Introduction

This guideline provides the essential information to integrate an OTT encoder with the SSP Key Server, and retrieve content encryption keys and DRM signaling data for OTT content.

It also provides information about how to test playback of the encrypted content in order to verify the integration.

The integrator must have the following equipment:

  • OTT encoder/packager
  • Origin server

Integration overview

System architecture

The following diagram shows the integration points with the NAGRA SSP platform to enable an OTT video service with DRM-protected content:

  1. The OTT encoder/packager retrieves content keys and DRM signaling from the SSP Key Server.
  2. A client application retrieves a DRM license to play out the DRM-protected content.
  3. The operator accesses OTT dashboards showing metrics about content keys and DRM license delivery.


This integration guide covers the different APIs supported by the SSP Key Server to deliver content keys and DRM signaling.

It also provides reference HTML video players that can be used to validate that the generated encrypted content can be played out using the respective DRM license service provided by SSP.

Supported streaming protocols and DRMs

The table below gives a high-level overview of compatibility between streaming protocols, DRM, and devices.

Streaming mode

DRM type

Devices

HTML5 browsers

HLS Sample AESFairPlay StreamingiOS, Apple TV, MacOSSafari
HLS AES-128

PRM

Widevine (note 1)

STB
DASH CENC

Widevine

PlayReady

PRM

Android, Chromecast, Windows, MacOS

Android, Chromecast, Windows

STB, OpenTV Player

Chrome, Firefox, Opera, Edge

IE11, Edge

HLS / DASH CBCS

FairPlay Streaming

PlayReady

PRM

Widevine

All devices supporting CMAF content

Safari, Chrome, Firefox

Note 1: Google no longer recommends or advices usage of legacy Widevine HLS v1 (mpeg-2 ts based).

Key Server interfaces

The following table lists the interfaces supported by the NAGRA Key Server, including the supported use cases, DRMs, and client authentication mode. (All interfaces rely on HTTPS for server authentication.)

Key Server interfaceUse casesKey rotationDRMsPackager authentication modeLink to Key Server API spec
NAGRA Encoder KSS

VOD

Live

SupportedAll

SSP AuthN token for client authentication*

NAGRA Encoder KSS spec

AWS Elemental SPEKE

VOD

Live

SupportedAllAWS IAM based authentication

AWS Elemental SPEKE API spec

DASH-IF CPIX

VOD

Live

SupportedAllSSP AuthN token for client authentication*

DASH-IF CPIX API spec


Packager authentication

SSP AuthN token

When the OTT packager authentication is based on an SSP AuthN token, this token must be sent as an HTTP header named "nv-authorizations" with the token itself as the value.

The SSP AuthN token is a JWT token that must be signed with a credential provided by NAGRA to the partner prior to starting the integration activity.

In addition, a pre-generated AuthN token to facilitate the integration testing can be provided by NAGRA. Please contact integrationsupport@nagra.com.

Details of the SSP AuthN token can be found under this page.

OTT packagers pre-integrated with NAGRA SSP

The following table lists the OTT encoders/packagers that have been integrated with NAGRA SSP Key Server.

Encoder vendorEncoder modelKey Server interfaceUse caseDRMsPackager authenticationOthers
Concurrent/ VecimaVecima OriginNAGRA KSSVOD LiveAllSSP AuthN token
MediaKindMKP v12NAGRA KSSVoD Live

FPS WV PR

SSP AuthN token via proxy
Anevia

NeaDVR 4.6

NeaDRM Gateway 1.4.0

NAGRAKSSVoD LiveFPS WV PRSSP AuthN token
VelocixVXOA 5.0.0.3 / 5.0.0.6NAGRAKSSVODFPS WV PRSSP AuthN token
BroadPeakBKS350NAGRAKSSVoD LiveAllSSP AuthN token

BKS350DASH-IF CPIXVODFPS WVSSP AuthN tokenBasic inter-operability only
HarmonicVOS / VOS 360Harmonic KMSLiveFPS WVSSP AuthN token

PMXO 2.2Harmonic KMSVoD LiveFPS WVSSP AuthN token via proxy
ElementalDeltaNagra KSSVOD LiveWVSSP AuthN token via proxy
AWS Elemental

MediaConvert

SPEKEVODFPS WVAWS IAM based AuthN

MediaPackageSPEKELiveFPS WVAWS IAM based AuthN

Integration platform details

Key Server URLs

Key Server interfaceKey Server endpoint URLLink to sample requests & responses
NAGRAEncoder KSShttps://<TenantId>-op.anycast.nagra.com/<TenantId>/cks-ws-keyAndSignalization/keySample requests and responses can be found here.
Replace <TenantId>with your tenant identifier.

License Server URLs

SSP Platform License Server URLs
Widevinehttps://<TenantId>.anycast.nagra.com/<TenantId>/wvls/contentlicenseservice/v1/licenses
FairPlayhttps://<TenantId>.anycast.nagra.com/<TenantId>/fpls/contentlicenseservice/v1/licenses
PlayReadyhttps://<TenantId>.anycast.nagra.com/<TenantId>/prls/contentlicenseservice/v1/licenses
Nagra PRMhttps://<TenantId>.anycast.nagra.com/<TenantId>/prmls/contentlicenseservice/v1/licenses

Replace <TenantId>with your tenant identifier.

Test the content

NAGRA provides Dash.js- and Shaka-based reference HTML players for content playback.

Please refer to License Server integration guide.