AWS Elemental Integration
PallyCon KMS supports SPEKE (Secure Packager and Encoder Key Exchange), which issues the keys required for Multi DRM packaging in AWS Elemental MediaConvert and MediaPackage.
To complete the integration, set the PallyCon KMS URL as the URL in the DRM encryption settings of AWS Elemental. This guide explains how to integrate with the MediaConvert or MediaPackage service.
This video is a tutorial for enabling DRM encryption on MediaConvert and playing the DASH VOD DRM content.
For optimal playback, select ‘1080p’ as the video quality and enable subtitles (Korean or English) before starting playback.
Create MediaConvert IAM role
Please refer to IAM Settings AWS Guide Document and proceed as follows.
In the AWS Console, select the IAM service.
Roles tab and select
MediaConvert and click the
Confirm the S3 Access and APIGateway access permissions and click
Set RoleName to MediaConvert-role and click the
Create MediaConvert job and set IAM role
- In the AWS Console, select the MediaConvert service.
- Click the create job button on the Jobs tab to start job creation.
- Select the MediaConvert-role created in the previous step in the IAM role setting section of the Job settings screen.
Set MediaConvert Input
- In the Input field, enter the S3 path of the content to be packaged.
Set MediaConvert Output groups
Add the output to the output groups by pressing the Add button. (DASH ISO for PlayReady and Widevine, Apple HLS for FairPlay)
In Custom group name, enter a name that is easy for you to identify.
In the Destination field, enter the S3 path that will contain the packaged files.
Select the DRM encryption option, and then enter the Resource ID, System ID, and URL.
- Resource ID: The value corresponding to the content ID (CID) in the integration specification in the DRM Token Guide.
- System ID: The DRM-specific system ID value specified in Dash System ID. You need to set the PlayReady and Widevine IDs for DASH output (as shown below) and the FairPlay ID for HLS output.
- PlayReady: 9A04F079-9840-4286-AB92-E65BE0885F95
- Widevine: EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED
- FairPlay: 94CE86FB-07FF-4F43-ADB8-93D2FA968CA2
- Key Provider URL: Enter the following KMS URL. The enc-token at the end of the URL is an API authentication token that is generated when you sign up for the PallyCon service, and can be found on the PallyCon Console site.
- Certificate ARN: leave it blank
- Play device compatibility: CENC v1
Set the Outputs and click the Create button.
- For Widevine, you must create the video and audio tracks as separate outputs, because some clients cannot play the content if the video and audio tracks are not split. (Click the ‘add output’ button to add a track.)
Make the generated files public, or set permissions on the S3 storage, so that the files stored on it can be played.
Output group configuration for Apple HLS
If you want to support Apple devices as well as others, you need to create both ‘DASH ISO’ and ‘Apple HLS’ output groups for a single input. Set the following DRM encryption parameters in the Apple HLS group.
- Encryption method: Sample AES
- Key provider type: SPEKE
- Resource ID: the same content ID as DASH output
- System ID: DRM system ID for FairPlay (94CE86FB-07FF-4F43-ADB8-93D2FA968CA2)
- Key provider URL: same as DASH output (PallyCon KMS URL with enc token)
- Other items: leave them as default
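
As an added example (not code from PallyCon or AWS), the following Python check lints a MediaConvert job settings document against the DRM values listed for the DASH ISO and Apple HLS output groups above. It assumes the MediaConvert API's JSON field names; the sample job, its content ID and its key provider URL are constructed placeholders.

```python
# Added example: lint MediaConvert job settings against this guide's SPEKE values.
PLAYREADY = "9A04F079-9840-4286-AB92-E65BE0885F95"
WIDEVINE = "EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED"
FAIRPLAY = "94CE86FB-07FF-4F43-ADB8-93D2FA968CA2"
# Per output-group type: settings key, expected system IDs, required fields.
RULES = {
    "DASH_ISO_GROUP_SETTINGS": ("DashIsoGroupSettings", {PLAYREADY, WIDEVINE},
                                {"PlaybackDeviceCompatibility": "CENC_V1"}),
    "HLS_GROUP_SETTINGS": ("HlsGroupSettings", {FAIRPLAY},
                           {"EncryptionMethod": "SAMPLE_AES", "Type": "SPEKE"}),
}


def check_speke_settings(job_settings):
    """Return findings; an empty list means the job matches the guide."""
    findings, providers = [], set()
    for group in job_settings.get("OutputGroups", []):
        ogs = group.get("OutputGroupSettings", {})
        if ogs.get("Type") not in RULES:
            continue  # other group types are outside this check
        key, expected_ids, required = RULES[ogs["Type"]]
        name = group.get("CustomName", key)
        enc = ogs.get(key, {}).get("Encryption")
        if not enc:
            findings.append(f"{name}: DRM encryption is not enabled")
            continue
        for field, value in required.items():
            if enc.get(field) != value:
                findings.append(f"{name}: {field} should be {value}")
        speke = enc.get("SpekeKeyProvider", {})
        if {s.upper() for s in speke.get("SystemIds", [])} != expected_ids:
            findings.append(f"{name}: system IDs do not match the guide")
        if speke.get("CertificateArn"):
            findings.append(f"{name}: Certificate ARN should be left blank")
        providers.add((speke.get("ResourceId"), speke.get("Url")))
    if len(providers) > 1:  # both groups must share content ID and KMS URL
        findings.append("Resource ID or key provider URL differs between output groups")
    return findings


# Constructed sample: by default the HLS group wrongly reuses the Widevine ID.
def sample_job(hls_id=WIDEVINE, url="https://kms.example.invalid/ENC-TOKEN-PLACEHOLDER"):
    def group(kind, ids):
        key, _, required = RULES[kind]
        speke = {"ResourceId": "sample-cid", "SystemIds": ids, "Url": url}
        enc = dict(required, SpekeKeyProvider=speke)
        return {"CustomName": kind, "OutputGroupSettings": {"Type": kind, key: {"Encryption": enc}}}
    return {"OutputGroups": [group("DASH_ISO_GROUP_SETTINGS", [PLAYREADY, WIDEVINE]),
                             group("HLS_GROUP_SETTINGS", [hls_id])]}
```

Because the key provider URL ends in the enc-token, the check reports only that the URLs differ and never prints the URL itself.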
Notes on CMAF Packaging
In addition to
CMAF (Common Media Application Format) type output can also be generated through SPEKE integration.
However, at this time, Apple devices only support AES CBC encryption and Windows (Edge, IE browser) only supports AES CTR encryption, so it is not yet possible to support all platforms with one CMAF content.
Content can be encrypted in real time in conjunction with services such as AWS MediaLive which can upload HLS.
Note: In order to perform DRM packaging in MediaPackage, you must turn off Encryption in the Output Group of MediaLive.
Create MediaPackage IAM role
Create the role in the same way as in MediaConvert IAM Authorization, changing only the Role Name, which is set to SPEKEAccess.
On the Roles tab, select SPEKEAccess role and click the Edit trust relationship button on the Trust relationships tab.
Change the value of Principal.Service to mediapackage.amazonaws.com and click the Update button.
Create MediaPackage Channel
In the AWS Console, select the MediaPackage service.
Create a channel.
At the endpoints, press the Add button to set the endpoint.
Set the endpoint name, packager settings, etc. according to the desired content specification.
Configure Encryption and Outputs in the same way as MediaConvert Output groups setting no. 4.
In Role ARN, enter the SPEKEAccess role created above.
Click the Save button.
Support for key rotation
- Key rotation via MediaPackage is currently not supported. Therefore, you must uncheck the Additional Configuration in the Encryption option of a MediaPackage Endpoint.