If you are using Contego/Conax products, please refer to the documentation available at https://doc.integra.nagra.com/.

This page provides an overview of the steps needed to validate your NAGRA SSP Multi-DRM cloud solution using Content Authorization Tokens.

Prerequisites

Your tenant has been configured in the NAGRA SSP MDRM cloud solution and you have been delivered a JSON file with your NAGRA SSP credentials as well as the URLs of your Multi-DRM license servers.

Play the pre-encrypted content

NAGRA hosts a short video of pre-encrypted content in both DASH and HLS formats that can be used to quickly validate your NAGRA SSP MDRM cloud solution.

To play this content:

  1. Generate one Content Authorization Token.
  2. Generate Content Key Tokens.
  3. Using a hosted HTML player, request a DRM license from the NAGRA SSP MDRM cloud solution and play the content.

Generate a Content Authorization Token

  1. Download the sample JWT Token Generator from here.
  2. Replace the key.json file with your Nagra SSP credentials JSON file.
  3. Under the config directory, edit the ContentAuthZ.json file as follows:
    1. Set the contentId to "VOD-CONTENTID1" .
    2. Verify that "usageRulesProfileId" is set to "Test" .
  4. Run the token generator (run.bat for Windows, run.sh for Linux) and check the token has been generated under the token directory.

Decode (base64) your Content Authorization Token and verify that the value of the "kid" token claim matches the "credentialId" in your NAGRA SSP credentials JSON file.

Your decoded token should look like this (signature not shown): 

{
    "kid": "<your credentials Id here>",
    "typ": "JWT",
    "alg": "HS256"
} {
    "ver": "1.0",
    "typ": "ContentAuthZ",
    "exp": 1659836800 ,
    "device": {
        "accountId": "test_account_0001"
    },
    "contentRights": [{
            "contentId": "VOD-CONTENTID1",
            "usageRulesProfileId": "Test"
        }
    ]
}
XML

Generate the Content Key Tokens

The key used to encrypt this sample content is not present in your NAGRA SSP cloud MDRM solution. So you need to generate a token including that content key and send it with the license request.

To do this you can use the same sample JWT token generator downloaded in the previous step.

Please note that the key used to encrypt the sample content in DASH format is different from the one used for the HLS format. Hence you need to run through this step twice to generate one Content Key Token for DASH and another one for HLS.

  1. Under the config directory, edit the config.json file and set the token_type to "Kc" .
  2. Under the config directory, edit the Kc.json file as follows:
    1. To test DASH content, set the KcId value to "684c5a64-ab63-493d-9465-901aa09a5225" and "value" to "cK/i8tziYlIi/lQKgklwdw==".
    2. To test HLS content, set the KcId value to "7c29127c-547d-4aae-80ba-ca144f7e373f" and "value" to "534Ju04kNfj9x6gbJicCWA==".
  3. Run  the token generator (run.bat for Windows, run.sh for Linux) and check the token has been generated under the token directory.

Tip

Decode (base64) your Content Key Token and verify that the value of the "kid" token claim matches the "credentialId" in your NAGRA SSP credentials JSON file.

A Content Key Token is encrypted, but you can still Base 64 decode your token and verify that the JWT token header has the correct values for the "kid" and "kcIds" fields. 

{
    "kcIds": ["684c5a64-ab63-493d-9465-901aa09a5225"],
    "typ": "JWT",
    "enc": "A128CBC-HS256",
    "alg": "dir",
    "kid": "<your credentials Id here>"
}
XML

Request a DRM license and play the content

NAGRA hosts a set of HTML players based on both Shaka and Dash.js players, available via the URLs below. These players will request the DRM license from the NAGRA SSP cloud solution for you.

PlayerSupported StreamBrowserLink
Dash.jsMPEG-DASH (Widevine, Playready)Chrome, Firefox, Edgehttps://ref-players.anycast.nagra.com/ssp/html5/dashjs/release/1.8.0.1605021752/nmp.html
Dash.jsHLS (Fairplay)Safarihttps://ref-players.anycast.nagra.com/ssp/html5/dashjs/release/1.8.0.1605021752/nmp-fairplay.html
ShakaMPEG-DASH (Widevine, Playready)Chrome, Firefox, Edgehttps://ref-players.anycast.nagra.com/ssp/html5/shaka/release/5.3.0.1604489091/nmp.html
ShakaHLS (FairPlay)Safarihttps://ref-players.anycast.nagra.com/ssp/html5/shaka/release/5.3.0.1604489091/nmp-fairplay.html

To play the pre-encrypted content:

  1. Open the selected player's URL above.
  2. Fill in the Streaming URL with one of the following:
    1. To test DASH: https://ref-players.anycast.nagra.com/ssp/content/dash-cenc/stream.mpd
    2. To test HLS: https://ref-players.anycast.nagra.com/ssp/content/hls-fps/master.m3u8
  3. Edit the License server URL and replace tfs5mlsh with the tenant identifier assigned to you by the NAGRA Cloud Operations team.
  4. Edit the Tenant Id field and set it to your tenant identifier value.
  5. Under the Token Value field, copy the following two tokens, separated by a comma (,):
    1. The Content Authorization Token
    2. And one of the Content Key Tokens generated in the previous step
  6. Click the Play button.

Tip

Make sure that you are using the right Content Key Token depending on whether you want to play back the DASH or the HLS version of the sample content.

Tip

The HTML player performs the license request to the NAGRA SSP cloud solution, selecting the appropriate DRM License Server based on the browser you are using (see the table above).

Play your own content

Once you have successfully validated your NAGRA SSP cloud MDRM solution with the pre-encrypted content, you can generate your own encrypted content and validate playback against the different DRM license servers.

To achieve this:

  1. Request a key and DRM signalling from the NAGRA SSP cloud Key Server.
  2. Encrypt your content using that key and the appropriate encryption algorithm.
  3. Generate a DASH manifest or an HLS playlist including the DRM signalling generated by the NAGRA SSP Key Server in step 1.
  4. Generate a Content Authorization Token for your content.
  5. Play the content using any of the sample HTML players.

Retrieve a key from the NAGRA SSP Key Server

Follow the steps described on the Key Server Integration integration page.

Encrypt your content and generate the content manifest or playlist

To do this, use an OTT packager and provide it with the content key and DRM signalling retrieved in the previous section (above).

There are several commercial OTT packagers that are pre-integrated with NAGRA SSP cloud – these are listed on the Key Server Integration page. Alternatively, you can use a command line, open-source OTT packager like Bento4.

Configuring and running the OTT packager of your choice is outside the scope of this integration guide.

Tip

Make sure that you are using the DRM signalling generated by the NAGRA SSP Key Server in the previous step. For further details about DRM signalling, see the OTT DRM Signaling page.

Generate a Content Authorization Token

Follow the same steps as in the section above for the sample pre-encrypted content:

  1. Download the sample JWT Token Generator from here.
  2. Replace the key.json file with your NAGRA SSP credentials JSON file.
  3. Under the config directory, edit the ContentAuthZ.json file as follows:
    1. Set the contentId to the same value used to retrieve the key from the NAGRA Key Server.
    2. Verify that the "usageRulesProfileId" is set to "Test" .
  4. Run the token generator (run.bat for Windows, run.sh for Linux) and check the token has been generated under the token directory.

Tip

Decode (base64) your Content Authorization token and verify that:

  1. The value of the "kid" token claim matches the "credentialId" in your NAGRA SSP credentials JSON file.
  2. The value of the "contentId" token claim matches the value you used to request the key from the NAGRA SSP Key Server (for example, the <sch1:drmContentId> XML tag in the SOAP request to the key server).

Request a license and play the content

  1. Select one of the available HTML players and open its hosting URL.
  2. Fill in the Streaming URL with one of the following:
    1. DASH: https://ref-players.anycast.nagra.com/ssp/content/dash-cenc/stream.mpd
    2. HLS: https://ref-players.anycast.nagra.com/ssp/content/hls-fps/master.m3u8
  3. Edit the License server URL and replace tfs5mlsh with the tenant identifier assigned to you by the NAGRA Cloud Operations team.
  4. Edit the Tenant Id field and set it to your tenant identifier value.
  5. Under the Token Value field, copy both the Content Authorization Token and the Content Key Token generated in the previous step, separated by a comma (,).
  6. Click the Play button.