Skip to main content

Sharing FPS data set with Axinom

Why you need to share the FPS dataset with the Axinom​

For Widevine (WV) and PlayReady (PR) DRM systems, the necessary components are typically integrated into the software development kits (SDKs) provided by Google and Microsoft, respectively. As a result, in standard scenarios, we can utilize a single set of credentials for production purposes, and customers are not required to furnish us with their own credentials.

In the case of FairPlay, these credentials are exclusively distributed to "licensed content owners." Since Axinom specializes in DRM services and not content ownership, we are unable to obtain a universal or "generic" set of credentials that could be shared among all customers. This is because the credentials in the FairPlay system are customer-specific and not something we can access or provide on their behalf.

Therefore each customer needs to request a set of Fairplay credentials and each customer will receive a distinct set of credentials from Apple, and as a service provider like Axinom, we do not have access to these credentials. Therefore, the customer needs share the FPS package with the Axinom in order to verify the licenses signed with the customer-specific Fairplay certificates they received.

How you can share the FPS dataset​

To share your FPS data with Axinom, you have two options: you can either use the FairPlay Data Set Upload Tool or utilize the Management API.

Using the FairPlay Data Set Upload Tool​

In the My Mosaic - DRM section Axinom provides the possibility to upload a FairPlay Data Set to any environment.

Under My Mosaic / DRM:

  1. If you have multiple environments, select the one for which you want to upload a FairPlay Data Set

  2. Under the License Service config of the selected environment, there is a row "FairPlay Data Sets".

  3. When you click the Reveal button, you are asked to enter the Management Key. You have to enter your License Service Management Key to authorize this action.

  4. After that, you can see the uploaded certificate or use an Add button to add your FairPlay Data Set.

  5. Next, you see the window where to upload the PK, ASK, and AC.

    FairPlay Data Set Upload

    fair-play-data-set-upload

    1. In the Upload Application Certificate (AC) section, you need to upload the FairPlay Security Certificate.

    2. In the Upload FPS Application Certificate Private Key (PK) section, you need to upload the private clear key file.

      If your PK is password protected, you can use below command to remove the password:

      openssl rsa -in private_key.pem -out unprotected_privatekey.pem
    3. In the Insert Application Secret Key (ASK), you need to provide the ASK value as a text value.

  6. Once you submit the certificate, you can easily use the certificate with your content. Also, the certificates get uploaded to our host. Then you can find the FairPlay Streaming Certificate URL for the certificate under the License Service config. If you have a production tenant, you need to manage your certificate hosting on your side. In that case, you need to upload your FairPlay.cer into a publicly available web server with CORS support.

    FairPlay Streaming Certificate URL

    fair-play-certificate-url

  7. When you click Copy to Clipboard, you get the URL with some description as seen below.

    If you registered the FairPlay certificate over the Axinom Portal and not directly over
    Axinom Licensing Service API's FairPlay data set endpoint, then you can find the
    certificate hosted for testing purposes from this URL: https://portal.axinom.com/api/testing-certificates/<some_
    values_to point_out_your_certificate>.cer
    1. From this description, you can find the FairPlay Streaming Certificate URL and use it for testing purposes.

      note

      We recommend using this hosted URL only for testing purposes. Please manage the certificate hosting on your side if you use the certificates for production purposes.

note

If you get an error saying this only supports TripleDES, you can convert your private key to PKCS#1 format. Use the below command for the conversion.

   openssl rsa -in pkcs8.key -out pkcs1.key

Alternative: Using the Management API​

As an alternative to the above method, Axinom provides a Management API endpoint to securely share and manage credentials.

Before submitting the PK, ASK, and AC, they must be processed and converted into a certain format. Example commands to do this are given below. The examples use OpenSSL and xxd (for Linux/Mac) or PowerShell (for Windows), but any tools with similar capabilities may be used.

  1. Remove Passphrase from Private Key

    If the PK is passphrase-protected, the passphrase must be removed before sharing it with Axinom.The passphrase can be removed with the following OpenSSL command (you are prompted to enter the passphrase):

    openssl rsa -in protected_privatekey.pem -out unprotected_privatekey.pem
  2. Convert FPS Data Set to base64 Strings

    The AC file data must be converted to a base64 string. The following command does this (-A is needed to stop OpenSSL from outputting new lines):

    openssl base64 -in applicationcert.cer -A

    After the PK passphrase has been removed, its file data must be converted to a base64 string. Use the following command for this:

    openssl base64 unprotected_privatekey.pem -A

    The ASK hex string must first be converted to the byte array it represents. Then, this must be converted to a base64 string. In the following example commands, you must replace the string of zeros with your 32-character ASK hex string (do not include 0x at the start).

    On Linux/Mac:

    echo "00000000000000000000000000000000" | xxd -r -p | openssl base64

    On Windows, from a PowerShell terminal:

    [Convert]::ToBase64String([byte[]] -split ("00000000000000000000000000000000" -replace '..', '0x$& '))
  3. Send the FPS Data Set as base64 Strings to Axinom

    The data must be sent to Axinom DRM License Service Management API’s /api/FairPlayDataSets endpoint using an HTTP POST request with the application/json content type.

    HTTP Basic Authentication should be used, with your tenant ID as the username and your management key as the password. More authentication information can be found at this link: License Service Management API.

    The request body should be JSON in the following form:

    {
    "Name": "<FairPlay data set name>",
    "ApplicationCertificate": "<AC file bytes as base64>",
    "PrivateKey": "<PK bytes as base64>",
    "ApplicationSecretKey": "<ASK bytes as base64>"
    }