Configuring Common Secure Interoperability version 2 (CSIv2) in Liberty

Liberty supports CSIv2 security at several layers: message authentication (authentication layer), identity assertion (attribute layer), and client certificate authentication (transport layer). With the CSIv2 feature, you can specify the type of authentication for both inbound requests and outbound requests to downstream servers. CSIv2 is enabled automatically when the appSecurity-2.0 and ejbRemote-3.2 features are configured in the server.xml file. You can configure CSIv2 in Liberty to enable interoperability between Java Platform, Enterprise Edition vendors.

Procedure

When the appSecurity-2.0 and ejbRemote-3.2 features are configured, the following default configuration applies without having to be specified in the server.xml file.
<orb id="defaultOrb">
    <serverPolicy.csiv2>
        <layers>
            <attributeLayer identityAssertionEnabled="false"/>
            <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
            <transportLayer/>
        </layers>
    </serverPolicy.csiv2>
    <clientPolicy.csiv2>
        <layers>
            <attributeLayer identityAssertionEnabled="false"/>
            <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
            <transportLayer/>
        </layers>
    </clientPolicy.csiv2>
</orb>

You can change each of the layers in serverPolicy.csiv2 and in clientPolicy.csiv2 to customize the inbound and outbound CSIv2 settings.
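Because the defaults above apply even when server.xml contains no orb element, a configuration review needs the effective policy rather than the literal file contents. The following is an added example, not part of the product documentation: it merges the settings found in a server.xml over the defaults shown on this page and lists every deviation. The function names and the sample file are constructed for illustration, and the script assumes that an attribute that is not set keeps its default value.

```python
import xml.etree.ElementTree as ET
# Defaults copied from the default <orb> configuration shown on this page.
DEFAULTS = {
    "serverPolicy.csiv2": {"identityAssertionEnabled": "false",
                           "mechanisms": "LTPA,GSSUP",
                           "establishTrustInClient": "Required"},
    "clientPolicy.csiv2": {"identityAssertionEnabled": "false",
                           "mechanisms": "LTPA,GSSUP",
                           "establishTrustInClient": "Supported"},
}
# Which layer element carries each attribute.
LAYER_OF = {"identityAssertionEnabled": "attributeLayer",
            "mechanisms": "authenticationLayer",
            "establishTrustInClient": "authenticationLayer"}

def _descend(element, *tags):
    """Follow a chain of direct child tags; return None if any is missing."""
    for tag in tags:
        if element is None:
            return None
        element = next((c for c in element if c.tag == tag), None)
    return element

def effective_policy(server_xml, orb_id="defaultOrb"):
    """Merge the <orb> settings found in server_xml over the page's defaults.
    Assumption: an attribute that is not set keeps its default value."""
    root = ET.fromstring(server_xml)
    orb = next((o for o in root.iter("orb") if o.get("id") == orb_id), None)
    merged = {policy: dict(values) for policy, values in DEFAULTS.items()}
    for policy in merged:
        for attr, layer in LAYER_OF.items():
            node = _descend(orb, policy, "layers", layer)
            if node is not None and attr in node.attrib:
                merged[policy][attr] = node.attrib[attr]
    return merged

def deviations(server_xml):
    """Return (policy, attribute, default, configured) for each changed setting."""
    return [(p, a, DEFAULTS[p][a], v)
            for p, attrs in effective_policy(server_xml).items()
            for a, v in attrs.items() if v != DEFAULTS[p][a]]

# Constructed sample: inbound policy changed, outbound policy left at defaults.
SAMPLE = """<server><orb id="defaultOrb"><serverPolicy.csiv2><layers>
  <attributeLayer identityAssertionEnabled="true"/>
  <authenticationLayer establishTrustInClient="Supported"/>
</layers></serverPolicy.csiv2></orb></server>"""

if __name__ == "__main__":
    print(deviations(SAMPLE))
```

Run against a server.xml during review, the deviation list shows which inbound (serverPolicy.csiv2) or outbound (clientPolicy.csiv2) settings differ from the defaults.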