Article: How to secure Apple HTTP Live Streaming (AES-128 - external method)

I have a basic question regarding the event sequence in external method security.

I have a password protected page, http://URL1, which loads the HTML5 player on the customer's iPhone/iPad to play http://IP:1935/application/mystream

I have a script, https://URL2, which returns the key in /keys/mystream.key, generated by genkey.bat

I am trying to confirm that my server will only stream to the HTML5 player in http://URL1

Where is https://URL2 called from to prevent direct linking to http://IP:1935/application/mystream from anywhere other than http://URL1?

How do you automatically generate keys for livestreams on publishing, i.e. when a streamer connects and starts streaming to our Wowza server (we don't want to do anything manually)? We are using transcoding to 3 different qualities and origin-edge, and plan to use nDVR in the future, if that makes any difference. Quote from above regarding automation: "Note: You can also use the genkey utility to generate key files. A key file with a different key is generated each time you run this utility. You can integrate this utility into an automated workflow to create many .key files for a video library."
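On the question of where https://URL2 is called from: with the external method, Wowza writes the key URL into the playlist as the `#EXT-X-KEY` URI, so it is the player on the customer's device that fetches the key, not URL1. Locking the stream to URL1 therefore means putting the access check at URL2, bound to the same login session URL1 creates. The following is an added example, not code from the thread or from Wowza: a stand-alone Python sketch of that key endpoint. The session-cookie scheme (an HMAC over `user|expiry`), the secret, the cookie name and the in-memory key store are all constructed for the demo; in production the key bytes come from your /keys files or a key service and the secret from configuration.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed demo values: the signing secret URL1 and URL2 share, and an
# in-memory stand-in for the 16-byte AES-128 keys behind /keys/<stream>.key.
SESSION_SECRET = b"constructed-demo-secret-change-me"
KEY_STORE = {
    "mystream": bytes.fromhex("00112233445566778899aabbccddeeff"),  # constructed key
}
COOKIE_NAME = "hls_session"


def make_session_cookie(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Value URL1 sets after a successful login: user|expiry|hmac(user|expiry)."""
    expiry = int((now if now is not None else time.time()) + ttl_seconds)
    payload = f"{user}|{expiry}".encode()
    mac = hmac.new(SESSION_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{mac}"


def verify_session_cookie(value: str, now: Optional[float] = None) -> bool:
    """True only if the MAC matches and the expiry has not passed."""
    try:
        user, expiry, mac = value.split("|")
        expiry_ts = int(expiry)
    except ValueError:
        return False
    payload = f"{user}|{expiry}".encode()
    expected = hmac.new(SESSION_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False
    return (now if now is not None else time.time()) < expiry_ts


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Minimal Cookie header parser: returns the value for `name`, if present."""
    for part in cookie_header.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            if key == name:
                return val
    return None


def serve_key(headers: Dict[str, str], stream: str,
              now: Optional[float] = None) -> Tuple[int, bytes]:
    """Handler for the key URL (URL2). Returns (HTTP status, body).

    The raw 16 key bytes are returned only for a request that carries a valid,
    unexpired session cookie issued by URL1; everything else gets an empty body.
    """
    value = _cookie_value(headers.get("Cookie", ""), COOKIE_NAME)
    if value is None or not verify_session_cookie(value, now):
        return 403, b""
    key = KEY_STORE.get(stream)
    if key is None:
        return 404, b""
    return 200, key


if __name__ == "__main__":
    cookie = make_session_cookie("alice", ttl_seconds=600)
    print(serve_key({"Cookie": f"{COOKIE_NAME}={cookie}"}, "mystream"))
    print(serve_key({}, "mystream"))
```

Two points the sketch makes: the check keys off a signed cookie rather than the Referer header, because the player may not send a Referer at all and it is trivially forged; and the key bytes are the only thing worth protecting, since the .ts segments are useless without them. URL2 must be served over HTTPS and on a host whose cookie domain matches URL1, otherwise the player never presents the cookie.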

Hello

I'm currently using the VOD stream type with external method encryption without DRM. I have read about the key rotation feature and I would like to use it; what I want to achieve is that each group of n files is encrypted using a different key. For example, the first 10 ts files use one key, then the next 10 ts files use a different key.

How can I do this in my current setup?

Thanks

Hello Richard

This sounds great, but can I do it in a way where I can pre-know the encryption key that will be used for n number of ts files? Helix supports a feature where you can use a different pre-known key for every ts file.

Hello Richard

I will postpone this to a later phase in the future; now I have another question. I'm using the external method as I told you before, and I'm streaming content from an Amazon S3 bucket using the MediaCache addon. Now the encryption is not happening! Is MediaCache compatible with encryption? If so, what should I change to make it work again?

Thanks

Hello Richard

To test my work, I made a new Wowza server on a different server. I used the out-of-the-box Application.xml found in conf/Application.xml and followed the instructions from the MediaCache User Guide:

  1. Copy lib/wms-plugin-mediacache.jar from this package into the Wowza Server folder [install-dir]/lib folder

  2. Copy conf/MediaCache.xml from this package into the[install-dir]/conf folder Wowza Server folder

  3. Create the folder [install-dir]/application/mediacache

  4. Create the folder [install-dir]/conf/mediacache and copy the [install-dir]/conf/Applications.xml into this new folder.

  5. Edit the newly copied Application.xml file and make the following changes:

a. Set the RTP/Authentication/PlayMethod to: none

b. Add the following property to the MediaReader/Properties so that the section looks like this:

    <Property>
        <Name>randomAccessReaderClass</Name>
        <Value>com.wowza.wms.plugin.mediacache.impl.MediaCacheRandomAccessReader</Value>
    </Property>
    <Property>
        <Name>bufferSeekIO</Name>
        <Value>true</Value>
        <Type>Boolean</Type>
    </Property>

  6. Edit [install-dir]/conf/Server.xml and add a reference to the MediaCacheServerListener class in the section:

    <ServerListener>
        <BaseClass>com.wowza.wms.plugin.mediacache.impl.MediaCacheServerListener</BaseClass>
    </ServerListener>

  7. Then in conf/MediaCache.xml I uncommented the following:

    <Property>
        <Name>awsAccessKeyId</Name>
        <Value>MyawsAccessKeyId</Value>
    </Property>
    <Property>
        <Name>awsSecretAccessKey</Name>
        <Value>MyawsSecretAccessKey</Value>
    </Property>

And in I set the to http://s3.amazonaws.com//SubFolderName/

It reads very well from Amazon using this setup. Now, to enable the external method URL, I only have to create a key file with the same mp4 file name and place it in the keys directory.

Anything wrong I'm doing here? Maybe I should change details (, or ) in conf/mediacache/Applications.xml!!!

Thanks

I'm already using it, the same as the example myStream.php found in the external method guide, and inserting it in ./genkey.sh. I have checked: if I use the same config without the MediaCache configuration enabled in Application.xml it works like a charm, but with MediaCache enabled it doesn't do encryption. Any ideas?!

Abed Abu Dhair

Hello Richard

After testing all scenarios, I found the problem was in the keys folder. I had to create a subdirectory inside the keys folder with the same name as the configured MediaCacheSource, and that solved the problem. For example, in conf/MediaCache.xml the MediaCacheSource name used is http, so you have to create keys/html and place your keys inside it.

Thanks for your support

For the streams themselves, or the site where I have the php file?

I do not think there is a way to change this message.

Charlie

Indika,

You can use HTTProviders and HTTPUtils, i.e. call and process the response from an HTTProvider on one Wowza server with HTTPUtils on another.

Richard

Indika,

AES is for encrypting Cupertino streams. Nothing to do with Wowza server to Wowza server communications.

Here are some examples of HTTProviders:

https://www.wowza.com/docs/http-provider-code-examples-for-wowza-media-server

HTTPUtils is an API included in Wowza to load and process HTTP resources, such as HTTProviders. See the Wowza ServerSide API for more info.

Richard

You just follow one of these guides:

https://www.wowza.com/docs/how-to-secure-apple-http-live-streaming-aes-128-external-method

https://www.wowza.com/docs/how-to-use-the-internal-method-of-aes-128-encryption-to-secure-live-or-vod-streams-sent-to-apple-ios-devices-moduleencryptionhandlercupertinostreaming

Richard

Did you copy the generated keys to [wowza-install-dir]/keys folder (step 3)?

Zip up the conf and logs and keys folders, and send them to support@wowza.com.

Include a link to this thread for reference.

Richard

I think you can just generate one and copy it to different stream names.

When files are in sub-folders, the path is part of the stream name, so you should include the full name when generating the key.

Richard
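Three posts in this thread touch the same mechanical detail: the key file has to sit where Wowza looks for it. For MediaCache sources that is a subfolder named after the MediaCacheSource (Abed's fix above), for VOD files in sub-folders the folder path is part of the stream name (Richard's reply just above), and for live transcoding every rendition needs its own named key file (the automation question at the top). The following is an added example, not code from the thread or from Wowza, that builds those paths and writes the files in one place. It assumes the key file is named `<full stream name>.key` and carries the `cupertino-encryption-key` and `cupertino-encryption-url` header lines the genkey utility writes; both are taken from the external-method guide linked below and should be checked against your Wowza version. The stream names, URL and directory are constructed for the demo.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# Assumed header names of a Wowza external-method key file (verify against your version).
KEY_LINE = "cupertino-encryption-key"
URL_LINE = "cupertino-encryption-url"


def key_file_path(keys_dir: Path, stream_name: str,
                  source_name: Optional[str] = None) -> Path:
    """Location Wowza is expected to read the key from.

    keys/[<MediaCacheSource name>/][<sub-folders>/]<file>.key
    The sub-folder part of the stream name is kept, as Richard notes above.
    """
    parts = [p for p in stream_name.split("/") if p]
    if not parts:
        raise ValueError("empty stream name")
    base = keys_dir / source_name if source_name else keys_dir
    return base.joinpath(*parts[:-1]) / f"{parts[-1]}.key"


def write_key_files(keys_dir: str, stream_names: Iterable[str], key_url: str,
                    key_hex: Optional[str] = None,
                    source_name: Optional[str] = None) -> Dict[str, Tuple[Path, str]]:
    """Write one key file per stream name and return {name: (path, hex key)}.

    With key_hex=None every stream gets its own fresh 16-byte key (a rendition
    that leaks then exposes only itself). Passing key_hex copies one key to all
    names, which is the shortcut Richard describes. `{stream}` in key_url is
    replaced with the stream name so the player asks for the right key.
    """
    written: Dict[str, Tuple[Path, str]] = {}
    for name in stream_names:
        hex_key = key_hex if key_hex is not None else secrets.token_hex(16)
        if len(hex_key) != 32:
            raise ValueError("AES-128 key must be 16 bytes (32 hex chars)")
        path = key_file_path(Path(keys_dir), name, source_name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"{KEY_LINE}: {hex_key}\n{URL_LINE}: {key_url.format(stream=name)}\n")
        written[name] = (path, hex_key)
    return written


def demo() -> Dict[str, Tuple[Path, str]]:
    """Constructed run: three transcoder renditions of a live stream plus one
    VOD file in a sub-folder, all behind a MediaCache source named 'http'."""
    keys_dir = tempfile.mkdtemp(prefix="wowza-keys-")
    names = ["mystream_160p", "mystream_360p", "mystream_720p", "folder/video.mp4"]
    return write_key_files(keys_dir, names,
                           "https://URL2/key.php?stream={stream}",
                           source_name="http")


if __name__ == "__main__":
    for name, (path, hex_key) in demo().items():
        print(f"{name:20s} -> {path}")
        print(path.read_text())
```

The file layout mirrors what the thread arrived at by trial and error, so a quick `find keys -name '*.key'` after running it shows exactly which path each stream name resolves to. Generating a distinct key per rendition costs nothing extra with the external method, because the player fetches whichever URL the playlist names; it only matters that the key endpoint can map that name back to the right bytes.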

Indika,

Take a look at IMediaWriterActionNotify interface:

https://www.wowza.com/docs/how-to-use-imediawriteractionnotify-to-programmatically-move-and-rename-recordings-of-live-streams

You can use the onWriteComplete event handler to write a key file after each recording. You could use a template key file and just make a copy using the java.io.File API.

Richard

Indika,

I see, my mistake. No, that event will not fire. If you are providing an upload mechanism, a php or asp page, you can do the same there: copy a template key to a new file with the correct name.

Richard

What is [stream-name]? Is it a simple name like "myStream", and you have the rtmp address of the origin in /originURL?

If so, try using a .stream file instead. Create a text file named origin.stream in the content folder:

/content/origin.stream, with contents:

rtmp://[wowza-address]:1935/liveorigin/_definst_/myStream

Now use the stream name "origin.stream".

Richard

I'm not sure. Zip up the conf, logs and keys folders and send them to support@wowza.com.

If you can, delete the current access log, then restart Wowza and do some tests, then send that log with /conf and /keys.

Richard

Don't turn on DEBUG level logging; leave it as INFO, which is the default (if you haven't made a change, there is nothing to do).

Richard