Configure Common Secure Interoperability version 2 (CSIv2) in Liberty
Liberty supports CSIv2 security at several layers: message authentication (authentication layer), identity assertion (attribute layer), and client certificate authentication (transport layer). Using the CSIv2 feature, we can specify the type of authentication for both inbound requests and outbound requests to downstream servers. CSIv2 features are enabled automatically when the appSecurity-2.0 and ejbRemote-3.2 features are configured in server.xml. We can configure CSIv2 in Liberty to enable interoperability between Java Platform, Enterprise Edition vendors.
When the appSecurity-2.0 and ejbRemote-3.2 features are configured, the following default configuration applies without having to be specified in server.xml.
<orb id="defaultOrb">
    <serverPolicy.csiv2>
        <layers>
            <attributeLayer identityAssertionEnabled="false"/>
            <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
            <transportLayer/>
        </layers>
    </serverPolicy.csiv2>
    <clientPolicy.csiv2>
        <layers>
            <attributeLayer identityAssertionEnabled="false"/>
            <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
            <transportLayer/>
        </layers>
    </clientPolicy.csiv2>
</orb>
To customize the inbound and outbound CSIv2 settings, change the layers in serverPolicy.csiv2 and in clientPolicy.csiv2, respectively.
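Because the defaults apply silently, it helps when reviewing a server.xml to list only the CSIv2 settings that have been changed from them. The following script is an added example, not part of the original page or of Liberty; the function name csiv2_deviations and the sample server.xml are constructed for illustration, and it assumes that an attribute left out of a layer keeps the default shown above.

```python
import xml.etree.ElementTree as ET

# Defaults listed on this page (transportLayer has no attributes there, so it is skipped).
DEFAULTS = {
    "serverPolicy.csiv2": {
        "attributeLayer": {"identityAssertionEnabled": "false"},
        "authenticationLayer": {"mechanisms": "LTPA,GSSUP", "establishTrustInClient": "Required"},
    },
    "clientPolicy.csiv2": {
        "attributeLayer": {"identityAssertionEnabled": "false"},
        "authenticationLayer": {"mechanisms": "LTPA,GSSUP", "establishTrustInClient": "Supported"},
    },
}

# Constructed sample: an inbound policy that was loosened from the defaults.
SAMPLE = """<server>
  <orb id="defaultOrb">
    <serverPolicy.csiv2>
      <layers>
        <attributeLayer identityAssertionEnabled="true"/>
        <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
      </layers>
    </serverPolicy.csiv2>
  </orb>
</server>"""

def _norm(value):
    # Compare case-insensitively and ignore spaces around commas.
    return [part.strip().lower() for part in value.split(",")]

def csiv2_deviations(server_xml):
    """Return (policy, layer, attribute, default, configured) for each
    CSIv2 setting in server_xml that differs from the page's defaults."""
    root = ET.fromstring(server_xml)
    found = []
    for policy_name, layers in DEFAULTS.items():
        for policy in root.iter(policy_name):
            for layer_name, defaults in layers.items():
                for layer in policy.iter(layer_name):
                    for attr, default in defaults.items():
                        # Assumption: an omitted attribute keeps its default.
                        value = layer.get(attr, default)
                        if _norm(value) != _norm(default):
                            found.append((policy_name, layer_name, attr, default, value))
    return found

if __name__ == "__main__":
    for row in csiv2_deviations(SAMPLE):
        print("%s/%s %s: default %s, configured %s" % row)
```

Each reported row is a change to review deliberately, for example an inbound authentication layer whose establishTrustInClient is no longer Required.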