Securing application servers

Speech Suite solutions require application servers to provide runtime resources. In the case of Dragon Voice resources this means fetching nuance_package.json files, NLE semantic models, domain language models (DLMs), and grammars from application servers. When a VoiceXML application fetches these resources over https, the Krypton service needs to authenticate the application server host that supplies them.

Ignore this topic when:

  • The CA that issued the application server's certificate is the same authority that issued the other Speech Suite certificates. In that case you don't need to explicitly secure the application server, because you have already provided that CA certificate in the configuration (CA.crt in our examples).
  • The rejectUnauthorized property is disabled. This topic assumes that rejectUnauthorized is enabled, so that all Dragon Voice services use secure connections across all hosts in the Speech Suite network.

To set up a secure connection for an application server:

  1. Acquire the application server's certificate.
  2. Add the application server certificate to the Krypton configuration (on every Speech Suite host that runs Krypton): httpClient : caCertificates.
  3. Add the certificate to the keystore on every host where the NLP service and NLE service run.
  4. On the NLP service, set the httpClient.metadata.trustAll parameter to False.
  5. On the NLE service, set the resource.download.ssl.certificateVerificationEnabled parameter to True.

The procedures below show examples, but they are not the only way to accomplish the objective. You can use any tool or command that produces the same result.

Acquiring the appserver certificate

This example acquires a certificate from a remote host (myServerHost:myPort), and saves it to a local file in PEM format (myhttpserver.crt):

# openssl s_client -showcerts -connect myServerHost:myPort </dev/null 2>/dev/null | openssl x509 -outform PEM > myhttpserver.crt
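The openssl command above trusts whatever certificate the remote host presents. The following added script (not part of the Speech Suite documentation or product) fetches the certificate the same way, compares its SHA-256 fingerprint against a value you obtained out of band from the application server's administrator, and then confirms that a strict TLS connection (the equivalent of rejectUnauthorized / certificateVerificationEnabled) succeeds using only the saved PEM file. The host, port, expected fingerprint and output path are command-line arguments and are assumptions for illustration.

```python
"""Acquire an application-server certificate, pin-check it, and verify it
enforces strictly. Added example; not Nuance code."""
import hashlib
import socket
import ssl
import sys


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes as upper-case colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(pem_text: str) -> str:
    """Fingerprint of a PEM certificate (same digest keytool prints as SHA256)."""
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem_text))


def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare fingerprints ignoring colons, spaces and letter case."""
    norm = lambda s: s.replace(":", "").replace(" ", "").upper()
    return norm(seen) == norm(expected)


def server_verifies_with(host: str, port: int, pem_path: str) -> bool:
    """True if a strict TLS handshake (CERT_REQUIRED + hostname check) succeeds
    when pem_path is the only trusted certificate. PARTIAL_CHAIN lets a
    CA-signed leaf (not just a self-signed cert) act as the trust anchor."""
    ctx = ssl.create_default_context(cafile=pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):  # Python 3.10+
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    # usage: script.py myServerHost myPort <expected-sha256> myhttpserver.crt
    host, port, expected, out_path = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    pem = ssl.get_server_certificate((host, port))
    seen = fingerprint_of_pem(pem)
    if not fingerprints_match(seen, expected):
        sys.exit(f"fingerprint mismatch: got {seen}, expected {expected}; not saving")
    with open(out_path, "w") as fh:
        fh.write(pem)
    print("strict verification with saved PEM:", server_verifies_with(host, port, out_path))
```

Run it with the fingerprint the server's administrator gave you; if the second check prints False for a CA-signed certificate, import the issuing CA instead of the leaf.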

Adding the certificate to the NLP service keystore

Copy the application server certificate to every Speech Suite host that runs the NLP service, and add it to the keystore.

This example adds the certificate to the NLP service keystore (as set up in Creating PKCS12 keystores).

# keytool -importcert -file myhttpserver.crt -keystore caSigned.p12 -alias myhttpserver
Enter keystore password: caSignedP12
Owner: CN=myhttpserver, O=Default Company Ltd, L=Default City, C=XX
Issuer: CN=myhttpserver, O=Default Company Ltd, L=Default City, C=XX
Serial number: b71f6f5933cc5448
Valid from: Wed Mar 13 09:55:06 EDT 2019 until: Thu Mar 12 09:55:06 EDT 2020
Certificate fingerprints:
MD5:  A9:2F:42:3C:0D:42:62:F3:CE:27:4D:E5:41:0B:58:11
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

Note: The alias can be any value that is unique within the keystore.