Configuring authentication on services

Note: This procedure is for Dragon Voice users. Ignore it if not using Dragon Voice.

When setting up secure connections, you must configure each service. For an overview of the whole procedure, see Securing connections with SSL/TLS.

This topic shows the complete security configuration of Dragon Voice services, and assumes the following:

  • You intend to use CA-signed certificates, and have already acquired them.
  • You already copied your certificates to their locations and used the example filenames. (If you didn't use the example names and locations, make the appropriate substitutions below.) See Copying certificates and keys.
  • You want to use reciprocal authentication with clients and services authenticating each other in both directions. (This is the purpose of the requestCert and rejectUnauthorized properties.)

Configuring Krypton security

Krypton is both a server and a client. As a server, it accepts Secure WebSocket connections (configured by properties with the https prefix). As a client, it uses HTTP or HTTPS as determined by the servers it connects to (both protocols configured by properties with the httpClient prefix).

Configure these properties:

Property Description
https : port

Port where Krypton listens for HTTPS requests.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https : host

The host where the Krypton HTTPS listener port (https : port) is defined.

https : keyFile

Path and filename of a private key.

https : certFile

Path and filename of the signed certificate file for Krypton.

https : passphrase

The encrypted passphrase for the service's private keyfile.

https : requestCert

Requests and verifies a certificate from clients that try to connect via HTTPS.

Recommended. Enable this property to ensure reciprocal secure connections.

https : rejectUnauthorized

When the service acts as a client, this property requires servers to be authorized by valid certificates.

Recommended. Enable this property to ensure reciprocal secure connections.

https : caCertificates

Certificate authority (CA) files to use when authenticating certificates.

Most sites do not need to specify this property. The common CA certificates are already installed on the hosts; set this property only when the CA that issued the Speech Suite certificates is not already trusted by the host.

httpClient : rejectUnauthorized

When the service acts as a client, this property requires servers to be authorized by valid certificates.

Recommended. Enable this property to ensure reciprocal secure connections.

httpClient : keyFile

Path and filename of a private key.

httpClient : certFile

Path and filename of the signed certificate file for Krypton.

httpClient : passphrase

The encrypted passphrase for the service's private keyfile.

httpClient : caCertificates

Certificate authority (CA) files for the service to authenticate server certificates.

Most sites do not need to specify this property. The common CA certificates are already installed on the hosts; set this property only when the CA that issued the Speech Suite certificates is not already trusted by the host.

defaultHostName

The name of the host where the Resource Manager can connect to the Krypton instance.

rmRegistration : urls

Connects Krypton to the hostname and port of the Resource Manager listener.

By default Krypton uses the same certFile, keyFile, and passphrase configuration values for the https and httpClient properties.

Configuring NLE security

Configure these properties:

Property Description

http : enabled

Enables HTTP access to the service.

Nuance recommends keeping the default value (disabled) when setting up secure communications.

http.port

Defines an HTTP listener for the service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https.port

Defines an HTTPS listener for the service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https : enabled

Enables SSL/TLS communications.

Nuance recommends keeping the default value (enabled). 

https.keyStore

Path to the service's keystore file.

To create the keystore, see Creating PKCS12 keystores and Converting NLE keystores to JKS.

https.keyStorePassword

Encrypted password to protect the service's keystore file and private key (same password for both).

rm.enabled

Allows the Natural Language Engine to register its capabilities with the Resource Manager.

rm.uris

The hostname (or IP address) and port of the Nuance Resource Manager to register engine capabilities.

rm.hostNameVerificationEnabled

Requires NLE to perform SSL validation with a CA-signed certificate when registering with the Nuance Resource Manager server.

ntpe.uri

The hostname (or IP address) and port of the Nuance Text Processing Engine.

ntpe.resourceManagerEnabled

Instructs NLE to use the Nuance Resource Manager to locate a suitable Nuance Text Processing Engine resource for tokenization.

ntpe.hostNameVerificationEnabled

Specifies whether NLE performs SSL hostname validation when connecting to NTpE.

resource.download.ssl.certificateVerificationEnabled

Specifies whether NLE verifies the resource HTTPS server certificate when downloading resources.

Configuring NLP service security

Configure these properties:

Property Description
server.port

WebSocket listening port to use for the Natural Language Processing service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

server.ssl.enabled

Enables SSL/TLS communications.

Nuance recommends keeping the default value (enabled). 

server.ssl.key-store

Path to the service's keystore file.

See Creating NLP service keystores.

Use the same value for server.ssl.key-store and httpClient.keystore.

server.ssl.keystore-password

Encrypted password to protect the service's keystore file and private key (same password for both).

See Creating NLP service keystores.

Use the same value for server.ssl.keystore-password and httpClient.keystorePassword.

server.ssl.key-alias

The alias of the NLP service keystore. See Creating NLP service keystores.

httpClient.hostNameVerificationEnabled

When using HTTPS, the service performs SSL validation against a CA-signed certificate when registering with Nuance Resource Manager servers.

httpClient.keystore

Path to the service's keystore file.

See Creating NLP service keystores.

Use the same value for server.ssl.key-store and httpClient.keystore.

httpClient.keystorePassword

Encrypted password to protect the service's keystore file and private key (same password for both).

Use the same value for server.ssl.keystore-password and httpClient.keystorePassword.

httpClient.metadata.trustAll

Enables the NLP service to trust all certificates received from application servers reached over HTTPS. (When enabled, the service does not verify those servers' certificates.)

httpClient.truststore

The path to the truststore file for the NLP service.

The NLP service does not require a truststore or a truststore password. (By default it uses the keystore and the keystore password.)

httpClient.truststorePassword

The encrypted passphrase for the service's truststore file.

Only required if using a truststore for NLP service.

Configuring NTpE security

NTpE is both a client and a server. As a server, it listens for and accepts WebSocket connections. You control digital certificates with two sets of configuration parameters: those prefixed with ssl: (for its role as a server) and those prefixed with httpsClient: (for its role as a client).

Configure these properties:

Property Description

http : enabled

Enables HTTP access to the service.

Nuance recommends keeping the default value (disabled) when setting up secure communications.

http : port

Defines an HTTP listener for the service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https : port

Defines an HTTPS listener for the service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https : enabled

Enables SSL/TLS communications.

Nuance recommends keeping the default value (enabled). 

https : caCertificates

Certificate authority (CA) files to use when authenticating certificates.

https : keyFile

Path and filename of a private key.

https : passphrase

The encrypted passphrase for the service's private keyfile.

https : certFile

Path and filename of the signed certificate file for NTpE.

https : requestCert

Requests and verifies a certificate from clients that try to connect via HTTPS.

Recommended. Enable this property to ensure reciprocal secure connections.

https : rejectUnauthorized

When the service acts as a client, this property requires servers to be authorized by valid certificates.

Recommended. Enable this property to ensure reciprocal secure connections.

httpsClient : caCertificates

Certificate authority (CA) files for the service to authenticate server certificates.

Most sites do not need to specify this property. The common CA certificates are already installed on the hosts; set this property only when the CA that issued the Speech Suite certificates is not already trusted by the host.

httpsClient : keyFile

Path and filename of a private key.

httpsClient : passphrase

The encrypted passphrase for the service's private keyfile.

httpsClient : certFile

Path and filename of the signed certificate file for NTpE.

httpsClient : requestCert

Requests and verifies a certificate from clients that try to connect via HTTPS.

Recommended. Enable this property to ensure reciprocal secure connections.

httpsClient : rejectUnauthorized

When the service acts as a client, this property requires servers to be authorized by valid certificates.

Recommended. Enable this property to ensure reciprocal secure connections.

resourceManager : enabled

Enables NTpE to publish its capabilities to the Resource Manager during startup.

resourceManager : urls

Hostname or IP address and port (usually 9001) of the Nuance Resource Manager listener.

resourceManager : ntpeHost

Hostname (or IP address) of the host running the Nuance Text Processing Engine.

Configuring Resource Manager security

The Resource Manager listens on HTTP and HTTPS ports. When you enable SSL for the other Dragon Voice components, the HTTP port carries no traffic. You can also disable the HTTP port to prevent unsecured communications.

Configure these properties:

Property Description
http : host

The IP address (or hostname) of the Nuance Resource Manager host.

https : host

The IP address (or hostname) of the Nuance Resource Manager host.

http : port

Defines an HTTP listener for the service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https : port

Defines an HTTPS listener for the service.

Change this only when the default is unsatisfactory, for example when the port is needed by some other process.

https : keyFile

The Nuance Resource Manager host's private key filename.

https : certFile

Path and filename of the signed certificate file for Resource Manager.

https : passphrase

The encrypted passphrase for the service's private keyfile.

https : requestCert

Requests and verifies a certificate from clients that try to connect via HTTPS.

https : rejectUnauthorized

When the service acts as a client, this property requires servers to be authorized by valid certificates.

Recommended. Enable this property to ensure reciprocal secure connections.

https : caCertificates

Certificate authority (CA) files to use when authenticating certificates.

Most sites do not need to specify this property. The common CA certificates are already installed on the hosts; set this property only when the CA that issued the Speech Suite certificates is not already trusted by the host.

httpClient : rejectUnauthorized

When the service acts as a client, this property requires servers to be authorized by valid certificates.

Recommended. Enable this property to ensure reciprocal secure connections.

httpClient : keyFile

Path and filename of a private key.

httpClient : certFile

Path and filename of the signed certificate file for Resource Manager.

httpClient : passphrase

The encrypted passphrase for the service's private keyfile.

httpClient : caCertificates

Certificate authority (CA) files for the service to authenticate server certificates.

Most sites do not need to specify this property. The common CA certificates are already installed on the hosts; set this property only when the CA that issued the Speech Suite certificates is not already trusted by the host.
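The Krypton, NLE, NLP service, NTpE and Resource Manager tables above all come down to a few booleans (requestCert, rejectUnauthorized, http enabled, hostname verification, trustAll) and a few file references that are easy to leave at an insecure value. The following is an added example, not Nuance's code and not part of this page, that audits such a configuration against the recommendations in those tables. It assumes that Krypton, NTpE and Resource Manager read a two-level YAML-like file whose keys correspond to the "https : requestCert" spelling used above, and that NLE and the NLP service read dotted key=value properties; both spellings are folded into dotted names, so "https : requestCert" and https.requestCert select the same rule. The file paths, host name and encrypted-value placeholders in the sample input are constructed.

```python
"""Audit Dragon Voice TLS settings against this page's recommendations (added example,
not Nuance or Speech Suite code). Assumes Krypton, NTpE and Resource Manager read a
two-level YAML-like file (section header, then indented "key: value" lines; the page
spells those keys "https : requestCert") and that NLE and the NLP service read dotted
"key=value" properties. Both spellings fold into dotted names. Samples are constructed."""
import re

def canonical(key):
    """'https : requestCert' -> 'https.requestCert'; dotted keys pass through."""
    return re.sub(r"\s*:\s*", ".", key.strip())

def parse_nested(text):
    """Flatten a two-level YAML-like file of scalars into {'section.key': value}."""
    flat, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if raw[0] in " \t" and section:      # indented line inside a section
            flat[f"{section}.{key}"] = value
        elif value:                           # top-level scalar, e.g. defaultHostName
            flat[key], section = value, None
        else:                                 # section header such as "https:"
            section = key
    return flat

def parse_properties(text):
    """Parse Java-style 'key=value' lines into a dict with canonical keys."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[canonical(key)] = value.strip()
    return props

def is_on(config, key):
    return config.get(key, "").strip().strip("'\"").lower() in ("true", "yes", "on", "1")
# Recommended values per service (True = must be enabled, False = must stay off) and
# the key material each service must reference before its HTTPS listener can start.
EXPECTED = {
    "krypton": {"https.requestCert": True, "https.rejectUnauthorized": True,
                "httpClient.rejectUnauthorized": True},
    "ntpe": {"http.enabled": False, "https.enabled": True, "https.requestCert": True,
             "https.rejectUnauthorized": True, "httpsClient.rejectUnauthorized": True},
    "nle": {"http.enabled": False, "https.enabled": True, "rm.hostNameVerificationEnabled": True,
            "ntpe.hostNameVerificationEnabled": True,
            "resource.download.ssl.certificateVerificationEnabled": True},
    "nlp": {"server.ssl.enabled": True, "httpClient.hostNameVerificationEnabled": True,
            "httpClient.metadata.trustAll": False},
}
EXPECTED["resource-manager"] = EXPECTED["krypton"]   # same https/httpClient property set
REQUIRED = {
    "krypton": ["https.keyFile", "https.certFile", "https.passphrase"],
    "nle": ["https.keyStore", "https.keyStorePassword"],
    "nlp": ["server.ssl.key-store", "server.ssl.keystore-password", "server.ssl.key-alias"],
}
REQUIRED["ntpe"] = REQUIRED["resource-manager"] = REQUIRED["krypton"]
# The NLP service table requires each of these pairs to carry the same value.
NLP_PAIRS = [("server.ssl.key-store", "httpClient.keystore"),
             ("server.ssl.keystore-password", "httpClient.keystorePassword")]

def audit(service, config):
    """Return sorted findings; an empty list means the config follows the page."""
    findings = []
    for key, want_on in EXPECTED[service].items():
        if want_on and not is_on(config, key):
            findings.append(f"{key} is not enabled; enable it")
        elif not want_on and is_on(config, key):
            findings.append(f"{key} is enabled; disable it for secure communications")
    for key in REQUIRED[service]:
        if not config.get(key):
            findings.append(f"{key} is missing; TLS cannot start without it")
    for a, b in NLP_PAIRS if service == "nlp" else []:
        if a in config and b in config and config[a] != config[b]:
            findings.append(f"{a} and {b} differ; the page requires the same value")
    return sorted(findings)

# Constructed sample: Krypton not requesting client certs; its HTTP client trusts any server.
KRYPTON_SAMPLE = """\
https:
  keyFile: /etc/dragon/krypton.key
  certFile: /etc/dragon/krypton.crt
  passphrase: <encrypted-passphrase>
  requestCert: false
  rejectUnauthorized: true
httpClient:
  rejectUnauthorized: false
"""
# Constructed sample: NLP service trusting every certificate and skipping hostname checks.
NLP_SAMPLE = """\
server.ssl.enabled=true
server.ssl.key-store=/etc/dragon/nlp.jks
server.ssl.keystore-password=<encrypted-password>
server.ssl.key-alias=nlp
httpClient.keystore=/etc/dragon/nlp-old.jks
httpClient.keystorePassword=<encrypted-password>
httpClient.hostNameVerificationEnabled=false
httpClient.metadata.trustAll=true
"""
```

Run audit("krypton", parse_nested(KRYPTON_SAMPLE)) or audit("nlp", parse_properties(NLP_SAMPLE)) to get the list of findings; an empty list means every property in the corresponding table is set the way this page recommends. The NLP pair check encodes the page's rule that server.ssl.key-store must equal httpClient.keystore and that the two passwords must match; Krypton's httpClient keyFile, certFile and passphrase are not required because the page states they default to the https values.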

Configuring Voice Platform security

To configure the voice browser service, first set up secure connections for Speech Suite and then see the documentation for Nuance Voice Platform for Speech Suite 11 to set up secure connections for Voice Platform.