
CONNECT Provisioning Service

1. Overview

Usage of a CONNECT provisioning operation is mandatory when any flavour of the CONNECT client (CCL) is used with:

  • NAGRA SSP,

  • Conax Contego, or

  • Netflix or other OTT service providers when secured with PRM

The provisioning operation authorizes a device to access an operator's license server (OTT, DVB or DAS). NAGRA supports two options for accessing this operation:

  • NAGRA Provisioning Service (PVS) hosted in AWS and provided free of charge for operators and device manufacturers. This option is the recommended one for all CONNECT flavours and the only one possible for CONNECT NOCS.

  • Conax Contego and SSP on-premise deployments support a provisioning operation. This option is only possible with CONNECT SKL and CONNECT TKL and allows easy deployment of those CONNECT flavours on networks without AWS access.


2. Provisioning operation

The provisioning operation consists of delivering all the secrets to the device that are needed to access an operator license server. This operation is normally done once in the lifetime of the device. This operation might need to be repeated if:

  • A new license server needs to be accessed by the device.

  • There is an error on the network.

  • Locally persisted data becomes corrupted.

  • Manual or triggered factory reset of the device.

  • Security breach of the license server.

  • A new CCL library is deployed to the device that is incompatible with previously provisioned data. This can happen when switching from a debug to a release version of the CCL, but could also happen between two release versions.

The operation consists of the following steps, which are driven by the device:

  1. Download of the targeted operatorVault from the operator backend by the application interfacing the CCL. For SSP, the operatorVault file can be downloaded directly from SSP at https://{frontAddress}/filedownload/v1/opvault/.

  2. Import of the operatorVault in the CCL to start an application session.

  3. If the CCL has not yet been provisioned for the operator, it will return the specific error NV_ASM_ERROR_NEED_PROVISIONING. The application should only react and call the provisioning server if this happens.

  4. The provisioning request requires a specific message including data from the operatorVault. To build it, the application calls nvAsmGetProvisioningParameters() on the original application session, then nvDpscSetClientData() on the provisioning session. The operation is defined in /provisioning/device/v2 for the AWS PVS and in /tkap/provisioning/device/v2 for SSP on-premise.

  5. The provisioning response needs to be imported into the CCL.

  6. At that point, the new application session that is opened with the used operatorVault on the CCL returns NV_ASM_SUCCESS.

2.1.1. Warning

A provisioning operation that is done with CONNECT TKL and SKL will systematically invalidate any licenses that were previously accessible by the device (in RAM or persisted). So, this operation must be systematically followed by license acquisitions.

A provisioning operation that is done with CONNECT NOCS does not invalidate licenses that were previously accessible by the device (in RAM or persisted) unless it happens because of a security breach of the license server.


3. Restoring security in case of a security breach of the license server

In case of a serious security breach on a license server, the provisioned secrets could be considered to be compromised. To restore security, the PVS and the CONNECT system include the following logic:

  1. In each provisioning operation, PVS actually delivers not only the secrets needed to access the license server at time T, but also two other generations of secrets. Thanks to this mechanism, one single provisioning operation is actually capable of resisting two security breaches on the license server.

  2. Each time a security breach happens on the license server, NAGRA generates and installs a new operatorVault on the server, and requests that the CCL use a new generation of secrets.

  3. At the third security breach, the CCL would again return NV_ASM_ERROR_NEED_PROVISIONING and request a new provisioning operation.

3.1.1. Warning

Restoring security after a security breach on the server is the reason why the operatorVault file must always be downloaded from a server and never hardcoded into devices.
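
The generation logic above, modelled as an added example (not NAGRA code and not the CCL API). Generations are treated as consecutive integers and `LicenseServer`, `Device`, `pvs_provision` and `simulate` are hypothetical names; only the two NV_ASM_* result names come from this page. The model shows one provisioning surviving two breaches, the third breach triggering re-provisioning, and a device with a hardcoded operatorVault staying on the breached generation.

```python
# Toy model (added example). Assumption: generations are consecutive integers.
# Only the two NV_ASM_* names come from the page; everything else is hypothetical.
NV_ASM_SUCCESS = "NV_ASM_SUCCESS"
NV_ASM_ERROR_NEED_PROVISIONING = "NV_ASM_ERROR_NEED_PROVISIONING"
GENERATIONS_PER_PROVISIONING = 3  # generation at time T plus two others

class LicenseServer:
    """Hypothetical operator backend serving the current operatorVault."""
    def __init__(self):
        self.generation = 0
    def download_operator_vault(self):
        return {"generation": self.generation}
    def recover_from_breach(self):
        # A new operatorVault is installed that requests the next generation.
        self.generation += 1

def pvs_provision(vault):
    """Hypothetical PVS: the set of generations delivered for this vault."""
    first = vault["generation"]
    return set(range(first, first + GENERATIONS_PER_PROVISIONING))

class Device:
    def __init__(self):
        self.secrets = set()      # provisioned generations (persisted)
        self.provisionings = 0

    def open_session(self, vault):
        ok = vault["generation"] in self.secrets
        return NV_ASM_SUCCESS if ok else NV_ASM_ERROR_NEED_PROVISIONING

    def start(self, server, hardcoded_vault=None):
        # Step 1: fetch the vault from the server unless one is baked in.
        vault = hardcoded_vault or server.download_operator_vault()
        if self.open_session(vault) == NV_ASM_ERROR_NEED_PROVISIONING:
            self.secrets = pvs_provision(vault)   # steps 4-5
            self.provisionings += 1
        assert self.open_session(vault) == NV_ASM_SUCCESS  # step 6
        return vault["generation"]

def simulate(breaches, hardcode=False):
    """Return (generation in use, provisioning count) after N breaches."""
    server, device = LicenseServer(), Device()
    baked = server.download_operator_vault() if hardcode else None
    in_use = device.start(server, baked)
    for _ in range(breaches):
        server.recover_from_breach()
        in_use = device.start(server, baked)
    return in_use, device.provisionings
```

`simulate(3, hardcode=True)` leaves the device on generation 0 after every breach, which is the failure the warning above describes.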


