Encrypting private keys of Dragon Voice engines

Note: This procedure is for Dragon Voice users. Ignore it if not using Dragon Voice.

When setting up secure connections, you must encrypt (obfuscate) the password phrase of the private keys. The procedure varies for each component. For an overview, see Securing connections with SSL/TLS.

Obfuscating Krypton engine, Resource Manager, and NTpE keys

Note: This procedure uses one encrypted password for the relevant passphrase properties. Alternatively, you can create a different encrypted password for each property.

To obfuscate the password/phrase for Krypton, Nuance Resource Manager, and NTpE, use the command line.

  • On Windows, run the commands from a Windows command prompt. Do not use Cygwin.
  • Do not copy and paste the password at the "Password: " prompt. You must type it manually. Otherwise, the command returns an invalid obfuscation string.

This procedure creates a single, encrypted password for all these services. It is not necessary to have different passwords for each service. Follow these steps:

  1. Stop all Speech Suite services on the host.

  2. Log in to the host and run one of these commands. (These services use the same obfuscation methodology: you can encrypt passwords for any service from any of these locations. It is not necessary to execute scripts at locations that match the service types.)

    Service            Script command and argument
    Krypton            Linux: $KR_HOME/bin/nrm obfuscate
                       Windows: %KR_HOME%\bin\nrm.exe obfuscate
    Resource Manager   Linux: $NRM_HOME/bin/nrm obfuscate
                       Windows: %NRM_HOME%\bin\nrm.exe obfuscate
    NTpE               Linux: $TEXTPROC_HOME/bin/nrm obfuscate
                       Windows: %TEXTPROC_HOME%\bin\nrm.exe obfuscate

  3. When the script prompts for a password, enter the caSigned password for the service. The script does not echo the data, but it returns the obfuscated string and a status code:
    Password: my_password
    4fea21b2fb7d2116d8b48fb8a189616e
    2019-11-18 16:18:03,894—status: Process is exiting with code 0

    For example, using the Krypton obfuscation script:

    # cd $KR_HOME
    # ./startEngine.sh obfuscate
    Password: my_password
    4fea21b2fb7d2116d8b48fb8a189616e
    2019-11-18 16:18:03,894—status: Process is exiting with code 0
  4. Copy the encrypted output, and use the value to set the following properties.

    For Krypton, set https : passphrase and httpClient : passphrase.

    For NTpE, set https : passphrase.

    For Resource Manager, set https : passphrase.

  5. Start all services.

Obfuscating NLE keys

To obfuscate the password/phrase for NLE, use the command line:

  1. Stop all Speech Suite services on the host.

  2. Log in to the host and enter this command:

    • Linux: $NLE_HOME/bin/encrypt_properties.sh nlepassword
    • Windows: %NLE_HOME%\bin\encrypt_properties.bat nlepassword

    For example, you can change directory to the bin location and enter:

    # ./encrypt_properties.sh nlepassword
    ptanG58LMzxaUlUnVj7XHFCC9wdj3mKT

    Where:

    • nlepassword is the caSigned passphrase to be encrypted
    • ptanG58LMzxaUlUnVj7XHFCC9wdj3mKT is the encrypted output
  3. Copy the encrypted output and set https.keyStorePassword by pasting the value (enclosed in parentheses and preceded by ENC). For example:
    ENC(ptanG58LMzxaUlUnVj7XHFCC9wdj3mKT)
  4. Enable the rm.hostNameVerificationEnabled and ntpe.hostNameVerificationEnabled parameters.
  5. Start all services.

Obfuscating NLP service keys

Note: This procedure uses one encrypted password for the relevant passphrase properties. Alternatively, you can create a different encrypted password for each property.

To obfuscate the password/phrase for the NLP service, use the command line:

  1. Stop all Speech Suite services on the host.

  2. Log in to the host and enter this command:

    Linux: java -jar $NLPS_HOME/lib/nlps.jar encrypt

    Windows: java -jar %NLPS_HOME%\lib\nlps.jar encrypt

  3. In response, the command prompts for a password. When you enter the caSigned.p12 keystore password for the service, the command returns the obfuscated string:

    password? myPassword
    50348e1a2de57527d48fb38bd77d56aa

  4. Copy the encrypted output, and set these properties by pasting the value (enclosed in parentheses and preceded by ENC).

    server.ssl.keystore-password

    httpClient.keystorePassword

    httpClient.truststorePassword

  5. Start all services.

To decrypt a password, run the same command with the decrypt argument, and enter the encrypted password string:

java -jar nlps.jar decrypt

password? myEncryptedPassword
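
A pre-start check for the NLE and NLP steps above that set passphrase properties to an ENC(...) value, as an added example that is not part of the vendor documentation or product: it reports any of those properties left unwrapped, without printing the value. The flat key=value file layout, the function name check_enc_props and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes a flat properties file:
# one "key=value" or "key: value" per line, "#" for comments.

# Passphrase properties that the NLE and NLP procedures set to ENC(...).
ENC_PROPS="https.keyStorePassword server.ssl.keystore-password
httpClient.keystorePassword httpClient.truststorePassword"

# check_enc_props FILE
# Prints "property: reason" for each listed property present in FILE whose
# value is not a non-empty ENC(...) wrapper. Never prints the value itself.
# Returns 0 if clean, 1 if any problem was found, 2 if FILE is unreadable.
check_enc_props() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    bad=0
    for prop in $ENC_PROPS; do
        key=$(printf '%s' "$prop" | sed 's/\./\\./g')   # escape dots for grep
        # Last assignment wins, as in java.util.Properties.
        line=$(grep -E "^[[:space:]]*${key}[[:space:]]*[=:]" "$file" | tail -n 1)
        [ -n "$line" ] || continue                      # property not in this file
        value=$(printf '%s\n' "$line" |
                sed -E 's/^[^=:]*[=:][[:space:]]*//; s/[[:space:]]+$//')
        case $value in
            '')          echo "$prop: no value set"; bad=1 ;;
            'ENC()')     echo "$prop: empty ENC() wrapper"; bad=1 ;;
            'ENC('*')')  ;;                             # wrapped value, accepted
            *)           echo "$prop: value is not wrapped in ENC(...)"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample: one wrapped value, one passphrase left in plaintext.
sample=$(mktemp)
printf '%s\n' \
    'server.ssl.keystore-password=ENC(50348e1a2de57527d48fb38bd77d56aa)' \
    'httpClient.keystorePassword = myPassword' > "$sample"
check_enc_props "$sample" || echo "fix the properties above before starting services"
rm -f "$sample"
```

Run it against each service's configuration file after pasting the obfuscated strings and before the final "Start all services" step.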