Key Server Integration
If you are using Contego/Conax products, please refer to the documentation available at https://doc.integra.nagra.com/.
Introduction
This guideline provides the essential information to integrate an OTT encoder with the SSP Key Server, and retrieve content encryption keys and DRM signaling data for OTT content.
It also provides information about how to test playback of the encrypted content in order to verify the integration.
The integrator must have the following equipment:
- OTT encoder/packager
- Origin server
Integration overview
System architecture
The following diagram shows the integration points with the NAGRA SSP platform to enable an OTT video service with DRM-protected content:
- The OTT encoder/packager retrieves content keys and DRM signaling from the SSP Key Server.
- A client application retrieves a DRM license to play out the DRM-protected content.
- The operator accesses OTT dashboards showing metrics about content keys and DRM license delivery.
This integration guide covers the different APIs supported by the SSP Key Server to deliver content keys and DRM signaling.
It also provides reference HTML video players that can be used to validate that the generated encrypted content can be played out using the respective DRM license service provided by SSP.
Supported streaming protocols and DRMs
The table below gives a high-level overview of compatibility between streaming protocols, DRM, and devices.
Streaming mode | DRM type | Devices | HTML5 browsers |
|---|---|---|---|
| HLS Sample AES | FairPlay Streaming | iOS, Apple TV, MacOS | Safari |
| HLS AES-128 | PRM Widevine (note 1) | STB | |
| DASH CENC | Widevine PlayReady PRM | Android, Chromecast, Windows, MacOS Android, Chromecast, Windows STB, OpenTV Player | Chrome, Firefox, Opera, Edge IE11, Edge |
| HLS / DASH CBCS | FairPlay Streaming PlayReady PRM Widevine | All devices supporting CMAF content | Safari, Chrome, Firefox |
Note 1: Google no longer recommends or advices usage of legacy Widevine HLS v1 (mpeg-2 ts based).
Key Server interfaces
The following table lists the interfaces supported by the NAGRA Key Server, including the supported use cases, DRMs, and client authentication mode. (All interfaces rely on HTTPS for server authentication.)
| Key Server interface | Use cases | Key rotation | DRMs | Packager authentication mode | Link to Key Server API spec |
|---|---|---|---|---|---|
| NAGRA Encoder KSS | VOD Live | Supported | All | SSP AuthN token for client authentication* | |
| AWS Elemental SPEKE | VOD Live | Supported | All | AWS IAM based authentication | |
| DASH-IF CPIX | VOD Live | Supported | All | SSP AuthN token for client authentication* |
Packager authentication
SSP AuthN token
When the OTT packager authentication is based on an SSP AuthN token, this token must be sent as an HTTP header named "nv-authorizations" with the token itself as the value.
The SSP AuthN token is a JWT token that must be signed with a credential provided by NAGRA to the partner prior to starting the integration activity.
In addition, a pre-generated AuthN token to facilitate the integration testing can be provided by NAGRA. Please contact integrationsupport@nagra.com.
Details of the SSP AuthN token can be found under this page.
OTT packagers pre-integrated with NAGRA SSP
The following table lists the OTT encoders/packagers that have been integrated with NAGRA SSP Key Server.
| Encoder vendor | Encoder model | Key Server interface | Use case | DRMs | Packager authentication | Others |
|---|---|---|---|---|---|---|
| Concurrent/ Vecima | Vecima Origin | NAGRA KSS | VOD Live | All | SSP AuthN token | |
| MediaKind | MKP v12 VSPP 8.0.1 | NAGRA KSS | VoD Live | FPS WV PR | SSP AuthN token via proxy SSP AuthN token | |
| Anevia | NeaDVR 4.6 NeaDRM Gateway 1.4.0 | NAGRAKSS | VoD Live | FPS WV PR | SSP AuthN token | |
| Velocix | VXOA 5.0.0.3 / 5.0.0.6 | NAGRAKSS | VOD | FPS WV PR | SSP AuthN token | |
| BroadPeak | BKS350 | NAGRAKSS | VoD Live | All | SSP AuthN token | |
| BKS350 | DASH-IF CPIX | VOD | FPS WV | SSP AuthN token | Basic inter-operability only | |
| Harmonic | VOS / VOS 360 | Harmonic KMS | Live | FPS WV | SSP AuthN token | |
| PMXO 2.2 | Harmonic KMS | VoD Live | FPS WV | SSP AuthN token via proxy | ||
| Elemental | Delta | Nagra KSS | VOD Live | WV | SSP AuthN token via proxy | |
| AWS Elemental | MediaConvert | SPEKE | VOD | FPS WV | AWS IAM based AuthN | |
| MediaPackage | SPEKE | Live | FPS WV | AWS IAM based AuthN |
Integration platform details
Key Server URLs
| Key Server interface | Key Server endpoint URL | Link to sample requests & responses |
|---|---|---|
| NAGRAEncoder KSS | https://<TenantId>-op.anycast.nagra.com/<TenantId>/cks-ws-keyAndSignalization/key | Sample requests and responses can be found here. |
License Server URLs
| SSP Platform License Server URLs | |
|---|---|
| Widevine | https://<TenantId>.anycast.nagra.com/<TenantId>/wvls/contentlicenseservice/v1/licenses |
| FairPlay | https://<TenantId>.anycast.nagra.com/<TenantId>/fpls/contentlicenseservice/v1/licenses |
| PlayReady | https://<TenantId>.anycast.nagra.com/<TenantId>/prls/contentlicenseservice/v1/licenses |
| Nagra PRM | https://<TenantId>.anycast.nagra.com/<TenantId>/prmls/contentlicenseservice/v1/licenses |
Replace <TenantId>with your tenant identifier.
Test the content
NAGRA provides Dash.js- and Shaka-based reference HTML players for content playback.
Please refer to License Server integration guide.