I am making a web application migration from Glassfish 4.1 to Payara 6. The application uses a standalone client written in Java and runs successfully when no client authentication is set up, i.e. with "empty" web.xml
and payara-web.xml
and reaching it on
The same error persists even if I omit point nr. 3.
I used the same steps when setting up Glassfish where it worked.
Any ideas what I am missing?
CodePudding user response:
In order to eliminate client-related issues, I switched to using Firefox as a client. I installed the client's certificate into Firefox and contacted the webapp running on Glassfish 4.1 (the one I am migrating from). A pop-up window in Firefox asked which certificate I want to use and then I got the expected response from the server.
Contacting the webapp running on Payara 6 (the one I am migrating to) raises no pop-up window (no, I didn't click "Remember my choice"), gives the HTTP Status 400 response as seen above and the following debug output on Payara side:
CodePudding user response:
Posting my findings about how to make mutual certificate authentication work on Payara 6:
- Deactivate TLS 1.3 in admin. console (Configurations -> server-config -> Network Config -> Protocols -> http-listener-2 -> SSL)
- Deactivate HTTP/2 in admin. console (Configurations -> server-config -> Network Config -> Protocols -> http-listener-2 -> HTTP)
- Do NOT use spaces after commas in <principal-name> in payara-web.xml:
  <principal-name>CN=Name,OU=Unit,O=Org,L=AA,ST=BB,C=CC</principal-name> is OK
  <principal-name>CN=Name, OU=Unit, O=Org, L=AA, ST=BB, C=CC</principal-name> is NOT OK (but was OK on Glassfish 4.1)
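
A check for the last point above, as an added example that is not part of the original answer: it reads every <principal-name> from a descriptor and compares it with the RFC 2253 string form returned by the JDK's X500Principal.getName(), which has no spaces after commas. That this is the form Payara 6 matches against is an assumption drawn from the answer's observation; the class name and the sample descriptor are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

// Added example: hypothetical class name, constructed sample descriptor.
public class PrincipalNameCheck {
    // Constructed payara-web.xml content using the two DNs quoted in the answer.
    static final String SAMPLE =
        "<payara-web-app><security-role-mapping><role-name>client</role-name>"
        + "<principal-name>CN=Name,OU=Unit,O=Org,L=AA,ST=BB,C=CC</principal-name>"
        + "</security-role-mapping><security-role-mapping><role-name>legacy</role-name>"
        + "<principal-name>CN=Name, OU=Unit, O=Org, L=AA, ST=BB, C=CC</principal-name>"
        + "</security-role-mapping></payara-web-app>";

    // Returns one finding per <principal-name> whose text is not in RFC 2253 form.
    static List<String> check(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Accept a DOCTYPE (real descriptors have one) but never fetch it or expand external entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        NodeList nodes = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("principal-name");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            String written = nodes.item(i).getTextContent().trim();
            String canonical;
            try {
                canonical = new X500Principal(written).getName(X500Principal.RFC2253);
            } catch (IllegalArgumentException e) {
                continue; // not a DN (for example a plain user name); nothing to compare
            }
            if (!written.equals(canonical)) {
                findings.add("'" + written + "' -> use '" + canonical + "'");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        check(SAMPLE).forEach(System.out::println);
    }
}
```

To get the value for a real client certificate, call getSubjectX500Principal().getName() on the loaded X509Certificate and paste the result into <principal-name> unchanged.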