Configuration Package
When you request access to Axinom DRM On-board, you receive a configuration package. This article describes the content of this package. Store the content of the package in the Config volume mounted into the DRM License Service container. The package contains private key material (the TLS private key and PrivateKey.der), so restrict access to that volume accordingly.
For each DRM technology there is a separate Docker image and a separate configuration package.
Package Content

Files without a DRM Technology entry are common to all packages.

| File | DRM Technology | Purpose |
|---|---|---|
| App.config | | Application configuration, see Configuration Options |
| dhparam.pem | | |
| nginx.conf | | Configuration file for the nginx reverse proxy |
| NLog.config | | Configuration for logging, see Logging and Monitoring |
| AxRootCA.crt | | Certificate of the Axinom Certification Authority, needed by the client if the Axinom evaluation TLS certificate is used |
| hosts | | Sample hosts file for the client |
| PrivateKey.der | | |
| ServiceCertificate.bin | | |
| ApiKeys.json | | API keys for the Sync API, see Push-Updates Using Sync API |
| Tenants.json | | Tenant configured to be used in the on-board environment |
| KeySeeds.json | | Key Seeds to be used, one or multiple, stored here encrypted |
| CommunicationKeys.json | | Communication Keys to be used, one or multiple, stored here encrypted |
| FairPlayDataSets.json | FairPlay | FairPlay DataSets, see FairPlay and Axinom DRM |
| DeviceCertificateStatusList.json | Widevine | |
| RevocationData.xml | PlayReady | |
| axdrm-{drm_technology}-evaluation.axtest.net.cert.pem | {drm_technology} | Axinom TLS certificate for evaluation purposes |
| axdrm-{drm_technology}-evaluation.axtest.net.key.pem | {drm_technology} | Private key for the TLS certificate |
Tenant Configuration
When you start using Axinom DRM, Axinom creates a Tenant for you which holds all the necessary configuration and settings. The on-board setup uses the same Tenant's configuration. This ensures, for example, that you can use Axinom Key Service in the cloud to generate encryption keys and still play content encrypted with those keys on-board.
The tenant's configuration data available on-board includes:
- TenantID - resides inside Tenants.json
- KeySeed - resides in encrypted form inside KeySeeds.json
- Communication Key - resides in encrypted form inside CommunicationKeys.json
- (FairPlay only) FairPlay Data Sets - reside in encrypted form inside FairPlayDataSets.json
Tenants.json:

```json
[
  {
    "Id": "d73b4139-849d-4f2f-93e7-a729009585a0",
    "Name": "General Evaluation"
  }
]
```

KeySeeds.json:

```json
[
  {
    "Id": "8b71dc58-d698-44cf-9fa1-a729009585a0",
    "TenantId": "d73b4139-849d-4f2f-93e7-a729009585a0",
    "EncryptedData": "JuPgYtVLOkPuGdvflnhgLKhYI1y133SB5A/WHB217x4=",
    "Created": "2017-03-01T09:04:23.5704506+00:00",
    "MadeDefault": "2017-03-01T09:04:23.5704506+00:00"
  }
]
```

CommunicationKeys.json:

```json
[
  {
    "Id": "0edf9d82-28e8-4351-88de-a729009585a0",
    "TenantId": "d73b4139-849d-4f2f-93e7-a729009585a0",
    "EncryptedData": "qJo8NrKj+j3PNj3YM9LRhKU1VU3ysPqYtN64UjHK3PI="
  }
]
```

FairPlayDataSets.json:

```json
[
  {
    "Id": "3cb5f5f2-5158-4159-bbd3-ad2400ab64d9",
    "TenantId": "d73b4139-849d-4f2f-93e7-a729009585a0",
    "Name": "Axinom FPS Test Credentials 2021.05.10",
    "EncryptedApplicationSecretKey": "hyyxX7L7iCmcnrGdhfZlsQ==",
    "CertificateHash": "OHhFG53+JNzmxoyqLEQRpher3Z8=",
    "EncryptedPrivateKey": "rQS...XV"
  }
]
```
Obtaining Tenant Configuration
You receive your tenant's configuration data as part of the configuration package, but you can also download it from Axinom Cloud DRM using its Management API.
First, you need to create a so-called Offline Environment. Usually one offline environment per Tenant is enough: even if you have a fleet of vehicles, each running an instance of Axinom DRM License Service, they can all share the same offline environment. Only if your hosts have a TPM and you want to take advantage of the additional security a TPM offers do you need a separate offline environment for each vehicle/host.
Details on using a TPM will be published later. Ask if you need this information now.
To create an offline environment, send the following HTTPS request with an empty body (add an Authorization header as described in Management API):

```
POST /OfflineEnvironments
```

The response will be similar to this:

```json
{
  "Id": "96c2c057-d363-4dc1-bbe3-b6f7bb2f835e", // ①
  "TpmSupported": false,
  "EncryptedEncryptionKey": "MTIzNDU2Nzg5MGFiY2RlZg==" // ②
}
```

① generated environment ID
② randomly generated environment encryption key used to encrypt the configuration data, returned in encrypted form
Now you can request all the configuration data:
GET /Sync/Tenants?EnvironmentId={EnvironmentId}
GET /Sync/KeySeeds?EnvironmentId={EnvironmentId}
GET /Sync/CommunicationKeys?EnvironmentId={EnvironmentId}
GET /Sync/FairPlayDataSets?EnvironmentId={EnvironmentId}
Returned sensitive data is encrypted with the environment encryption key from the first POST.
Store the received data in the Config folder as Tenants.json, KeySeeds.json, CommunicationKeys.json and FairPlayDataSets.json.
Store the value of EncryptedEncryptionKey in App.config under EncryptedEncryptionKeyAsBase64. This is the key used to encrypt all other configuration data. The key itself is encrypted with another key, known to Axinom DRM, so only its encrypted form is stored on the host.
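The following script is an added example, not Axinom's tooling, covering both the Tenant Configuration files above and the download procedure in this section. It performs the POST /OfflineEnvironments and GET /Sync/... exchange, writes the results into a Config folder, puts EncryptedEncryptionKey into App.config, and cross-checks the result (every KeySeed, Communication Key and FairPlay Data Set references the tenant in Tenants.json, and every encrypted field is valid base64), which is equally useful on a package received from Axinom. Assumptions not stated on this page: the Management API base URL, the exact Authorization header value (see the Management API documentation), and that App.config is .NET-style XML with an `<appSettings><add key="..." value="..."/>` entry. The HTTP transport is injectable, and the embedded responses are constructed from the samples on this page so the flow runs offline.

```python
"""Fetch an on-board configuration set from Axinom Cloud DRM and check it before it
goes into the Config volume. Added example for this page, not Axinom's tooling.
Assumptions: Management API base URL, the Authorization header value, and that
App.config is .NET-style XML with <appSettings><add key="..." value="..."/>."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import Path

# One Sync resource per JSON file in the Config volume (file names from the package table).
SYNC_RESOURCES = ("Tenants", "KeySeeds", "CommunicationKeys", "FairPlayDataSets")
APP_CONFIG_KEY = "EncryptedEncryptionKeyAsBase64"
ENCRYPTED_FIELDS = ("EncryptedData", "EncryptedApplicationSecretKey", "EncryptedPrivateKey")

def https_transport(base_url):
    """Real transport: (method, path, authorization) -> body. base_url is an assumption."""
    def send(method, path, authorization):
        req = urllib.request.Request(base_url + path, method=method,
                                     data=b"" if method == "POST" else None)
        req.add_header("Authorization", authorization)
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    return send

def fetch_offline_config(transport, authorization):
    """POST /OfflineEnvironments once, then GET every Sync resource for that environment."""
    env = json.loads(transport("POST", "/OfflineEnvironments", authorization))
    files = {}
    for res in SYNC_RESOURCES:
        body = transport("GET", f"/Sync/{res}?EnvironmentId={env['Id']}", authorization)
        files[f"{res}.json"] = json.loads(body)
    return env, files

def _is_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False

def check_config(env, files):
    """Cross-checks worth running before the first container start; returns problems found."""
    problems = []
    if not _is_base64(env.get("EncryptedEncryptionKey")):
        problems.append("EncryptedEncryptionKey is missing or not base64")
    tenants = files.get("Tenants.json", [])
    if len(tenants) != 1:
        problems.append(f"expected exactly one tenant in Tenants.json, found {len(tenants)}")
    tenant_ids = {t["Id"] for t in tenants}
    for name in ("KeySeeds.json", "CommunicationKeys.json", "FairPlayDataSets.json"):
        for entry in files.get(name, []):
            if entry.get("TenantId") not in tenant_ids:
                problems.append(f"{name}: {entry.get('Id')} references unknown tenant {entry.get('TenantId')}")
            for field in ENCRYPTED_FIELDS:
                if field in entry and not _is_base64(entry[field]):
                    problems.append(f"{name}: {entry.get('Id')} has a non-base64 {field}")
    return problems

def write_config(config_dir, env, files):
    """Write the synced JSON files and store the environment key in App.config (assumed appSettings layout)."""
    root = Path(config_dir)
    root.mkdir(parents=True, exist_ok=True)
    for name, data in files.items():
        (root / name).write_text(json.dumps(data, indent=2))
    app_config = root / "App.config"
    tree = ET.parse(app_config) if app_config.exists() else ET.ElementTree(ET.Element("configuration"))
    settings = tree.getroot().find("appSettings")
    if settings is None:
        settings = ET.SubElement(tree.getroot(), "appSettings")
    node = settings.find(f"add[@key='{APP_CONFIG_KEY}']")
    if node is None:
        node = ET.SubElement(settings, "add", key=APP_CONFIG_KEY)
    node.set("value", env["EncryptedEncryptionKey"])
    tree.write(app_config)
    return str(app_config)

def load_config(config_dir):
    """Read a Config folder (e.g. a received package) back into the shape check_config expects."""
    root = Path(config_dir)
    node = ET.parse(root / "App.config").getroot().find(f"appSettings/add[@key='{APP_CONFIG_KEY}']")
    env = {"EncryptedEncryptionKey": node.get("value") if node is not None else None}
    files = {f"{res}.json": json.loads((root / f"{res}.json").read_text())
             for res in SYNC_RESOURCES if (root / f"{res}.json").exists()}
    return env, files

# Constructed responses modelled on the samples on this page, so the flow runs offline.
_TENANT = "d73b4139-849d-4f2f-93e7-a729009585a0"
_SAMPLE = {
    "POST /OfflineEnvironments": {"Id": "96c2c057-d363-4dc1-bbe3-b6f7bb2f835e", "TpmSupported": False,
                                  "EncryptedEncryptionKey": "MTIzNDU2Nzg5MGFiY2RlZg=="},
    "GET /Sync/Tenants": [{"Id": _TENANT, "Name": "General Evaluation"}],
    "GET /Sync/KeySeeds": [{"Id": "8b71dc58-d698-44cf-9fa1-a729009585a0", "TenantId": _TENANT,
                            "EncryptedData": "JuPgYtVLOkPuGdvflnhgLKhYI1y133SB5A/WHB217x4="}],
    "GET /Sync/CommunicationKeys": [{"Id": "0edf9d82-28e8-4351-88de-a729009585a0", "TenantId": _TENANT,
                                     "EncryptedData": "qJo8NrKj+j3PNj3YM9LRhKU1VU3ysPqYtN64UjHK3PI="}],
    "GET /Sync/FairPlayDataSets": [],
}

def sample_transport(method, path, authorization):
    """Offline stand-in for https_transport(...) that serves the constructed responses."""
    return json.dumps(_SAMPLE[f"{method} {path.split('?')[0]}"]).encode()
```

Against the real service, replace `sample_transport` with `https_transport("https://<management-api-host>")` (host is an assumption) and pass the Authorization header value from the Management API documentation; then `env, files = fetch_offline_config(...)`, `check_config(env, files)`, and `write_config("Config", env, files)`. Run `check_config(*load_config("Config"))` on a package received from Axinom before the first container start, because a KeySeed or Communication Key whose TenantId does not match Tenants.json will never be usable on-board.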