AWS Elemental Integration
Overview
PallyCon KMS supports SPEKE (Secure Packager and Encoder Key Exchange), which issues the keys required for Multi DRM packaging in AWS Elemental MediaConvert and MediaPackage.
Entering the PallyCon KMS URL as the URL in the DRM encryption settings of AWS Elemental completes the integration. This guide explains how to integrate with the MediaConvert or MediaPackage service.
Tutorial Video
This video is a tutorial for enabling DRM encryption on MediaConvert and playing the DASH VOD DRM content.
For optimal playback, select '1080p' as the video quality and enable subtitles (Korean or English) before starting playback.
MediaConvert integration
Create MediaConvert IAM role
Please refer to the IAM Settings AWS guide document and proceed as follows.
- In the AWS Console, select the IAM service.
- Click the Roles tab and select create role.
- Select MediaConvert and click the Next: permission button.
- Confirm the S3 Access and APIGateway access permissions and click the Next: Review button.
- Set RoleName to MediaConvert-role and click the create role button.
Create MediaConvert job and set IAM role
- In the AWS Console, select the MediaConvert service.
- Click the create job button on the Jobs tab to start job creation.
- Select the MediaConvert-role created in the previous step in the IAM role setting section of the Job settings screen.
Set MediaConvert Input
Set MediaConvert Output groups
- Add the output to the output groups by pressing the Add button. (Dash ISO for PlayReady and Widevine, Apple HLS for FairPlay)
- In Custom group name, enter a name that is easy for you to identify.
- In the Destination field, type the S3 path that will contain the packaged file.
- Select the DRM encryption option, and then enter the Resource ID, System ID, and URL.
  - Resource ID: The value corresponding to the content ID (CID) in the integration specification in DRM Token Guide.
  - System ID: The DRM-specific system ID value specified in Dash System ID. You need to set the PlayReady and Widevine IDs for DASH output (as shown below) and the FairPlay ID for HLS output.
    - PlayReady: 9A04F079-9840-4286-AB92-E65BE0885F95
    - Widevine: EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED
    - FairPlay: 94CE86FB-07FF-4F43-ADB8-93D2FA968CA2
  - Key Provider URL: Enter the following KMS URL. The enc-token at the end of the URL is an API authentication token that is generated when you sign up for the PallyCon service, and can be found on the PallyCon Console site.
    https://kms.pallycon.com/cpix/getKey?enc-token={enc-token}
  - Certificate ARN: leave it blank
  - Play device compatibility: CENC v1
- Set the Outputs and click the Create button.
- Make the S3 storage public, or set permissions on it, so that the generated file stored there can be played.
Output group configuration for Apple HLS
If you want to support Apple devices as well as others, you need to create both 'DASH ISO' and 'Apple HLS' output groups for a single input. Set the following DRM encryption parameters in the Apple HLS group.
- Encryption method: Sample AES
- Key provider type: SPEKE
- Resource ID: the same content ID as DASH output
- System ID: DRM system ID for FairPlay (94CE86FB-07FF-4F43-ADB8-93D2FA968CA2)
- Key provider URL: same as DASH output (PallyCon KMS URL with enc token)
- Other items: leave them as default
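The DASH ISO and Apple HLS DRM encryption fields above, written as MediaConvert job settings for creating the job through the API instead of the console. This is an added example, not PallyCon's or AWS's own code; the helper names, the PALLYCON_ENC_TOKEN variable and the sample content ID are assumptions. Because enc-token is an authentication token, the example takes it from the environment and masks it before the URL is logged.

```python
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# DRM system IDs and KMS endpoint as listed on this page.
PLAYREADY = "9A04F079-9840-4286-AB92-E65BE0885F95"
WIDEVINE = "EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED"
FAIRPLAY = "94CE86FB-07FF-4F43-ADB8-93D2FA968CA2"
KMS_URL = "https://kms.pallycon.com/cpix/getKey"
# Assumption: content IDs are limited to word characters and hyphens.
_RESOURCE_ID = re.compile(r"[\w-]+", re.ASCII)

def key_provider_url(enc_token):
    """KMS URL carrying the token in the enc-token query parameter."""
    if not enc_token:
        raise ValueError("enc-token is empty")
    # Assumption: the token is percent-encoded so '+', '/' and '=' survive transport.
    return KMS_URL + "?" + urlencode({"enc-token": enc_token})

def redact(url):
    """Copy of the URL that is safe to log: the enc-token value is masked."""
    parts = urlsplit(url)
    query = [(k, "***" if k == "enc-token" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))

def speke(resource_id, system_ids, enc_token):
    """SpekeKeyProvider block; Certificate ARN is left blank, so the key is omitted."""
    if not _RESOURCE_ID.fullmatch(resource_id):
        raise ValueError("unexpected characters in Resource ID")
    return {"ResourceId": resource_id, "SystemIds": list(system_ids),
            "Url": key_provider_url(enc_token)}

def encryption_settings(content_id, enc_token):
    """Encryption blocks for the DASH ISO and Apple HLS output groups of one input."""
    dash = {"PlaybackDeviceCompatibility": "CENC_V1",
            "SpekeKeyProvider": speke(content_id, [PLAYREADY, WIDEVINE], enc_token)}
    hls = {"EncryptionMethod": "SAMPLE_AES", "Type": "SPEKE",
           "SpekeKeyProvider": speke(content_id, [FAIRPLAY], enc_token)}
    return {"DashIsoGroupSettings": {"Encryption": dash},
            "HlsGroupSettings": {"Encryption": hls}}

if __name__ == "__main__":
    # Assumption: the token comes from the environment; the fallback is a constructed value.
    token = os.environ.get("PALLYCON_ENC_TOKEN", "constructed-token")
    settings = encryption_settings("sample-cid", token)
    print(redact(settings["DashIsoGroupSettings"]["Encryption"]["SpekeKeyProvider"]["Url"]))
```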
Notes on CMAF Packaging
In addition to DASH-ISO and Apple HLS, CMAF (Common Media Application Format) type output can also be generated through SPEKE integration.
However, at this time, Apple devices only support AES CBC encryption and Windows (Edge, IE browser) only supports AES CTR encryption, so it is not yet possible to support all platforms with one CMAF content.
MediaPackage integration
Content can be encrypted in real time in conjunction with services such as AWS MediaLive which can upload HLS.
Note: In order to perform DRM packaging in MediaPackage, you must turn off Encryption in the Output Group of MediaLive.
Create MediaPackage IAM role
- Create the role in the same way as the MediaConvert IAM role, changing only the Role Name to SPEKEAccess.
- On the Roles tab, select the SPEKEAccess role and click the Edit trust relationship button on the Trust relationships tab.
- Change the value of Principal.Service to mediapackage.amazonaws.com and click the Update button.
Create MediaPackage Channel
- In the AWS Console, select the MediaPackage service.
- At the endpoints, press the Add button to set the endpoint.
- Set the endpoint name, packager settings, etc. according to the desired content specification.
- Configure Encryption and Outputs in the same way as MediaConvert Output groups setting no. 4.
- In Role ARN, enter the SPEKEAccess role created above.
Support for key rotation
- Key rotation via MediaPackage is currently not supported. Therefore, you must uncheck the Key rotation of Additional Configuration in the Encryption option of a MediaPackage Endpoint.