Protect streams for iOS and Apple devices with EZDRM and the Wowza Video REST API
Playback of protected streams on iOS or Apple TV devices requires Apple's FairPlay DRM. You can access this DRM through our integration with EZDRM and configure stream encryption using the Wowza Video REST API.
You’ll use your EZDRM user name and password, as well as a FairPlay asset ID, to configure your stream for DRM protection with Wowza Video and EZDRM FairPlay DRM.
Info
In addition to completing the steps in this topic, you might also want to protect streams on Google or Microsoft devices or players.
Before you start
You should complete the following tasks:
- Create a live stream or a transcoder. You'll need the resulting live_stream_id or transcoder_id to schedule a broadcast. View our connect a source topics to learn how to create a live stream or transcoder for RTMP, RTSP, IP camera, SRT encoder, UDP encoder, WebRTC, and Wowza Streaming Engine.
- Create an EZDRM account, configured appropriately for the device types you want to stream to. For FairPlay, you'll need verification from Apple that you're approved to use FairPlay. Refer to EZDRM and their documentation for more information about EZDRM account setup.
Info
Because this solution involves navigating multiple service providers, we recommend engaging with Professional Services for assistance with setup. Schedule a call.
1. Generate an EZDRM key
An EZDRM key contains the asset ID you’ll use to configure your stream for DRM protection.
This step assumes:
- You do not already have an asset ID. If you have one, you can skip to Configure the stream for DRM protection.
- You do not want to pass an existing asset ID in the key generation request. EZDRM allows for passing existing asset IDs, but you should refer to the EZDRM KeyZ API guide on the EZDRM site for reasons why you’d want to and the correct syntax for the call should you choose to.
Info
We provide instructions for generating the EZDRM key for ease of use. However, EZDRM is third-party software and we recommend that you refer to the EZDRM KeyZ API guide on the EZDRM site for the most up-to-date information.
There are two ways to create an EZDRM DRM key:
- Using the EZDRM Key Servers API
- Using a scripted curl web service call
In both cases, you’ll need to provide your EZDRM user name and password.
(Option 1) Request a DRM key with the EZDRM Key Servers API
- Use the advanced REST client (ARC) plugin for Chrome to open a session.
- In the left panel, select HTTP request.
- Change the Method to POST, and then enter the following request URL:
https://fps.ezdrm.com/api/keys?u=[ezdrm-account-username]&p=[ezdrm-account-password]
Where:
- [ezdrm-account-username] is your EZDRM user name
- [ezdrm-account-password] is your EZDRM password
Make note of the following values in the response from EZDRM:
- The AssetID. You'll use this to configure the stream protection in Wowza Video.
- The LicensesUrl value. You'll use this when you play back a stream encrypted for FairPlay.
(Option 2) Request a DRM key with a curl script
Run the following curl script, or another scripted web service call, to retrieve the DRM values from the EZDRM web service:
curl -X POST 'https://fps.ezdrm.com/api/keys/?u=[ezdrm-account-username]&p=[ezdrm-account-password]' -d ' '
where:
- [ezdrm-account-username] is your EZDRM user name
- [ezdrm-account-password] is your EZDRM password
Info
The two quotation marks with a space between (' ') are required in place of passing the optional existing content ID. The call doesn’t work without them.
Make note of the following values in the response from EZDRM:
- The AssetID. You'll use this to configure the stream protection in Wowza Video.
- The LicensesUrl value. You'll use this when you play back a stream encrypted for FairPlay.
2. Configure the stream for DRM protection
To protect a stream using the EZDRM key you obtained in the previous step, you’ll need to set the following EZDRM properties on the transcoder using the Wowza Video REST API.
Info
Depending on your workflow, you might want to consider where these properties are and are not available:
- They are not available in the user interface.
- They are only available for transcoders. If you're using the live stream workflow, you set these properties on the transcoder for your live stream.
You can use the following sample request, making sure to:
- Set username to your EZDRM user name.
- Set password to your EZDRM password.
- Set asset_id_from_ezdrm to the asset ID you generated from EZDRM.
- Set transcoder_id to the id for the transcoder.
- Change any values unique to your broadcast, using the API reference documentation as a resource. See the Endpoint Reference button below.
Info
Wowza Video does not validate the EZDRM values you specify in these properties. Make sure you enter the correct values.
Sample request
curl -X PATCH \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${WV_JWT}" \
  -d '{
    "transcoder": {
      "properties": [
        {
          "key": "username",
          "section": "ezdrm",
          "value": "[your_ezdrm_username]"
        },
        {
          "key": "password",
          "section": "ezdrm",
          "value": "[your_ezdrm_password]"
        },
        {
          "key": "fairPlayAssetId",
          "section": "ezdrm",
          "value": "[asset_id_from_ezdrm]"
        }
      ]
    }
  }' "${WV_HOST}/api/${WV_VERSION}/transcoders/[transcoder_id]"
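The following helper is an added example, not code from Wowza or EZDRM. It builds the step 1 key request URL and the step 2 PATCH body from environment variables, so that special characters in a credential are encoded correctly and unedited sample placeholders are caught before Wowza Video stores them unvalidated. The environment variable names and the function names are assumptions made for this example.

```python
import json
import os
import re
import sys
from urllib.parse import quote, urlencode

EZDRM_KEYS_URL = "https://fps.ezdrm.com/api/keys"  # endpoint shown in step 1
PLACEHOLDER = re.compile(r"^\[.*\]$")  # e.g. "[asset_id_from_ezdrm]" left as-is


def check(name, value):
    """Pre-flight check, since Wowza Video stores these values unvalidated."""
    if not value or value != value.strip():
        raise ValueError(f"{name} is empty or has leading/trailing whitespace")
    if PLACEHOLDER.match(value):
        raise ValueError(f"{name} still contains a sample placeholder")
    return value


def key_request_url(username, password):
    """Step 1 URL with u and p percent-encoded, so '&', '#', '+' or a space
    in a credential cannot split or truncate the query string."""
    params = {"u": check("username", username),
              "p": check("password", password)}
    return EZDRM_KEYS_URL + "?" + urlencode(params, quote_via=quote)


def ezdrm_patch_body(username, password, asset_id):
    """Step 2 PATCH body. json.dumps escapes quotes and backslashes that
    would break a hand-edited -d '{...}' argument."""
    values = {"username": username, "password": password,
              "fairPlayAssetId": asset_id}
    props = [{"key": key, "section": "ezdrm", "value": check(key, value)}
             for key, value in values.items()]
    return json.dumps({"transcoder": {"properties": props}})


if __name__ == "__main__":
    # EZDRM_USER, EZDRM_PASS and EZDRM_ASSET_ID are assumed variable names.
    user, pw = os.environ["EZDRM_USER"], os.environ["EZDRM_PASS"]
    if sys.argv[1:] == ["key-url"]:
        print(key_request_url(user, pw))
    else:
        print(ezdrm_patch_body(user, pw, os.environ["EZDRM_ASSET_ID"]))
```

Run with no argument, the script prints the PATCH body, which can be piped into the sample request by replacing the inline JSON with `-d @-`, keeping the EZDRM password out of the typed command and shell history.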
3. (Optional) Block RTMP direct playback for enhanced security
Direct playback through RTMP is enabled by default, but you might want to block RTMP direct playback to ensure that only the devices and platforms intended to decrypt your stream can access it.
You can use the following sample request, making sure to:
- Set transcoder_id to the id for the transcoder.
- Change any values unique to your broadcast, using the API reference documentation as a resource. See the Endpoint Reference button below.
Sample request
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${WV_JWT}" \
  -d '{
    "property": {
      "section": "rtmp",
      "key": "allowDirectPlayback",
      "value": false
    }
  }' "${WV_HOST}/api/${WV_VERSION}/transcoders/[transcoder_id]/properties"
4. Test playback with encryption
- Start your transcoder and your stream.
- Verify that the stream encryption works as you expect on an Apple device or service. To test your playback, you'll need a test player and some other information. The tips below are based on the user interface for https://developer-tools.jwplayer.com/stream-tester/ in Safari set to Fairplay:
- File URL – The URL for your protected stream.
- Certificate URL – Part of onboarding for your EZDRM account with FairPlay DRM. You'll need to generate a FairPlay certificate through an Apple Developer account and then post the resulting certificate on a publicly accessible endpoint. The URL to this endpoint is the value for this field.
- Process SPC URL – Build this URL from the EZDRM response when you generated the asset ID. The format is https://[LicensesUrl]/[AssetID].
- Refer to the EZDRM Apple FairPlay DRM Setup and EZDRM Testing Playback guides on the EZDRM site for information about how to deliver the FairPlay license and approve viewers, proxy URLs you’ll need for playback, and sample players.
- Stop your transcoder when your testing is complete.
Troubleshooting: If you experience playback issues on a Mac and you have an external monitor connected, there might be issues with the HDCP handshake. See macworld.com for more information.
More resources
- Set advanced properties with the Wowza Video REST API
- EZDRM KeyZ API – Refer to the EZDRM KeyZ API guide on the EZDRM site for information about generating DRM keys and detailed information about responses returned in the key generation process.
- EZDRM Apple FairPlay DRM Setup – Refer to the EZDRM Apple FairPlay DRM Setup guide on the EZDRM site for more information about how to deliver the FairPlay license and approve viewers.
- EZDRM Testing Playback – Refer to the EZDRM Testing Playback guide on the EZDRM site for information about sample players and proxy URLs.
- About digital rights management in Wowza Video