Skip to main content

Set up Encoding Profiles

The Axinom Encoding allows to encode videos while Axinom DRM protects them. This can be done by utilizing the Encoding API directly or by using the Video Service GUI. This documentation describes the process to configure the encoding settings in the Management System.

All encoding related settings are available in the Management System under Settings:

Video Settings

Video settings

Caution

For security reasons, all the secrets should be encrypted using the credentials protection approach. Secret values are encrypted by the Encoding API’s public key. This way, your secrets can only be decrypted by the video decoder process - but not by anybody else, including the Management System itself. See Credentials Protection Tool.

Acquisition and Publishing Profiles

Acquisition and Publishing Profiles define respectively the Input Storage and the Output Storage for the Encoder. Input Storage is where the source video files are taken from (section "Content Acquisition" in a job request). Output Storage is where the processed video files are stored (section "Content Publishing" in a job request).

Caution

For security reasons, the acquisition profile and the publishing profile should use different storages. In development environments it is ok to share the same storage account and differentiate by container or by a sub-folder, but for production it is advisable to use separate storage accounts with different credentials.

warning

Encoding Service supports many different Storage Providers, including Mosaic Hosting Service, Azure Blob Storage, Amazon S3, FTPS. All providers except FTPS can be configured in the GUI; support for FTP will be added later. Also, as of today, only a single acquisition profile and a single publishing profile are supported. This will be extended later.

tip

We recommend to create your storage using Mosaic Hosting Service. You can setup acquisition and publishing with minimal configuration with that. Alternatively, you can create storage using Microsoft Azure or AWS.

Both, acquisition profile and publishing profile define the following properties. The following articles explain the steps to acquire the following properties when using :

Properties common for every storage provider

PropertyDescription
TitleA human-readable profile identifier
Storage ProviderThe storage provider type

Mosaic Hosting Service specific properties

PropertyDescription
Container NameWhich container to use. The container can be picked from list of available containers from Mosaic Hosting Service Cloud Storage.

Azure Storage specific properties

PropertyDescription
Storage Account NameThe username/account name
Storage Account KeyThe corresponding password/access key for the storage account above. It is a secret and must be encrypted, see credentials protection
Container NameWhich storage container to use. A Storage Account can have multiple Containers used for different purpose

AWS specific properties

PropertyDescription
Access Key IdAccess Key Id
Access KeyThe corresponding password/access key. It is a secret and must be encrypted, see credentials protection
Bucket nameWhich bucket to use. Multiple buckets can be accessible with the same access key for different purpose
RegionAWS Region to use for data storage. We recommend to use eu-west-1, as the encoding service also runs in this region

Acquisition Profile

Acquisition Profile defines an Input Storage. The Encoding Service assumes, that for every video all input files will be placed in the same folder. All video folders should be nested under a root folder inside the specified container.

Additional properties of an Acquisition Profile common for every storage provider

PropertyDescription
Root PathAn optional value that is used to define some sub-folder from which the videos should be downloaded. If no value is specified, the videos are acquired from the root of storage container/bucket. If a value is specified, it must be a single folder name or a path, e.g folderName/anotherFolder. In this case, the videos are acquired relatively to this folder.

Two different security boundaries are involved here:

  • The encoder side: the video encoder process runs in a secure processing environment without any outside process reaching into it. This process needs read permissions to access the Input Storage (in Azure: READ, in AWS: HeadBucket, ListObjects. GetObject).
  • The management side: The Mosaic GUI can show a list of all the videos that are available in the source storage location. This service, strictly speaking, only needs permissions to list sub-folders in the root folder. In Azure it can be achieved with a SAS-token with LIST permissions. In AWS this level of granularity is unfortunately not reachable (see below).

Mosaic Hosting Service

When using Mosaic Hosting Service as the storage provider, no additional properties are required.

Acquisition Profile / Mosaic Hosting Service

Acquisition Profile / Mosaic Hosting Service

Azure Storage

Additional properties of an Acquisition Profile in Azure

PropertyDescription
SAS TokenThis is an Azure Storage SAS Token used by the Management System GUI to list the folders in the input storage. It must not be encrypted with Credentials Protection and it is not passed to the encoder. The token shall have LIST permissions. It is advisable not to provide it any other permissions, such as a READ permission to reduce the exposure of non-protected video content.

Acquisition Profile / Azure

Acquisition Profile / Azure

AWS

Additional properties of an Acquisition Profile in AWS

PropertyDescription
Management Access KeyThis is the same as the "Access Key" above, just in an unencrypted form. Unlike the Access Key, the Management Access Key is used by Mosaic Management System to access the list of sub-folders under the root. We are working on a solution to avoid duplication of credentials and better credentials protection.

Acquisition Profile / AWS

Acquisition Profile / AWS

note

Once the GUI will be extended with a capability to upload video directly, it will additionally need a WRITE permission. For security reasons, those should not be valuable videos but rather trailers or other short video clips.

Publishing Profile

Publishing Profile defines an Output Storage. For every processed video, the Encoding Service will create a folder in the root of the Output Storage.

note

The folder name will be generated randomly, it will not be the same as the input folder name. You can find the folder name in the job details.

Processing Profile

A processing profile defines how the desired video, audio, subtitle, and closed caption tracks can be found. You can define more than one processing profile to allow different use cases. One of the available profiles must be selected before the video encoding process can start encoding a new video. After clicking the Processing tile, you see a list of all configured profiles in the profiles explorer. After selecting a profile, you can manage its settings.

**Processing Profile **

Processing Profile

The default profile is filled out with a set of reasonable values that you can adjust to your needs. A description of all the properties can be found in the content processing and media mapping documentation. You can find a short summary from the table below. There is also a mapping to the sections and properties of a job request (see Encoding API).

Field

Job Request Mapping

Description

Title

A human-readable profile identifier. This can also be used as a profile identifier for customizable software integrations (e.g. during an ingest process of a customizable service).

Video Stream Expression

MediaMappings.VideoStreamExpression

A regular expression for finding the file that contains the main video stream. Provided expression can be checked/verified by clicking a button next to the input field - the opened inline menu enables opening a new browser tab where regex can be tested.

Audio File Language Expression

MediaMappings.AudioFileLanguageExpression

A regular expression for finding the files that contain the audio tracks. Expression validation opportunity is also provided.

Subtitle File Language Expression

MediaMappings.SubtitleFileLanguageExpression

A regular expression for finding the files that contain the subtitle tracks and their language mapping. Expression validation opportunity is also provided.

Closed Captions File Language Expression

MediaMappings.CaptionFileLanguageExpression

A regular expression for finding the files that contain the closed caption tracks and their language mapping. Expression validation opportunity is also provided.

Output Format

ContentProcessing.OutputFormat

This field defines the output format of the encoded video, which could be one of the following:

  • DASH - creates a DASH video that allows to use the Widevine and PlayReady DRM technologies
  • HLS - creates a HLS video that allows to use the FairPlay DRM technology
  • CMAF - creates a CMAF video that allows to use the FairPlay, Widevine, and PlayReady DRM technologies
  • DASH & HLS - produces two videos: one HLS and one DASH video
  • Dash-on-Demand - a special version of the DASH output using the so-called "On-Demand Profile"

DRM Protection

ContentProcessing.DrmProtection

Choose whether the video should DRM-protected (single key or multiple keys) or not. Before DRM protection can be used, DRM Settings have to be set

Tar Mode

ContentProcessing.Archiving

Select a tar mode, also known as Archiving approach.

Delete after Processing

This option tells the encoding job to remove the source content from the acquisition location, once the processing is completed. CAUTION: If you activate this option, the source material is not available once the job completes, so you cannot repeat the job. Please only use this option for additional security if you fully understand the consequences.

note

If you want to use more fine-grained control over the jobs, use the Encoding API directly.

DRM Settings

If you want to protect your videos with DRM, you need DRM credentials for your environment. (If you don’t plan to protect videos with DRM you don’t have to fill out this section.) If you didn’t do it yet, go to My Mosaic, DRM on the left side and Acquire Credentials. All the data you need below will be provided under the "Key Service" section.

Caution

Don’t lose the management keys, they can’t be restored (but you can request their reset - raise a support request).

DRM settings for the Encoding Service include the access data for the Axinom DRM Key Service. The Encoding Service will then acquire the necessary encryption keys from the Key Service. For details see DRM integration.

DRM Settings

DRM Settings

You can find a short summary from the table below:

FieldDescription
Management API URLURL of the Key Service Management API, e.g. https://key-server-management.axprod.net/api
Tenant IDYour Key Service tenant ID, UUID
Management KeyYour Key Service management key, must be encrypted, see credentials protection
Key Seed IDThe ID of the Key Seed from which they keys will be derived. Usually, you have only one Key Seed created automatically during DRM setup. But you can create more Key Seeds and decide which to use. Must be encrypted, see credentials protection.