Verimatrix

USP supports Verimatrix VCAS. You need to fetch a content key with the VCAS API and pass it on the command line when creating the server manifest.

Using the VCAS API

Obtaining a key from the VCAS license server is a two-step process.

The first step is to create a key, for instance:

# create 1 key (c=1)
curl -v \
 -X POST \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&c=1'

  • the HTTP verb used is POST

  • the c parameter is used to indicate the number of keys to create

The second step is to get the created key:

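# get the key (p=0)
# The response is binary, so convert it inside the pipe: a shell variable
# cannot hold NUL bytes and would corrupt the key.
key_hex16=$(curl -v \
 -X GET \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&p=0' \
 | hexdump -v -e '16/1 "%02x"')

  • the HTTP verb used is GET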

  • the p parameter is used to indicate which key should be returned

The second call returns the key in binary form; it should be converted to hex (base16) before it can be used with mp4split.

Creating a server manifest with Verimatrix VCAS

The following command creates a server manifest file with the key information embedded:

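#!/bin/bash

# Step 1: create one key (c=1)
curl -v \
 -X POST \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&c=1'

# Step 2: fetch the key (p=0) and convert it to hex inside the pipe.
# The key is binary: a shell variable cannot hold NUL bytes, and an
# unquoted expansion would also split it on whitespace.
key_hex16=$(curl -v \
 -X GET \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&p=0' \
 | hexdump -v -e '16/1 "%02x"')

# Step 3: embed the key and the license server URL in the server manifest
mp4split -o video.ism \
  --hls.key=:${key_hex16} \
  --hls.license_server_url="http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&p=0" \
  video.ismv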

Please note that in the above example some dummy values are used:

  • you need to provide values for r, t, c and p (see the Verimatrix documentation)

  • VERIMATRIX_URL should be replaced with the URL provided by Verimatrix

  • YOUR_USER_ID should be replaced with your customer id, provided by Verimatrix

  • VOD can also be another type (see the Verimatrix documentation)

Adding AES-128 Encryption

--hls.key

The key id (KID) and content encryption key (CEK) are passed with the --hls.key option where KID and CEK are separated by a colon, e.g. --hls.key=KID:CEK

As no KID is used for AES-128, this can be left empty. The CEK is a (random) 128-bit value and must be coded in hex (base16).

--hls.license_server_url

The URL used by the player to retrieve the key.

Adding PlayReady Envelope DRM

New in version 1.6.9.

USP supports adding 'PlayReady Envelope' (PRE) encryption to presentations played out to, for instance, the Inside Secure player. The encryption is applied on the fly, so there is no preprocessing involved. The options for enabling encryption are stored in the server manifest file.

For PlayReady Envelope encryption, a KID:CEK pair and a license acquisition URL are needed.

--iss.key

The 128-bit Key ID (KID) and 128-bit Content Encryption Key (CEK) are passed with the --iss.key option where KID and CEK are separated by a colon, e.g. --iss.key=KID:CEK

Both KID and CEK must be coded in base16 (hex).

Note

The KID from a PlayReady License server may be formatted as a little-endian GUID. In that case you have to change the endianness as we always use a big-endian UUID representation of the KID.

--iss.license_server_url

The URL of the license server used.

--hls.playout

The string 'playready_envelope' indicating PRE.

Example

The following command creates a server manifest file with the key information embedded:

#!/bin/bash

KID=7C9AA2B68306466F882D75BED922CD25
CEK=827eb4cef2afa2afe8fe5d2c374cd60e
LAURL=https://test.playready.microsoft.com/service/rightsmanager.asmx

MP4SPLIT_OPTIONS=
MP4SPLIT_OPTIONS+=" --iss.key=${KID}:${CEK}"
MP4SPLIT_OPTIONS+=" --iss.license_server_url=${LAURL}"
MP4SPLIT_OPTIONS+=" --hls.playout=playready_envelope"

mp4split -o video.ism ${MP4SPLIT_OPTIONS} video.ismv
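
The note above on KID endianness, worked through as an added example (not part of the original documentation or of USP). The function names are hypothetical, the inputs are constructed from the KID used in the script above, and the base64 form assumes the KID was copied from a PlayReady header, which stores it as base64 of the little-endian GUID bytes.

```shell
#!/bin/sh
# Added example: normalise a PlayReady KID to the big-endian hex that
# --iss.key expects. Function names are hypothetical.

# A GUID stores Data1 (4 bytes), Data2 (2) and Data3 (2) little-endian;
# Data4 (8 bytes) is a plain byte array. Reversing the first three fields
# converts between the two layouts (the operation is its own inverse).
kid_le_to_be() {
  # Accept 32 hex digits with optional braces and dashes, in any case.
  kid_hex=$(printf '%s' "$1" | sed 's/[{}-]//g' | tr 'A-F' 'a-f')
  case "$kid_hex" in
    *[!0-9a-f]*) echo "kid_le_to_be: not hex: $1" >&2; return 1 ;;
  esac
  if [ "${#kid_hex}" -ne 32 ]; then
    echo "kid_le_to_be: expected 128 bits (32 hex digits): $1" >&2
    return 1
  fi
  printf '%s\n' "$kid_hex" | sed -E \
    's/^(..)(..)(..)(..)(..)(..)(..)(..)(.{16})$/\4\3\2\1\6\5\8\7\9/'
}

# Assumption: the input is base64 of the 16 little-endian GUID bytes.
# Decode inside the pipe so the raw bytes never pass through a variable;
# a failed or short decode is rejected by the length check above.
kid_b64_to_be() {
  kid_le_to_be "$(printf '%s' "$1" | base64 -d 2>/dev/null |
    od -An -v -tx1 | tr -d ' \n')"
}

# Constructed inputs: byte-swapped forms of the KID used on this page.
kid_le_to_be 'B6A29A7C-0683-6F46-882D-75BED922CD25'
kid_b64_to_be 'tqKafAaDb0aILXW+2SLNJQ=='
```

Both calls print the same 32 hex digits, which can be passed as the KID part of --iss.key.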

Server Manifest and Playlist

The generated server manifest file (video.ism) now holds the key information. When a client requests an .m3u8 playlist, the webserver module will provide it. Please note that with PRE no signaling is to be found in the m3u8. The MPEG-TS fragments are encrypted on the fly as they are requested (and will contain the signaling).