3

I setup z/OSMF and I am receiving this error when attempting to access the url https://my.zos.com/zosmf/restjobs/jobs.

{ "errorID":"IZUG846W","errorMsg":"IZUG846W: An HTTP request for a z/OSMF REST service was received from a remote site. The request was rejected, however, because the remote site \"\" is not permitted to z/OSMF server \"IZUSVR\" on target system \"my.zos.com\" ."}

The error message does not provide sufficient information to identify the root cause. Has someone else hit this issue?

Hogstrom
  • 1,587

3 Answers

4

It is preferable, and I believe it is the default, to keep CSRF_SWITCH(ON), which requires a whitelist to be set up so that only hosts in the whitelist can originate requests.

The whitelist is a RACF ZMFAPLA resource class profile of the form IZUDFLT.ZOSMF.REST.<zosmf-service>.<reversed-host-name>. All such profiles must be defined with UACC(NONE) and permit READ access to the server's ID (default is IZUSVR).

An example profile, IZUDFLT.ZOSMF.REST.*.com.whoa.test.myserver, will allow inbound cross-origin requests from the host name myserver.test.whoa.com. Same-origin requests, such as those from a web browser that is accessing the z/OSMF host directly, are not subject to CSRF protection.

Hogstrom
  • 1,587
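As an added example (not code from the answers or from IBM), the following Python builds the ZMFAPLA profile name and the RACF commands for a remote host as the answer above describes, checks an origin against a list of defined profiles, and pulls the rejected remote site out of the IZUG846W body shown in the question. The helper names are hypothetical, and the profile match is a simplification in which `*` stands for exactly one qualifier.

```python
import json
import re

PREFIX = "IZUDFLT.ZOSMF.REST"   # profile prefix given in the answer above
SERVER_ID = "IZUSVR"            # default z/OSMF server ID

# Constructed copy of the error body from the question (the remote site is empty).
SAMPLE_ERROR = (r'{"errorID":"IZUG846W","errorMsg":"IZUG846W: An HTTP request for a '
                r'z/OSMF REST service was received from a remote site. The request was '
                r'rejected, however, because the remote site \"\" is not permitted to '
                r'z/OSMF server \"IZUSVR\" on target system \"my.zos.com\" ."}')

def profile_for_origin(hostname, service="*"):
    """ZMFAPLA profile name for a remote host: the host name is reversed
    qualifier by qualifier (myserver.test.whoa.com -> com.whoa.test.myserver)."""
    reversed_host = ".".join(reversed(hostname.strip(".").split(".")))
    return f"{PREFIX}.{service}.{reversed_host}"

def racf_commands(profile, server_id=SERVER_ID):
    """RACF commands that define the profile with UACC(NONE), permit READ to the
    server ID and refresh the in-storage ZMFAPLA profiles."""
    return [
        f"RDEFINE ZMFAPLA {profile} UACC(NONE)",
        f"PERMIT {profile} CLASS(ZMFAPLA) ID({server_id}) ACCESS(READ)",
        "SETROPTS RACLIST(ZMFAPLA) REFRESH",
    ]

def origin_allowed(profiles, hostname, service):
    """Simplified whitelist check (assumption: '*' matches exactly one qualifier;
    real RACF generic profile matching is richer than this)."""
    wanted = profile_for_origin(hostname, service).split(".")
    for prof in profiles:
        parts = prof.split(".")
        if len(parts) == len(wanted) and all(
                p == "*" or p == w for p, w in zip(parts, wanted)):
            return True
    return False

def parse_rejection(body):
    """Return the remote site named in an IZUG846W body (may be the empty string,
    as in the question), or None if the body is some other error."""
    msg = json.loads(body)
    if msg.get("errorID") != "IZUG846W":
        return None
    m = re.search(r'remote site "([^"]*)" is not permitted', msg.get("errorMsg", ""))
    return m.group(1) if m else ""
```

An empty rejected site, as in the question, means the request carried no usable origin host to look up, so there is nothing yet to add to the whitelist.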
4

If you are generating the REST request yourself you can add the header X-CSRF-ZOSMF-HEADER with any value to get around this. Firefox Postman, for example, lets you add the header; I've got a picture of before and after in Postman.

Another good way to deal with a fussy z/OSMF server is to drive the API through curl:

curl -k -H "X-CSRF-ZOSMF-HEADER: dummy" -u : https://:/zosmf/restfiles/ds?dslevel=T*

In zowe.org we provide a set of REST APIs that don't insist on the header and abstract some of the nuances of z/OSMF, as well as a command line interface, a nifty looking JES explorer and a couple of file explorers for data sets and USS files that run in a browser, so if you've got a moment swing by zowe.org and let us know if it helps at all.

Cheers,

Joe

1

By default z/OSMF is configured in a secure mode so as not to open up an accidental security hole. The message provided indicates that the remote system (source of the REST call) may potentially be insecure. This means that the request is denied.

One way of avoiding this issue is to modify the IZUPRMnn member that initializes z/OSMF. The parameter:

CSRF_SWITCH(ON), which is the default, can be changed to CSRF_SWITCH(OFF); this disables the cross site scripting safety mechanism.

The parameters for z/OSMF can be found here.

The specific entry for CSRF_SWITCH is included for reference below and is based on z/OS 2.3.

CSRF_SWITCH(ON|OFF)

Indicates whether Cross Site Request Forgery (CSRF) custom header checking is enabled for REST API requests. By default, CSRF_SWITCH is set to ON to ensure that your installation is protected against CSRF attacks. However, in some limited cases, such as for testing, you might choose to temporarily disable CSRF checking by setting CSRF_SWITCH=OFF. However, it is recommended that you leave this setting enabled to prevent CSRF attacks. For more information, see IBM z/OS Management Facility Programming Guide. Default: ON

More information on z/OSMF configuration can be found here.

Hogstrom
  • 1,587