Skip to main content
Skip table of contents

OTT key delivery and license validity

1. Overview

SSP offers various options to deliver keys depending on the selected authorization mode, the DRM used, and the key server and packager configurations. This page details the behavior of SSP depending of the various combinations.


2. License post-delivery operation

All the license servers supported by SSP offer a post-delivery operation. This operation returns a license message containing at least the key requested in the license request message.

When the following conditions are met, SSP will deliver additional keys in the license, in order to optimize the user experience on the device in case of key rotation:

  • Connect or SW-PRM or TVkeyCloud or Widevine or Playready is used in the device

  • More than one key associated to the content is known by the SSP key server at the license request time and one of the following OTT Authorization options is used:

    • OTT authorization based on Content Authorization token:

      • The license will contain the requested key plus all the keys whose start time is closer than the start time of the key requested plus the "postDelivery.validity" parameter.

      • This parameter is a global tenant configuration set to 48 hours by default.

      • The license validity will be determined by the content rights specified in the token (ContentRights.end - ContentRights.start). If not present, it is not set.

    • OTT authorization based on RMG with a right for a subscription product:

      • As in the previous case, the license will contain the requested key plus all the keys whose start time is closer than the start time of the key requested plus the "postDelivery.validity" parameter.

      • The license validity will be set to the "postDelivery.validity" parameter (48 h by default).

    • OTT authorization based on RMG with a right for a PPV product:

      • The license will be granted if the event linked to the PPV product is about to start and the license will contain the keys used to encrypt the content during the PPV event.

      • The license validity will be limited to the duration of the EPG event linked to the PPV product, plus a certain extension to cover cases where the event lasts longer than expected or the user replays while watching.

To illustrate these rules, the following diagram explains different cases when there is an OTT live channel with key rotation (Kc1 to Kc5), a PPV event on that channel, and the license authorization is based on:

  1. Content Authorization token or RMG authorization with a right for a subscription product. SSP will return all keys used in the upcoming 48 hours from the start of the current key.

    1. For instance, License request #1 will be granted including keys: Kc1, Kc2, Kc3, Kc4, Kc5 and a validity set according to the token or 48 hours (RMG subscription-based authorization).

  2. RMG with a right for a PPV event

    1. License request #1 will be rejected as the PPV event has not started (regardless of the key requested by the device).

    2. License request #2 (for Kc2) will be granted as the PPV event is about to start (lead time, see note below). SSP will return the keys used during the event: Kc2, Kc3, Kc4. License validity will be limited to lead time + event duration + duration extension.

    3. License request #3 (for Kc3) will be granted as the PPV event has started but not yet finished. SSP will return the keys used during the event: Kc2, Kc3, Kc4. However, license validity will be limited to remaining event duration + duration extension.

    4. License request #4 will be rejected by default as the PPV event has already finished. If the system is configured to authorize requests bound to PPV events in the past (see note below), and the device requests a key used during the PPV event (Kc2, Kc3 or Kc4), the license will be granted including keys Kc2, Kc3, Kc4 and license validity as in case 2.b.


Parameters used for PPV:

  • "postDelivery.leadTime" is a global tenant configuration equal to 15 minutes by default.

  • "postDelivery.durationExtension" is a global tenant configuration equal to 30 minutes by default. It is used to cover the case where the EPG event lasts longer than expected.

  • "postDelivery.allowPPVInThePast" is a global tenant configuration, FALSE by default. It has to be set to TRUE to allow delivery of keys granted through PPV right for events in the past. It is recommended to keep the default FALSE value unless frequent key rotation is used.

This possibility can only be fully exploited if future keys are already known by the key server, so it requires that the packager either imports or requests them in advance, and that it uses a key server interface supporting key rotation.


3. License pre-delivery with Connect

PRM LS supports a specific operation for pre-delivery. This operation is able to returns keys for more than one content because of the additional SSP authorization services (ADM/RMG) and the SSP content definition service (IMS).

When a device calls this operation:

  1. SSP first authenticates the device,

  2. then SSP checks the list of rights accessible by this authorized device thanks to ADM and RMG services

  3. then SSP gets the list of contentId accessible via these rights using IMS. It filters out the content that are flagged out of pre-delivery, see preDeliveryEnabled in the channel API

  4. then SSP gets all the keys matching the preDelivery configuration by calling the SSP key server:

    • For all content typed as target OTT, SSP delivers all keys accessible by the key server with a start time between the license request time minus "preDelivery.replayDeliveryWindow" (default 3 hours) and "preDelivery.validity" (default 48 hours)

    • For all content typed as target OTT_CATCH_UP, SSP delivers all keys accessible by the key server with a start time between the license request time minus "preDelivery.catchupDeliveryWindow" (default 7 days) and "preDelivery.validity" (default 48 hours)

    • For content authorized via a PPV product, include only the keys used during the PPV event and only if the event has started or is about to start (lead time).

      • If the event linked to the PPV product is in the past, SSP will not include the keys used during the event unless the "preDelivery.allowPPVInThePast" is set to TRUE (FALSE by default). In which case, SSP will include all the keys used to encrypt the stream when the event was live.

  5. Finally, SSP creates the license including all these keys:

    • This license is persisted and replaced automatically after each new pre-delivery call by the CONNECT client.

    • This license is intended to be renewed after predelivery.RenewalDate (default to 24 hours).

    • This license includes as well all the different content usage rules related to the different contents as defined in the IMS service.

    • This license expires after preDelivery.validity (default to 48 hours).

To illustrate the rules above, the following diagram explains a case in which SSP would return 17 keys (KA4, KA5, KA6, KA7, KA8, KB4, KB5, KB6, KB7, KB8, KC2, KC3, KC4, KC5, KC6, KC7 and KC8) in the license response.

This possibility can only be fully exploited if future keys are already known by the key server, so it requires that the packager either imports or requests them in advance, and that it uses a key server interface supporting key rotation.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.