Security
The Appliance is designed to be installed within your own security perimeter. It has its own firewall, which only allows ingress to the ports required for its Management, Monitoring and Speech APIs.
Overview
The Appliance uses a Kubernetes architecture running on a customized Ubuntu machine. AppArmor default security policies are used to protect the OS and running applications on the Appliance.
Data on the Appliance (including audio and video data submitted via the Speech API, logs, and output transcripts) is encrypted on disk if the hypervisor is configured to manage at-rest encryption. The OVA you import is not encrypted by default; if you require at-rest encryption, follow the instructions specific to your hypervisor.
Securing the Management API
All requests to the Management API require authentication unless it is explicitly turned off. The default username and password are 'admin' and 'admin'.
To disable HTTP authentication against the Management API, run this command:
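```sh
# ADMIN_PASSWORD holds the current admin password ($PWD is the shell's working directory)
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'DELETE' \
  "http://${APPLIANCE_HOST}/v2/security/adminpassword"
```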
To configure your own password (advised), run:
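```sh
# ADMIN_PASSWORD holds the current admin password ($PWD is the shell's working directory)
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'POST' \
  "http://${APPLIANCE_HOST}/v2/security/adminpassword" \
  -H 'Content-Type: application/json' \
  -d '{
    "password": "yourpassword"
  }'
```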
Alternatively, perform these operations from the Management Web UI running on http(s)://${APPLIANCE_HOST}/.
Configuring a Token for the Jobs API
Versions of the Appliance before 6.0.0 required no authentication to use the ASR API. This version requires no authentication by default, but you can configure a token of your choice to protect the jobs endpoint using the Management API.
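```sh
# ADMIN_PASSWORD holds the current admin password ($PWD is the shell's working directory)
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'POST' \
  "https://${APPLIANCE_HOST}/v2/security/jobtoken" \
  -H 'Content-Type: application/json' \
  -d '{"user_token": "<your token>"}'
```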
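To remove the token, run a DELETE command:
```sh
# ADMIN_PASSWORD holds the current admin password ($PWD is the shell's working directory)
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'DELETE' \
  "https://${APPLIANCE_HOST}/v2/security/jobtoken"
```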
When a token is in use, requests to the jobs API will require an authentication header identical to the kind used in the Speechmatics SaaS.
```sh
# config is sent as a second form field: curl does not accept -d together with -F
curl -s -L -X 'POST' "https://${APPLIANCE_HOST}/v2/jobs/" \
  -H "Authorization: Bearer <your token>" \
  -F data_file=@sample.wav \
  -F 'config={ "type": "transcription",
    "transcription_config": { "language": "en" }
  }'
```
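The two hardening steps above (replacing the default admin password and setting a Jobs API token) can be done with generated secrets that never appear on a command line. The script below is an added example, not vendor code: it assumes HTTPS is already configured, and `ADMIN_PASS_FILE` and `JOB_TOKEN_FILE` are hypothetical operator-chosen paths, the first holding the current admin password (`admin` on a fresh install).

```sh
#!/bin/sh
# Added example, not vendor code. Assumes HTTPS is configured on the appliance.
# ADMIN_PASS_FILE and JOB_TOKEN_FILE are hypothetical paths chosen by the operator.

# 32 bytes from the kernel CSPRNG as 64 hex characters (safe inside JSON).
gen_secret() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Build {"<field>": "<secret>"}; refuse values that would need JSON escaping.
json_body() {
  case "$2" in
    ''|*[!A-Za-z0-9_-]*) echo "unsafe secret for $1" >&2; return 1 ;;
  esac
  printf '{"%s": "%s"}' "$1" "$2"
}

# Escape backslashes and double quotes for a quoted value in a curl config file.
cfg_escape() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# POST a JSON body to /v2/security/<endpoint>. The admin credentials and the
# body reach curl through a config on stdin (-K -), not through its arguments,
# so they are not visible in the process list.
post_secret() {  # args: endpoint, current admin password, JSON body
  printf 'user = "admin:%s"\ndata = "%s"\n' \
    "$(cfg_escape "$2")" "$(cfg_escape "$3")" |
    curl -sS -f -L -K - -X POST -H 'Content-Type: application/json' \
      "https://${APPLIANCE_HOST}/v2/security/$1"
}

# Replace the admin password, then set a Jobs API token with the new password.
# Runs in a subshell so umask and variables do not leak into the caller.
rotate_all() (
  umask 077
  old=$(cat "$ADMIN_PASS_FILE") && new=$(gen_secret) && token=$(gen_secret) || exit 1
  post_secret adminpassword "$old" "$(json_body password "$new")" || exit 1
  printf '%s' "$new" > "$ADMIN_PASS_FILE"
  post_secret jobtoken "$new" "$(json_body user_token "$token")" || exit 1
  printf '%s' "$token" > "$JOB_TOKEN_FILE"
)
```

Run `rotate_all` with `APPLIANCE_HOST`, `ADMIN_PASS_FILE` and `JOB_TOKEN_FILE` set; nothing is sent until that function is called.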
Ports and Protocols
Several firewall rules may need to be enabled so that clients can communicate with the Virtual Appliance. If you set up HTTPS as described in the 'SSL Configuration' section of these docs, you only need to expose port 443.
Port/Protocol | Description |
---|---|
22/TCP | SSH access |
80/TCP | Used for the Management API to manage the Appliance, and for submitting jobs |
443/TCP | Used for HTTPS communication with all of the above services |
9001/TCP | Prometheus metrics |
3100/TCP | Loki logs endpoint * |
*: External access is blocked by default; see Loki.