Setting up ZooKeeper

When using Dragon Voice services (engines), you must install Apache ZooKeeper and configure Resource Manager to connect to ZooKeeper.

  • You can install ZooKeeper on any host. This includes hosts with no Speech Suite components. The host must communicate with the Resource Manager host.
  • For redundancy, you can install multiple Zookeeper instances on multiple hosts. Use the Zookeeper instructions to configure interoperation among the Zookeeper servers. Typically this means having an odd number of servers for “election” purposes (for example, 1, 3, 5, and so on). For testing and development purposes, a single ZooKeeper host is sufficient. For production environments, Nuance (and Apache) recommends at least three ZooKeeper hosts to ensure that the ZooKeeper service stays active.
  • By default, the connection between Zookeeper and Resource Manager does not use authentication. For maximum security, see Configuring authentication.

Note: You cannot connect one Zookeeper to two different Speech Suite installations.

Preparation

Before you begin:

  • Download the Apache ZooKeeper package on each host and extract it.
  • Use the Apache ZooKeeper documentation for full instructions, including system requirements.
  • Install 64-bit Java on each ZooKeeper host. If installing Zookeeper on a Speech Suite host, see the Speech Suite release notes for details about sharing the Java JRE.

  • IMPORTANT—You must configure Zookeeper's Java system property admin.serverPort to a non-default value. (The default port 8080 conflicts with the Management Station.) Alternatively, you can disable the admin feature with admin.enableServer=false in the zoo.cfg file.

Linux procedure

  1. Make a copy of the provided configuration file: /zookeeper/conf/zoo_sample.cfg
  2. Rename the copied file. For example: zoo.cfg
  3. Create a data directory, using a name of your choosing, in the installation directory.
  4. Edit these settings in zoo.cfg:
    1. dataDir: Enter the path to your data directory. For example: dataDir=/zookeeper/zookeeperDataDir
    2. server.1: Enter the hostname of your ZooKeeper host. For example: server.1=zookeeper-hostname:2888:3888

      Note: If you have more than one ZooKeeper host, edit the zoo.cfg on each host and add server.x settings (incrementing the server .x value for each host). For example:
      server.1=[server1-hostname]:2888:3888
      server.2=[server2-hostname]:2888:3888
      server.3=[server3-hostname]:2888:3888

    3. clientPort: Enter the listening port for client connections.

  5. Save zoo.cfg.
  6. Start the ZooKeeper server:
    > /zookeeper/bin ./zkServer.sh start

    Tip: You can check this log file for any errors /zookeeper/bin/zookeeper.out

  7. Start the ZooKeeper client, which switches to the ZooKeeper prompt:
    > ./zkCli.sh
  8. Type quit to exit the client. The ZooKeeper configuration is now complete.
  9. Configure the zookeeper : servers property of the Nuance Resource Manager service to point to the IP address and port of each ZooKeeper host.

    Note: The list of ZooKeeper addresses must match the list of ZooKeeper hosts for Resource Manager to successfully connect to them.

Enable SSL in ZooKeeper

You can use the SSL in ZooKeeper, instead of the regular ZooKeeper configuration.

Preparation

Before you begin, for every ZooKeeper host you want to have SSL, you must:

  • Complete the regular ZooKeeper setup

  • Create the following:

    • Server keystore

    • Server truststore

    • Client keystore

    • Client truststore

  • Stop the ZooKeeper server, if it's running.

Linux procedure

  1. Go to the Zookeeper bin directory.

  2. Add the following lines to zkEnv.sh, above the line that contains heap parameters:

    SERVER_JVMFLAGS="

    -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

    -Dzookeeper.ssl.keyStore.location<server_keystore_file>

    -Dzookeeper.ssl.keyStore.password=password
-Dzookeeper.ssl.trustStore.location=<servertruststore file>

    -Dzookeeper.ssl.trustStore.password=password"
    CLIENT_JVMFLAGS="
    -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
    -Dzookeeper.client.secure=true
    -Dzookeeper.ssl.keyStore.location=<clientkeystore_file>
    -Dzookeeper.ssl.keyStore.password=password
    -Dzookeeper.ssl.trustStore.location=<clienttruststore>
    -Dzookeeper.ssl.trustStore.password=password
    -Dzookeeper.ssl.hostnameVerification=false"

  3. In zoo.cfg, add this line to the end:

    secureClientPort=2281
  4. Save zoo.cfg.
  5. Start the ZooKeeper server:
    > /zookeeper/bin ./zkServer.sh start

    Tip: You can check this log file for any errors /zookeeper/bin/zookeeper.out

  6. Check the ZooKeeper client, which switches to the ZooKeeper prompt:
    > ./zkCli.sh -server localhost:2281
  7. Type quit to exit the client. The ZooKeeper with SSL configuration is now complete.

Windows procedure

Repeat these steps on every ZooKeeper host you want to add SSL to: 

  1. Make a backup copy of zkServer.cmd.

  2. In the original zkServer.cmd file, replace the first line with this new line:

    Old line:

    call %JAVA% "-Dzookeeper.log.dir=%ZOO_LOG_DIR%" "-Dzookeeper.log.file=%ZOO_LOG_FILE%" "-XX:+HeapDumpOnOutOfMemoryError" "-XX:OnOutOfMemoryError=cmd /c taskkill /pid %%%%p /t /f" -cp "%CLASSPATH%" %ZOOMAIN% "%ZOOCFG%" %*

    New line:

    call %JAVA% "-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory" "-Dzookeeper.ssl.keyStore.location=<serverkeystore>" "-Dzookeeper.ssl.keyStore.password=password" "-Dzookeeper.ssl.trustStore.location=<servertruststore file>" "-Dzookeeper.ssl.trustStore.password=password" "-Dzookeeper.log.dir=%ZOO_LOG_DIR%" "-Dzookeeper.log.file=%ZOO_LOG_FILE%" "-XX:+HeapDumpOnOutOfMemoryError" "-XX:OnOutOfMemoryError=cmd /c taskkill /pid %%%%p /t /f" -cp "%CLASSPATH%" %ZOOMAIN% "%ZOOCFG%" %*

  3. In zoo.cfg, add this line to the end:

    secureClientPort=2281

  4. In zkCli.cmd, change the first line with this new line:

    Old line:

    call %JAVA% "-Dzookeeper.log.dir=%ZOO_LOG_DIR%" "-Dzookeeper.log.file=%ZOO_LOG_FILE%" -cp "%CLASSPATH%" %ZOOMAIN% %*

    New line:

    call %JAVA% "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty" "-Dzookeeper.ssl.keyStore.location<clientkeystore file>" "-Dzookeeper.ssl.keyStore.password=password" "-Dzookeeper.ssl.trustStore.location=<clienttruststore file>" "-Dzookeeper.ssl.trustStore.password=password" "-Dzookeeper.client.secure=true" "-Dzookeeper.log.dir=%ZOO_LOG_DIR%" "-Dzookeeper.log.file=%ZOO_LOG_FILE%" -cp "%CLASSPATH%" %ZOOMAIN% %*
  5. Start the ZooKeeper client, which switches to the ZooKeeper prompt:
    > ./zkCli.sh -server localhost:2281

Configure Resource Manager communications with ZooKeeper servers with SSL

After adding the SSL feature to the ZooKeeper hosts, configure NRM to communicate with ZooKeeper servers with SSL enabled:

  1. Stop NRM service from Nuance Management Station.

  2. In Nuance Management Station, select Nuance Resource Manager service.

  3. Click on Service Properties. Go to "Settings" tab.

    Add or edit following values under ZooKeeper. File paths use Unix-style separators (/). client_cert_file, client_key_file, server_cert_files most be from the same respective keystore files.

    Note: In Linux: the cert and key files below must be in a location with read permission for user nuance, such as /var/local/Nuance. Apply read permission by running chown nuance:nuance. Don't place these files under /root.

    zookeeper:
     servers:
     tlsEnabled: true
     client_cert_file: '<client certificate file path/name>'
     client_key_file: '<client key file path/name>'
     client_key_pass: '<client key password>'
     server_cert_files: [ '<host>;<server certificate file>', ... ]

    Note: server_cert_files is an array containing server names and server certificate file path/name pairs, with each pair in the format of <host;server cert file>. The server name must match what is used in the servers list. For example, if a server is listed under servers using its IP address, then it also has to be listed under server_cert_files using its IP address. Not every server has to show up in this array. If a server uses a self-signed certificate, its certificate must be listed in the array.

  4. Start Resource Manager.

Configuring authentication

Authentication is not enabled between ZooKeeper and Resource Manager by default. This opens a security risk if you host multiple customers on your network because code running on any server can query and modify nodes registered with ZooKeeper (including Resource Manager). For example, there's a risk of redirection of a customer's voice data towards fraudulent Dragon Voice instances.

Note: In the following procedure, follow your standard operating procedures to stop and start services and edit their properties. In other words, use Management Station (if using Management Station at your site) or use scripts or command line operations to affect these changes.

To enable authentication to ZooKeeper :

  1. Stop the Dragon Voice engines: Krypton, NLE, and NTpE and wait a short time for Resource Manager to remove their corresponding entries from ZooKeeper. (Use zkCli.sh or zkCli.bat to confirm nodes KRYPTON, NLE and NTPE are empty.)

  2. Stop all Resource Manager services.

  3. Use the ZooKeeper command line client to delete the ZooKeeper NRM nodes. Run these commands in zkCli.sh or zkCli.bat:

    delete /RM
    delete /Engines/KRYPTON
    delete /Engines/NLE
    delete /Engines/NTPE
    delete /Engines

  1. Add the following ZooKeeper properties to the Resource Manager service configuration. Specify any values for username and authenticationcode, and use the same values if you run a secondary Resource Manager. (If running services without Management Station, add these properties to the ZooKeeper section of every User-nrmxx.yaml file.)

    authUser: 'username'
    authCode: 'authenticationcode'

    Note: The username and authenticationcode are case sensitive.

    Example configuration in the ZooKeeper section of a User-nrmxx.yaml file:

    zookeeper:
      servers:
      - 'hostname:port'
      authUser: 'nuance'
      authCode: 'mypassword'
  2. Start Resource Manager.
  3. Start the Dragon Voice engines.

To inspect NRM nodes in the future (after authentication is enabled), you must run the following command in the ZooKeeper command line client. Substitute the configured values for authUser and authCode:

addauth digest authUser:authCode