Enabling CORS support for Db2 REST services
You can enable Cross-Origin Resource Sharing (CORS) support for Db2 to permit a web page or application to access remote content from a different domain (or port) than the site that the web page was loaded from. You can enable Db2 REST services to use the HTTP Cross-Origin Resource Sharing (CORS) protocols, including support for the CORS "pre-flight" HTTP OPTIONS verb and CORS HTTP request/response header fields.
Before you begin
Apply the PTF for APAR PH59837.
If you want to use the REST CORS functionality before the availability of the RACF module ICHRRCDX update that delivers the new DSNRAUTH class definition, your z/OS® RACF security administrator can temporarily create the DSNRAUTH class using the RACF dynamic class descriptor table (CDT) support. For more information, see Creating a temporary DSNRAUTH class by using the RACF dynamic class descriptor table.
About this task
Cross-Origin Resource Sharing (CORS) is a protocol standard for permitting a web page or application to access remote content from a different domain (or port) than the site that the web page was loaded from. For example, assume that a user loads a page from the "origin" site at mynode.ibm.com. The downloaded web page includes client-side content (such as JavaScript) which invokes a Db2 native REST service using site db2server.ibm.com:446. The call to the Db2 REST service triggers the CORS protocols because the Db2 REST service site is different from the "origin" site from which the web page was originally loaded.
Db2 REST services support the HTTP Cross-Origin Resource Sharing (CORS) protocols, including support for the CORS "pre-flight" HTTP OPTIONS verb and CORS HTTP request/response header fields.
The configuration and management of the Db2 REST CORS origin authorization rules are implemented using a new z/OS RACF RESOURCE CLASS (DSNRAUTH) and associated RACF generic or discrete resource profiles to represent the allowed remote (origin) sites.
The CORS origin checking is managed as a system-wide Db2 setting, which is independent of the "end-user" that is driving the CORS request. So, the authorization ID associated with the DDF address space (ssnmDIST) started task is used for the CORS origin resource authorization check.
Procedure
To enable and permit Db2 REST CORS support for a specific origin, complete the following steps.
Examples
- Example 1
- Enable Db2 REST CORS access on stand-alone Db2 subsystem DB2A, with a DB2ADIST started task ID of SYSDSP, from host origin "www.mybank.com":
RDEFINE DSNRAUTH DSNCORS.DB2A.COM.MYBANK.WWW UACC(NONE)
PERMIT DSNCORS.DB2A.COM.MYBANK.WWW CLASS(DSNRAUTH) ACCESS(READ) ID(SYSDSP)
SETROPTS RACLIST(DSNRAUTH) REFRESH
- Example 2
- Enable Db2 REST CORS access on a Db2 data-sharing group with group attach name DB2G, where all members use the same DDF (ssidDIST) started task ID of SYSDSP, from any host origin with ".org" as the top-level domain:
RDEFINE DSNRAUTH DSNCORS.DB2G.ORG.** UACC(NONE)
PERMIT DSNCORS.DB2G.ORG.** CLASS(DSNRAUTH) ACCESS(READ) ID(SYSDSP)
SETROPTS RACLIST(DSNRAUTH) REFRESH
- Example 3
- Enable Db2 REST CORS access on stand-alone Db2 subsystem DB2D, with a DB2DDIST started task ID of SYSDSP, from any host origin under the "internal.myco.com" sub-domain:
RDEFINE DSNRAUTH DSNCORS.DB2D.COM.MYCO.INTERNAL.** UACC(NONE)
PERMIT DSNCORS.DB2D.COM.MYCO.INTERNAL.** CLASS(DSNRAUTH) ACCESS(READ) ID(SYSDSP)
SETROPTS RACLIST(DSNRAUTH) REFRESH
- Example 4
- Enable Db2 REST CORS access on stand-alone Db2 subsystem DB2A, with a DB2ADIST started task ID of SYSDSP, from host origin value "http://192.168.1.100":
RDEFINE DSNRAUTH DSNCORS.DB2A.0000.0000.0000.0000.0000.0000.192.168.001.100 UACC(NONE)
PERMIT DSNCORS.DB2A.0000.0000.0000.0000.0000.0000.192.168.001.100 CLASS(DSNRAUTH) -
  ACCESS(READ) ID(SYSDSP)
SETROPTS RACLIST(DSNRAUTH) REFRESH
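
Before defining a generic profile such as the ones in Examples 2 and 3, it helps to check which origins it would actually cover. The following Python sketch is an added example, not IBM code: the origin-to-resource-name mapping is inferred from Examples 1 to 4 on this page, and it assumes that the scheme and port are not part of the resource name and that only the trailing ".**" generic form is used.

```python
import ipaddress
from urllib.parse import urlsplit

def cors_resource_name(ssid, origin):
    """Build the DSNRAUTH resource name for an origin, using the pattern
    inferred from this page's examples (an assumption, not a stated rule)."""
    host = urlsplit(origin if "//" in origin else "//" + origin).hostname
    if not host:
        raise ValueError(f"no host in origin {origin!r}")
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        # Host name: labels reversed and uppercased (www.mybank.com -> COM.MYBANK.WWW)
        quals = [label.upper() for label in reversed(host.split("."))]
    else:
        # IPv4 literal: six 0000 groups, then zero-padded octets (as in Example 4)
        quals = ["0000"] * 6 + [f"{octet:03d}" for octet in ip.packed]
    return ".".join(["DSNCORS", ssid.upper()] + quals)

def profile_covers(profile, resource):
    """True if a discrete profile, or a generic one ending in '.**', covers
    the resource. RACF '**' matches zero or more qualifiers; other generic
    characters are not handled here."""
    if profile.endswith(".**"):
        stem = profile[:-3]
        return resource == stem or resource.startswith(stem + ".")
    return profile == resource

def audit(ssid, profiles, origins):
    """Map each origin to the list of profiles that would authorize it."""
    return {
        origin: [p for p in profiles
                 if profile_covers(p, cors_resource_name(ssid, origin))]
        for origin in origins
    }

if __name__ == "__main__":
    # Constructed sample: the Example 3 profile against three candidate origins
    profiles = ["DSNCORS.DB2D.COM.MYCO.INTERNAL.**"]
    origins = ["https://app.internal.myco.com",
               "https://internal.myco.com.other.example",
               "https://myco.com"]
    for origin, hits in audit("DB2D", profiles, origins).items():
        print(f"{origin:42} {'covered by ' + hits[0] if hits else 'no matching profile'}")
```

Because the host labels are reversed, a look-alike host that merely starts with "internal.myco.com" produces a resource name under a different top-level qualifier and is not covered by the Example 3 profile, while a profile as broad as Example 2 covers every ".org" origin.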