Configuration Options
This document describes configuration options for Axinom DRM License Service for Widevine, FairPlay, and PlayReady.
Conventionsβ
In this document, the <APP_PATH> refers to the application root path.
When a relative path is specified as an option, it is relative to the <APP_PATH>.
The application root path is defined as follows:
- FairPlay - location of FairPlayApi.exe
- PlayReady - location of PlayReadyNetCore.exe
- Widevine - location of WidevineApi.exe
Common Optionsβ
The following options are supported for all DRM technologies.
AllowProxyβ
Specifies whether a reverse proxy is used.
If set to "true", the app assumes that all requests come through a trusted proxy.
It then determines the HTTP scheme and the IP of the client via the
X-Forwarded-For and X-Forwarded-Proto HTTP headers (set by the proxy),
respectively.
If set to "false", the actual HTTP scheme and the IP of the HTTP request are used.
If no proxy is present, a setting of "true" creates a security risk as clients can then forge their HTTP scheme and IP address by manipulating the headers. Change this setting only if you understand the consequences.
By default, the setting is "true" for FairPlay and Widevine, as the default container image includes an Nginx reverse proxy that provides HTTPS support.
For PlayReady, the default is "false", since it is an ASP.NET app integrated with the IIS web server.
|
Required |
No |
|
Default value |
FairPlay and Widevine - "true", PlayReady - "false" |
|
Data type |
Boolean |
|
Supported values |
|
ConfigurationFolderPathβ
Specifies the folder where the app searches for its configuration and other DRM technology-specific files. Within this document, this path is referred to as the <CONFIG_PATH>.
| Required | No |
| Default value | PlayReady - "C:\Config" (on Windows), Widevine and FairPlay - "/Config" |
| Data type | String |
| Supported values | Any path in string format. |
IsDevelopmentEnvironmentβ
Specifies whether the environment is meant for development. It configures certain aspects of the app to make it easier to work in a development environment.
This is a development-only option.
|
Required |
No |
|
Default value |
"false" |
|
Data type |
Boolean |
|
Supported values |
|
EncryptedEncryptionKeyAsBase64β
Specifies the encryption key, provided in an encrypted form, that the app uses
for encrypting and decrypting configuration data in KeySeeds.json, CommunicationKeys.json.
The value is encrypted with the key known to Axinom DRM License Service.
| Required | Yes |
| Data type | Base64 string |
| Supported values | Any base64 string that represents an array of 16 bytes. For example: "MlypQgoalSkaX/x1YvnRiA==". |
FrontendDataFolderPathβ
Specifies the location where frontend data is stored.
| Required | No |
| Default value | "<CONFIG_PATH>" |
| Data type | String |
| Supported values | Any path in string format. |
FrontendDataUpdateIntervalβ
Specifies the interval at which the tenant configuration data (=Frontend Data) is reloaded. The interval begins when the application is started or when the last update occurs.
To disable automatic updates, the value can be set to "0".
See also: Updating On-board Configuration.
|
Required |
No |
|
Default value |
"5:00" (5 minutes) |
|
Data type |
TimeSpan string |
|
Supported values |
|
LicenseAcquisitionUrlWithoutSchemeβ
Specifies the license acquisition URL of the application (without the HTTP scheme part). This is only used by the appβs Checks API, which performs self-checks to monitor the appβs health. Since these checks are optional, setting this value is also optional.
If set, this is the URL where the Checks API sends self-check requests. If not set, then some features of the Checks API are not available.
In development environments, i.e. when IsDevelopmentEnvironment is "true",
this value is automatically replaced with an internal value.
| Required | No |
| Default value | N/A (or an internal value, if IsDevelopmentEnvironment is set to "true"). |
| Data type | String |
| Supported values | Any valid URL in string format. For example "example.com/api/AcquireLicense". |
FairPlayβ
There are no FairPlay-specific configuration options.
PlayReadyβ
RevocationDataUpdateIntervalβ
Specifies the interval at which the Revocation List file is reloaded. The interval begins when the application is started or when the last update occurs.
To disable automatic updates, the value can be set to "0".
See also: Revocation List.
| Required | No |
| Default value | "7.00:00:00" |
| Data type | String |
| Supported values | Any string in "days.hours:minutes:seconds" format. Examples: "7.12.00:05" (7 days, 12 hours and 5 seconds), "12.00:00" (12 hours), "5:00" (5 minutes), "30" (30 seconds). |
ServerCertificateFilePathβ
Specifies the location of the PlayReady server certificate file.
| Required | No |
| Default value | "<CONFIG_PATH>/ServerCertificate.xml" |
| Data type | String |
| Supported values | Any file path in string format that points to a PlayReady server certificate XML file. |
ServiceIdβ
Specifies the PlayReady Service ID. Only values provided by Axinom should be used here, otherwise the application does not work as expected.
| Required | Yes |
| Data type | GUID string |
| Supported values | Any valid GUID string in the 00000000-0000-0000-0000-000000000000 format. For example: "1db8e4ba-7705-4ce1-b3ab-4fe6be3ccafd". |
Widevineβ
AllowUnknownDevicesβ
Specifies whether to allow unknown devices, i.e. the devices not present in the device certificate status list, to obtain licenses.
Enabling this option to allow unknown devices poses a security risk.
See also: Allowing Unknown Devices.
|
Required |
No |
|
Default value |
"false" |
|
Data type |
Boolean |
|
Supported values |
|
DeviceCertificateStatusListExpirationTimeβ
Specifies the duration after which the device certificate status list expires.
The expiration time is relative to the creation timestamp embedded into the device
certificate status list data structure. This time must be at least 1 minute longer
than DeviceCertificateStatusListUpdateInterval and cannot be "0".
The default value is 50 years to simplify offline deployments.
| Required | No |
| Default value | "18250.00:00:00" (50 years) |
| Data type | TimeSpan string |
| Supported values | Any string in the "days.hours:minutes:seconds" format. For example: "7.12.00:05" (7 days, 12 hours and 5 seconds), "12.00:00" (12 hours), "5:00" (5 minutes), "30" (30 seconds). |
DeviceCertificateStatusListUpdateIntervalβ
Specifies the interval at which the Device Certificate Status List file is reloaded. The interval begins when the application is started or when the last update occurs.
To disable automatic updates, the value can be set to "0".
See also: Device Certificate Status List.
| Required | No |
| Default value | "24:00:00" |
| Data type | TimeSpan string |
| Supported values | Any string in the "days.hours:minutes:seconds" format. Examples: "7.12.00:05" (7 days, 12 hours and 5 seconds), "12.00:00" (12 hours), "5:00" (5 minutes), "30" (30 seconds). |
MasterSigningKeyAsBase64β
Specifies the Widevine master signing key that is used to handle license renewal and release requests.
Use the default value unless instructed otherwise by Axinom.
| Required | No |
| Default value | "o3XR+JRLTNCH7UGqvjypHA==" |
| Data type | Base64 string |
| Supported values | Any base64 string that represents an array of 16 bytes. For example: "oRHR8RRLSqCH6kGqrjqhGg==". |
ServiceCertificateFilePathβ
Specifies the path to the service certificate file.
|
Required |
No |
|
Default value |
"<CONFIG_PATH>/ServiceCertificate.bin" |
|
Data type |
String |
|
Supported values |
Any file path in string format that points to the DER-encoded service certificate file. |
ServiceCertificatePrivateKeyFilePathβ
Specifies the path to the private key file that is paired with the service certificate.
| Required | No |
| Default value | "<CONFIG_PATH>/PrivateKey.der" |
| Data type | String |
| Supported values | Any file path in string format that points to the service certificateβs private key file. The file must contain a PKCS#8 private key in DER format. |
EncryptedServiceCertificatePrivateKeyPasswordAsBase64β
Specifies the service certificateβs private keyβs password in an encrypted form. If you have your own certificate and password, provide the password to Axinom to get the encrypted value.
| Required | Yes |
| Data type | Base64 string |
| Supported values | Any base64 string. For example: "MlypQgoalSkaX/x1YvnRiA==". |
ServiceCertificateTypeβ
Specifies the type of the service certificate.
Usually, all deployments use "Production" service certificates and this setting should not be changed from the default value.
|
Required |
No |
|
Default value |
"Production" |
|
Data type |
String |
|
Supported values |
|