I am in the process of migrating an application from WildFly 10 to WildFly 32. We have a datasource connection to an Impala database, which uses Kerberos authentication. Below is the working configuration in WildFly 10:
<datasource jta="false" jndi-name="java:jboss/datasources/OssaFaultDS" pool-name="OssaFaultDS">
    <connection-url>jdbc:impala://impala_server.net:21050/alarm_db;AuthMech=1;KrbHostFQDN=krbserver.net;KrbServiceName=impala;SSL=1;SSLKeyStore=/home/ossa/.security/cm-keystore.jks;SSLKeyStorePwd=3B51QQfX;AllowSelfSignedCerts=1</connection-url>
    <driver>impala</driver>
    <pool>
        <max-pool-size>128</max-pool-size>
        <flush-strategy>FailingConnectionOnly</flush-strategy>
    </pool>
    <security>
        <security-domain>kerberos-cdh</security-domain>
    </security>
    <validation>
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <validate-on-match>false</validate-on-match>
        <background-validation>true</background-validation>
        <background-validation-millis>120000</background-validation-millis>
    </validation>
    <timeout>
        <blocking-timeout-millis>300000</blocking-timeout-millis>
        <idle-timeout-minutes>60</idle-timeout-minutes>
    </timeout>
</datasource>
In WildFly 10, we configured the Kerberos security domain as follows:
<security-domain name="kerberos-cdh" cache-type="infinispan">
    <authentication>
        <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="/home/tester/cdp.keytab"/>
            <module-option name="principal" value="tester/[email protected]"/>
            <module-option name="useTicketCache" value="false"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="isInitiator" value="true"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="addGSSCredential" value="true"/>
        </login-module>
    </authentication>
</security-domain>
Migrating to WildFly 32:
In WildFly 32, I have made changes to accommodate the new Elytron-based security configuration. The updated datasource configuration is as follows:
WildFly 32 Datasource Configuration:
<datasource jta="false" jndi-name="java:jboss/datasources/FaultDS" pool-name="FaultDS" statistics-enabled="true">
    <connection-url>jdbc:impala://impala_server.net:21050/alarm_db;AuthMech=1;KrbHostFQDN=krbserver.net;KrbServiceName=impala;SSL=1;SSLKeyStore=/home/tester/.security/cm-key.jks;SSLKeyStorePwd=3B51QQfX;AllowSelfSignedCerts=1</connection-url>
    <driver>impala</driver>
    <pool>
        <max-pool-size>8</max-pool-size>
        <flush-strategy>FailingConnectionOnly</flush-strategy>
    </pool>
    <security>
        <elytron-enabled>true</elytron-enabled>
        <authentication-context>kerberos-auth-context</authentication-context>
    </security>
    <validation>
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <validate-on-match>false</validate-on-match>
        <background-validation>true</background-validation>
        <background-validation-millis>120000</background-validation-millis>
    </validation>
    <timeout>
        <blocking-timeout-millis>300000</blocking-timeout-millis>
    </timeout>
</datasource>
I also configured the authentication-context for Kerberos as follows:
WildFly 32 Authentication Context:
<authentication-client>
    <authentication-configuration name="kerberos-auth-config" kerberos-security-factory="kerberos-cdh"/>
    <authentication-context name="kerberos-auth-context">
        <match-rule authentication-configuration="kerberos-auth-config"/>
    </authentication-context>
</authentication-client>
The Kerberos Security Factory is configured as follows:
<credential-security-factories>
    <kerberos-security-factory name="kerberos-cdh" principal="tester/[email protected]" path="/home/tester/cdp.keytab" debug="true"/>
</credential-security-factories>
Problem:
With the above configuration in WildFly 32, the datasource connection is not working. I am getting the error messages below:
Caused by: java.lang.NullPointerException: invalid null input(s)
at java.base/java.util.Objects.requireNonNull(Objects.java:235)
at java.base/javax.security.auth.Subject$SecureSet.add(Subject.java:1168)
at java.base/java.util.Collections$SynchronizedCollection.add(Collections.java:2104)
at [email protected]//org.jboss.as.connector.security.ElytronSubjectFactory.addPrivateCredential(ElytronSubjectFactory.java:166)
at [email protected]//org.jboss.as.connector.security.ElytronSubjectFactory.createSubject(ElytronSubjectFactory.java:126)
I could not find a working example in the official WildFly 32 documentation or any forums for this kind of setup using Elytron with Kerberos authentication for a datasource.
Could anyone provide guidance or a working example for configuring a datasource with Kerberos authentication in the Elytron security system?
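Added example (editor's illustration, not part of the question and not a verified fix for this deployment): the three Elytron pieces from the question assembled together, with one attribute added to the kerberos-security-factory. The stack trace in the question shows ElytronSubjectFactory.addPrivateCredential handing a null object to Subject.SecureSet.add, i.e. one of the objects taken from the Kerberos credential was null rather than the credential lookup failing outright. The Elytron subsystem's kerberos-security-factory resource has an obtain-kerberos-ticket attribute (documented as "should the KerberosTicket also be obtained and associated with the credential", default false); the assumption made here is that the connector's subject factory adds that KerberosTicket as a private credential, so a factory that never obtained one yields exactly this null. Names and the keytab path are the ones from the question; the principal is a placeholder because the question's value is redacted; whether this attribute exists under that name in the installed schema should be checked against the wildfly-elytron XSD shipped in the server's docs/schema directory.

```xml
<!-- Added example, not the poster's configuration.                          -->
<!-- Elytron subsystem: credential security factory for the service keytab. -->
<credential-security-factories>
    <!-- obtain-kerberos-ticket="true": assumed fix. Without it the factory
         only holds the GSSCredential, and a null KerberosTicket would be
         what ElytronSubjectFactory.addPrivateCredential tries to add.     -->
    <kerberos-security-factory name="kerberos-cdh"
                               principal="tester/HOST-PLACEHOLDER@REALM-PLACEHOLDER"
                               path="/home/tester/cdp.keytab"
                               obtain-kerberos-ticket="true"
                               debug="true"/>
</credential-security-factories>

<!-- Elytron subsystem: client-side authentication configuration that the
     datasource resolves through its authentication-context name.          -->
<authentication-client>
    <authentication-configuration name="kerberos-auth-config"
                                  kerberos-security-factory="kerberos-cdh"/>
    <authentication-context name="kerberos-auth-context">
        <match-rule authentication-configuration="kerberos-auth-config"/>
    </authentication-context>
</authentication-client>

<!-- Datasources subsystem: the security block exactly as in the question. -->
<security>
    <elytron-enabled>true</elytron-enabled>
    <authentication-context>kerberos-auth-context</authentication-context>
</security>
```

Two checks before changing the server: confirm the principal named on the factory is actually present in the keytab (MIT Kerberos' `klist -kt /home/tester/cdp.keytab` lists the entries), and, with `debug="true"` already set, look in server.log for the factory's own login output at boot, which separates "keytab login failed" (no ticket could be obtained at all) from "ticket not requested" (the null-credential case the trace points at).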