Configuring Cross-Origin Resource Sharing on a z/OS Connect (OpenAPI 2) Server

IBM® z/OS® Connect supports Cross-Origin Resource Sharing (CORS). CORS is a mechanism that allows access to a resource from a different domain than the one in which the resource is located.

CORS is enabled in IBM z/OS Connect by using the Liberty cors configuration element. For more information, see Configuring Cross Origin Resource Sharing on a Liberty server in the WebSphere Application Server for z/OS Liberty documentation.

To enable API toolkit connections, you must have a cors definition in your server.xml. When you create a server by using one of the server templates supplied with the product, a cors element that enables API toolkit connections is automatically added to the server.xml configuration file. The following excerpt from the server.xml shows a cors element definition that allows API toolkit connections.

<cors id="defaultCORSConfig" 
      domain="/"
      allowedOrigins="*" 
      allowedMethods="GET, POST, PUT, DELETE, OPTIONS" 
      allowedHeaders="Origin, Content-Type, Authorization, Cache-Control, Expires, Pragma"
      allowCredentials="true" 
      maxAge="3600" />

You might want to customize this configuration further, for example, to restrict the allowed origins.

If you have JavaScript clients that access IBM z/OS Connect resources, you might need to further customize your cors element definition. For example, the allowedHeaders attribute on the cors element must specify all headers that you want to be permitted on any request. The CORS access control headers themselves do not need to be listed.
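
The following Python script is an added example, not part of the IBM documentation or the product. It audits the cors elements of a server.xml for the two customizations described above: a wildcard allowedOrigins value, and client request headers that are missing from allowedHeaders. The sample server.xml content and the X-Correlation-ID header are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the cors element from the excerpt above in a minimal server.xml.
SAMPLE_SERVER_XML = """<server>
  <cors id="defaultCORSConfig"
        domain="/"
        allowedOrigins="*"
        allowedMethods="GET, POST, PUT, DELETE, OPTIONS"
        allowedHeaders="Origin, Content-Type, Authorization, Cache-Control, Expires, Pragma"
        allowCredentials="true"
        maxAge="3600" />
</server>"""


def _csv(value):
    """Split a comma-separated attribute value into trimmed, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_cors(server_xml, client_headers=()):
    """Return (cors id, finding) tuples for every cors element in server_xml."""
    findings = []
    for cors in ET.fromstring(server_xml).iter("cors"):
        cid = cors.get("id", "<no id>")
        credentials = cors.get("allowCredentials", "").strip().lower() == "true"
        # A wildcard origin is the setting the page suggests restricting.
        if "*" in _csv(cors.get("allowedOrigins")):
            detail = " with allowCredentials=true" if credentials else ""
            findings.append((cid, "wildcard-origin" + detail))
        # Header names are case-insensitive, so compare in lower case.
        allowed = {h.lower() for h in _csv(cors.get("allowedHeaders"))}
        for header in client_headers:
            name = header.lower()
            # The CORS access control headers themselves need not be listed.
            if name.startswith("access-control-"):
                continue
            if name not in allowed:
                findings.append((cid, "header-not-allowed " + header))
    return findings


if __name__ == "__main__":
    # X-Correlation-ID is a hypothetical custom header sent by a JavaScript client.
    for cid, finding in audit_cors(SAMPLE_SERVER_XML, ["Content-Type", "X-Correlation-ID"]):
        print(cid, finding)
```
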

Tip: If any problems occur, ensure that you gather all relevant diagnostic information by including the Liberty trace specification: *=info:CorsService=all:GenericBNF=all. For more information, see Enabling trace in IBM z/OS Connect.