Skip to main content

License Service Configuration(license_server)

The License Service Configuration(license_server) section of Entitlement Message allows default behavior that is not related to generating a License to be overridden.

The structure of a License Service object is defined as follows.

entitlement_message.license_server
{
"return_license_request_info": true,

"access_control":
{
"prevent_drm_message_reuse": false,

"concurrency_limit": 2,
"concurrency_mode": "BLOCK_NEW_DEVICE",

"allowed_ip_addresses":
[
"10.11.12.13",
"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
],

"fairplay":
{
"concurrency_mode": "NONE",
"use_native_session_ids": false,

"allowed_device_ids":
[
"dd5f6907-f579-45e0-8b49-632a49d4fe55",
"ded51696-dd59-464c-9890-5b6db5e673c3"
]
},

"playready":
{
"concurrency_mode": "NONE",

"allowed_device_ids":
[
"ed85e2bc-63d8-4a26-8ad0-18c382c12dd9",
"0d268a04-ca6e-4e9e-8412-e05344817cf5"
]
},

"widevine":
{
"concurrency_mode": "NONE",
"use_native_session_ids": false,

"min_vmp_level": "PLATFORM_SOFTWARE_VERIFIED",
"allow_tampered_platforms": false,
"allow_non_vmp_platforms": true

"allowed_device_ids":
[
"fbdcdcaf-af84-4bf3-8dbf-3e7c47922c65",
"5a0f8872-4c83-4362-a6b5-03228a4547ce"
],

"allowed_device_certificate_serial_numbers":
[
"29a622dd-ef79-4f8f-92be-96175a3e145d",
"5a164b33-63fc-4ac6-a7db-b304f897e08f"
]
}
}
}

return_license_request_info​

Allows to specify if license request info is returned.

Default

false

Supported values

  • false - License request info is not returned.
  • true - License request info is returned.

access_control​

Allows to specify restrictions on which clients can obtain a License.

note

This object uses device IDs. For more information on device IDs, see the License Request Info Message document.

DefaultThe settings in this section have their default behaviour.
Supported valuesAny valid Access Control object (see below).

prevent_drm_message_reuse​

Specifies whether particular DRM Messages can be reused. If set to true, DRM Messages with the same ID can only be used to receive a license once per entitled key, per license service instance.

Please note:

  • This is most effective against large-scale re-use of DRM Messages. This is because the tracking is performed individually by each license service instance, and the tracking data is not persisted over long periods of time.
  • We recommend to enable this feature by default. Except, when a DRM Message is designed to be used multiple times.
  • Additionally, it is recommended to to set the expiration_date for each DRM Message - as short as possible.
Defaultfalse
Supported valuestrue, false
AvailabilityAxinom DRM FairPlay API v6.23.0+, Widevine API v6.28.0+, PlayReady API 6.22.0+

concurrency_limit​

Enables Concurrent Stream Limiting (CSL) and specifies how many concurrent playbacks are allowed. See the CSL guide for more information.

DefaultConcurrent playbacks are not limited
Supported values1 - 6
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

concurrency_mode​

Specifies the behaviour of Concurrent Streaming Limiting (CSL). This affects all DRMs; it is possible to override this setting with NONE in the DRM-specific subsections to disable CSL for specific DRMs.

  • All modes require the playback clients to present a reliable DRM identifier, or the license acquisition will fail. This particularly concerns Widevine L3 Desktop browser CDMs, where the persistentState EME setting must be set to required.

  • The session-specific modes require a session ID to be provided in the session section of the Entitlement Message. Or, alternatively, in case of FairPlay or Widevine, use_native_session_ids must be set to true.

See the CSL guide for more information.

DefaultBLOCK_NEW_DEVICE
Supported valuesBLOCK_NEW_DEVICE, BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

allowed_ip_addresses​

Allows to specify a list of client IP addresses that may receive a License. If a client’s IP address is not in this list they are not allowed to receive a License. If this list is defined but empty then no clients receive a License.

DefaultNo IP addresses are restricted.
Supported valuesAny array of strings, each of which represents an IP address in IPv4 or IPv6 format. For example: ["10.11.12.13", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"]

fairplay​

Allows to specify restrictions on which clients can obtain a License from Axinom DRM FairPlay API. These access controls only have an effect if the FairPlay DRM is used.

DefaultThe settings in this section have their default behaviour.
Supported valuesAny valid FairPlay Access Control object (see below).
concurrency_mode​

Allows exempting FairPlay DRM from Concurrent Stream Limiting, by specifying NONE here.

DefaultInherits the value of the parent concurrency_mode setting
Supported valuesNONE
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+
use_native_session_ids​

Indicates whether to use native FairPlay DRM session identifiers when using session-based CSL modes (BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION).

Setting this to true is recommended, if using a mix of session ID sources is not a concern (for PlayReady, native ID's are not available; for Widevine, their viability depends on the overall setup). In general, using native session IDs allows distinguishing individual playback sessions with most granularity.

See the CSL guide for more information.

Defaultfalse
Supported valuestrue, false
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+
allowed_device_ids​

Allows to specify a list of client device IDs that may receive a License. If a client’s device ID is not in this list they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.

DefaultNo device IDs are restricted.
Supported valuesAny array of strings, each of which represents a GUID. For example: ["dd5f6907-f579-45e0-8b49-632a49d4fe55", "ded51696-dd59-464c-9890-5b6db5e673c3"]

playready​

Allows to specify restrictions on which clients can obtain a License from Axinom DRM PlayReady API. These access controls only have an effect if the PlayReady DRM is used.

DefaultThe settings in this section have their default behaviour.
Supported valuesAny valid PlayReady Access Control object (see below).
concurrency_mode​

Allows exempting PlayReady DRM from Concurrent Stream Limiting, by specifying NONE here.

DefaultInherits the value of the parent concurrency_mode setting
Supported valuesNONE
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+
allowed_device_ids​

Allows to specify a list of client device IDs that may receive a License. If a client’s device ID is not in this list they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.

DefaultNo device IDs are restricted.
Supported valuesAny array of strings, each of which represents a GUID. For example: [ "ed85e2bc-63d8-4a26-8ad0-18c382c12dd9", "0d268a04-ca6e-4e9e-8412-e05344817cf5" ]

widevine​

Allows to specify restrictions on which clients can obtain a License from Axinom DRM Widevine API. These access controls only have an effect if the Widevine DRM is used.

DefaultThe settings in this section have their default behaviour.
Supported valuesAny valid Widevine Access Control object (see below).
concurrency_mode​

Allows exempting Widevine DRM from Concurrent Stream Limiting, by specifying NONE here.

DefaultInherits the value of the parent concurrency_mode setting
Supported valuesNONE
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+
use_native_session_ids​

Indicates whether to use native Widevine DRM session identifiers when using session-based CSL modes (BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION).

For Widevine, it is not recommended to set this to true unless the implications are understood. While in general using native session IDs allows individual playback sessions to be distinguished with most granularity, in some cases one actual playback session can cause multiple DRM sessions to be created, causing a single playback to be counted multiple times towards the concurrency limit.

See the CSL guide for more information.

Defaultfalse
Supported valuestrue, false
AvailabilityAxinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+
allowed_device_certificate_serial_numbers​

Allows to specify a list of Widevine DRM device certificate serial numbers that may receive a License. If the corresponding device DRM client device certificate serial number is not in this list, it is not allowed to receive a License. If this list is defined but empty, no clients receive a License.

A Widevine DRM device certificate serial number can be retrieved from the LicenseRequestInfo message. To signal the License Service to return the LicenseRequestInfo message, set the return_license_request_info parameter to true in the Entitlement Message. More information on LicenseRequestInfo message can be found in the License Request Info Message documentation.

DefaultNo devices are restricted by their serial number.
Supported valuesAny array of strings, each of which represents a GUID. For example: [ "29a622dd-ef79-4f8f-92be-96175a3e145d", "5a164b33-63fc-4ac6-a7db-b304f897e08f" ]
allowed_device_ids​

Allows to specify a list of client device IDs that may receive a License. If a client’s device ID is not in this list, they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.

warning

Current Widevine clients no longer report the Device ID. Use this option only if you need compatibility with older clients. Otherwise, use the allowed_device_certificate_serial_numbers instead.

DefaultNo devices are restricted by their Device ID.
Supported valuesAny array of strings, each of which represents a GUID. For example: [ "fbdcdcaf-af84-4bf3-8dbf-3e7c47922c65", "5a0f8872-4c83-4362-a6b5-03228a4547ce" ]
allow_non_vmp_platforms​

Specifies whether client platforms that do not support Verified Media Path (VMP) are allowed to get licenses. Such platforms include: Android, Tizen, WebOS and Roku.

warning

This is an advanced setting that should not be used unless there is a special reason for it. Non-VMP platforms do not implement VMP by design and should not be considered less secure.

Defaulttrue
Supported valuestrue, false
AvailabilityAxinom DRM Widevine API v6.21.0+
allow_tampered_platforms​

Specifies whether client platforms with tampered Verified Media Path implementation should be allowed to get a license.

warning

It is highly recommended to set this to false. The default is true to align with the default behaviour of Google’s Widevine license service SDK and service, to avoid backwards incompatible changes.

Defaulttrue
Supported valuestrue, false
AvailabilityAxinom DRM Widevine API v6.21.0+
min_vmp_level​

Specifies the minimum Verified Media Path (VMP) level of client platforms that should be allowed to get a license. Verified Media Path is an anti-tamper system mainly intended to ensure the integrity of browser platforms.

The levels, from the lowest to the highest, are:

  1. "PLATFORM_UNVERIFIED" - indicates that a browser-based client is used where the Widevine CDM cannot verify its hosting application. This includes all browser-based platforms on Linux, Electron apps without proper VMP implementation and Chrome OS running in developer mode or with remote attestation blocked.
  2. "PLATFORM_SOFTWARE_VERIFIED" - VMP is verified at software level. This is equivalent to clients with L3 security level.
  3. "PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED" - this is equivalent to clients with L3 security level that also have a secure storage required for license persistence.
  4. "PLATFORM_HARDWARE_VERIFIED" - VMP is verified at the hardware level. This is equivalent to clients with L1 security level.
tip

It is recommended to set the minimum VMP level higher than "PLATFORM_UNVERIFIED". However, it should be kept in mind that raising the level beyond the minimum may block some popular platforms, such as browser clients on Linux or some Electron-based solutions without proper VMP implementation.

The default used by Axinom is "PLATFORM_UNVERIFIED", since it is also the default of Google’s Widevine license service SDK and services, and avoids backwards incompatible changes.

Default"PLATFORM_UNVERIFIED"
Supported values"PLATFORM_UNVERIFIED", "PLATFORM_SOFTWARE_VERIFIED", "PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED", "PLATFORM_HARDWARE_VERIFIED"
API supportWidevine API 6.21.0+