Integrating Axinom DRM with AWS MediaLive/MediaPackage

Introduction

It is possible to integrate Axinom Key Service Secure Packager and Encoder Key Exchange (SPEKE) with Amazon Web Services MediaLive and MediaPackage. The following article provides you step-by-step guidelines for doing so.

note

This guide outlines the main integration points with Axinom DRM and is intended to support your implementation efforts. For production use, we strongly recommend consulting the official AWS documentation to ensure best practices and a secure, scalable setup are followed.

Pre-Requisites

The prerequisites for integrating Axinom DRM Key Service with AWS MediaPackage are:

• Setup an API Gateway endpoint to handle SPEKE key requests (Refer: Setting up the AWS API Gateway)
• Setup an IAM role that allows MediaPackage to invoke API Gateway.(Refer: Setting up the Identity and Access Management Role)

MediaPackage Setup

MediaPackage takes a live stream sent by the MediaLive service (configured in the next section) and then packages it as DASH and CMAF content while obtaining keys from Axinom Key Service via the previously configured API Gateway proxy service.

Encrypted DASH content is created for playback with Widevine and PlayReady DRM; encrypted CMAF (HLS + fMP4) for playback with FairPlay. Clear versions of both types of content are also created.

1. Open the AWS MediaPackage console: https://console.aws.amazon.com/mediapackage

2. Create a new channel:

   1. Choose Next step in the Create a new channel pane.

   2. Configure the channel:

      1. When using MediaPackage V1,

         • ID: "MediaPackage-Channel01"
         • Choose Create. A channel with two inputs is created.

         

         note

         Note down the URL, username and password of both inputs. They are used later when configuring MediaLive.

      2. When using MediaPackage V2,

         • Go to MediaPackage channel List -> Live v2, select Channel groups

         

         • Create a Channel Group

           • Channel group name: "MediaPackageV2-ChannelGroup01"
           • Click Create.

           

         • Now under the above created channel group, you can create a channel.

           • Click on Create Channel
           • Channel Name: "MediaPackageV2-Channel01"
           • Input Type : HLS
           • Click on Create

3. Add an endpoint for clear DASH content:

   1. Choose Add endpoints.

      

   2. Configure the endpoint:

      • ID: "DASH-Clear".

      • Manifest Name: "Manifest".

      • Packager settings -> Type: select DASH-ISO.

      • Package encryption -> select No encryption.

        

   3. Choose Save.

4. Add an endpoint for the encrypted DASH content:

   1. Choose Add/edit endpoints.

   2. Choose Add.

      

   3. Configure the endpoint:

      • ID: "DASH-Encrypted".

      • Manifest Name: "Manifest".

      • Packager settings -> Type: select DASH-ISO.

      • Package encryption -> select Encrypt content and provide the following:

        • Resource ID: "EncryptionTest" (an arbitrary value that MediaPackage uses for generating content key IDs).

        • System ID is a DRM system-specific identifier, see DRM systems

        • URL: <API Gateway Invoke URL for Axinom Key Service> (the value from the API Gateway setup).

        • Role ARN: <IAM MediaPackage role ARN> (the value from the IAM setup).

          

      • Disable key rotation to simplify license token generation for testing purposes:

        • Expand Additional configuration and unselect Key rotation interval (sec).

          

   4. Choose Save.

5. Add an endpoint for clear CMAF content:

   1. Choose Add/edit endpoints.
   2. Choose Add.
   3. Configure the endpoint:
      • ID: "CMAF-Clear".
      • Manifest Name: "Manifest".
      • Packager settings -> Type: select Common Media Application Format (CMAF).
      • HLS manifest -> ID: "CMAF-Clear".
      • Package encryption -> select No encryption.
   4. Choose Save.

6. Add an endpoint for the encrypted CMAF content:

   1. Choose Add/edit endpoints.

   2. Choose Add.

   3. Configure the endpoint:

      • ID: "CMAF-Encrypted".

      • Manifest Name: "Manifest".

      • Packager settings -> Type: select Common Media Application Format (CMAF).

      • HLS manifest -> ID: "CMAF-Encrypted".

      • Package encryption -> select Encrypt content and provide the following:

        • Resource ID: "EncryptionTest" (an arbitrary value that MediaPackage uses for generating content key IDs).

        • System IDs: "94CE86FB-07FF-4F43-ADB8-93D2FA968CA2" (FairPlay System ID).

        • URL: <API Gateway Invoke URL for Axinom Key Service> (the value from the API Gateway setup).

        • Role ARN: <IAM MediaPackage role ARN> (the value from the IAM setup).

      • Disable key rotation to simplify license token generation for testing purposes:

        • Expand Additional configuration and unselect Key rotation interval (sec).

   4. Choose Save.

7. Add an endpoint when using Media Package V2:

   1. Select TS as the container type.
   2. Package encryption -> select Encrypt content and provide the following:
      • Encryption method : "Sample AES"
      • DRM systems : "Fairplay"
      • Resource ID: "EncryptionTest" (an arbitrary value that MediaPackage uses for generating content key IDs).
      • Key server URL: <API Gateway Invoke URL for Axinom Key Service> (the value from the API Gateway setup).
      • Role ARN: <IAM MediaPackage role ARN> (the value from the IAM setup).
      • Video encryption preset : Select Shared if you need a single key for Video and Audion tracks.
   3. Add a HLS manifest :
      • Manifest name: "Manifest"
   4. Choose Save.

8. Note down the endpoints URLs. These are used when testing playback.

   

MediaLive Setup

Now the MediaLive service can be configured to ingest a live stream and send it to the MediaPackage service for packaging. In this demo, we take a clear live HLS stream from an external source and package it into two live DASH streams: one clear and one encrypted.

1. Open the AWS MediaLive console: https://console.aws.amazon.com/medialive

2. Create a new channel:

   1. Choose Create channel in the Get started pane.

   2. Channel name: "MediaLive-Channel01".

   3. Create MediaLive IAM role for the channel:

      1. Select Create role from template (alternatively, select a suitable existing role).

         

      2. Choose Create IAM role.

   4. Add channel inputs:

      1. In the Input attachments section of the Channel pane, choose Add.

         

      2. Choose Create input in the Attach input pane.

         

      3. Configure the input:

         • Input name: "MediaLive-Input".

         • Input type: select HLS.

           

         • Input source A URL: "https://cph-p2p-msl.akamaized.net/hls/live/2000341/test/master.m3u8".

         • Input source B URL: "https://cph-p2p-msl.akamaized.net/hls/live/2000341/test/master.m3u8".

           note

           It is recommended to provide your own input sources. The example sources may or may not be available.

           note

           As tested during the creation of this guide, the HLS input type expects MPEG2-TS content and does not work with fMP4 HLS input.

           

      4. Choose Create.

      5. Select MediaLive-Input as the Input in the Attach input pane.

         

      6. Choose Confirm.

   5. Add channel outputs:

      1. In the Output groups section of the Channel pane, choose Add.

         

      2. Output group type: choose HLS.

      3. Choose Confirm.

      4. Configure HLS group destination A (refer to the values of the first MediaPackage input noted down previously):

         1. When using MediaPackage V1,

            1. URL: <MediaPackage-Channel01 Input #1 URL>.

            2. Expand Credentials.

            3. Username: <MediaPackage-Channel01 Input #1 Username>.

            4. Select Create parameter in the Password section.

            5. Name: "MediaPackage-Channel01-Credentials01".

            6. Password value: <MediaPackage-Channel01 Input #1 Password>.

               

            7. Choose Create parameter.

         2. When using MediaPackage V2,

            1. URL: You can find the Ingest URL from the MediaPackage Channel Settings. Add the Ingest endpoint 1 URL here.

               

            2. Since the Credentials are optional, you can ignore it.

      5. Configure HLS group destination B (refer to the values of the second MediaPackage input noted down previously):

         1. When using MediaPackage V1,

            1. URL: <MediaPackage-Channel01 Input #2 URL>.
            2. Expand Credentials.
            3. Username: <MediaPackage-Channel01 Input #2 Username>.
            4. Select Create parameter in the Password section.
            5. Name: "MediaPackage-Channel01-Credentials02".
            6. Password value: <MediaPackage-Channel01 Input #2 Password>.
            7. Choose Create parameter.

         2. When using MediaPackage V2,

            1. URL: You can find the Ingest URL from the MediaPackage Channel Settings. Add the Ingest endpoint 2 URL here.

               

            2. Since the Credentials are optional, you can ignore it.

      6. Configure HLS settings:

         • Choose HLS webdav in the CDN Settings section (this is required for sending content to MediaPackage).

           

   6. Choose Create channel.

      

3. Choose Start to start the channel and wait until it’s in the Running state.

   note

   When the Running state is reached it may take an additional minute before the stream is available.

   

Playback Test

Playback can be tested on the Axinom Video Test Bench website.

1. Open the VTB site: https://vtb.axinom.com. Use a suitable browser for the content being tested:

   • Playback of clear content doesn’t have browser restrictions.
   • To play the encrypted DASH content with Widevine, use Chrome or Firefox.
   • To play the encrypted DASH content with PlayReady, use Edge or IE.
   • To play the encrypted CMAF content (FairPlay-protected), use Safari.

2. Test DASH-Clear playback:

   1. Select Shaka player.

      note

      For DASH content, we recommend Shaka player because the latest Dash.js players were unable to play some of the content produced in this demo.

   2. Stream URL: <MediaPackage DASH-Clear endpoint URL>.

   3. Leave rest of the fields blank.

   4. Choose Load stream. The video should play.

      

3. Test DASH-Encrypted playback:

   1. Select Shaka player.

   2. Stream URL: <MediaPackage DASH-Encrypted endpoint URL>.

   3. Token: <Your license token>.

      note

      Make sure that the token specifies the Key ID(s) generated by AWS MediaPackage.

   4. Set the license service:

      • For Widevine playback: "https://drm-widevine-licensing.axprod.net/AcquireLicense".
      • For PlayReady playback: "https://drm-playready-licensing.axprod.net/AcquireLicense".

   5. Choose Load stream. Video should play.

      

4. Test the CMAF-Clear playback:

   1. Select the FairPlay player (Safari only). Alternatively, clear CMAF also plays in Shaka.
   2. Stream URL: <MediaPackage CMAF-Clear endpoint URL>.
   3. Leave rest of the fields blank.
   4. Choose Load stream. The video should play.

5. Test the CMAF-Encrypted playback:

   1. Select the FairPlay player (Safari only).

   2. Stream URL: <MediaPackage CMAF-Encrypted endpoint URL>.

   3. Token: <Your license token>.

   4. FPS Certificate URL: <the URL to your FairPlay application certificate>.

   5. License service: "https://drm-fairplay-licensing.axprod.net/AcquireLicense".

   6. Choose Load stream. The video should play.