License Service Configuration(license_server)
The License Service Configuration(license_server) section of Entitlement Message allows default behavior that is not related to generating a License to be overridden.
The structure of a License Service object is defined as follows.
{
"return_license_request_info": true,
"access_control":
{
"prevent_drm_message_reuse": false,
"concurrency_limit": 2,
"concurrency_mode": "BLOCK_NEW_DEVICE",
"allowed_ip_addresses":
[
"10.11.12.13",
"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
],
"fairplay":
{
"concurrency_mode": "NONE",
"use_native_session_ids": false,
"allowed_device_ids":
[
"dd5f6907-f579-45e0-8b49-632a49d4fe55",
"ded51696-dd59-464c-9890-5b6db5e673c3"
]
},
"playready":
{
"concurrency_mode": "NONE",
"allowed_device_ids":
[
"ed85e2bc-63d8-4a26-8ad0-18c382c12dd9",
"0d268a04-ca6e-4e9e-8412-e05344817cf5"
]
},
"widevine":
{
"concurrency_mode": "NONE",
"use_native_session_ids": false,
"min_vmp_level": "PLATFORM_SOFTWARE_VERIFIED",
"allow_tampered_platforms": false,
"allow_non_vmp_platforms": true
"allowed_device_ids":
[
"fbdcdcaf-af84-4bf3-8dbf-3e7c47922c65",
"5a0f8872-4c83-4362-a6b5-03228a4547ce"
],
"allowed_device_certificate_serial_numbers":
[
"29a622dd-ef79-4f8f-92be-96175a3e145d",
"5a164b33-63fc-4ac6-a7db-b304f897e08f"
]
}
}
}
return_license_request_infoβ
Allows to specify if license request info is returned.
Default |
false |
Supported values |
|
access_controlβ
Allows to specify restrictions on which clients can obtain a License.
This object uses device IDs. For more information on device IDs, see the License Request Info Message document.
Default | The settings in this section have their default behaviour. |
Supported values | Any valid Access Control object (see below). |
prevent_drm_message_reuseβ
Specifies whether particular DRM Messages can
be reused. If set to true
, DRM Messages with the same
ID
can only be used to receive a license once per entitled key, per license
service instance.
Please note:
- This is most effective against large-scale re-use of DRM Messages. This is because the tracking is performed individually by each license service instance, and the tracking data is not persisted over long periods of time.
- We recommend to enable this feature by default. Except, when a DRM Message is designed to be used multiple times.
- Additionally, it is recommended to to set the
expiration_date
for each DRM Message - as short as possible.
Default | false |
Supported values | true, false |
Availability | Axinom DRM FairPlay API v6.23.0+, Widevine API v6.28.0+, PlayReady API 6.22.0+ |
concurrency_limitβ
Enables Concurrent Stream Limiting (CSL) and specifies how many concurrent playbacks are allowed. See the CSL guide for more information.
Default | Concurrent playbacks are not limited |
Supported values | 1 - 6 |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
concurrency_modeβ
Specifies the behaviour of Concurrent Streaming Limiting (CSL). This affects
all DRMs; it is possible to override this setting with NONE
in the
DRM-specific subsections to disable CSL for specific DRMs.
-
All modes require the playback clients to present a reliable DRM identifier, or the license acquisition will fail. This particularly concerns Widevine L3 Desktop browser CDMs, where the
persistentState
EME setting must be set torequired
. -
The session-specific modes require a session ID to be provided in the
session
section of the Entitlement Message. Or, alternatively, in case of FairPlay or Widevine,use_native_session_ids
must be set totrue
.
See the CSL guide for more information.
Default | BLOCK_NEW_DEVICE |
Supported values | BLOCK_NEW_DEVICE, BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
allowed_ip_addressesβ
Allows to specify a list of client IP addresses that may receive a License. If a clientβs IP address is not in this list they are not allowed to receive a License. If this list is defined but empty then no clients receive a License.
Default | No IP addresses are restricted. |
Supported values | Any array of strings, each of which represents an IP address in IPv4 or IPv6 format. For example: ["10.11.12.13", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"] |
fairplayβ
Allows to specify restrictions on which clients can obtain a License from Axinom DRM FairPlay API. These access controls only have an effect if the FairPlay DRM is used.
Default | The settings in this section have their default behaviour. |
Supported values | Any valid FairPlay Access Control object (see below). |
concurrency_modeβ
Allows exempting FairPlay DRM from Concurrent Stream Limiting, by
specifying NONE
here.
Default | Inherits the value of the parent concurrency_mode setting |
Supported values | NONE |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
use_native_session_idsβ
Indicates whether to use native FairPlay DRM session identifiers when using session-based CSL modes (BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION).
Setting this to true
is recommended, if using a mix of session ID sources is
not a concern (for PlayReady, native ID's are not available; for Widevine,
their viability depends on the overall setup). In general, using native
session IDs allows distinguishing individual playback sessions with most
granularity.
See the CSL guide for more information.
Default | false |
Supported values | true, false |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
allowed_device_idsβ
Allows to specify a list of client device IDs that may receive a License. If a clientβs device ID is not in this list they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.
Default | No device IDs are restricted. |
Supported values | Any array of strings, each of which represents a GUID. For example: ["dd5f6907-f579-45e0-8b49-632a49d4fe55", "ded51696-dd59-464c-9890-5b6db5e673c3"] |
playreadyβ
Allows to specify restrictions on which clients can obtain a License from Axinom DRM PlayReady API. These access controls only have an effect if the PlayReady DRM is used.
Default | The settings in this section have their default behaviour. |
Supported values | Any valid PlayReady Access Control object (see below). |
concurrency_modeβ
Allows exempting PlayReady DRM from Concurrent Stream Limiting, by
specifying NONE
here.
Default | Inherits the value of the parent concurrency_mode setting |
Supported values | NONE |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
allowed_device_idsβ
Allows to specify a list of client device IDs that may receive a License. If a clientβs device ID is not in this list they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.
Default | No device IDs are restricted. |
Supported values | Any array of strings, each of which represents a GUID. For example: [ "ed85e2bc-63d8-4a26-8ad0-18c382c12dd9", "0d268a04-ca6e-4e9e-8412-e05344817cf5" ] |
widevineβ
Allows to specify restrictions on which clients can obtain a License from Axinom DRM Widevine API. These access controls only have an effect if the Widevine DRM is used.
Default | The settings in this section have their default behaviour. |
Supported values | Any valid Widevine Access Control object (see below). |
concurrency_modeβ
Allows exempting Widevine DRM from Concurrent Stream Limiting, by
specifying NONE
here.
Default | Inherits the value of the parent concurrency_mode setting |
Supported values | NONE |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
use_native_session_idsβ
Indicates whether to use native Widevine DRM session identifiers when using session-based CSL modes (BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION).
For Widevine, it is not recommended to set this to true
unless the
implications are understood. While in general using native session IDs allows
individual playback sessions to be distinguished with most granularity, in
some cases one actual playback session can cause multiple DRM sessions to be
created, causing a single playback to be counted multiple times towards the
concurrency limit.
See the CSL guide for more information.
Default | false |
Supported values | true, false |
Availability | Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+ |
allowed_device_certificate_serial_numbersβ
Allows to specify a list of Widevine DRM device certificate serial numbers that may receive a License. If the corresponding device DRM client device certificate serial number is not in this list, it is not allowed to receive a License. If this list is defined but empty, no clients receive a License.
A Widevine DRM device certificate serial number can be retrieved from the
LicenseRequestInfo message. To signal the License Service to return the
LicenseRequestInfo message, set the return_license_request_info
parameter to
true
in the Entitlement Message. More information on LicenseRequestInfo
message can be found in the License Request Info Message documentation.
Default | No devices are restricted by their serial number. |
Supported values | Any array of strings, each of which represents a GUID. For example: [ "29a622dd-ef79-4f8f-92be-96175a3e145d", "5a164b33-63fc-4ac6-a7db-b304f897e08f" ] |
allowed_device_idsβ
Allows to specify a list of client device IDs that may receive a License. If a clientβs device ID is not in this list, they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.
Current Widevine clients no longer report the Device ID. Use this
option only if you need compatibility with older clients. Otherwise, use the
allowed_device_certificate_serial_numbers
instead.
Default | No devices are restricted by their Device ID. |
Supported values | Any array of strings, each of which represents a GUID. For example: [ "fbdcdcaf-af84-4bf3-8dbf-3e7c47922c65", "5a0f8872-4c83-4362-a6b5-03228a4547ce" ] |
allow_non_vmp_platformsβ
Specifies whether client platforms that do not support Verified Media Path (VMP) are allowed to get licenses. Such platforms include: Android, Tizen, WebOS and Roku.
This is an advanced setting that should not be used unless there is a special reason for it. Non-VMP platforms do not implement VMP by design and should not be considered less secure.
Default | true |
Supported values | true, false |
Availability | Axinom DRM Widevine API v6.21.0+ |
allow_tampered_platformsβ
Specifies whether client platforms with tampered Verified Media Path implementation should be allowed to get a license.
It is highly recommended to set this to false
. The default is
true
to align with the default behaviour of Googleβs Widevine license
service SDK and service, to avoid backwards incompatible changes.
Default | true |
Supported values | true, false |
Availability | Axinom DRM Widevine API v6.21.0+ |
min_vmp_levelβ
Specifies the minimum Verified Media Path (VMP) level of client platforms that should be allowed to get a license. Verified Media Path is an anti-tamper system mainly intended to ensure the integrity of browser platforms.
The levels, from the lowest to the highest, are:
- "PLATFORM_UNVERIFIED" - indicates that a browser-based client is used where the Widevine CDM cannot verify its hosting application. This includes all browser-based platforms on Linux, Electron apps without proper VMP implementation and Chrome OS running in developer mode or with remote attestation blocked.
- "PLATFORM_SOFTWARE_VERIFIED" - VMP is verified at software level. This is equivalent to clients with L3 security level.
- "PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED" - this is equivalent to clients with L3 security level that also have a secure storage required for license persistence.
- "PLATFORM_HARDWARE_VERIFIED" - VMP is verified at the hardware level. This is equivalent to clients with L1 security level.
It is recommended to set the minimum VMP level higher than "PLATFORM_UNVERIFIED". However, it should be kept in mind that raising the level beyond the minimum may block some popular platforms, such as browser clients on Linux or some Electron-based solutions without proper VMP implementation.
The default used by Axinom is "PLATFORM_UNVERIFIED", since it is also the default of Googleβs Widevine license service SDK and services, and avoids backwards incompatible changes.
Default | "PLATFORM_UNVERIFIED" |
Supported values | "PLATFORM_UNVERIFIED", "PLATFORM_SOFTWARE_VERIFIED", "PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED", "PLATFORM_HARDWARE_VERIFIED" |
API support | Widevine API 6.21.0+ |