Deployment Guide

This guide provides comprehensive installation instructions for Axinom DRM License Service in an on-board environment.

Before you begin

Make sure you have read the overview and worked through contractual, hardware and software prerequisites. In particular you should now have:

• A Linux host with Docker installed
• Access to Linux terminal
• Axinom DRM Tenant and its configuration (available from Axinom Portal)
• Credentials for Axinom Docker Registry (received from Axinom)
• On-board Configuration Package
• Decision which of the DRM technologies you would like to deploy (Widevine, FairPlay, PlayReady).

Conventions

This document has the following conventions:

• Commands and their output are represented like

  echo "Text"

• Commands are modeled for the Linux terminal. However, they have been chosen in a way that all of them work in Windows PowerShell.

• All docker commands require administrative privileges. Therefore, make sure to apply sudo on Linux and launch PowerShell console on Windows with elevated privileges.

• Identifiers and paths are represented like this, and placeholders like {this}.

• Placeholders are explained the first time they are encountered with no further explanations in the rest of the document.

Pull Docker Image

All Docker images are published to Axinom’s private Docker registry https://registry.axinom.com.

To log in to the registry (use the credentials you received from Axinom):

docker login registry.axinom.com -u {username} -p {password}
...
Login Succeeded

Select the correct image depending on DRM technology and CPU architecture:

Axinom DRM License Service Docker Images

DRM Technology	x64	ARM 64-bit
Widevine	widevine-api/app	widevine-api-arm64/app
FairPlay	fairplay-api/app	fairplay-api-arm64/app
PlayReady	playready-api/app	-

You are only given access to the images based on the service agreement. Therefore, you won’t be able to pull any other Docker images that you don’t have access to.

To pull the Docker image (use the name of the selected image):

sudo docker pull registry.axinom.com/{drm_technology}-api/app

...
Status: Downloaded newer image for registry.axinom.com/{drm_technology}-api/app:latest

Create Folders for Configs and Logs

Axinom DRM License Service expects two folders: one where it finds the config-files, and one to which it will write logs. The folders don’t have to be next to each other, the exact mapping will be made when starting the container.

1. Create the folders:

   mkdir ~/{drm_technology}
   mkdir ~/{drm_technology}/config
   mkdir ~/{drm_technology}/logs
   mkdir ~/{drm_technology}/logs/nginx

2. Extract and copy the contents of the Configuration Package into the Config folder.

   1. To verify the contents of the folder run ls ~/{drm_technology}/config

3. For PlayReady follow the section below to copy PlayReady SDK files.

4. If you wish to review/adjust configuration, you can do it now, following Configuration Options and Configuration Package.

(PlayReady) Copy PlayReady SDK Files

The following PlayReady SDK files must be present in the Config folder:

• Microsoft.Media.Drm.RMCore.NETCore.dll
• Microsoft.Media.Drm.RMCore.NetCore.Http.dll
• Microsoft.Media.Drm.RMUtil.so

You also need a PlayReady Server Certificate:

• ServerCertificate.xml

Sample PlayReady ServerCertificate.xml

<?xml version="1.0" encoding="utf-8"?>
<ServerCertificateData>
	<Certificate>Qblablabla[...]blablablaQpP6xas=</Certificate>
	<ECCKeyValue>
		<PrivateKey>7LX1IrfLsjE6V8CXNGviGSP5U9M3OYKD0PyKqm+igUQ=</PrivateKey>
		<PublicKey>2cxfn1WIGXwpL1kCa5t48D64GueK0cf2c+yQQbNqafc=</PublicKey>
		<Curve>1</Curve>
	</ECCKeyValue>
</ServerCertificateData>

These files must be obtained from Microsoft IPLA licensing portal. Once you have concluded the necessary agreements, Microsoft allows you to download the PlayReady SDK packages.

To get the files:

1. Download and extract the SDK package named PlayReady_Server_SDK_.Netcore_<version>.zip from the portal given by Microsoft. E.g: "PlayReady_Server_SDK_.Netcore_v4.4.6222.zip".
2. Navigate to RMSDK.NETCore folder.
3. Each of the DLLs shall be shipped as a NuGet package with the corresponding DLL name. E.g: "Microsoft.Media.Drm.RMCore.NETCore_4.4.6222.nupkg". These NuGet packages are ZIP archives which can be extracted.
4. Extract each of the NuGet packages. The above-mentioned DLL files will be under "lib" directory. The Microsoft.Media.Drm.RMUtil.so will be under the "runtimes\linux-x64\native" directory.

Run the Container

1. Decide which HTTP and HTTPS ports shall be exposed on the host (further refered to as {host_http_port} and {host_https_port}). The Docker image exposes the following ports: 80 (HTTP), 443 (HTTPS), 8080 (alternative HTTP port).

2. Run the docker container:

   sudo docker run -d --restart always -p {host_http_port}:80 -p {host_https_port}:443 -v ~/
   {drm_technology}/config:/Config -v ~/{drm_technology}/logs:/Logs registry.axinom.com/
   {drm_technology}-api/app
   
   3bc85e55c4e18bd5fbb2ea5d43c046d15e63b47bff1ca5fbb564d57f4f0ba9db

3. Verify that the License Service started up successfully:

   sudo docker logs {container_id}

   {container_id} - full or partial identifier of the previously started License Service container.

   Example:

   docker logs 3bc85e55c
   
   Overriding the app's configuration... Done.
   Overriding the app's logging configuration... Done.
   Overriding the hosts configuration... Done.
   Overriding the Nginx configuration... Done.
   The setup has been successfully completed.
   2019-05-21 10:48:12,702 CRIT Supervisor running as root (no user in config file)
   2019-05-21 10:48:12,703 INFO Supervisor started with pid 12
   2019-05-21 10:48:13,705 INFO spawned: 'nginx' with pid 15
   2019-05-21 10:48:13,706 INFO spawned: 'app' with pid 16
   [2019-05-21T10:48:14.3959460+00:00] Listening on: http://127.0.0.1:8089
   Press Ctrl+C to quit.
   2019-05-21 10:48:15,398 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
   2019-05-21 10:48:15,398 INFO success: app entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

Verify that the License Service Responds via HTTP

In a web-browser on the client, navigate to the address where the License Service is hosted. For example, if the host name is widevine-api.example.com, navigate to "http://widevine-api.example.com/AcquireLicense" (license acquisition URL). If the container runs properly, the page should display (for Widevine and FairPlay):

Use POST to get a license.

In case of PlayReady, the response is slighly different:

LicensingService
...

Caution

Instructions in this section apply for a playback machine only. They will most likely not work on the host machine running a License Service Docker image.

Set up HTTPS

To make HTTPS work you need to:

1. Decide on the DNS name to call the License Service (e.g. widevine-api.example.com)
2. Make sure the License Service is accessible in your environment using this name (e.g. via local DNS)
3. Issue a TLS certificate for this name
4. Configure the TLS certificate on the server (you will need the certificate file and its private key in PEM format)
5. Make a test call using HTTPS from the client machine: https://widevine-api.example.com:443/AcquireLicense (expected response is the same as above)

For evaluation purpose the Configuration Package you get already contains a TLS certificate and its private key issued to axdrm-{drm_technology}-evaluation.axprod.net and signed by AxRoot certificate authority. Certificate of the AxRoot CA is also included (AxRootCA.crt). Nginx configuration already contains the mentioned TLS certificate:

nginx.conf

...
ssl_certificate /Config/axdrm-widevine-evaluation.axprod.net.cert.pem;
ssl_certificate_key /Config/axdrm-widevine-evaluation.axprod.net.key.pem;

To use this certificate, on the client machine:

1. Add an entry to the hosts file for axdrm-{drm_technology}-evaluation.axprod.net
2. Import the AxRootCA.crt file into the root certificate store
3. Make a test call using HTTPS from the client machine: https://{drm_technology}-evaluation.axprod.net:443/AcquireLicense

For production purpose you have to use your own TLS certificate. Replace Axinom certificate above with your own.