Configuring Common Secure Interoperability version 2 (CSIv2) in Liberty
Liberty supports CSIv2 security at various levels, such as message authentication (authentication layer), identity assertion (attribute layer), and client certificate authentication (transport layer). Using the CSIv2 feature, you can specify the type of authentication for both inbound and outbound requests to downstream servers. CSIv2 features are enabled automatically when the appSecurity-2.0 and ejbRemote-3.2 features are configured in the server.xml file.

You can configure CSIv2 in Liberty to enable interoperability between Java Platform, Enterprise Edition vendors.

Procedure
The following is the default configuration. It is used without having to be specified in the server.xml file when the appSecurity-2.0 and ejbRemote-3.2 features are configured.

    <orb id="defaultOrb">
        <serverPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="false"/>
                <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
                <transportLayer/>
            </layers>
        </serverPolicy.csiv2>
        <clientPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="false"/>
                <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
                <transportLayer/>
            </layers>
        </clientPolicy.csiv2>
    </orb>

You can change each of the layers in serverPolicy.csiv2 and in clientPolicy.csiv2 to customize the inbound and outbound CSIv2 settings.
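
An added example, not part of the original page and not IBM's own tooling: a Python check that reads a server.xml and lists every CSIv2 layer attribute that is explicitly set to something other than the default configuration shown above, which is useful when reviewing a server for customized inbound or outbound settings. The function names and the sample server.xml are constructed for illustration, and treating whitespace around commas in mechanisms as insignificant is an assumption.

```python
import xml.etree.ElementTree as ET

# Defaults copied from the default configuration shown on this page.
_LAYER_DEFAULTS = {
    "attributeLayer": {"identityAssertionEnabled": "false"},
    "authenticationLayer": {"mechanisms": "LTPA,GSSUP"},
    "transportLayer": {},
}
_TRUST_DEFAULT = {"serverPolicy.csiv2": "Required", "clientPolicy.csiv2": "Supported"}

# Constructed sample server.xml (not from the page).
SAMPLE = """<server>
  <orb id="defaultOrb">
    <serverPolicy.csiv2>
      <layers>
        <attributeLayer identityAssertionEnabled="true"/>
        <authenticationLayer mechanisms="LTPA, GSSUP" establishTrustInClient="Supported"/>
      </layers>
    </serverPolicy.csiv2>
  </orb>
</server>"""

def _norm(value):
    # Assumption: padding around commas in a list value is not significant.
    return None if value is None else [p.strip() for p in value.split(",")]

def default_for(policy, layer, attr):
    """Default from the page, or None when the page's defaults do not set it."""
    if layer == "authenticationLayer" and attr == "establishTrustInClient":
        return _TRUST_DEFAULT[policy]
    return _LAYER_DEFAULTS.get(layer, {}).get(attr)

def csiv2_overrides(server_xml, orb_id="defaultOrb"):
    """List (policy, layer, attribute, default, configured) for each explicit
    CSIv2 layer attribute that differs from the page's default configuration."""
    findings = []
    for orb in ET.fromstring(server_xml).iter("orb"):
        policies = [p for p in orb if p.tag in _TRUST_DEFAULT and orb.get("id") == orb_id]
        for policy in policies:
            for layer in policy.iterfind("layers/*"):
                for attr, value in layer.attrib.items():
                    default = default_for(policy.tag, layer.tag, attr)
                    if _norm(value) != _norm(default):
                        findings.append((policy.tag, layer.tag, attr, default, value))
    return findings

if __name__ == "__main__":
    print(*csiv2_overrides(SAMPLE), sep="\n")
```

An attribute that the default configuration does not set at all is reported with a default of None, so any addition to a layer shows up alongside changed values.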