(DOCSP-11336): Handle ca certificate for digest transport (#173)

* (DOCSP-11336): Handle ca certificate for digest transport

* (DOCSP-11336): tech review feedback

Author: jwilliams-mongo

source/configure/configuration-file.txt

@@ -60,12 +60,17 @@ the following settings:
 - A project ID
 
 The ``myOpsManager`` profile connects to an |onprem| deployment and
-contains contains the following settings:
-
-- The |onprem| base |url|
-- An organization ID
-- |api| keys
-- A project ID
+contains the following settings:
+
+- The |onprem| base |url|.
+- An organization ID.
+- |api| keys.
+- A project ID.
+- **Optional** The full path on your local system to the PEM-encoded
+  Certificate Authority (CA) certificate used to sign the client and
+  |onprem| TLS certificates
+- **Optional** Flag indicating whether the CA TLS certificate is
+  verified.
 
 .. code-block:: text
    :copyable: false
@@ -80,6 +85,8 @@ contains contains the following settings:
      service = "cloud"
 
    [myOpsManager]
+     ops_manager_ca_certificate = /etc/ssl/certs/ca.pem
+     ops_manager_skip_verify = no
      ops_manager_url = "http://localhost:9080/"
      organization_id = "jklsa23123dsdf3jj456hs2"
      public_api_key = "HIJKLMN"

source/configure/environment-variables.txt

@@ -77,3 +77,19 @@ The {+mcli+} supports the following environment variables:
 
           * - ``ops-manager``
             - |mms-full|
+
+   * - ``MCLI_OPS_MANAGER_CA_CERTIFICATE``
+     - **|onprem| only** If applicable, the full path on your local
+       system to the PEM-encoded Certificate Authority (CA) certificate
+       used to sign the client and |onprem| TLS certificates.
+
+   * - ``MCLI_OPS_MANAGER_SKIP_VERIFY``
+     - **|onprem| only** When set to ``yes``, the
+       ``MCLI_OPS_MANAGER_CA_CERTIFICATE`` TLS certificate is not
+       verified. This prevents your connections from being rejected due
+       to an invalid certificate.
+
+       .. important::
+
+          Setting ``MCLI_OPS_MANAGER_SKIP_VERIFY`` to ``yes`` is
+          insecure and is not recommended in production environments.

source/includes/admonitions/skip-verify-insecure.rst

@@ -0,0 +1,4 @@
+.. important::
+
+   Setting ``ops_manager_skip_verify`` to ``yes`` is insecure and is not
+   recommended in production environments.

source/includes/config-set-properties.rst

@@ -0,0 +1,15 @@
+- ``org_id`` - Unique identifier of an organization.
+- ``project_id`` - Unique identifier of a project.
+- ``public_api_key`` - Public key for programmatic access.
+- ``private_api_key`` - Private key for programmatic access. 
+- ``ops_manager_url`` - **|onprem| only**  |mms| base URL.
+- ``ops_manager_ca_certificate`` - **|onprem| only**
+  If applicable, the full path on your local system to the PEM-encoded
+  Certificate Authority (CA) certificate used to sign the client and
+  |onprem| TLS certificates.
+- ``ops_manager_skip_verify`` - **|onprem| only** When set to ``yes``,
+  the ``ops_manager_ca_certificate`` TLS certificate is not verified.
+  This prevents your connections from being rejected due to an invalid
+  certificate.
+
+  .. include:: /includes/admonitions/skip-verify-insecure.rst

source/reference/config/config-describe.txt

@@ -60,6 +60,8 @@ for recommended solutions.
 
    public_api_key = redacted
    service = <service-name>
+   ops_manager_ca_certificate = /etc/ssl/certs/ca.pem
+   ops_manager_skip_verify = no
    ops_manager_url = <OM-URL>
    private_api_key = redacted
    project_id = <project-ID>
@@ -87,6 +89,8 @@ The preceding command prints the following output to the terminal:
 
    public_api_key = redacted
    service = ops-manager
+   ops_manager_ca_certificate = /etc/ssl/certs/ca.pem
+   ops_manager_skip_verify = no
    ops_manager_url = http://localhost:30700
    private_api_key = redacted
    project_id = 5e84b2edf949e9007a7beac3

source/reference/mcli-config-set.txt

@@ -15,11 +15,7 @@ mongocli config set
 The ``config set`` command sets the following 
 properties in the specified profile for {+mcli+}: 
 
-- ``org_id`` - Unique identifier of an organization 
-- ``project_id`` - Unique identifier of a project
-- ``public_api_key`` - Public key for programmatic access 
-- ``private_api_key`` - Private key for programmatic access 
-- ``ops_manager_url`` - |mms| base URL for |onprem| only
+.. include:: /includes/config-set-properties.rst
 
 You can set also set these properties by directly editing the 
 :ref:`mcli-config-file` or by setting the :ref:`environment 
@@ -62,13 +58,7 @@ Options
      - Property to set in the profile. Value 
        can be one of the following:
 
-       - ``org_id`` - Unique identifier of the organization 
-       - ``project_id`` - Unique identifier of the project
-       - ``public_api_key`` - Public key for programmatic 
-         access 
-       - ``private_api_key`` - Private key for programmatic 
-         access 
-       - ``ops_manager_url`` - |mms| base URL for |onprem| only
+       .. include:: /includes/config-set-properties.rst
 
      - yes
 
@@ -81,6 +71,9 @@ Options
        - Public |api| key for ``public_api_key``
        - Private |api| key for ``private_api_key``
        - |mms| base URL for ``ops_manager_url``
+       - Full path to the CA certificate for
+         ``ops_manager_ca_certificate``
+       - ``yes`` or ``no`` for ``ops_manager_skip_verify``
 
      - yes
 
@@ -104,7 +97,9 @@ where ``<property-name>`` can be:
 - ``project_id``
 - ``public_api_key``
 - ``private_api_key``
-- ``ops_manager_url`` 
+- ``ops_manager_url``
+- ``ops_manager_ca_certificate``
+- ``ops_manager_skip_verify``
 
 .. _config-set-examples: 
 
@@ -200,3 +195,43 @@ The previous command prints the following to the terminal:
    :copyable: false
 
    Updated prop 'private_api_key'
+
+Set Custom CA Certificate File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following example uses the ``mongocli config set`` command to 
+set a custom CA certificate file for |onprem| in a profile named
+``egOMprofile``.
+
+.. code-block:: sh
+   :copyable: false
+
+   mongocli config set ops_manager_ca_certificate  /etc/ssl/certs/ca.pem -p egOMprofile
+
+The previous command prints the following to the terminal:
+
+.. code-block:: sh 
+   :copyable: false
+
+   Updated property 'ops_manager_ca_certificate'
+
+Set Certificate Verification
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following example uses the ``mongocli config set`` command to 
+skip TLS certificate verification for |onprem| in a profile named
+``egOMprofile``.
+
+.. include:: /includes/admonitions/skip-verify-insecure.rst
+
+.. code-block:: sh
+   :copyable: false
+
+   mongocli config set ops_manager_skip_verify yes -p egOMprofile
+
+The previous command prints the following to the terminal:
+
+.. code-block:: sh 
+   :copyable: false
+
+   Updated property 'ops_manager_skip_verify'