Secure Token for Client not working on Wowza on EC2

Wowza Streaming Engine
1

I’ve been using Wowza on EC2 (devpay) successfully now for several weeks. My app is live streaming via RTMP. I’m using RTMP Auth to authenticate originating encoders which are FMLE or Wirecast. That all works fine. I wanted to add authentication to the Flash client player to help thwart leeches on the playback side. I followed the directions on using secure token with Wowza and JW player 5. I modified the JW 5 source to use the shared token per the instructions, and rebuilt player.swf using the flex tools. I also modified the Application.xml in my ‘live’ sub-dir of my Wowza conf directory. The stream URL in the invocation of the modified player.swf client was changed to be ‘rtmpe://server_ip/live’.

The client never plays the stream and I always get this in the log every time the player polls for the stream:

ERROR session comment 2012-04-03 04:39:09 1927003086 173.65.230.15 - 3639 3543 1.411 - - - – - - 1927003086 ModuleRTMPAuthenticate.checkSecureToken: Action before response received: kill connection: clientId:1927003086

It seems the player.swf is not authenticating properly with the wowza server. However, I know the changes to RTMPMediaProvider.as and the re-compile of player.swf were done correctly per the instructions. My Application.xml in my ‘conf/live’ folder on the server has this in it…

.

.

.

flvplayback

FLVPlayback

com.wowza.wms.module.ModuleFLVPlayback

ModuleLiveStreamRecord

ModuleLiveStreamRecord

com.wowza.wms.plugin.livestreamrecord.ModuleLiveStreamRecord

ModuleRTMPAuthenticate

ModuleRTMPAuthenticate

com.wowza.wms.plugin.security.ModuleRTMPAuthenticate

domainLock

localhost,livenewsvideonetwork.com,*livenewsvideonetwork.com

AllowEncoder

FM,Wirecast

requireSecureConnection

true

Boolean

secureTokenSharedSecret

123456789

I’ve stop and restarted Wowza after modifying Application.xml to be sure it’s been reloaded. I also know I’m loading the right modified player.swf in my client browser. Still I can’t get this to work and get that above error in the log.

Any ideas to help my debug? Is it possible the instructions for secure token are not 100% correct for live streams on Wowza-EC2 or the latest JW player source?

Thanks for your help.

Brian

2

The log message shows that SecureToken is working in Wowza, but that the token does not match.

Richard

3

In your examples the two tokens are different. Keep looking at the Flash side, the Wowza side is working.

Richard

4

Brian,

Take a look at this guide also:

https://www.wowza.com/docs/how-to-add-securetoken-protection-to-jw-player

It’s a more generic, no line numbers. You need to find the right line.

Richard

5

You can show the bit of Actionscript you changed from and to. Are you compiling with Flash Builder? There is probably not a bug on the Wowza side of this, we haven’t heard any other reports.

Richard

6

I’m not sure. I build JW Player in Flash Builder, and Flowplayer following their ant/Flex guide.

Richard

7

Take a look at this guide for building JW Player (3 methods):

http://developer.longtailvideo.com/trac/browser/trunk/fl5/README.txt

Richard

8

Thanks for the update, Brian.

Richard

9

Brian,

We’ve tested here and had no difficulty with Wowza 3.0.5 or later, verifying token via secure and non-secure methods. We’ve tested using JWPlayer 5 as well as our own players.

We would like to try and set up your environment here as closely as possible.

Could you send your Wowza log/ conf/ folders zipped up.

Also, point me to version of the JWPlayer.swf you are using and example html that wraps it and passes the config.token in.

Also, what specific JWPlayer source version are you using?

Send to support@wowza.com and reference this thread.

Thanks,

Scott

10

Brian,

I happened on your thread regarding this on longtail’s site (http://www.longtailvideo.com/support/forums/jw-player/servers-and-streaming/25998/jw5-no-working-with-wowza-secure-token) and it seems you are using the live streaming plugin, which according to longtail does not support the secure token.

Does the problem go away if you remove this plugin?

Scott

11

The log message shows that SecureToken is working in Wowza, but that the token does not match.

Richard

It should match because the same exact token is in “RTMPMediaProvider.as” at line 556 of 758 before I recompile player.swf. This is what has me stumped and looking for other possible explanations for it not working.

.

.

.

/** Receive NetStream status updates. **/

private function statusHandler(evt:NetStatusEvent):void {

_responded = true;

switch (evt.info.code) {

case ‘NetConnection.Connect.Success’:

if (evt.info.secureToken != undefined) {

_connection.call(“secureTokenResponse”, null,

TEA.decrypt(evt.info.secureToken,‘12345678’)); <<<<<<<<<< token matches that in Application.xml

}

if (evt.info.data) {

checkDynamic(evt.info.data.version);

}

if(getConfigProperty(‘dvr’)) {

_connection.call(“DVRSubscribe”, null, getID(item.file));

setTimeout(doDVRInfo,2000,getID(item.file));

} else if (getConfigProperty(‘subscribe’)) {

_subscribeInterval = setInterval(doSubscribe, 2000);

} else {

if (item.levels.length > 0) {

if (_dynamic || _bandwidthChecked) {

setStream();

} else {

12

In your examples the two tokens are different. Keep looking at the Flash side, the Wowza side is working.

Richard

Well, that brain fart typo of mine was from staying up way too late working on this last night. Still, when I fix it to ‘really’ match. I get the same error in the wowza error log (same as I saw last night with various attempts at using different tokens.)

  1. Change conf/live/Application.xml for correct token.

.

.

requireSecureConnection

true

Boolean

secureTokenSharedSecret

12345678 <<<<<<<<< removed the ‘9’ at the end now

.

.

  1. service WowzaMediaServer stop

  2. service WowzaMediaServer start

  3. Start FMLE encoder live stream. Ok.

  4. Start JW player with the matching secure token compiled in.

  5. Tail the log…

tail -F -s 3 wowzamediaserver_error.log

keeps giving me this when the player tries to connect…

ERROR session comment 2012-04-03 13:20:03 1709015410 173.65.230.15 - 3640 3543 1.645 - - - – - - 1709015410 ModuleRTMPAuthenticate.checkSecureToken: Action before response received: kill connection: clientId:1709015410

Now, the URL I’m using in the client is of this form:

rtmpe://<wowza_ec2_ip>/live

Does rtmpe need to be caps (RTMPE?) or shouldn’t that matter?

If you can agree that my conf/live/Application.xml setup is completely correct for what I’m trying to do, then I will start looking for support from longtail for JW 5.x. I noticed their instructions say the change for the token in RTMPMediaProvider.as is around line 182. That is off by a few hundred lines in the latest JW player 5.x, but the code looks the same. My there is something obsolete in this instructions for the new player code. I need this feature to work, so I need to get to the bottom of it.

Thanks for your excellent help.

-Brian

13

Those are the exact instructions I used from Wowza. JW give their version too on their site. Everything looks fine there. There something more to this. I believe there is an authentication bug here. I need to bypass secure token to make this work temporarily until I can root cause it. If I change conf/live/Application.xml to not require RTMPE, and change the client URL to use rtmp and not rtmpe, it still aborts with that same error in the log.

So on server side, I changed this…

requireSecureConnection

true

Boolean

to this…

requireSecureConnection

false <<<<< make false

Boolean

Then on client side, the url was changed to use rtmp and not rtmpe:

rtmp://<wowza_ec2_ip>/live

Restart server and refresh browser with client reference. Getting these error log messages w/o any playback…

ERROR session comment 2012-04-03 14:08:16 308512701 173.65.230.15 - 3639 3543 0.907 - - - – - - 308512701 ModuleRTMPAuthenticate.checkSecureToken: Action before response received: kill connection: clientId:308512701

Seem like with requireSecureConnection being false and the client URL having rtmp and not rtmpe, this would work now using straight rtmp and ignore the requirement to verify the token, but it doesnt.

-Brian

14

“src/com/longtailvideo/jwplayer/media/RTMPMediaProvider.as” line 556 of 758

/** Receive NetStream status updates. **/

private function statusHandler(evt:NetStatusEvent):void {

_responded = true;

switch (evt.info.code) {

case ‘NetConnection.Connect.Success’:

if (evt.info.secureToken != undefined) {

_connection.call(“secureTokenResponse”, null,

TEA.decrypt(evt.info.secureToken,‘12345678’)); <<<< ‘12345678’ was config.token prior to my change

}

That is all I changed. I’m using ant and Flex SDK on linux to build. It all seems to be building fine and the player.swf is generated fresh each time I complile. I’m following the instructions to compile from the link shown in the first post here:

http://www.longtailvideo.com/support/forums/jw-player/player-development-and-customization/17712/help-to-add-wowza-secure-token

Thanks,

Brian

15

Note that even if I use the official released player.swf, and try and pull in this token using the config.token reference from the player invocation in the web page, i get the same failing type of result. I know having the token in the html isn’t very secure, but it was only for a test to figure this out. This method should work per the original RTMPMediaProvider.as source code prior to my change. However, it doesn’t.

16

The guys at Longtail say this is something on Wowza side. I don’t think they really know, they just probably know you guys are getting my money for a license and they haven’t sold me anything yet, so they want to punt the problem to Wowza.

What do we do now? Do I need to dump JW player and go with Flowplayer instead?

Thanks,

Brian

17

FYI - I tried out flow player in secure token mode in place of JW 5 player. I followed their config here but adapted for a live stream:

http://flowplayer.org/demos/plugins/streaming/secure-wowza.html

Thus my clients config is:

My client config:

$f(“rtmp_player”, “…/flowplayer-3.2.8.swf”, {

clip: {

url : ‘BrianD.1’,

live : true,

provider: ‘rtmp’,

connectionProvider: ‘secure’

},

// our rtmp plugin is configured identically as in the first example

plugins: {

rtmp: {

url: “…/flowplayer.rtmp-3.2.8.swf”,

netConnectionUrl: ‘rtmpe://ec2-50-17-112-225.compute-1.amazonaws.com/live’

},

secure: {

url : “http://releases.flowplayer.org/swf/flowplayer.securestreaming-3.2.8.swf”,

token: ‘12345678’

}

}

});

This Flowplayer config DOES work with secure token on playback! So the Wowza config is Ok. The problem is with JW player version 5.x from the latest trunk source. Too bad because JW player has some features I really want to use, but may not be able to if this doesn’t work.

18

Hello. Been a long time since I updated here. I wanted to report back since the Wowza staff was so responsive here to help me. Maybe this will help other.

JW Player support also claimed the problem is their livestream plugin doesn’t support the secure token. Thus that must be the root cause. I had switch to flowplayer to get around this in the mean time however so just moved on.

I do have a way to not require JW player’s livestream plugin to auto re-connect to live RTMP streams. It’s actually pretty easily done in javascript with an interval timer. I may try JW Player again with RTMPE sans their livestream plugin using my javascript based auto-reconnect.

Thanks,

Brian