TLS Support#
Audio2Face-3D NIM provides Transport Layer Security (TLS) support for secure communication. This feature is enabled by setting the NIM_SSL_MODE environment variable and mounting the appropriate certificates and private keys. When NIM_SSL_MODE is not set, the service runs in insecure mode by default.
Note
Transport Layer Security (TLS) is a cryptographic protocol that provides end-to-end security for data transmitted between applications over the network. The following documentation outlines the process for generating and implementing the required security certificates.
Certificate Generation Process#
The following sections detail the process of generating a Certificate Authority (CA) and the necessary server and client certificates for secure communication.
Warning
Certificate and Certificate Authority (CA) generation steps are provided for reference only. Users are advised to generate keys, manage Certificate Authority (CA) operations and certificate lifecycle tasks (e.g. enrollment, renewal) securely.
Generating Server Key & Certificate Signing Request (CSR)#
Note
This process creates the server’s private key and Certificate Signing Request (CSR). The Common Name (CN) and Subject Alternative Name (SAN) fields specify the authorized hostnames and IP addresses.
# Generate server private key
openssl genrsa -out server.key 4096
# Generate server Certificate Signing Request
openssl req -new -key server.key -out server.csr -subj "/CN=0.0.0.0" \
-addext "subjectAltName=DNS:localhost,IP:0.0.0.0"
Now that we have a CSR, we need to have our CA sign it to create a valid server certificate. This establishes trust between the CA and the server certificate.
Signing the Server Certificate with CA#
# Sign server CSR with CA to generate server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out server.crt -days 365 -sha256 \
-extfile <(echo "subjectAltName=DNS:localhost,IP:0.0.0.0")
For mutual TLS (mTLS), we also need client certificates. First, we create a private key and CSR for the client.
Generating Client Key & CSR#
# Generate client private key
openssl genrsa -out client.key 4096
# Generate client Certificate Signing Request
openssl req -new -key client.key -out client.csr -subj "/CN=client"
Finally, we sign the client’s CSR with our CA to create a valid client certificate. This completes the certificate chain and enables mutual authentication.
Signing the Client Certificate with CA#
# Sign client CSR with CA to generate client certificate
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out client.crt -days 365 -sha256
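The complete chain that the steps above rely on, as an added example that is not part of the NIM documentation: it creates the CA (the page's signing commands reference ca.crt and ca.key but never generate them), issues the server and client certificates, and checks the result before anything is mounted into the container. It assumes the openssl command line tool is installed; the hostname, IP address, output directory and CA name are placeholders.

```shell
# Added example, not part of the Audio2Face-3D NIM documentation: builds the
# CA that the page's signing steps rely on, issues the server and client
# certificates, then checks them before they are mounted into the container.
# Assumes openssl 1.1.1+; 2048-bit keys for speed where the page uses 4096.
set -eu

make_pki() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"
    (
    cd "$dir"
    # 1. Self-signed CA (constructed name); the default openssl config marks it CA:TRUE
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -sha256 \
        -subj "/CN=Audio2Face-3D Test CA"
    # 2. Server key and CSR; the SAN must list exactly what clients will dial
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip"
    # 3. Sign it. 'openssl x509 -req' discards the CSR's extensions, so the
    #    SAN is supplied again through -extfile (a temp file instead of the
    #    page's bash-only <(...) so this also runs under plain sh)
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" "$ip" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out server.crt -days 365 -sha256 -extfile server.ext 2>/dev/null
    # 4. Client key, CSR and certificate for mTLS, restricted to clientAuth
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -subj "/CN=client"
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out client.crt -days 365 -sha256 -extfile client.ext 2>/dev/null
    )
}

# Pre-deployment checks: both leaf certs chain to ca.crt, the server cert
# really carries the SAN, and server.key is the key behind server.crt.
verify_pki() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null &&
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null &&
    openssl x509 -in "$dir/server.crt" -noout -ext subjectAltName |
        grep -q "DNS:$host" &&
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ]
}
out=${1:-$(mktemp -d)}
make_pki "$out" localhost 127.0.0.1
verify_pki "$out" localhost && echo "certificates in $out verified"
```

The files it writes (ca.crt, server.crt, server.key) are the ones the docker run commands below mount into /opt/nim/crt.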
Deploying Audio2Face-3D NIM with TLS#
Standard TLS Mode#
Standard TLS mode implements server-side authentication and encryption, ensuring secure communication between client and server.
Note
This configuration provides standard TLS security, similar to HTTPS implementations, where the server authenticates itself to clients.
# Bind mounts need absolute host paths; a bare "server.crt" would be treated
# as a named volume and the container would see an empty file
docker run -it --rm --name audio2face-3d \
--gpus all \
--network=host \
-e NGC_API_KEY=$NGC_API_KEY \
-e NIM_MANIFEST_PROFILE=$NIM_MANIFEST_PROFILE \
-v "$LOCAL_NIM_CACHE:/tmp/a2x" \
-e NIM_SSL_MODE=tls \
-v "$(pwd)/server.crt:/opt/nim/crt/ssl_cert_server.pem" \
-v "$(pwd)/server.key:/opt/nim/crt/ssl_key_server.pem" \
audio2face_3d_nim
Mutual TLS (mTLS) Mode#
Mutual TLS mode implements bidirectional authentication, requiring both server and client to present valid certificates.
Note
mTLS provides enhanced security through mutual authentication, making it ideal for business-critical applications and secure service-to-service communication.
# Bind mounts need absolute host paths; a bare "server.crt" would be treated
# as a named volume and the container would see an empty file
docker run -it --rm --name audio2face-3d \
--gpus all \
--network=host \
-e NGC_API_KEY=$NGC_API_KEY \
-e NIM_MANIFEST_PROFILE=$NIM_MANIFEST_PROFILE \
-v "$LOCAL_NIM_CACHE:/tmp/a2x" \
-e NIM_SSL_MODE=mtls \
-v "$(pwd)/server.crt:/opt/nim/crt/ssl_cert_server.pem" \
-v "$(pwd)/server.key:/opt/nim/crt/ssl_key_server.pem" \
-v "$(pwd)/ca.crt:/opt/nim/crt/ssl_ca_cert.pem" \
audio2face_3d_nim
Sample Applications#
Sample applications using TLS/mTLS are available in the Audio2Face-3D GitHub repository.