Cross-origin resource sharing (CORS) support for REST services in Db2 13 for z/OS

By Paul McWilliams posted 4 days ago

  

By Tom Toomire and Paul McWilliams.

Starting in Db2 13 for z/OS with the PTF for APAR PH59837, you can enable cross-origin resource sharing (CORS) for Db2 REST services. CORS is a protocol standard that permits a web page or application to access remote content from a different domain (or port) than the site that the web page was loaded from. You can enable Db2 REST services to use the HTTP CORS protocols, including support for the CORS "pre-flight" HTTP OPTIONS verb and the CORS HTTP request/response header fields.

For example, as shown in the following illustration, a user loads a page from the “origin” site at mynode.ibm.com. The downloaded webpage includes client-side content, such as JavaScript code, which invokes a Db2 native REST service at the site db2server.ibm.com:446. The call to the Db2 REST service triggers the CORS protocols because the Db2 REST service site is different from the “origin” site that the webpage was originally loaded from.

The configuration and management of the Db2 REST CORS origin authorization rules are implemented using a new z/OS RACF RESOURCE CLASS (DSNRAUTH) and associated RACF generic or discrete resource profiles to represent the allowed remote (origin) sites.
 
CORS origin checking is managed as a system-wide Db2 setting that is independent of the "end user" who is driving the CORS request. So, the authorization ID associated with the DDF (ssidDIST) started task address space is used for the CORS origin resource authorization check.
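To make the exchange concrete, the following added example (not IBM code and not from the Db2 documentation) models the browser side of the scenario above: it derives the `Origin` value for the page at mynode.ibm.com and builds the pre-flight OPTIONS request sent to db2server.ibm.com:446. The `https` scheme, the service path, the request headers, and the function names are assumptions made for illustration, and the header rules are a simplified subset of the Fetch standard.

```javascript
// Added example, not IBM code. Simplified subset of the Fetch standard's CORS rules.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Origin = scheme + host + port; URL.origin drops the scheme's default port.
function originOf(url) {
  return new URL(url).origin;
}

// Header names that take a request out of the "simple" category.
function unsafeHeaderNames(headers) {
  const names = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue;
    }
    names.push(n);
  }
  return names.sort();
}

// Returns null when no pre-flight is sent, otherwise the OPTIONS request
// the browser issues before the real call.
function buildPreflight(pageUrl, serviceUrl, method, headers) {
  const origin = originOf(pageUrl);
  if (origin === originOf(serviceUrl)) return null; // same origin: CORS not involved
  const unsafe = unsafeHeaderNames(headers);
  if (SAFE_METHODS.has(method.toUpperCase()) && unsafe.length === 0) return null;
  const preflight = {
    method: "OPTIONS",
    url: serviceUrl,
    headers: { "Origin": origin, "Access-Control-Request-Method": method.toUpperCase() },
  };
  if (unsafe.length > 0) {
    preflight.headers["Access-Control-Request-Headers"] = unsafe.join(",");
  }
  return preflight;
}

// Constructed sample: page from the article's origin site calling the Db2 REST site.
const sample = buildPreflight(
  "https://mynode.ibm.com/app/index.html",                       // scheme and path assumed
  "https://db2server.ibm.com:446/services/EXAMPLE/placeholder",  // path is a placeholder
  "POST",
  { "Content-Type": "application/json", "Authorization": "Basic <redacted>" }
);
console.log(sample);
```

A port difference alone makes the request cross-origin, so a page served from db2server.ibm.com on the default HTTPS port is still a different origin from db2server.ibm.com:446.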
 
If you want to use the REST CORS functionality before the availability of the RACF module ICHRRCDX update that delivers the new DSNRAUTH class definition, your z/OS RACF security administrator can temporarily create the DSNRAUTH class using the RACF dynamic class descriptor table (CDT) support. For more information, see Creating a temporary DSNRAUTH class by using the RACF dynamic class descriptor table. It is expected that you will remove any temporary DSNRAUTH CDT definition when the RACF module ICHRRCDX update is available to deliver the formal DSNRAUTH class.
 
For more information, see the following topics in the Db2 product documentation: 
