Nimble Streamer supports Digital Rights Management from a variety of encryption providers including Widevine, Playready, FairPlay with EZDRM, Axinom, BuyDRM and other management platforms. DRM provides the required extra layer of security to ensure that only authorized users can access and view content. This can prevent piracy and unauthorized distribution, which protects the rights of content creators and owners.
DRM capabilities of Nimble Streamer
Nimble Streamer supports DRM CENC encryption for MPEG-DASH and HLS with fMP4 container in the following use cases:
- Google Widevine™ Cloud License Service support to protect MPEG-DASH.
- Microsoft Playready™ support to protect MPEG-DASH.
- Apple FairPlay™ support to protect HLS.
- Multi-key HLS can be protected using both Widevine and FairPlay.
Read Widevine DRM support for HLS article to learn more. - All encryption works for H.264/AVC and H.265/HEVC codecs.
- AV1 codec is supported for Widevine-encrypted MPEG-DASH streams.
- EZDRM DRM-as-a-Service support for Widevine, FairPlay and Playready. Read the introduction blog post.
- Axinom support for Widevine, FairPlay and Playready. Read setup docs on Axinom website.
- Cloud DRM is supported for Widevine, FairPlay and Playready. Read the introduction post.
- BuyDRM KeyOS support for Widevine, FairPlay and Playready.
- castLabs DRMToday support
- PallyCon support for Widevine, FairPlay and Playready. Read introduction blog post about our collaboration.
- Sigma DRM support for Widevine, FairPlay and Playready.
- Verimatrix VCAS CPIX multi-DRM support for Widevine, FairPlay and Playready.
- Widevine Cloud Service support with key rotation.
Nimble supports DRM in the following scenarios:
- Encrypting live streaming output based on any input.
- DVR encryption for playback of recorded streams.
- VOD content encryption during playback.
Verimatrix™ VCAS CEI key management is supported to protect live HLS streams with AES encryption.
It’s not supported for DVR and VOD use cases.
Follow these easy steps to start using the DRM feature set:
- Set up Nimble Streamer and register Addenda license.
- Configure DRM using simple drm.conf file on Nimble Streamer server side.
- Test protected streams in your players.
1. Set up Nimble Streamer
1.1 Prerequisites: you need to have the following items to be completed before proceeding with DRM setup.
- You have a proper DRM-enabled player set up and tested so you could test the encrypted streams.
- You signed up for WMSPanel account.
- Latest version of Nimble Streamer was installed and is running.
- SSL is properly set up and tested.
1.2 Set up streaming: create and test your streaming scenario without any encryption first.
- For live streaming, refer to live streaming digest page to find proper setup instructions.
Check NDI conversion to DRM video tutorial as example. - For DVR, refer to DVR feature digest and DVR setup article to make it work for your live stream.
- For VOD scenario, refer to VOD features digest. You can try HLS VOD setup and MPEG-DASH VOD setup articles as examples.
You need to explicitly forbid access to VOD files via progressive download as described in this article. - When a viewer connects to streams via MPEG-DASH or fMP4 HLS within an application protected by the DRM, its output will be encrypted with respective DRM engine.
- If you play fMP4 HLS, make sure you use fMP4 playback URL which has fmp4 suffix, e.g. https://servername/stream/name/playlist_fmp4.m3u8
Overall, you need to make sure you have a separate working test output stream which you’ll try to encrypt.
Once you set up DRM as described below, you’ll be able to apply it to your production environment.
2. Subscribe and License
2.1 WMSPanel subscription
You need to be subscribed for WMSPanel account, at least for basic minimum subscription. So, once you made sure Nimble Streamer works with non-encrypted use cases you can follow subscription instructions on your profile page.
2.2 Addenda license
Nimble Streamer DRM is part of Nimble Streamer Addenda premium package.
You need to subscribe for Addenda package license for each Nimble Streamer server instance where you want to enable DRM.
Use instruction from Addenda page to obtain and register the license.
3. Configure DRM Settings
All DRM settings are stored in drm.conf file located at the same location as nimble.conf. E.g., on Linux, you need to create /etc/nimble/drm.conf file.
Just add a few lines, re-start Nimble Streamer and you’re all set. You may also apply drm.conf changes by using native API call without Nimble re-start.
General parameters
The config consist of a set of drm{} blocks, each of them contains settings for specified applications.
Show setup details
Mandatory parameters must be included in every block, they are as follows.
applicationdefines space-separated list of names of applications where settings will be applied.typeparameter defines the type of a key provider server.keyserverparameter defines the URL of a key server for specific key provider.
Optional parameters may be used in case when they are needed in specific cases.
By default Nimble Streamer generates unique content IDs itself, but if you need to override them you can use these parameters.
widevine_hls_enabled = trueenables Widevine protection for HLS streams.
Read Widevine DRM support for HLS article to learn more.content_iddefines content ID for applications covered by current “drm” block.stream_name_to_content_id = truesets content ID to be generated based on individual stream names.content_idsdefines the set of exact content IDs for each stream.
Here’s an example.content_ids { stream1 = Se52m_stream1_id_0mVQ== stream2 = Se52m_stream2_id_0mVQ== stream3 = Se52m_stream3_id_0mVQ== }
Other parameters are specific to the key provider, they’ll be described in each section.
Nimble can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using EZDRM key servers.
Watch step-by-step tutorial showing the setup of Nimble Streamer with EZDRM Widevine for live, DVR and VOD.
Notice that EZDRM resource ID can be specified using content_id parameter.
Show setup details
drm {
application = live_ezdrm
type = ezdrm
user = [email protected]
password = 12yourpassword34&*@#
}Mandatory parameters define EZDRM access credentials:
useris user name in EZDRMpasswordis that user’s password
Nimble can use Axinom service to encrypt content with Widevine, FairPlay and Playready.
You need to go to Axinom portal / My Mosaic and go to DRM section to get configuration details and read setup manual in Axinom knowledge base.
Show setup details
drm {
application = live_drm
type = axinom
axinom_tenant_id = <Key Service Tenant ID>
axinom_management_key = <Key Service Management Key>
content_id = <put your Content ID here>
content_ids {
stream1 = 1232345-8602-11ea-b04b-7fccdabcdef2
stream2 = 1232345-8602-11ea-b04b-7fccdabcdef3
}
}A specified Content ID (an UUID) is used in SPEKE request as both the Content ID (content_id) and Key ID (kid).
Multiple Key IDs for a single stream are currently not supported.
content_id is a default value for the whole application. If you want to set a specific key for a specific stream, you can use content_ids option and specify the stream-specific values.
Mandatory parameters define Axinom access credentials:
axinom_tenant_idis Key Service Tenant IDaxinom_management_keyis Key Service Management Keycontent_id and content_idsare required for respective content encryption, see above
Nimble can use DRM.cloud service to encrypt content with Widevine, FairPlay and Playready.
You need to register to obtain Cloud DRM login and password, they are mandatory. SPEKE 2 API URL should be copied from configuration page.
Show setup details
drm {
application = live_drm
type = cloud_drm
keyserver = <SPEKE 2 API URL>
cloud_drm_login = <basic_auth_login>
cloud_drm_password = <basic_auth_password>
content_id = 1232345-8602-11ea-b04b-7fccdabcdef1
content_ids {
stream1 = 1232345-8602-11ea-b04b-7fccdabcdef2
stream2 = 1232345-8602-11ea-b04b-7fccdabcdef3
}
}Mandatory parameters define Cloud DRM access credentials:
keyserveris SPEKE 2 API URLcloud_drm_login and cloud_drm_passwordare user and passwordcontent_id and content_idsare required for respective content encryption
Nimble can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using BuyDRM KeyOS.
Show setup details
drm {
application = live_keyos
type = keyos
keyos_user_certificate_file = /home/user/keyos/conf/keyos_user.crt
keyos_user_key_file = /home/user/keyos/conf/keyos_user.key
}Mandatory parameters define KeyOS access credentials:
keyos_user_certificate_fileis an end user’s public x509 certificatekeyos_user_key_fileis an end user’s x509 private key file
Optional content IDs. You may set content_id and content_ids parameters like in other cases but they must be set in UUID format, e.g.content_id = 2193eb5b-544b-1234-abcd-1e94b0f778b8
Nimble can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using PallyCon key servers.
Show setup details
drm {
application = live_pally
type = pallycon
pallycon_kms_token = yourtoken
}Mandatory parameter define access token:
pallycon_kms_tokenis a token for accessing PallyCon
Nimble can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using Sigma DRM key servers.
Show setup details
drm {
application = live_sigma
type = sigma_drm
sigma_drm_token = <token>
sigma_drm_merchant_id = <merchant_id>
sigma_drm_app_id = <app_id>
}Mandatory parameter define access token:
sigma_drm_tokenis a token to access Sigma DRM CPIX APIsigma_drm_merchant_idis a merhant ID with Sigma DRMsigma_drm_app_idis an application ID with Sigma DRM
Nimble can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using castLabs DRMToday key servers.
Show setup details
drm {
application = live_drmtoday vod_drmtoday
type = drmtoday
drmtoday_user = <user_name>
drmtoday_password = <user_password>
drmtoday_merchant_id = <organization UUID>
drmtoday_cpix_config_id = <CPIX config ID>
content_id = movie
content_ids {
stream1 = movie1
stream2 = movie2
}
}In order to get user_name and user_password, you need to create API account (without DRMToday dashboard access) in “Members / Users” section.
Organization UUID can be obtained in API endpoints in DRMToday dashboard
CPIX config ID can be created in “Configuration -> Ingest settings”
If Nimble is working in DRMToday staging environment then you need to add the following
keyserver = https://fe.staging.drmtoday.com/
drmtoday_auth_url = https://auth.staging.drmtoday.com/cas/v1/ticketscontent_id / content_ids is the Asset ID in DRMToday dashboard.
Nimble can encrypt content with Google Widevine and use key rotation.
Show setup details
drm {
application = live_wv1 live_wv2 live_wv3
keyserver = https://license.uat.widevine.com/cenc/getcontentkey/widevine_test
type = widevine
widevine_signer = widevine_test
widevine_aes_signing_key = 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9
widevine_aes_signing_iv = d58ce954203b7c9a9a9d467f59839249
}Mandatory parameters define Widevine-specific behavior:
widevine_signer, widevine_aes_signing_key, widevine_aes_signing_iv
Optional parameters describe key rotation:
key_rotation_intervalparameter defines the interval for rotating keys where it’s applicable. It’s defined in seconds. If it’s set to “0”, then keys will not be rotated.key_countparameter defines how many keys will be taken from a key server at once for further rotation.
Nimble can encrypt content using Verimatrix multi-DRM with Widevine, Playready and FairPlay.
Show setup details
drm {
application = live_vcas
keyserver = http://key_server_ip:8058
type = vcas_cpix
}Optional parameters may be used in case when they are needed in specific cases.
key_iddefines key ID for applications covered by current “drm” block.key_idsdefines the set of exact key IDs for each stream.
Here’s an example.key_id = 54f7d90a-bc2f-bc9b-08d4-bbeac4ccf08b key_ids { stream1 = 7dfb3eb6-677e-11eb-a5a9-b754f57205c9 stream2 = 82ea16f4-677e-11eb-81e0-6f945b12648a }
Nimble can encrypt HLS content with AES encryption using Verimatrix VCAS key servers.
Show setup details
drm {
application = live_vcas
keyserver = http://key_server_ip:8058
type = vcas_cei
}Verimatrix allows using key rotation, it’s optional:
key_rotation_intervalparameter defines the interval for rotating keys where it’s applicable. If it’s set to “0”, then keys will not be rotated.key_countparameter defines how many keys will be taken from a key server at once for further rotation.
Verimatrix has other optional parameters like this one:
vcas_encoder_tokenparameter defines the token for certain cloud scenarios.
Nimble can make per-application HLS AES encryption of HLS content.
Show setup details
drm {
application = live_aes
type = hls_aes128
key = 78E9A33351234FBDD0EF6C233B310F55
}This feature has optional parameter:
key_urlparameter defines the URL for key if it’s not handled by Nimble Streamer.
4. Test Encrypted Streams and Troubleshoot
Once you re-start Nimble Streamer, you may use your player to test the encrypted live stream to make sure the setup is correct. On Android, you may use Larix Player free app to play content encrypted via MPEG-DASH with Widevine and PlayReady in live, DVR and VOD modes.
Make sure you use SSL for your streams’ playback.
If the stream doesn’t play, then disable corresponding DRM section in drm.conf and re-start Nimble Streamer instance. This will let you determine if the DRM setup is the root cause of the problem. Notice that you may apply drm.conf changes by using this this Nimble native API call.
If you have issues after making fixes to configuration, contact our support. We will need your drm.conf file, a live stream to test, and a web page with that stream and DRM-enabled player.
Free trial of WMSPanel included