Updated July 16, 2025

In today’s highly secure environments, ensuring robust authentication mechanisms is critical to safeguarding sensitive data and systems. For organizations within the United States Department of Defense (DoD) and other federal agencies, the Common Access Card (CAC) has become an essential tool for enforcing secure access controls.

As a leader in data analytics and security, Splunk Enterprise offers built-in support for CAC authentication, enabling organizations to leverage this secure method of access control for their Splunk deployments. This whitepaper provides a comprehensive guide on configuring Splunk Enterprise to use CACs for authentication, ensuring seamless integration with existing DoD security protocols.

What is a Common Access Card (CAC)?

A Common Access Card (CAC) is a smart card distributed by the United States Department of Defense (DoD) to authorized personnel. This card is about the size of a credit card and contains an embedded chip that holds a certificate unique to the cardholder. The CAC is used to gain access to DoD buildings, controlled spaces, computer systems, and networks. It prominently lists the user’s name, rank, service agency, and pay grade, along with other relevant information.

CAC Authentication in Splunk Enterprise

In Splunk Enterprise version 9.0.2 and higher, administrators can configure Splunk Web to authenticate users through the certificates stored on their CACs. When properly configured, this method allows authorized users to log into Splunk Enterprise without entering a username or password. Instead, they insert their CAC into a card reader connected to a DoD-authorized computer, and the browser retrieves the certificate from the card and presents it to Splunk Enterprise for authentication.

Benefits of CAC Authentication in Splunk Enterprise

  • Enhanced Security: CACs provide a high level of security, leveraging two-factor authentication (2FA) and encryption technologies to protect access to sensitive systems.
  • Seamless User Experience: Once configured, users can access Splunk Enterprise simply by inserting their CAC into a reader, bypassing the traditional login screen.
  • Compliance: Using CACs aligns with DoD and federal agency requirements for secure access controls, aiding in regulatory compliance.

Challenges of Implementing CAC Authentication

  • Complex Configuration: Implementing CAC authentication requires careful configuration of both Splunk Enterprise and the user’s operating environment. Administrators must ensure that Splunk Web is correctly set up to interact with the CAC infrastructure.
  • Limited Support: CAC authentication is not supported on Splunk Cloud Platform deployments, restricting its use to on-premises Splunk Enterprise installations.
  • Maintenance: Ongoing management of certificates and LDAP credentials can be complex, particularly in environments with a large number of users.

Configuring Splunk Enterprise for CAC Authentication

To enable CAC authentication in Splunk Enterprise, administrators must configure several components, including the Splunk Web server, certificate authorities (CAs), and LDAP directories. The following sections outline the necessary steps for configuring Splunk Enterprise to authenticate users via CACs.

Prior to Splunk v9.0.2, enabling PIV token authentication for Splunk logins required a reverse proxy, such as Apache, to pass the token information to Splunk for LDAP authentication. Starting with version 9.0.2, CAC/PIV token authentication can be configured within Splunk itself.

Prerequisites:

  1. The server certificate must be in Privacy-Enhanced Mail (PEM) format, with at least the Common Name (CN) and Organization (O) defined in the certificate Subject, and a Subject Alternative Name (SAN) extension that includes at least the Fully Qualified Domain Name (FQDN) of the Splunk server.
  2. Splunk Web must use HTTPS.

Configuration:

PIV token authentication is set up by adding configuration to the authentication.conf, web.conf and server.conf files found in the /opt/splunk/etc/system/local directory.

First, configure LDAPS authentication, either in the Splunk Web GUI by navigating to Settings > Authentication Methods > LDAP > Configure Splunk to Use LDAP > New LDAP, or directly in authentication.conf as shown further below.

Your setup may look like below:

[Screenshot: LDAP Connection Settings for the CAC configuration]

Or, add the following configuration to the authentication.conf file. Note: values flagged with a # comment line are site-specific and must be replaced with your own.

[authentication]
# Custom name given to the LDAP stanza below
authSettings = LDAP_Config
authType = LDAP

[LDAP_Config]
SSLEnabled = 1
anonymous_referrals = 1
# AD account used to connect Splunk to Active Directory
bindDN = splunkbind
# Password for the bindDN account
bindDNpassword = password
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=GroupName,OU=OrgUnit,DC=domain,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
# Must be the FQDN of the LDAP server
host = DC1.domain.com
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=OrgUnit,DC=domain,DC=com
userNameAttribute = userprincipalname


Add the following configuration to the web.conf file:

[settings]
### Start Splunk Web Using HTTPS ###
enableSplunkWebSSL = 1

### SSL Certificate Files ###
privKeyPath = /opt/splunk/etc/auth/path/to/key.pem
serverCert = /opt/splunk/etc/auth/path/to/cert.pem

### CAC/PIV Authentication ###
requireClientCert = true
sslRootCAPath = /opt/splunk/etc/auth/path/to/RootCA.pem
enableCertBasedUserAuth = true
SSOMode = permissive
trustedIP = 127.0.0.1
# Other valid values: CommonName, EDIPI
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = Microsoft Universal Principal Name
allowSsoWithoutChangingServerConf = 1

### Banner ###
login_content = <p>Any banner verbiage can be added, but this banner will only show up on the username/password login page. HTML tags are supported.</p> <p>No quotes should be added.</p>
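The web.conf settings above choose which certificate field becomes the Splunk login name (certBasedUserAuthMethod) and the authentication.conf settings choose which LDAP attribute it is compared against (userNameAttribute). The following is an added illustration written for this page, not code from the whitepaper or from Splunk: it models, as I understand them, the three certBasedUserAuthMethod values (CommonName takes the subject CN, EDIPI takes the trailing ten-digit DoD ID number from the CN, PIV takes the SAN otherName listed in certBasedUserAuthPivOidList) and then looks the result up in a constructed directory. The certificate fields, the directory entries, the DoD naming convention (CN = LAST.FIRST.MI.EDIPI, UPN = EDIPI@mil) and the case-insensitive match are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample certificate fields (not real people or credentials).
# Assumed DoD convention: subject CN = LAST.FIRST.MI.EDIPI and the SAN carries a
# Microsoft UPN otherName of EDIPI@mil.


@dataclass
class CertIdentity:
    """Subject and SAN fields Splunk Web can read from the presented client certificate."""
    subject_cn: str
    # SAN otherName entries keyed by friendly OID name; "Microsoft Universal Principal Name"
    # (OID 1.3.6.1.4.1.311.20.2.3) is the value certBasedUserAuthPivOidList names above.
    san_other_names: dict = field(default_factory=dict)


SAMPLE_CAC_CERT = CertIdentity(
    subject_cn="DOE.JANE.A.1234567890",
    san_other_names={"Microsoft Universal Principal Name": "1234567890@mil"},
)
# A certificate whose SAN carries no UPN: PIV mode has nothing to select from it.
SAMPLE_CERT_NO_UPN = CertIdentity(subject_cn="ROE.RICHARD.B.9876543210")

# Constructed directory entries standing in for an LDAP search under userBaseDN.
DIRECTORY = [
    {"userprincipalname": "1234567890@mil", "cn": "DOE.JANE.A.1234567890",
     "mail": "jane.doe@example.mil"},
    {"userprincipalname": "richard.roe@example.mil", "cn": "ROE.RICHARD.B.9876543210",
     "mail": "richard.roe@example.mil"},
]

EDIPI_RE = re.compile(r"(\d{10})$")


def select_login_name(cert, method, piv_oid_list=("Microsoft Universal Principal Name",)):
    """Pick the login name for a certBasedUserAuthMethod value; None if the cert lacks it."""
    if method == "CommonName":
        return cert.subject_cn                      # whole subject CN
    if method == "EDIPI":
        m = EDIPI_RE.search(cert.subject_cn)        # trailing 10-digit DoD ID number
        return m.group(1) if m else None
    if method == "PIV":
        for oid_name in piv_oid_list:               # first listed SAN otherName present wins
            if oid_name in cert.san_other_names:
                return cert.san_other_names[oid_name]
        return None
    raise ValueError(f"unknown certBasedUserAuthMethod: {method}")


def resolve_user(cert, method, user_name_attribute, directory=DIRECTORY):
    """Match the selected login name against userNameAttribute (case-insensitive by assumption)."""
    login = select_login_name(cert, method)
    if login is None:
        return None
    for entry in directory:
        if entry.get(user_name_attribute, "").lower() == login.lower():
            return entry
    return None


if __name__ == "__main__":
    for method, attr in (("PIV", "userprincipalname"), ("CommonName", "cn"),
                         ("EDIPI", "userprincipalname")):
        hit = resolve_user(SAMPLE_CAC_CERT, method, attr)
        print(f"{method:10s} + userNameAttribute={attr:18s} -> "
              f"{hit['mail'] if hit else 'NO MATCH'}")
```

The third combination (EDIPI against userprincipalname) deliberately fails: the bare ten-digit number is never equal to a UPN, so the method chosen in web.conf and the userNameAttribute chosen in authentication.conf must describe the same value. The whitepaper's pairing, PIV with userprincipalname, compares the SAN UPN with Active Directory's userPrincipalName.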


Add the following configuration to the server.conf file:

[sslConfig]
serverCert = /opt/splunk/etc/auth/certs/myserver.pem
sslRootCAPath = /opt/splunk/etc/auth/certs/rootCA_chain.pem
sslPassword = password

Testing and Validation

After configuring Splunk Enterprise for CAC authentication, it is essential to thoroughly test the setup to ensure that it works as expected. Testing should include:

  • User Authentication: Verify that users can log in with their CACs and that the system correctly identifies and authorizes them.
  • Access Control: Ensure that access control settings are applied correctly based on the user’s role and permissions.
  • Fallback Procedures: Establish fallback procedures in case of CAC failure, including alternative authentication methods.
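Before restarting Splunk Web with a client-certificate requirement, it helps to catch configuration slips that would lock administrators out or silently weaken the setup. The script below is an added example for this page, not part of the whitepaper and not a Splunk tool: it parses authentication.conf and web.conf text and reports settings that conflict with the configuration described above (LDAPS on port 636 to an FQDN, Splunk Web on HTTPS, client certificate required, certificate-based user auth enabled, a valid certBasedUserAuthMethod). It also flags trailing # comments, which Splunk reads as part of the setting's value. The conf text embedded below is constructed for the test; the only real identifiers are the setting names used on this page.

```python
import configparser

# Expected values mirror the whitepaper's configuration; conf text below is constructed.
VALID_CERT_METHODS = {"PIV", "CommonName", "EDIPI"}
TRUE_VALUES = {"1", "true"}


def _parse(text):
    """Parse Splunk-style [stanza] / key = value text, keeping key case and raw values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp


def _is_true(value):
    return value.strip().lower() in TRUE_VALUES


def check_cac_config(auth_conf, web_conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    auth, web = _parse(auth_conf), _parse(web_conf)

    # 1. Trailing comments: Splunk keeps everything after '=' as the value, so
    #    "host = dc1.domain.com ##FQDN##" sets host to that whole string.
    for name, cp in (("authentication.conf", auth), ("web.conf", web)):
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                if "#" in value:
                    findings.append(f"{name} [{stanza}] {key}: trailing comment becomes part of the value")

    # 2. LDAP over TLS to a fully qualified host, with a real bind password.
    if auth.get("authentication", "authType", fallback="") != "LDAP":
        findings.append("authentication.conf: authType must be LDAP")
    ldap_stanza = auth.get("authentication", "authSettings", fallback="")
    if not auth.has_section(ldap_stanza):
        findings.append(f"authentication.conf: authSettings names missing stanza [{ldap_stanza}]")
    else:
        ldap = auth[ldap_stanza]
        if not _is_true(ldap.get("SSLEnabled", "0")):
            findings.append(f"[{ldap_stanza}] SSLEnabled must be 1 (LDAPS)")
        if ldap.get("port", "").strip() != "636":
            findings.append(f"[{ldap_stanza}] port should be 636 for LDAPS")
        if "." not in ldap.get("host", ""):
            findings.append(f"[{ldap_stanza}] host must be the FQDN of the LDAP server")
        if ldap.get("bindDNpassword", "").strip().lower() in {"", "password"}:
            findings.append(f"[{ldap_stanza}] bindDNpassword is empty or still the placeholder")

    # 3. Splunk Web: HTTPS on, client certificate required, certificate-based user auth on.
    s = web["settings"] if web.has_section("settings") else {}
    for key in ("enableSplunkWebSSL", "requireClientCert", "enableCertBasedUserAuth"):
        if not _is_true(s.get(key, "0")):
            findings.append(f"web.conf [settings] {key} must be enabled")
    for key in ("privKeyPath", "serverCert", "sslRootCAPath"):
        if not s.get(key, "").strip():
            findings.append(f"web.conf [settings] {key} is not set")
    method = s.get("certBasedUserAuthMethod", "").strip()
    if method not in VALID_CERT_METHODS:
        findings.append(f"web.conf [settings] certBasedUserAuthMethod {method!r} "
                        f"is not one of {sorted(VALID_CERT_METHODS)}")
    return findings


# Constructed conf text: a correct pair and a pair with typical mistakes.
GOOD_AUTH_CONF = """[authentication]
authSettings = LDAP_Config
authType = LDAP

[LDAP_Config]
SSLEnabled = 1
host = DC1.domain.com
port = 636
bindDN = splunkbind
bindDNpassword = example-bind-secret
userBaseDN = OU=Users,OU=OrgUnit,DC=domain,DC=com
userNameAttribute = userprincipalname
"""
GOOD_WEB_CONF = """[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/key.pem
serverCert = /opt/splunk/etc/auth/mycerts/cert.pem
requireClientCert = true
sslRootCAPath = /opt/splunk/etc/auth/mycerts/RootCA.pem
enableCertBasedUserAuth = true
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = Microsoft Universal Principal Name
"""
BAD_AUTH_CONF = """[authentication]
authSettings = LDAP_Config
authType = LDAP

[LDAP_Config]
SSLEnabled = 0
host = DC1.domain.com ##Must be FQDN of LDAP server##
port = 389
bindDN = splunkbind
bindDNpassword = password
"""
BAD_WEB_CONF = """[settings]
enableSplunkWebSSL = 1
requireClientCert = false
sslRootCAPath = /opt/splunk/etc/auth/RootCA.pem
enableCertBasedUserAuth = true
certBasedUserAuthMethod = UPN
"""

if __name__ == "__main__":
    for finding in check_cac_config(BAD_AUTH_CONF, BAD_WEB_CONF):
        print("FINDING:", finding)
```

To run it against a live host, read /opt/splunk/etc/system/local/authentication.conf and web.conf into the two arguments. The certificate prerequisites from the earlier section are quickest to confirm with OpenSSL itself, for example `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`, which prints the Subject (check for CN and O) and the SAN list (check for the server FQDN).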

Conclusion

Configuring Splunk Enterprise to use a Common Access Card (CAC) for authentication strengthens your organization’s security posture by aligning with DoD and federal standards for secure access. By following the proper configuration steps and validating the setup, you can ensure a secure and efficient implementation of CAC authentication within your Splunk Enterprise environment.

To learn more about Splunk and how SecureStrux can support your organization in the design and deployment of a compliant Splunk architecture, please reach out to our sales team.

SecureStrux

As a cybersecurity firm with deep roots in the Department of Defense (DoD) cybersecurity community, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering solutions. Since 2013, we’ve partnered with hundreds of organizations within and outside the DoD to understand and proactively manage their risk. Our strength within the DoD has allowed us to easily translate best practices to our clients in other industries including Energy, Manufacturing, Architecture, Education, and Aerospace.