Nimble Streamer DRM: Widevine, Playready, EZDRM, Verimatrix VCAS

Nimble Streamer DRM

Digital Rights Management for live streaming: Widevine, Playready, FairPlay, EZDRM, PallyCon, Verimatrix

Nimble Streamer supports the following DRM encryption.

Google Widevine™ support to protect MPEG-DASH.
Microsoft Playready™ support to protect MPEG-DASH.
Apple FairPlay™ support to protect HLS.
Widevine Cloud Service support with key rotation.
EZDRM DRM-as-a-Service support for Widevine, FairPlay and Playready. Read the introduction blog post.
PallyCon support for Widevine, FairPlay and Playready. Read introduction blog post about our collaboration.
Verimatrix™ VCAS key management support to protect HLS with AES.

Follow these easy steps to start using the DRM feature set:

Set up Nimble Streamer and register Addenda license.
Configure DRM using simple drm.conf file on Nimble Streamer server side.
Test protected streams in your players.

1. Set up Nimble Streamer and Addenda license

1.1 Prerequisites: you need to have the following items to be completed before proceeding with DRM setup.

You have a proper DRM-enabled player set up and tested so you could test the encrypted streams.
You signed up for WMSPanel account.
Latest version of Nimble Streamer was installed and is running.
Test live stream was properly set up and it's playing fine. Check live streaming digest page to find proper setup instructions.
You have a separate working test output stream which you'd like to encrypt.
You subscribed for WMSPanel account, at least for basic minimum subscription.

1.2 Addenda license: Nimble Streamer DRM is part of Nimble Streamer Addenda premium package.
You need to subscribe for Addenda package license for each Nimble Streamer server instance where you want to enable DRM.
Use instruction from Addenda page to obtain and register the license.

2. Configure DRM settings

All DRM settings are stored in drm.conf file located at the same location as nimble.conf. E.g. on Linux, you need to create /etc/nimble/drm.conf file.
Just add a few lines and you're all set.

2.a General parameters

The config consist of a set of drm{} blocks, each of them contains settings for specified applications.
Show setup details

Mandatory parameters must be included in every block, they are as follows.

application defines space-separated list of names of applications where settings will be applied.
type parameter defines the type of a key provider server.
keyserver parameter defines the URL of a key server for specific key provider.

Optional parameters may be used in case when they are needed in specific cases.
By default Nimble Streamer generates unique content IDs itself, but if you need to override them you can use these parameters.

content_id defines content ID for applications covered by current "drm" block.
stream_name_to_content_id = truesets content ID to be generated based on individual stream names.

content_ids defines the set of exact content IDs for each stream.
Here's an example.

content_ids {
    stream1 = Se52m_stream1_id_0mVQ==
    stream2 = Se52m_stream2_id_0mVQ==
    stream3 = Se52m_stream3_id_0mVQ==
}

Other parameters are specific to the key provider, they'll be described in each section.

2.b Widevine Cloud Service

You can encrypt content with Google Widevine and use key rotation.
Show setup details

drm {
  application = live_wv1 live_wv2 live_wv3
  keyserver = https://license.uat.widevine.com/cenc/getcontentkey/widevine_test
  type = widevine
  widevine_signer = widevine_test
  widevine_aes_signing_key = 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9
  widevine_aes_signing_iv = d58ce954203b7c9a9a9d467f59839249
}

Mandatory parameters define Widevine-specific behavior:

widevine_signer, widevine_aes_signing_key, widevine_aes_signing_iv

Optional parameters describe key rotation:

key_rotation_interval parameter defines the interval for rotating keys where it's applicable. If it's set to "0", then keys will not be rotated.
key_count parameter defines how many keys will be taken from a key server at once for further rotation.

2.c EZDRM

You can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using EZDRM key servers.
Show setup details

drm {
  application = live_ezdrm
  type = ezdrm
  user = user@yourcompany.com
  password = 12yourpassword34&*@#
}

Mandatory parameters define EZDRM access credentials:

user is user name in EZDRM
password is that user's password

2.d PallyCon

You can encrypt content with Google Widevine, Apple FairPlay and Microsoft Playready using PallyCon key servers.
Show setup details

drm {
  type = pallycon
  pallycon_kms_token = yourtoken
}

Mandatory parameter define access token:

pallycon_kms_token is a token for acessing PallyCon

2.e Verimatrix VCAS

You can encrypt HLS content with AES encryption using Verimatrix VCAS key servers.
Show setup details

drm {
  application = live_vcas
  keyserver = http://key_server_ip:8058
  type = vcas
}

Verimatrix allows using key rotation, it's optional:

key_rotation_interval parameter defines the interval for rotating keys where it's applicable. If it's set to "0", then keys will not be rotated.
key_count parameter defines how many keys will be taken from a key server at once for further rotation.

Verimatrix has other optional parameters like this one:

vcas_encoder_token parameter defines the token for certain cloud scenarios.

3. Test encrypted streams and troubleshoot

Once you re-start Nimble Streamer, you may use your player to test the encrypted live stream to make sure the setup is correct.

If the stream doesn't play then disable corresponding DRM section in drm.conf and re-start Nimble Streamer instance. This will let you determine if the DRM setup is the root cause of the problem.

If you still have issues after making fixes to configuration, contact our support. We'll need your drm.conf file, a live stream to test, and a web page with that stream and DRM-enabled player.