a Common Access Card (CAC)?

A Common Access Card (CAC) is a smart card distributed by the United States Department of Defense (DoD) to authorized personnel. This card is about the size of a credit card and contains an embedded chip that holds a certificate unique to the cardholder. The CAC is used to gain access to DoD buildings, controlled spaces, computer systems, and networks. It prominently lists the user’s name, rank, service agency, and pay grade, along with other relevant information.

CAC Authentication in Splunk Enterprise

In Splunk Enterprise version 9.0.2 and later, administrators can configure Splunk Web to authenticate users through the certificates stored on their CACs. When properly configured, this method allows authorized users to log into Splunk Enterprise without entering a username or password. Instead, they insert their CAC into a card reader connected to a DoD-authorized computer, and the browser retrieves the certificate from the card and presents it to Splunk Enterprise for authentication.

Benefits of CAC Authentication in Splunk Enterprise

  • Enhanced Security: CACs provide a high level of security, leveraging two-factor authentication (2FA) and encryption technologies to protect access to sensitive systems.
  • Seamless User Experience: Once configured, users can access Splunk Enterprise simply by inserting their CAC into a reader, bypassing the traditional login screen.
  • Compliance: Using CACs aligns with DoD and federal agency requirements for secure access controls, aiding in regulatory compliance.

Challenges of Implementing CAC Authentication

  • Complex Configuration: Implementing CAC authentication requires careful configuration of both Splunk Enterprise and the user’s operating environment. Administrators must ensure that Splunk Web is correctly set up to interact with the CAC infrastructure.
  • Limited Support: CAC authentication is not supported on Splunk Cloud Platform deployments, restricting its use to on-premises Splunk Enterprise installations.
  • Maintenance: Ongoing management of certificates and LDAP credentials can be complex, particularly in environments with a large number of users.

Configuring Splunk Enterprise for CAC Authentication

To enable CAC authentication in Splunk Enterprise, administrators must configure several components, including the Splunk Web server, certificate authorities (CAs), and LDAP directories. The following sections outline the necessary steps for configuring Splunk Enterprise to authenticate users via CACs.

Prior to Splunk Enterprise 9.0.2, enabling PIV token authentication for Splunk logins required a reverse proxy, such as Apache, to pass the token information to Splunk for LDAP authentication. Starting with version 9.0.2, CAC/PIV token authentication can be configured within Splunk itself.

Prerequisites:

  1. An LDAP authentication scheme must be configured for the Splunk Enterprise instance.
  2. Splunk Web must use the HTTPS protocol.
  3. Server certificates must be in Privacy-Enhanced Mail (PEM) format.

Configuration:

PIV token authentication is set up through configuration changes to the web.conf and server.conf files in the /opt/splunk/etc/system/local directory.

Add the following attributes under the [settings] stanza in web.conf:

## Splunk Web encryption configuration
enableSplunkWebSSL = 1
serverCert = /opt/splunk/etc/auth/certs/myserver.pem
privKeyPath = /opt/splunk/etc/auth/certs/myserver.key

## PIV Configuration
requireClientCert = true
enableCertBasedUserAuth = true
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = Microsoft Universal Principal Name
allowSsoWithoutChangingServerConf = 1

Setting definitions:

enableSplunkWebSSL: Set to true (or 1) to enable HTTPS.

serverCert: The full path to the PEM format Splunk web server certificate.

privKeyPath: The path of the file containing the serverCert private key.

requireClientCert: When set to true, the client must present a certificate signed by the CA in the root CA certificate referenced by sslRootCAPath in web.conf, or by sslRootCAPath in server.conf, on the Splunk instance.

enableCertBasedUserAuth: Set to true to enable certificate-based authentication for users.

SSOMode: Must be configured as permissive.

trustedIP: Set to a valid IP address to enable SSO. Can be set to 127.0.0.1.

certBasedUserAuthMethod: The method Splunk uses to extract LDAP credentials from the PIV certificate. The other accepted values are CommonName and EDIPI (the latter is used for CAC authentication).

certBasedUserAuthPivOidList: A list of object identifiers (OIDs) Splunk uses to look up the PIV information in the Subject Alternative Name extension of the PIV certificate.

allowSsoWithoutChangingServerConf: If set to 1, web-based SSO is enabled without trustedIP being configured in server.conf.

Add the following attributes under the [sslConfig] stanza in server.conf:

serverCert = /opt/splunk/etc/auth/certs/myserver.pem
sslRootCAPath = /opt/splunk/etc/auth/certs/rootCA.pem

sslRootCAPath: The full path to the root Certificate Authority (CA) certificate in PEM format. If multiple root CA certificates are used, they must be concatenated into one file.

To set up authentication using a CAC, certBasedUserAuthMethod must be set to EDIPI instead of PIV. This extracts the numeric identifier from the Common Name field of the certificate.
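As an added illustration (not part of this whitepaper or of Splunk's own code), the following Python reproduces the three certBasedUserAuthMethod mappings (PIV, EDIPI, CommonName) on a constructed certificate dump and a constructed web.conf fragment, so an administrator can predict which login name Splunk will hand to LDAP before switching the setting. The certificate values, and the assumption that the UPN appears as an `othername: UPN::` line in openssl's Subject Alternative Name output, are constructed for the example.

```python
import configparser
import re
from typing import Optional

# Constructed web.conf fragment mirroring the [settings] stanza above (sample data).
WEB_CONF = """
[settings]
enableCertBasedUserAuth = true
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = Microsoft Universal Principal Name
"""

# Constructed stand-in for what `openssl x509 -noout -subject -ext subjectAltName`
# prints for a CAC/PIV authentication certificate; all values are fictitious and
# the othername/UPN rendering is an assumption about the OpenSSL output format.
CERT_TEXT = """
subject=C = US, O = U.S. Government, OU = DoD, OU = PKI, OU = USA, CN = DOE.JANE.A.1234567890
X509v3 Subject Alternative Name:
    othername: UPN::1234567890@mil
"""


def extract_login(cert_text: str, method: str) -> Optional[str]:
    """Return the login name Splunk would look up in LDAP for the given method."""
    cn = re.search(r"CN\s*=\s*([^,\n]+)", cert_text)
    cn_value = cn.group(1).strip() if cn else None
    if method == "CommonName":
        return cn_value  # the whole CN, e.g. DOE.JANE.A.1234567890
    if method == "EDIPI":  # CAC: the 10-digit DoD ID that ends the CN
        m = re.search(r"(\d{10})$", cn_value or "")
        return m.group(1) if m else None
    if method == "PIV":  # PIV: the UPN carried in the SAN othername
        m = re.search(r"othername:\s*UPN::(\S+)", cert_text)
        return m.group(1) if m else None
    raise ValueError(f"unknown certBasedUserAuthMethod: {method}")


def login_from_config(conf_text: str, cert_text: str) -> Optional[str]:
    """Read the [settings] stanza and apply the configured extraction method."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # Splunk .conf keys are case-sensitive; keep them as written
    cfg.read_string(conf_text)
    settings = cfg["settings"]
    if settings.get("enableCertBasedUserAuth", "false").lower() not in ("1", "true"):
        return None  # certificate login disabled: nothing is extracted
    return extract_login(cert_text, settings.get("certBasedUserAuthMethod", "PIV"))


if __name__ == "__main__":
    for method in ("PIV", "EDIPI", "CommonName"):
        print(f"{method:10s} -> {extract_login(CERT_TEXT, method)}")
```

A None result means the certificate carries no identifier for that method, so the user would fail LDAP lookup; check this against real card certificates before enabling requireClientCert.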

Testing and Validation

After configuring Splunk Enterprise for CAC authentication, it is essential to thoroughly test the setup to ensure that it works as expected. Testing should include:

  • User Authentication: Verify that users can log in with their CACs and that the system correctly identifies and authorizes them.
  • Access Control: Ensure that access control settings are applied correctly based on the user’s role and permissions.
  • Fallback Procedures: Establish fallback procedures in case of CAC failure, including alternative authentication methods.

Conclusion

Configuring Splunk Enterprise to use a Common Access Card (CAC) for authentication strengthens your organization’s security posture by aligning with DoD and federal standards for secure access. By following the proper configuration steps and validating the setup, you can ensure a secure and efficient implementation of CAC authentication within your Splunk Enterprise environment.

To learn more about Splunk and how SecureStrux can support your organization in the design and deployment of a compliant Splunk architecture, please reach out to our sales team.

SecureStrux

As a cybersecurity firm with deep roots in the Department of Defense (DoD) cybersecurity community, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering solutions. Since 2013, we’ve partnered with hundreds of organizations within and outside the DoD to understand and proactively manage their risk. Our strength within the DoD has allowed us to easily translate best practices to our clients in other industries including Energy, Manufacturing, Architecture, Education, and Aerospace.