KMS Config
- Ramya Raman (Unlicensed)
In this section, the KMS configuration is described.
Key Manager Server (KMS) manages authentication keys and certificates securely through encryption. TAG's MCS solution works with KMS systems and not through Digital Rights Management (DRM) systems. The MCS has several KMS integrations that allow the users to directly connect to their local or remote KMS systems to retrieve the relevant keys to descramble their sources.
Configuration and Usage
You can add new KMS type based on your preference from the list highlighted. It is same as the MCM9000 KMS.
Simulcrypt
Simulcrypt enables scramblers and content protection systems to exchange information about the encryption keys.
Originally the DVB Common Scrambling Algorithm (DVB-CSA) was used in conjunction with Simulcrypt for DVB satellite, cable, and terrestrial pay-TV operations. However, since the introduction of commercial IPTV services more than ten years ago by telecommunications companies ("telcos") using their managed networks, Simulcrypt deployments that utilize the Advanced Encryption Standard (AES) algorithm are also common.
The fields shown in the below figure are mandatory for Simulcrypt KMS. Fill in the details and click on save.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Simulcrypt). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Huawei PlayReady
The fields shown in the below figure are mandatory for Playready KMS. In MCS, you directly mention the .pem file in the Certificate and Private Key unlike MCM9000 where certificates are seperately created. Fill in the details and click on save.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Huawei PlayReady). |
Port | Port number. |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Certificate | Certificate for negotiating with the KMS (.pem file). |
Private Key | Private Key for negotiating with the KMS (.pem file). |
Verimatrix VMX
Verimatrix (VMX) provides content security for digital television services. It includes software and IP-based security through its Verimatrix Video Content Authority System (VCAS). The MCM9000 connects directly to the VCAS or MCAS systems to retrieve the key for descrambling VMX encrypted sources.
The fields shown in the below figure are mandatory for Verimatrix KMS. Fill in the details and click on save.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Verimatrix, VMX). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Key Server Manifest URL | The Manifest URL from which to retrieve the Manifest files. |
Replacement URL | The URL to replace within the Manifest files. |
Verimatrix MultiRights
The fields shown in the below figure are mandatory for Verimatrix MultiRights KMS. Fill in the details and click on save.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Verimatrix, MultiRights). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Host URL | The Host URL to connect to. |
Token | The Token to use for the connection to the server. |
SKY CKS
The Customer Key Server (CKS) is a system that the customer hosts entirely on their premises in the container-storing platform of their choice.
Among the fields shown in the below figure, Host URL and Asset Ids are mandatory for SKY CKS KMS. It is essential to input the fields in the below format. Fill in the details and click on save.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (SKY, CKS). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Host URL | The Host URL to connect to (Please follow the suggested URL structure - https://cks_url/cpix/v2/configAlias/${asset_id}?keyIdFormat=uuid-littleendian). |
Username | Username to access the KMS. |
Password | The password to access the KMS. |
Asset IDs | Asset IDs to be replaced in the URL. |
Session Life Time | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Session Life time. |
Irdeto
Irdeto offers Security Key Server Technology solutions enabling customers to access premium content from any device securely.
Among the fields shown in the below figure, Host URL and Token Request URL are mandatory for Irdeto KMS. It is essential to input the fields in the below format.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Irdeto). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Host URL | The Host URL to connect to. (Please follow the suggested URL structure https://irdeto_url//v1/test/contents/${content_id}/contentKeys/${key_id}) |
Token Request URL | Token URL to use when negotiating a connection. |
Grant Type | A URL that is used to send the request to the KMS system. |
Username | Username to access the KMS. |
Password | The password to access the KMS. |
Audience | Audience URL to use when sending the request to the KMS system. |
Client ID | Client ID to use when sending the request to the KMS system. |
Realm | Realm ID to use when sending the request to the KMS system. |
ATD-C
** MCS is compatible with MCM9000 version 6.2 onwards, CPIX is referred to as ATD-C.
A CPIX document contains keys and DRM information used for encrypting and protecting content and can be used for exchanging this information among entities needing it in many possibly different workflows for preparing, for example, DASH or HLS content.
From MCS version 1.1.1 onwards, CPIX certificate and CPIX private key options are available compatible with MCM9000 version 6.3.1.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (CPIX). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Host URL | The Host URL, in the format of: https://<server>:<port>/<directory> path to the authentication server. For example, https://test_server.com:4443/ovrm/ovrr/ |
Asset Ids | Asset IDs to be replaced in the URL. |
Options | Yet to be implemented. |
Session Life Time | The Session Life time field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Session Life time. |
TSL Key Pair | |
Certificate | Certificate for negotiating with the KMS (.pem file). |
Private Key | Private Key for negotiating with the KMS (.pem file). |
Generate Self Signed | Self signed when enabled. |
CPIX Key Pair | |
Use CPIX Encryption | When checked, CPIX encryption is enabled. |
Certificate | CPIX Certificate for negotiating with the KMS (.pem file). |
Private Key | CPIX Private Key for negotiating with the KMS (.pem file). |
Generate Self Signed | Self signed when enabled. |
BISS-2
Basic Interoperable Scrambling System (BISS) is a point to point encryption for use on digital contribution circuits (satellite, IP etc.).
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (BISS2). |
Private Key (BISS2-CA) | This is an autogenerated configuration by MCM, hence, please keep this field empty. When creating a new “BISS2-CA KMS”, the MCM generates a public/private key pair. The public key should be copied and sent to the sender. (The private key is not visible on the GUI/API - can not be read. it is exported to the XML - but encrypted. This keeps it over a software upgrade) On the channel config, it should be detected during the scan as “BISS-2” and the relevant KMS should be configured to the channel. |
Public Key (BISS2-CA) | This is an autogenerated configuration by MCM, hence, please keep this field empty. When creating a new “BISS2-CA KMS”, the MCM generates a public/private key pair. The public key should be copied and sent to the sender. |
Session Key (BISS2-E) | BISS-2-E: When creating a new “BISS KMS” - paste the static SK (session key) - 32 char long hex value. BISS-2-1: Paste the 16 char constant key to the channel configuration key field. |
**A new event #431 is triggered for any key/descrambling issues with the BISS sources.
SynMedia
SynMedia doesn’t use certificate or key for authentication. It uses asset_id for key retrieval. Configure both KMS type and ID on channel settings.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (SynMedia). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Host URL | The Host URL provided by SynMedia, in the format of: https://synmedia_url/cpix/v2/configAlias/${asset_id} path to the authentication server. |
Asset Ids | Asset IDs to be replaced in the URL. For HLS source, add the asset ID (if it’s more then 1 separate them with comma). For MPEG-Dash source, asset ID is not required. |
Session Life Time | The Session Life time field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Session Life time. |
Axinom
Axinom uses key for communication signing and retrives the keys based on asset_id. Configure both KMS type and ID on channel settings.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Axinom). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Tenant ID | Tenant ID provided from Axinom. |
Management Key | Management Key provided from Axinom. |
Widevine Protection Info | Widevine Protection Info URL in the format: https://key-server-management.axtest.net/api/WidevineProtectionInfo |
Widevine Protection Info Credentials | Widevine Protection Info Credentials URL in the format: https://key-server-management.axtest.net/api/WidevineProtectionInfoCredentials |
Key Request | Query structure of the key request json. |
Asset Ids | The asset IDs of the streams from the Packager. |
Session Life Time | The session life time field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the session life time. |
Static
Static KMS adds the list of keys to the key-db. It doesn’t require any settings on the channel side.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Static). |
Static Keys | Configure a static KMS with the format <keyid>=<key>:<iv>,<keyid>=<key>:<iv>. Can add more than one entry by using “,” or “;” For example, 221bd4b8e8413a18a6663f1dad126d86=726f1f4a7cc6420dee6e8db7314e64c8:510ac1a9694f0e63c92bd851147aaf3f |
Kaltura UDRM
Kaltura UDRM uses private key for communication, uses asset_id to request the key. Configure both KMS type and ID (if using per channel asset_id).
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Kaltura UDRM). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Host URL | The Host URL provided by Kaltura in the format: <configured_url>?custom_data=<base64query>&signature=<base64Signature> For example, https://udrmv3.kaltura.com/cenc/widevine/encryption |
Private Key | The private key is the key used for the signature in base64. For example, MahHgAP2AUbXGF32TXJVPOHCMtPTIyKh1xXLL5AWfRA= |
Query Options | Yet to be implemented. |
Asset Ids | Asset Ids are the content ids / asset ids for the key pulling (can be defined with the channel). For example, CNN_1082 |
Session Life Time | The Session Life Time field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Session Life Time. |
Buy DRM
Buy DRM uses certificate and key for initial authentication with KMS, requests the key based on key-id from manifest. Doesn’t use or require asset-id. Channel needs to be configured with specific KMD id.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Buy DRM). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Certificate | Certificate for negotiating with the KMS. |
Private Key | Private Key for negotiating with the KMS. |
Host URL | The Host URL, in the format of: https://<server>:<port>/<directory> path to the authentication server. For example, https://buydrmv3.testkaltur:4443/ovrm/ovrr/ |
Options | Yet to be implemented. |
B-HLS
** B_HLS encryption is available on MCS from version 1.1 onwards.
M7
** M7 encryption is available on MCM9000 from version 6.2 onwards.
Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (M7). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Server URL | The Server URL to connect to (Please follow the suggested URL structure). |
Options | Yet to be implemented. |
Download repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |