DG 8 client certificate authentication doesn't work with HTTP/2
Issue
A Data Grid cluster running in OCP and managed by the Data Grid Operator is configured to use client certificate authentication in "Authenticate" mode.
Authentication from a Spring Boot application works fine. However, after importing the client certificate into a browser, the Web Console does not load and returns a blank page.
The server throws the following error:
14:03:59,374 ERROR (non-blocking-thread--p2-t2) [org.infinispan.rest.RestRequestHandler] ISPN012005: An error occurred while responding to the client java.util.concurrent.CompletionException: java.lang.RuntimeException: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:314)
at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:319)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1702)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.RuntimeException: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
at org.infinispan.server.security.ElytronHTTPAuthenticator.lambda$challenge$0(ElytronHTTPAuthenticator.java:120)
at org.infinispan.util.concurrent.BlockingManagerImpl.lambda$supplyBlockingOperation$3(BlockingManagerImpl.java:149)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700)
... 5 more
Caused by: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:120)
at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.evaluateRequest(ClientCertAuthenticationMechanism.java:94)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
at org.wildfly.security.auth.server.http.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:84)
at org.infinispan.server.security.ElytronHTTPAuthenticator.lambda$challenge$0(ElytronHTTPAuthenticator.java:101)
... 7 more
Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getFirstCertificate(X509PeerCertificateChainEvidence.java:94)
at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getDefaultPrincipal(X509PeerCertificateChainEvidence.java:59)
at org.wildfly.security.evidence.X509PeerCertificateChainEvidence.getDefaultPrincipal(X509PeerCertificateChainEvidence.java:31)
at org.wildfly.security.auth.server.SecurityDomain$Builder.lambda$new$2(SecurityDomain.java:839)
at org.wildfly.security.auth.server.ServerAuthenticationContext.setDecodedEvidencePrincipal(ServerAuthenticationContext.java:778)
at org.wildfly.security.auth.server.ServerAuthenticationContext$UnassignedState.verifyEvidence(ServerAuthenticationContext.java:1699)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:767)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1021)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)
at org.wildfly.security.auth.server.http.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:125)
at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:156)
... 12 more
Environment
- Red Hat Data Grid (RHDG) 8.3.x
- Red Hat OpenShift Container Platform (OCP) 4.x