IBM i Global

 View Only
Expand all | Collapse all

IBM i REST API with CORS validation

  • 1.  IBM i REST API with CORS validation

    Posted Fri March 25, 2022 01:22 PM
    I have an open support case with IBM, but I am not getting anywhere with the tech so any help would be appreciated. 

    I want to provide an REST API interface using my IBM i to a couple of different websites. These websites run on different servers and are not a part of the IBM i. So with that in mind I have no problems when using Postman or something similar to access the API, but when using a browser I run into the dreaded CORS security validation. 

    I have looked through dozens of IBM support docs, websites, etc... but I can't find a solution. IBM has made me very aware that the problem is the IWS server runs on top of another Apache server and is the reason my apache config changes don't work. However, they haven't yet been able to tell me how to correct it. I can't believe that an application server built specifically for delivering REST and SOAP APIs wouldn't support websites, mobile apps or anything else that might use CORS. So I am really hoping that I have just missed the correct configuration and it is possible. 

    Jeremy Bowling

  • 2.  RE: IBM i REST API with CORS validation

    Posted Sat March 26, 2022 06:08 AM
    I don't get the flow. IIUC, you have created a REST API that runs on the IBM i, and the underlying program reaches out to other websites.

    Then you have some javascript on the browser that calls your API. Does that first call get blocked or is it blocked later? 

    If it is the first call, then you have to understand the CORS dance (called pre-flight-check). I'm not sure if I understand it completely but the gist is this:

    * When a browser makes a POST call to another domain it is deemed CROSS ORIGIN
    * Before the actual POST call, an OPTIONS call is made by the browser. (it is the browser that is worried, postman, CURL, etc.., don't care)
    * The OPTIONS call must therefore be implemented by your REST API
    * The OPTIONS call does nothing but authorizes the upcoming POST (by adding the cross-origin headers)
    * If the browser sees a valid return from the OPTIONS call the POST call is made. Otherwise, it throws the CORS exception

    So in short, you have to implement the OPTIONS call in your API, check the origin (if required), and, if OK, add the cors headers.


    Wim Jongman
    Remain Software
    IBM i Devops / MiWorkplace / Enterprise Wide Cross Reference / OpenAPI Studio for RPG Free

    Wim Jongman

  • 3.  RE: IBM i REST API with CORS validation

    Posted Sun March 27, 2022 09:21 PM
    Please check if these articles help with your case or not:

    Fixing Common Problems with CORS and JavaScript

    CORS Tutorial: A Guide to Cross-Origin Resource Sharing

    Satid Singkorapoom

  • 4.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Mon March 28, 2022 10:36 AM

    If you are actually using IWS then I am not surprised that you are having issues when you need to go "outside the box".

    IWS is designed to provide a simple wizard type interface to permit SQL statements or conventional programs/service programs to be deployed as web services. It is not a full function tool with the kind of additional hooks it sounds like you need. All the "plumbing" is under the covers.

    Sounds to me like you need one of the API toolkits provided by software vendors like Remain, Profound Logic, Eradani or Midrange just to name a few. Either that or write the code yourself using the raw APIs or one of the open source web service toolkits.

    Jon Paris

  • 5.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Mon March 28, 2022 10:50 AM
    Have you tried the options specified at the following URL?

    Have you considered making your API calls from the back-end program instead of calling them from the browser?

    Have you considered setting up a reverse proxy on the origin server instead of making a cross-origin call?

    Scott Klement
    Profound Logic Software
    Oak Creek WI

  • 6.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Tue March 29, 2022 11:09 PM
    Edited by Aaron Magid Tue March 29, 2022 11:11 PM
    Hi Jeremy,
    Echoing what Jon said, the IWS system is designed to make simple apis very quickly, so if you want to move into mature api systems with customizations, I'd recommend looking at more industry standard tools.
    As Scott mentioned, one common option is to set up a reverse proxy server in front of your IWS apis. Usually I use NginX for that kind of setup. NginX is an extremely popular open source web server which is available in PASE through the open source package management.
    If I'm understanding you correctly, it sounds like you just want to open your apis to clients from any domain. In that case, the nginx configuration is pretty simple. You'd need something roughly like this:
    server {
        listen 4000;
        add_header "Access-Control-Allow-Origin" "*";
        location / {
    That configuration will create a new webserver listening on port 4000 on your IBM i. Any calls going to that server will be redirected to your iws apis thanks to the location directive, and an additional header will be added to the responses. The Access-Control-Allow-Origin header will specify that requests should be allowed from any origin, so you shouldn't get cors errors anymore.
    If you need a more specific configuration to only allow specific sites or allow based on logic, you can do that too with a slightly more complex configuration.
    This would require a change in your api flow - api clients would call to your NginX server and it would pass the calls onto IWS, rather than clients calling IWS directly.

    This kind of setup has become (in my experience) the dominant architecture in the Node.js world.

    Let me know if you have any questions.

    Aaron Magid
    VP, Open Source Technologies

  • 7.  RE: IBM i REST API with CORS validation

    Posted Mon April 04, 2022 10:09 AM
    I am trying to make a simple API call to the IBM i from another website. You are correct about the options call, but apparently IBM didn't think an API needed to be called from another server so they didn't add that functionality. 

    Thanks for the info, but I am already familiar with CORS. The problem is the IBM i IWS engineers apparently weren't.

    How is it possible to have a API server that doesn't support API calls from another server or domain? That's like having a car with no wheels, but it looks like that is what IBM built. Thanks for the heads up on the other solutions. 

    Yes the options specified in the URL provided don't work. Why have APIs if you can't call them from the web? If I am going to access data directly from the back-end program, I would just skip the API call all together. I am looking into the reverse proxy scenario. 

    Thanks for the info, but the reason I have an IBM i is because I don't want to manage a bunch of different solutions. Also adding another layer seems like a performance hit to me. 

    Jeremy Bowling

  • 8.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Mon April 04, 2022 11:11 AM

    "How is it possible to have a API server that doesn't support API calls from another server or domain? That's like having a car with no wheels, but it looks like that is what IBM built. Thanks for the heads up on the other solutions. "


    I think you have missed the point of IWS. It was never intended as a full blown API server. It had one primary purpose. To provide a simple, wizard driven, method of deploying a conventional RPG (or COBOL or ...) program/Service Program procedure as a web service. Period. It was aimed at the masses of IBM i developers who had no idea how to develop web services and to give them a quick and easy way to get started. In this regard it has done a good job and many thousands of such services have been deployed that way. Sure it is missing features - and more will be added over time as users become more sophisticated. But to critique it in the way that you have is rather like critiquing a bicycle for not being able to take you to the moon. As I pointed out there are many alternatives both open source and third partly and many folks are using them. 

    P.S. In our System i Developer Lunch & Learn series (which continues tomorrow with a session from Remain (one of the API deployment tool vendors) and you can also see the recordings of sessions from many of the other vendors in this space including folks such as Eradani and Profound who have both responded in this thread.  See

    Jon Paris

  • 9.  RE: IBM i REST API with CORS validation

    Posted Mon April 04, 2022 11:26 AM
    From the front page of the IWS website:
    "In today's increasingly interconnected world, application programming interfaces (APIs) are becoming the digital reflection of an organization. Whether you call it web APIs or web services, getting started on IBM i is easier than ever with the Integrated Web Services for i."

    A web service and an API is basically the same thing. Even IBM acknowledges that. So explain to me how a "web" service isn't designed to work over the web?

    Jeremy Bowling

  • 10.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Mon April 04, 2022 12:10 PM

    It does work over the web. Try this:  (values such as 01, 02 etc can be used.) That is a simple implementation an RPG program deployed via IWS. 

    Similarly this one is a deployment of a simple SQL statement.

    Both will work for a few hours and then I'll be shutting the server down.

    Don't mis-understand me. There is a lot I don't like about IWS, but as the text you quoted says "...getting started on IBM i is easier than ever ..." and with IWS it is. But is not to my mind the end point nor as far as I know did IBM ever intend to to be.

    In this arena IBM is far more focussed these days on OS tooling be it in PHP, Python, node.js, Java (which is what IWS is under the covers).

    Jon Paris

  • 11.  RE: IBM i REST API with CORS validation

    Posted Tue October 11, 2022 09:54 PM
    Dear Jeremy

    While studying a presentation on the new IBM i 7.5 TR1 and 7.4 TR7 enhancements today, I notice that these new TRs deliver CORS support for IWS which should be what you need.  Details of CORS support in IWS is here :

    There is also another new support delivery for IWS HTTP Strict Transport Security (HSTS) that may interest you as well :

    At the end of these IBM i Technotes, there is an indication that IBM i 7.3 also gets these enhancements by the latest HTTP Group PTFs  V7R3M0 SF99722 Level 40.

    Hope this is a good news for you.

    Right action is better than knowledge; but in order to do what is right, we must know what is right.
    -- Charlemagne

    Satid Singkorapoom

  • 12.  RE: IBM i REST API with CORS validation

    Posted Wed October 12, 2022 08:36 AM

    Understanding the concepts of CORS is also essential, so I wrote a blog explaining it to RPG programmers.



    Have fun reading it.


    Best regards,


    Wim Jongman, CTO





    Embrace Change. Remain In Control.


    See our video to learn more about Remain.




  • 13.  RE: IBM i REST API with CORS validation

    Posted Wed October 12, 2022 09:21 AM
    Thank you Satid, 

    Unfortunately the project I was working on was migrated over to another database system. I will read over this and keep it in mind for future projects. I am glad IBM was able to add this support and fulfilled the enhancement request I submitted. I think this makes the IBM i a much more capable API server. 

    Thank you,
    Jeremy Bowling

    Jeremy Bowling