Configuring Cross-Origin Resource Sharing (CORS) Whitelist

Configuring Cross-Origin Resource Sharing (CORS) Whitelist for IBM Connections.

About this task

Before you begin, verify Cross-Origin Resource Sharing.

Update the Connections Trusted Websites List


  1. To allow the file picker code to be downloaded from the integration service while still accessing the Files APIs to retrieve information about a user's files, the domain of the integration service must be allowed in the CORS.Trusted.WebSites list.
  2. Edit the LotusConnections-config.xml file, which can be found in the LotusConnections-config directory beneath the WAS cell configuration. For example, at /opt/IBM/WebSphere/AppServer/profiles/profileName/config/cells/cellName/LotusConnections-config/LotusConnections-config.xml.
  3. Locate the CORS.Trusted.WebSites property and add the host into the list, taking care not to disturb any entries that might already exist.
    <genericProperty name="CORS.Trusted.Websites">,
  4. If the Connections service is not running in the Network Deployment cells, restart the appropriate WAS node where the configuration was changed.
  5. If Connections is running in the Network Deployment cells, the configuration must be synchronized across the cluster nodes before they are restarted.

What to do next

Update the HTTP Server CORS Header Handling
  1. Edit the httpd.conf file, which can be found in the /opt/IBM/HTTPServer/conf directory. For example, at /opt/IBM/HTTPServer/conf/httpd.conf.
  2. At the end of the file add a Location stanza for the /oauth2 endpoint and add the following entries:
    <Location /oauth2>
    # Allow CORS related access control headers in requests for /oauth2
    Header unset Access-Control-Allow-Origin
    SetEnvIf Origin "^https://(cnx-slack.*)?(\.conncloudk8s\.com)$" origin_is=$0
    Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, Origin, Authorization, Accept, client-security-token"
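    # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
    # The RewriteCond limits the rule to OPTIONS (preflight) requests; without it
    # every request to /oauth2 would be answered with a 200 by the rewrite.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
    </Location>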
  3. Once the file has been updated, stop and start the HTTP server. From the /opt/IBM/HTTPServer/bin directory execute the following commands:
    sudo ./apachectl stop
    sudo ./apachectl start
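
The following added example (not part of the original procedure or of any IBM tooling) models the SetEnvIf Origin and Access-Control-Allow-Origin lines of the /oauth2 stanza in Python, so the origin pattern can be checked before the HTTP server is restarted. The sample origins and SINGLE_HOST_PATTERN are constructed assumptions; replace them with your own integration host.

```python
import re

# Pattern copied verbatim from the SetEnvIf line of the /oauth2 stanza.
PAGE_PATTERN = r"^https://(cnx-slack.*)?(\.conncloudk8s\.com)$"
# Hypothetical tighter pattern for a single integration host (an assumption).
SINGLE_HOST_PATTERN = r"^https://cnx-slack\.conncloudk8s\.com$"

# Headers the stanza sets on every response with "Header always set".
STATIC_HEADERS = {
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
    "Access-Control-Max-Age": "1000",
    "Access-Control-Allow-Headers": "x-requested-with, Content-Type, Origin, "
    "Authorization, Accept, client-security-token",
}

# Constructed sample origins, not taken from any real deployment.
SAMPLE_ORIGINS = [
    "https://cnx-slack.conncloudk8s.com",
    "https://cnx-slack-dev.conncloudk8s.com",
    "https://cnx-slack.team.conncloudk8s.com",
    "https://.conncloudk8s.com",
    "https://files.conncloudk8s.com",
    "http://cnx-slack.conncloudk8s.com",
    "https://cnx-slack.conncloudk8s.com:8443",
    "https://cnx-slack.conncloudk8s.com.example.net",
]


def cors_headers(origin, pattern=PAGE_PATTERN):
    """Model the stanza: static headers always, Allow-Origin only on a match."""
    headers = dict(STATIC_HEADERS)
    # SetEnvIf stores the whole match ($0) in origin_is; the Header line with
    # env=origin_is echoes it back. With no match the header is not sent.
    match = re.search(pattern, origin or "")
    if match:
        headers["Access-Control-Allow-Origin"] = match.group(0)
    return headers


def audit(origins, pattern=PAGE_PATTERN):
    """Map each origin to True if the stanza would reflect it back."""
    return {o: "Access-Control-Allow-Origin" in cors_headers(o, pattern)
            for o in origins}


if __name__ == "__main__":
    strict = audit(SAMPLE_ORIGINS, SINGLE_HOST_PATTERN)
    for origin, reflected in audit(SAMPLE_ORIGINS).items():
        print(f"{origin:50} page={reflected!s:5} single-host={strict[origin]}")
```

Run against the constructed samples, the pattern from the stanza accepts any https origin whose host begins with cnx-slack and ends in .conncloudk8s.com, and also https://.conncloudk8s.com because the first group is optional; the single-host pattern accepts only the one exact origin.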