4.3.0 policy-handler - tls to policy-engine

- tls to policy-engine
- tls on web-socket to policy-engine
- tls to deployment-handler
- no tls on the web-server side
  = that is internal API
  = will add TLS in R4

- policy-handler expecting the deployment process
  to mount certs at /opt/app/policy_handler/etc/tls/certs/
- blueprint for policy-handler will be updated to contain
  cert_directory : /opt/app/policy_handler/etc/tls/certs/

- the matching local etc/config.json has new part tls with:
  = cert_directory : etc/tls/certs/
  = cacert : cacert.pem

- new optional fields tls_ca_mode in config on consul that
  specify where to find the cacert.pem for tls per each https/web-socket
    values are:
    "cert_directory" - use the cacert.pem stored locally in cert_directory
                       this is the default if cacert.pem file is found
    "os_ca_bundle"   - use the public ca_bundle provided by linux system.
                       this is the default if cacert.pem file not found
    "do_not_verify"  - special hack to turn off the verification by cacert
                       and hostname
- config on consul now has 2 new fields for policy_engine
  = "tls_ca_mode" : "cert_directory"
  = "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
  = "tls_ca_mode" : "cert_directory"

- removed customization for verify -- it is now a built-in feature

Change-Id: Ibe9120504ed6036d1ed4c84ff4cd8ad1d9e80f17
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611

1 files changed, 5 insertions, 1 deletions

diff --git a/etc/config.json b/etc/config.json
index e54569b..aa24419 100644
--- a/etc/config.json
+++ b/etc/config.json
@@ -1,7 +1,11 @@
 {
     "wservice_port" : 25577,
     "policy_handler" : {
-        "system" : "policy_handler"
+        "system" : "policy_handler",
+        "tls" : {
+            "cert_directory" : "etc/tls/certs/",
+            "cacert" : "cacert.pem"
+        }
     },
     "logging" : {
         "version": 1,