License Service Configuration(license_server)

The License Service Configuration(license_server) section of Entitlement Message allows default behavior that is not related to generating a License to be overridden.

The structure of a License Service object is defined as follows.

entitlement_message.license_server

{
    "return_license_request_info": true,

    "access_control":
    {
        "prevent_drm_message_reuse": false,

        "concurrency_limit": 2,
        "concurrency_mode": "BLOCK_NEW_DEVICE",

        "allowed_ip_addresses":
        [
            "10.11.12.13",
            "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
        ],

        "fairplay":
        {
            "concurrency_mode": "NONE",
            "use_native_session_ids": false,

            "allowed_device_ids":
            [
                "dd5f6907-f579-45e0-8b49-632a49d4fe55",
                "ded51696-dd59-464c-9890-5b6db5e673c3"
            ]
        },

        "playready":
        {
            "concurrency_mode": "NONE",

            "allowed_device_ids":
            [
                "ed85e2bc-63d8-4a26-8ad0-18c382c12dd9",
                "0d268a04-ca6e-4e9e-8412-e05344817cf5"
            ]
        },

        "widevine":
        {
            "concurrency_mode": "NONE",
            "use_native_session_ids": false,

            "min_vmp_level": "PLATFORM_SOFTWARE_VERIFIED",
            "allow_tampered_platforms": false,
            "allow_non_vmp_platforms": true

            "allowed_device_ids":
            [
                "fbdcdcaf-af84-4bf3-8dbf-3e7c47922c65",
                "5a0f8872-4c83-4362-a6b5-03228a4547ce"
            ],

            "allowed_device_certificate_serial_numbers":
            [
                "29a622dd-ef79-4f8f-92be-96175a3e145d",
                "5a164b33-63fc-4ac6-a7db-b304f897e08f"
            ]
        }
    }
}

return_license_request_info

Allows to specify if license request info is returned.

Default	false
Supported values	false - License request info is not returned. true - License request info is returned.

access_control

Allows to specify restrictions on which clients can obtain a License.

note

This object uses device IDs. For more information on device IDs, see the License Request Info Message document.

Default	The settings in this section have their default behaviour.
Supported values	Any valid Access Control object (see below).

prevent_drm_message_reuse

Specifies whether particular DRM Messages can be reused. If set to true, DRM Messages with the same ID can only be used to receive a license once per entitled key, per license service instance.

Please note:

• This is most effective against large-scale re-use of DRM Messages. This is because the tracking is performed individually by each license service instance, and the tracking data is not persisted over long periods of time.
• We recommend to enable this feature by default. Except, when a DRM Message is designed to be used multiple times.
• Additionally, it is recommended to to set the expiration_date for each DRM Message - as short as possible.

Default	false
Supported values	true, false
Availability	Axinom DRM FairPlay API v6.23.0+, Widevine API v6.28.0+, PlayReady API 6.22.0+

concurrency_limit

Enables Concurrent Stream Limiting (CSL) and specifies how many concurrent playbacks are allowed. See the CSL guide for more information.

Default	Concurrent playbacks are not limited
Supported values	1 - 6
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

concurrency_mode

Specifies the behaviour of Concurrent Streaming Limiting (CSL). This affects all DRMs; it is possible to override this setting with NONE in the DRM-specific subsections to disable CSL for specific DRMs.

• All modes require the playback clients to present a reliable DRM identifier, or the license acquisition will fail. This particularly concerns Widevine L3 Desktop browser CDMs, where the persistentState EME setting must be set to required.

• The session-specific modes require a session ID to be provided in the session section of the Entitlement Message. Or, alternatively, in case of FairPlay or Widevine, use_native_session_ids must be set to true.

See the CSL guide for more information.

Default	BLOCK_NEW_DEVICE
Supported values	BLOCK_NEW_DEVICE, BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

allowed_ip_addresses

Allows to specify a list of client IP addresses that may receive a License. If a client’s IP address is not in this list they are not allowed to receive a License. If this list is defined but empty then no clients receive a License.

Default	No IP addresses are restricted.
Supported values	Any array of strings, each of which represents an IP address in IPv4 or IPv6 format. For example: ["10.11.12.13", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"]

fairplay

Allows to specify restrictions on which clients can obtain a License from Axinom DRM FairPlay API. These access controls only have an effect if the FairPlay DRM is used.

Default	The settings in this section have their default behaviour.
Supported values	Any valid FairPlay Access Control object (see below).

concurrency_mode

Allows exempting FairPlay DRM from Concurrent Stream Limiting, by specifying NONE here.

Default	Inherits the value of the parent concurrency_mode setting
Supported values	NONE
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

use_native_session_ids

Indicates whether to use native FairPlay DRM session identifiers when using session-based CSL modes (BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION).

Setting this to true is recommended, if using a mix of session ID sources is not a concern (for PlayReady, native ID's are not available; for Widevine, their viability depends on the overall setup). In general, using native session IDs allows distinguishing individual playback sessions with most granularity.

See the CSL guide for more information.

Default	false
Supported values	true, false
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

allowed_device_ids

Allows to specify a list of client device IDs that may receive a License. If a client’s device ID is not in this list they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.

Default	No device IDs are restricted.
Supported values	Any array of strings, each of which represents a GUID. For example: ["dd5f6907-f579-45e0-8b49-632a49d4fe55", "ded51696-dd59-464c-9890-5b6db5e673c3"]

playready

Allows to specify restrictions on which clients can obtain a License from Axinom DRM PlayReady API. These access controls only have an effect if the PlayReady DRM is used.

Default	The settings in this section have their default behaviour.
Supported values	Any valid PlayReady Access Control object (see below).

concurrency_mode

Allows exempting PlayReady DRM from Concurrent Stream Limiting, by specifying NONE here.

Default	Inherits the value of the parent concurrency_mode setting
Supported values	NONE
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

allowed_device_ids

Allows to specify a list of client device IDs that may receive a License. If a client’s device ID is not in this list they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.

Default	No device IDs are restricted.
Supported values	Any array of strings, each of which represents a GUID. For example: [ "ed85e2bc-63d8-4a26-8ad0-18c382c12dd9", "0d268a04-ca6e-4e9e-8412-e05344817cf5" ]

widevine

Allows to specify restrictions on which clients can obtain a License from Axinom DRM Widevine API. These access controls only have an effect if the Widevine DRM is used.

Default	The settings in this section have their default behaviour.
Supported values	Any valid Widevine Access Control object (see below).

concurrency_mode

Allows exempting Widevine DRM from Concurrent Stream Limiting, by specifying NONE here.

Default	Inherits the value of the parent concurrency_mode setting
Supported values	NONE
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

use_native_session_ids

Indicates whether to use native Widevine DRM session identifiers when using session-based CSL modes (BLOCK_NEW_SESSION, BLOCK_OLDEST_SESSION).

For Widevine, it is not recommended to set this to true unless the implications are understood. While in general using native session IDs allows individual playback sessions to be distinguished with most granularity, in some cases one actual playback session can cause multiple DRM sessions to be created, causing a single playback to be counted multiple times towards the concurrency limit.

See the CSL guide for more information.

Default	false
Supported values	true, false
Availability	Axinom DRM FairPlay API 6.23.0+, Widevine API 6.28.0+, PlayReady API 6.22.0+

allowed_device_certificate_serial_numbers

Allows to specify a list of Widevine DRM device certificate serial numbers that may receive a License. If the corresponding device DRM client device certificate serial number is not in this list, it is not allowed to receive a License. If this list is defined but empty, no clients receive a License.

A Widevine DRM device certificate serial number can be retrieved from the LicenseRequestInfo message. To signal the License Service to return the LicenseRequestInfo message, set the return_license_request_info parameter to true in the Entitlement Message. More information on LicenseRequestInfo message can be found in the License Request Info Message documentation.

Default	No devices are restricted by their serial number.
Supported values	Any array of strings, each of which represents a GUID. For example: [ "29a622dd-ef79-4f8f-92be-96175a3e145d", "5a164b33-63fc-4ac6-a7db-b304f897e08f" ]

allowed_device_ids

Allows to specify a list of client device IDs that may receive a License. If a client’s device ID is not in this list, they are not allowed to receive a License. If this list is defined but empty, no clients receive a License.

warning

Current Widevine clients no longer report the Device ID. Use this option only if you need compatibility with older clients. Otherwise, use the allowed_device_certificate_serial_numbers instead.

Default	No devices are restricted by their Device ID.
Supported values	Any array of strings, each of which represents a GUID. For example: [ "fbdcdcaf-af84-4bf3-8dbf-3e7c47922c65", "5a0f8872-4c83-4362-a6b5-03228a4547ce" ]

allow_non_vmp_platforms

Specifies whether client platforms that do not support Verified Media Path (VMP) are allowed to get licenses. Such platforms include: Android, Tizen, WebOS and Roku.

warning

This is an advanced setting that should not be used unless there is a special reason for it. Non-VMP platforms do not implement VMP by design and should not be considered less secure.

Default	true
Supported values	true, false
Availability	Axinom DRM Widevine API v6.21.0+

allow_tampered_platforms

Specifies whether client platforms with tampered Verified Media Path implementation should be allowed to get a license.

warning

It is highly recommended to set this to false. The default is true to align with the default behaviour of Google’s Widevine license service SDK and service, to avoid backwards incompatible changes.

Default	true
Supported values	true, false
Availability	Axinom DRM Widevine API v6.21.0+

min_vmp_level

Specifies the minimum Verified Media Path (VMP) level of client platforms that should be allowed to get a license. Verified Media Path is an anti-tamper system mainly intended to ensure the integrity of browser platforms.

The levels, from the lowest to the highest, are:

1. "PLATFORM_UNVERIFIED" - indicates that a browser-based client is used where the Widevine CDM cannot verify its hosting application. This includes all browser-based platforms on Linux, Electron apps without proper VMP implementation and Chrome OS running in developer mode or with remote attestation blocked.
2. "PLATFORM_SOFTWARE_VERIFIED" - VMP is verified at software level. This is equivalent to clients with L3 security level.
3. "PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED" - this is equivalent to clients with L3 security level that also have a secure storage required for license persistence.
4. "PLATFORM_HARDWARE_VERIFIED" - VMP is verified at the hardware level. This is equivalent to clients with L1 security level.

tip

It is recommended to set the minimum VMP level higher than "PLATFORM_UNVERIFIED". However, it should be kept in mind that raising the level beyond the minimum may block some popular platforms, such as browser clients on Linux or some Electron-based solutions without proper VMP implementation.

The default used by Axinom is "PLATFORM_UNVERIFIED", since it is also the default of Google’s Widevine license service SDK and services, and avoids backwards incompatible changes.

Default	"PLATFORM_UNVERIFIED"
Supported values	"PLATFORM_UNVERIFIED", "PLATFORM_SOFTWARE_VERIFIED", "PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED", "PLATFORM_HARDWARE_VERIFIED"
API support	Widevine API 6.21.0+