Configuring authentication on services
Note: This procedure is for Dragon Voice users. Ignore it if not using Dragon Voice.
When setting up secure connections, you must configure each service. For an overview of the whole procedure, see Securing connections with SSL/TLS.
This topic shows the complete security configuration of Dragon Voice services, and assumes the following:
- You intend to use CA-signed certificates, and have already acquired them.
- You have already copied your certificates to their locations using the example filenames (if you used different names or locations, make the appropriate substitutions below). See Copying certificates and keys.
- You want to use reciprocal authentication with clients and services authenticating each other in both directions. (This is the purpose of the requestCert and rejectUnauthorized properties.)
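Before wiring the acquired certificates into any service, confirm that the material actually satisfies the assumptions above: the private key belongs to the certificate, the certificate chains to the issuing CA, and the name in it is the one clients will verify. The following Python script is an added example (not Nuance code and not part of this topic) that performs those checks by driving the openssl command line, which must be installed. It also mints a throwaway private CA and a CA-signed service certificate so the checks can run offline; that stands in for the certificates you acquired from your own CA. The file names, the host name krypton.example.internal and the passphrase are constructed for the example.

```python
"""Pre-flight checks on CA-signed certificate material before it is wired into
the Dragon Voice services.  Added example, not Nuance code.  Drives the
openssl command line via subprocess; file names, host name and passphrase are
constructed for the example.
"""
import os
import subprocess
import tempfile
from typing import Dict, Optional


def _openssl(*args: str, env: Optional[Dict[str, str]] = None, check: bool = False):
    """Run one openssl command and return the CompletedProcess."""
    return subprocess.run(["openssl", *args], capture_output=True, check=check,
                          env={**os.environ, **(env or {})})


def key_matches_cert(key_file: str, cert_file: str, passphrase: Optional[str] = None) -> bool:
    """True when keyFile and certFile carry the same public key.

    The passphrase reaches openssl through the environment (-passin env:),
    never on the command line where `ps` would show it.
    """
    key_args = ["pkey", "-in", key_file, "-pubout"]
    env: Dict[str, str] = {}
    if passphrase is not None:
        key_args += ["-passin", "env:KEY_PASS"]
        env["KEY_PASS"] = passphrase
    from_key = _openssl(*key_args, env=env)
    from_cert = _openssl("x509", "-in", cert_file, "-pubkey", "-noout")
    return (from_key.returncode == 0 and from_cert.returncode == 0
            and from_key.stdout == from_cert.stdout)


def chain_verifies(cert_file: str, ca_file: Optional[str] = None,
                   hostname: Optional[str] = None) -> bool:
    """True when cert_file chains to a trusted CA (and, if given, matches hostname).

    Without ca_file only the host's default trust store is consulted, which is
    what a service sees when its caCertificates property is left empty.
    """
    args = ["verify"]
    if ca_file:
        args += ["-CAfile", ca_file]
    if hostname:
        args += ["-verify_hostname", hostname]
    return _openssl(*args, cert_file).returncode == 0


def issue_test_material(workdir: str, hostname: str, passphrase: str) -> Dict[str, str]:
    """Create a throwaway private CA and a CA-signed service certificate.

    Stand-in for the 'certificates acquired from your CA' assumption; do not
    use this in production.
    """
    def p(name: str) -> str:
        return os.path.join(workdir, name)

    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
             "-subj", "/CN=Example Private CA", "-keyout", p("ca.key"), "-out", p("ca.pem"),
             check=True)
    # Service key is encrypted with the passphrase, as the services expect.
    _openssl("req", "-newkey", "rsa:2048", "-passout", "env:KEY_PASS", "-subj", f"/CN={hostname}",
             "-keyout", p("svc.key"), "-out", p("svc.csr"), env={"KEY_PASS": passphrase}, check=True)
    with open(p("svc.ext"), "w") as f:
        f.write(f"subjectAltName=DNS:{hostname}\nextendedKeyUsage=serverAuth,clientAuth\n")
    _openssl("x509", "-req", "-days", "1", "-in", p("svc.csr"), "-CA", p("ca.pem"),
             "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", p("svc.ext"),
             "-out", p("svc.pem"), check=True)
    return {"ca": p("ca.pem"), "key": p("svc.key"), "cert": p("svc.pem")}


def preflight_demo(hostname: str = "krypton.example.internal") -> Dict[str, bool]:
    """Run the checks worth doing before enabling requestCert / rejectUnauthorized."""
    passphrase = "constructed-passphrase"
    with tempfile.TemporaryDirectory(prefix="dv-tls-") as workdir:
        m = issue_test_material(workdir, hostname, passphrase)
        return {
            "key_matches_cert": key_matches_cert(m["key"], m["cert"], passphrase),
            "chain_ok_with_ca_file": chain_verifies(m["cert"], ca_file=m["ca"], hostname=hostname),
            "hostname_mismatch_rejected": not chain_verifies(m["cert"], ca_file=m["ca"],
                                                             hostname="other.example.internal"),
            # A private CA is not in the host store: this is why caCertificates exists.
            "private_ca_unknown_to_host_store": not chain_verifies(m["cert"]),
        }


if __name__ == "__main__":
    for check, ok in preflight_demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The last check is the one that motivates the caCertificates properties in the tables below: a certificate issued by an internal CA fails verification against the host's default trust store, so the issuing CA must be listed explicitly or the services cannot verify each other.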
Configuring Krypton security
Krypton is a server and client. As a server, it uses Secure WebSocket connections (properties configured with the https prefix). As a client, it uses HTTP or HTTPS as determined by the servers it connects to (both protocols configured by properties with the httpClient prefix).
Configure these properties:
Property | Description |
---|---|
https : port | Port on which Krypton listens for HTTPS (Secure WebSocket) requests. Change it only when the default is unsuitable, for example because another process needs the port. |
https : host | Host name or IP address on which the Krypton HTTPS listener (https : port) is bound. |
https : keyFile | Path and filename of Krypton's private key. |
https : certFile | Path and filename of the signed certificate file for Krypton. |
https : passphrase | The encrypted passphrase for the service's private key file. |
https : requestCert | Requests a certificate from clients that connect via HTTPS and verifies it against the trusted CAs. Recommended. Enable it together with https : rejectUnauthorized to authenticate clients (the client-to-server half of reciprocal authentication). |
https : rejectUnauthorized | When the service acts as a server, rejects connections from clients whose certificate is missing or cannot be verified. Without it, https : requestCert only asks for a certificate and unverified clients are still admitted. Recommended. |
https : caCertificates | Certificate authority (CA) files used to verify client certificates. Most sites do not need this property because the host's trust store already holds the public CA roots. Set it when the CA that issued the Speech Suite certificates (typically an internal CA) is not in that store; otherwise client certificates cannot be verified and, with https : rejectUnauthorized enabled, every client is refused. |
httpClient : rejectUnauthorized | When the service acts as a client, requires the servers it connects to (such as the Resource Manager) to present a valid certificate that chains to a trusted CA. Recommended. Enable it for the server-to-client half of reciprocal authentication. |
httpClient : keyFile | Path and filename of the private key Krypton presents as a client. |
httpClient : certFile | Path and filename of the signed certificate file Krypton presents as a client. |
httpClient : passphrase | The encrypted passphrase for that private key file. |
httpClient : caCertificates | Certificate authority (CA) files the service uses to verify server certificates. Most sites do not need this property; set it when the CA that issued the Speech Suite certificates is not in the host's trust store. |
defaultHostName | The host name by which the Resource Manager reaches this Krypton instance. Use the name your certificate was issued for, so that clients performing host name verification accept it. |
rmRegistration : urls | URL(s) (host name and port) of the Resource Manager listener that Krypton registers with. |
By default Krypton uses the same certFile, keyFile, and passphrase configuration values for the https and httpClient properties.
Configuring NLE security
Configure these properties:
Property | Description |
---|---|
| | Enables HTTP access to the service. Nuance recommends keeping the default (disabled) when setting up secure communications. |
| | Defines the HTTP listener port for the service. Change it only when the default is unsuitable, for example because another process needs the port. |
| | Defines the HTTPS listener port for the service. Change it only when the default is unsuitable, for example because another process needs the port. |
| | Enables SSL/TLS communications. Nuance recommends keeping the default (enabled). |
| | Path to the service's keystore file. To create the keystore, see Creating PKCS12 keystores and Converting NLE keystores to JKS. |
| | Encrypted password protecting the service's keystore file and the private key it contains (the same password is used for both). |
rm.enabled | Allows the Natural Language Engine to register its capabilities with the Resource Manager. |
rm.uris | Host name (or IP address) and port of the Nuance Resource Manager with which to register engine capabilities. |
rm.hostNameVerificationEnabled | Enables host name verification of the Resource Manager's certificate when NLE registers over TLS: the certificate must be CA-signed and match the host in rm.uris. Keep it enabled; without it, any host presenting a certificate from a trusted CA is accepted as the Resource Manager. |
ntpe.uri | Host name (or IP address) and port of the Nuance Text Processing Engine. |
ntpe.resourceManagerEnabled | Instructs NLE to use the Nuance Resource Manager to locate a suitable Nuance Text Processing Engine resource for tokenization. |
ntpe.hostNameVerificationEnabled | Enables host name verification of the NTpE certificate when NLE connects to it over TLS. Keep it enabled. |
resource.download.ssl.certificateVerificationEnabled | Specifies whether NLE verifies the HTTPS server certificate when downloading resources. Keep it enabled so that resources are fetched only from an authenticated server. |
Configuring NLP service security
Configure these properties:
Property | Description |
---|---|
server.port | WebSocket listening port for the Natural Language Processing service. Change it only when the default is unsuitable, for example because another process needs the port. |
server.ssl.enabled | Enables SSL/TLS communications. Nuance recommends keeping the default (enabled). |
server.ssl.key-store | Path to the service's keystore file. See Creating NLP service keystores. Use the same value for server.ssl.key-store and httpClient.keystore. |
server.ssl.keystore-password | Encrypted password protecting the service's keystore file and the private key it contains (the same password is used for both). See Creating NLP service keystores. Use the same value for server.ssl.keystore-password and httpClient.keystorePassword. |
| | The alias of the key entry in the NLP service keystore. See Creating NLP service keystores. |
httpClient.hostNameVerificationEnabled | Enables host name verification when the service registers with Nuance Resource Manager servers over HTTPS: the server certificate must be CA-signed and match the host name being contacted. Keep it enabled. |
httpClient.keystore | Path to the service's keystore file. See Creating NLP service keystores. Use the same value for server.ssl.key-store and httpClient.keystore. |
httpClient.keystorePassword | Encrypted password protecting the service's keystore file and private key (the same password for both). Use the same value for server.ssl.keystore-password and httpClient.keystorePassword. |
httpClient.metadata.trustAll | Makes the NLP service accept any certificate presented by application servers reached over HTTPS, which disables server authentication for those connections. Leave it disabled in production; to trust an internal CA, put it in httpClient.truststore instead. |
httpClient.truststore | Path to the truststore file for the NLP service. Not required: by default the service uses the keystore and keystore password as its truststore. |
httpClient.truststorePassword | The encrypted password for the service's truststore file. Required only if a separate truststore is configured. |
Configuring NTpE security
NTpE is both a client and a server. As a server, it listens for and accepts WebSocket connections. You control digital certificates with two sets of configuration parameters: those prefixed ssl: (in its capacity as a server) and those prefixed httpsClient: (in its capacity as a client).
Configure these properties:
Property | Description |
---|---|
| | Enables HTTP access to the service. Nuance recommends keeping the default (disabled) when setting up secure communications. |
| | Defines the HTTP listener port for the service. Change it only when the default is unsuitable, for example because another process needs the port. |
| | Defines the HTTPS listener port for the service. Change it only when the default is unsuitable, for example because another process needs the port. |
https : enabled | Enables SSL/TLS communications. Nuance recommends keeping the default (enabled). |
https : caCertificates | Certificate authority (CA) files used to verify client certificates. Required when the CA that issued your client certificates (typically an internal CA) is not in the host's trust store. |
| | Path and filename of a private key. |
| | The encrypted passphrase for the service's private key file. |
| | Path and filename of the signed certificate file for NTpE. |
https : requestCert | Requests a certificate from clients that connect via HTTPS and verifies it against the trusted CAs. Recommended. Enable it together with https : rejectUnauthorized to authenticate clients. |
https : rejectUnauthorized | When the service acts as a server, rejects connections from clients whose certificate is missing or cannot be verified. Without it, https : requestCert only asks for a certificate and unverified clients are still admitted. Recommended. |
| | Certificate authority (CA) files the service uses to verify server certificates. Most sites do not need this property; set it when the CA that issued the Speech Suite certificates is not in the host's trust store. |
| | Path and filename of a private key. |
| | The encrypted passphrase for the service's private key file. |
| | Path and filename of the signed certificate file for NTpE. |
httpsClient : requestCert | Requests and verifies a certificate from clients that connect via HTTPS. Recommended. Enable this property to ensure reciprocal secure connections. |
httpsClient : rejectUnauthorized | When the service acts as a client, requires the servers it connects to to present a valid certificate that chains to a trusted CA. Recommended. Enable this property to ensure reciprocal secure connections. |
resourceManager : enabled | Enables NTpE to publish its capabilities to the Resource Manager at startup. |
resourceManager : urls | Host name or IP address and port (usually 9001) of the Nuance Resource Manager listener. |
resourceManager : ntpeHost | Host name (or IP address) of the host running the Nuance Text Processing Engine. |
Configuring Resource Manager security
The Resource Manager listens on both an HTTP and an HTTPS port. Once SSL/TLS is enabled on the other Dragon Voice components, the HTTP port carries no traffic. You can also disable the HTTP port so that no component can fall back to unsecured communications.
Configure these properties:
Property | Description |
---|---|
http : host | The IP address (or host name) on which the Nuance Resource Manager HTTP listener is bound. |
https : host | The IP address (or host name) on which the Nuance Resource Manager HTTPS listener is bound. |
http : port | Defines the HTTP listener port for the service. Change it only when the default is unsuitable, for example because another process needs the port. |
https : port | Defines the HTTPS listener port for the service. Change it only when the default is unsuitable, for example because another process needs the port. |
https : keyFile | Path and filename of the Nuance Resource Manager host's private key. |
https : certFile | Path and filename of the signed certificate file for Resource Manager. |
https : passphrase | The encrypted passphrase for the service's private key file. |
https : requestCert | Requests a certificate from clients that connect via HTTPS and verifies it against the trusted CAs. Recommended. Enable it together with https : rejectUnauthorized so that only authenticated services can register. |
https : rejectUnauthorized | When the service acts as a server, rejects connections from clients whose certificate is missing or cannot be verified. Without it, https : requestCert only asks for a certificate and unverified clients are still admitted. Recommended. |
https : caCertificates | Certificate authority (CA) files used to verify client certificates. Most sites do not need this property because the host's trust store already holds the public CA roots. Set it when the CA that issued the Speech Suite certificates (typically an internal CA) is not in that store; otherwise client certificates cannot be verified. |
| | When the service acts as a client, requires the servers it connects to to present a valid certificate that chains to a trusted CA. Recommended. Enable this property to ensure reciprocal secure connections. |
| | Path and filename of a private key. |
| | Path and filename of the signed certificate file for Resource Manager. |
| | The encrypted passphrase for the service's private key file. |
| | Certificate authority (CA) files the service uses to verify server certificates. Most sites do not need this property; set it when the CA that issued the Speech Suite certificates is not in the host's trust store. |
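The tables for Krypton, NLE, the NLP service, NTpE and the Resource Manager all describe the same small set of invariants: cleartext listeners off, the server asks for a client certificate and rejects unverifiable ones, the client rejects unverifiable servers, host name verification stays on, and the issuing CA is trusted explicitly when the host store does not already hold it. The following Python script is an added example (not Nuance code and not part of this topic) that checks those invariants over both property styles used above: nested objects keyed by the https / httpClient prefixes (Krypton, NTpE, Resource Manager) and flat dotted keys (NLE, NLP service). The nested and flat layouts, the helper names and all sample values are assumptions made for the example; only the property names come from this topic.

```python
"""Audit Dragon Voice service TLS settings against the reciprocal-authentication
rules in this topic.  Added example, not Nuance code: property names are those
in the tables above; the file layouts and all sample values are assumptions.
"""
from typing import Any, Dict, List


def _get(cfg: Dict[str, Any], section: str, key: str) -> Any:
    """Return cfg[section][key], or None when either level is missing."""
    return (cfg.get(section) or {}).get(key)


def audit_node_config(cfg: Dict[str, Any], ca_in_host_store: bool = True) -> List[str]:
    """Check a Krypton / NTpE / Resource Manager style config (https, httpClient prefixes).

    Returns a list of findings; empty means both halves of reciprocal authentication
    are in place.  ca_in_host_store=False models a private CA whose root is not in
    the host trust store, which makes caCertificates mandatory.
    """
    findings: List[str] = []

    # Cleartext listener: the topic recommends leaving HTTP disabled.
    if _get(cfg, "http", "enabled") is True:
        findings.append("http.enabled is true: a cleartext listener is still exposed")

    # Server role.  requestCert alone only *asks* for a client certificate; an absent
    # or unverifiable certificate is still admitted unless rejectUnauthorized is true.
    if _get(cfg, "https", "requestCert") is not True:
        findings.append("https.requestCert is not true: clients are not asked for a certificate")
    if _get(cfg, "https", "rejectUnauthorized") is not True:
        findings.append("https.rejectUnauthorized is not true: unverified clients are admitted")

    # Client role: refuse servers whose certificate does not chain to a trusted CA.
    if _get(cfg, "httpClient", "rejectUnauthorized") is not True:
        findings.append("httpClient.rejectUnauthorized is not true: server certificates are not checked")

    # Key material for the listener (Krypton reuses these for httpClient by default).
    for key in ("keyFile", "certFile", "passphrase"):
        if not _get(cfg, "https", key):
            findings.append(f"https.{key} is missing")

    # A CA the host does not already trust must be listed for both roles.
    if not ca_in_host_store:
        for section in ("https", "httpClient"):
            if not _get(cfg, section, "caCertificates"):
                findings.append(f"{section}.caCertificates is empty but the issuing CA is not in the host store")
    return findings


def audit_flat_config(props: Dict[str, str]) -> List[str]:
    """Check an NLE / NLP-service style property set (values as written in the file)."""
    findings: List[str] = []

    def is_true(key: str) -> bool:
        return props.get(key, "").strip().lower() == "true"

    if not is_true("server.ssl.enabled"):
        findings.append("server.ssl.enabled is not true")

    # NLP service: trusting every certificate removes server authentication entirely.
    if is_true("httpClient.metadata.trustAll"):
        findings.append("httpClient.metadata.trustAll is true: any certificate is accepted")

    # Host-name / certificate verification switches must stay on wherever they appear.
    for key in ("rm.hostNameVerificationEnabled", "ntpe.hostNameVerificationEnabled",
                "httpClient.hostNameVerificationEnabled",
                "resource.download.ssl.certificateVerificationEnabled"):
        if key in props and not is_true(key):
            findings.append(f"{key} is not true: peer certificates are not fully validated")

    # NLP service: one keystore and one password for both the server and client roles.
    for server_key, client_key in (("server.ssl.key-store", "httpClient.keystore"),
                                   ("server.ssl.keystore-password", "httpClient.keystorePassword")):
        if server_key in props and client_key in props and props[server_key] != props[client_key]:
            findings.append(f"{server_key} and {client_key} differ")
    return findings


# Constructed sample configs (not from the page).  WEAK_* show the common
# "it connects, so it works" state; HARDENED_* follow the recommendations above.
WEAK_KRYPTON = {
    "http": {"enabled": True},
    "https": {"port": 8443, "keyFile": "/opt/certs/krypton-key.pem",
              "certFile": "/opt/certs/krypton-cert.pem", "passphrase": "<encrypted>",
              "requestCert": True, "rejectUnauthorized": False},
    "httpClient": {"rejectUnauthorized": False},
}
HARDENED_KRYPTON = {
    "https": {"port": 8443, "keyFile": "/opt/certs/krypton-key.pem",
              "certFile": "/opt/certs/krypton-cert.pem", "passphrase": "<encrypted>",
              "requestCert": True, "rejectUnauthorized": True,
              "caCertificates": ["/opt/certs/internal-ca.pem"]},
    "httpClient": {"rejectUnauthorized": True, "caCertificates": ["/opt/certs/internal-ca.pem"]},
}
WEAK_NLP = {"server.ssl.enabled": "true", "httpClient.metadata.trustAll": "true",
            "httpClient.hostNameVerificationEnabled": "false",
            "server.ssl.key-store": "/opt/certs/nlp.p12", "httpClient.keystore": "/opt/certs/nlp-old.p12"}
HARDENED_NLP = {"server.ssl.enabled": "true", "httpClient.metadata.trustAll": "false",
                "httpClient.hostNameVerificationEnabled": "true",
                "server.ssl.key-store": "/opt/certs/nlp.p12", "httpClient.keystore": "/opt/certs/nlp.p12"}

if __name__ == "__main__":
    for name, result in (("weak Krypton", audit_node_config(WEAK_KRYPTON, ca_in_host_store=False)),
                         ("hardened Krypton", audit_node_config(HARDENED_KRYPTON, ca_in_host_store=False)),
                         ("weak NLP", audit_flat_config(WEAK_NLP)),
                         ("hardened NLP", audit_flat_config(HARDENED_NLP))):
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against your own configuration before enabling the listeners: the weak Krypton sample reproduces the most common mistake, requestCert enabled but rejectUnauthorized left false, which asks every client for a certificate and then admits them whether or not it verifies.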
Configuring Voice Platform security
To configure the voice browser service, first set up secure connections for Speech Suite and then see the documentation for Nuance Voice Platform for Speech Suite 11 to set up secure connections for Voice Platform.