open-horizon/SDO-support

Support native TLS in SDO OCS-API

Closed this issue · 1 comment

Use the agbot and CSS as examples of doing this in a Go REST API. See https://github.com/open-horizon/anax/blob/8b53c01149421b7f7d8534a58dcaff03b1a728d5/agreementbot/secure_api.go#L164 . It is just a matter of:

```sh
# Self-signed certificate and key for the OCS-API. The SAN must match what clients
# connect to: keep DNS:<name> for a host name, use IP:<addr> when <IP> is a bare address.
openssl req -newkey rsa:4096 -nodes -sha256 -x509 -keyout sdoapi.key -days 365 -out sdoapi.crt -subj "/C=US/ST=NY/L=New York/O=sdo@somecomp.com/CN=<IP>" -extensions san -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=DNS:<IP>')
# Make the key readable by the container user that runs the OCS-API
chmod +r sdoapi.key
```
  • New env var for the ocs-api https port: SDO_OCS_API_TLS_PORT (defaults to the value of SDO_OCS_API_PORT)
  • If the certificate and key files are present, call http.ListenAndServeTLS(listenHostAndPort, certFile, keyFile) instead of http.ListenAndServe(listenHostAndPort, certFile, keyFile)
  • Test full sdo process with https
  • Give devops details of what needs to be passed to sdo-owner-services:
    • Note: TLS is only supported for the OCS-API. The other ports that the Intel SDO code listens on will continue to use HTTP.
    • Mount the directory containing sdoapi.crt and sdoapi.key onto container path /home/sdouser/ocs-api-dir/keys
    • (You can change the port that it listens to for TLS by setting SDO_OCS_API_TLS_PORT, but that is not necessary. It will default to SDO_OCS_API_PORT, which will default to 9008.)
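
The decision the bullets above describe, written out as an added Go example (not code from SDO-support or anax): resolve the port chain SDO_OCS_API_TLS_PORT -> SDO_OCS_API_PORT -> 9008, serve TLS only when both sdoapi.crt and sdoapi.key are present in the keys directory, and call ListenAndServeTLS or ListenAndServe accordingly. The injected getenv parameter and the TLS MinVersion setting are this example's own choices, not something the issue specifies.

```go
package main

import (
	"crypto/tls"
	"net/http"
	"os"
	"path/filepath"
)

// From the issue: the container path where sdoapi.crt/sdoapi.key are mounted,
// and the port that SDO_OCS_API_PORT falls back to.
const keyDir, defaultPort = "/home/sdouser/ocs-api-dir/keys", "9008"

// ListenConfig is the outcome of the HTTP-vs-HTTPS decision.
type ListenConfig struct {
	Addr, CertFile, KeyFile string // CertFile/KeyFile stay empty for plain HTTP
	TLS                     bool
}

// ResolveListenConfig applies the issue's rules: TLS only when BOTH files exist
// in dir; port chain SDO_OCS_API_TLS_PORT -> SDO_OCS_API_PORT -> 9008.
// getenv is injected (assumption of this example) so the logic is testable.
func ResolveListenConfig(dir string, getenv func(string) string) ListenConfig {
	envOr := func(name, fallback string) string { // env var, or fallback if unset/empty
		if v := getenv(name); v != "" {
			return v
		}
		return fallback
	}
	httpPort := envOr("SDO_OCS_API_PORT", defaultPort)
	cert, key := filepath.Join(dir, "sdoapi.crt"), filepath.Join(dir, "sdoapi.key")
	for _, f := range []string{cert, key} {
		if _, err := os.Stat(f); err != nil {
			return ListenConfig{Addr: ":" + httpPort} // cert or key missing: keep HTTP
		}
	}
	tlsPort := envOr("SDO_OCS_API_TLS_PORT", httpPort)
	return ListenConfig{Addr: ":" + tlsPort, CertFile: cert, KeyFile: key, TLS: true}
}

// Serve calls ListenAndServeTLS or ListenAndServe based on the resolved config.
// MinVersion refuses TLS 1.0/1.1 clients (a hardening choice, not from the issue).
func Serve(cfg ListenConfig, h http.Handler) error {
	srv := &http.Server{Addr: cfg.Addr, Handler: h, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	if cfg.TLS {
		return srv.ListenAndServeTLS(cfg.CertFile, cfg.KeyFile)
	}
	return srv.ListenAndServe()
}
```

In the real server the call is `Serve(ResolveListenConfig(keyDir, os.Getenv), mux)`; the mounted directory path is the one the issue names for sdo-owner-services.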

Tested by all-in-1 environment and IBM product based on Horizon