DG 8 client certificate authentication doesn't work with HTTP/2

Solution Verified

Issue

A Data Grid cluster runs in OCP and is managed by the Data Grid Operator. The cluster is configured to use client certificate authentication in "Authenticate" mode.
Authentication works fine from a Spring Boot application. However, after the client certificate is imported into a browser, the Web Console does not load and returns a blank page.
The server throws the following error:

14:03:59,374 ERROR (non-blocking-thread--p2-t2) [org.infinispan.rest.RestRequestHandler] ISPN012005: An error occurred while responding to the client java.util.concurrent.CompletionException: java.lang.RuntimeException: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
    at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:314)
    at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:319)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1702)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.RuntimeException: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
    at org.infinispan.server.security.ElytronHTTPAuthenticator.lambda$challenge$0(ElytronHTTPAuthenticator.java:120)
    at org.infinispan.util.concurrent.BlockingManagerImpl.lambda$supplyBlockingOperation$3(BlockingManagerImpl.java:149)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700)
    ... 5 more
Caused by: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
    at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
    at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:120)
    at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.evaluateRequest(ClientCertAuthenticationMechanism.java:94)
    at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
    at org.wildfly.security.auth.server.http.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:84)
    at org.infinispan.server.security.ElytronHTTPAuthenticator.lambda$challenge$0(ElytronHTTPAuthenticator.java:101)
    ... 7 more
Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
    at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getFirstCertificate(X509PeerCertificateChainEvidence.java:94)
    at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getDefaultPrincipal(X509PeerCertificateChainEvidence.java:59)
    at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getDefaultPrincipal(X509PeerCertificateChainEvidence.java:31)
    at org.wildfly.security.auth.server.SecurityDomain$Builder.lambda$new$2(SecurityDomain.java:839)
    at org.wildfly.security.auth.server.ServerAuthenticationContext.setDecodedEvidencePrincipal(ServerAuthenticationContext.java:778)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$UnassignedState.verifyEvidence(ServerAuthenticationContext.java:1699)
    at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:767)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1021)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)
    at org.wildfly.security.auth.server.http.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:125)
    at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:156)
    ... 12 more
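
Triage sketch added here (not Red Hat or Infinispan code): it walks the "Caused by" chain of a server log excerpt to its innermost cause and flags the signature seen above, where X509PeerCertificateChainEvidence.getFirstCertificate reads index 0 of a zero-length array, i.e. the evidence handed to the client certificate mechanism held an empty chain. The sample input is constructed by abbreviating the trace above, and the function names are hypothetical.

```python
import re

# Constructed sample: the trace above with most frames trimmed.
SAMPLE = """\
14:03:59,374 ERROR (non-blocking-thread--p2-t2) [org.infinispan.rest.RestRequestHandler] ISPN012005: An error occurred while responding to the client java.util.concurrent.CompletionException: java.lang.RuntimeException: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
    at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:314)
Caused by: java.lang.RuntimeException: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
    at org.infinispan.server.security.ElytronHTTPAuthenticator.lambda$challenge$0(ElytronHTTPAuthenticator.java:120)
Caused by: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
    at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
    at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:120)
Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
    at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getFirstCertificate(X509PeerCertificateChainEvidence.java:94)
    at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getDefaultPrincipal(X509PeerCertificateChainEvidence.java:59)
"""

CAUSE = re.compile(r"^Caused by: ([\w.$]+)(?:: (.*))?$")
FRAME = re.compile(r"^\s+at (?:[\w.]+/)?([\w.$]+)\(")

def root_cause(trace):
    """Return type, message and frames of the innermost 'Caused by', or None."""
    cause = None
    for line in trace.splitlines():
        m = CAUSE.match(line)
        if m:
            # Each new 'Caused by' replaces the previous one; the last wins.
            cause = {"type": m.group(1), "message": m.group(2) or "", "frames": []}
        elif cause is not None:
            f = FRAME.match(line)
            if f:
                cause["frames"].append(f.group(1))
    return cause

def is_empty_client_cert_chain(trace):
    """True when the innermost cause is index 0 read from a zero-length peer chain."""
    rc = root_cause(trace)
    return bool(
        rc
        and rc["type"] == "java.lang.ArrayIndexOutOfBoundsException"
        and "Index 0 out of bounds for length 0" in rc["message"]
        and rc["frames"]
        and rc["frames"][0].endswith("X509PeerCertificateChainEvidence.getFirstCertificate")
    )

if __name__ == "__main__":
    print(root_cause(SAMPLE)["type"], is_empty_client_cert_chain(SAMPLE))
```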

Environment

  • Red Hat Data Grid (RHDG)
    • 8.3.x
  • Red Hat OpenShift Container Platform (OCP)
    • 4.x
