How to get SSL certificates from the StreamLock service

    Wowza StreamLock™ AddOn is a security option for network encryption from Wowza®. It provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza servers. StreamLock-provisioned SSL certificates provide the best security when used with Real Time Messaging Protocol (RTMP). The certificates can also be used for secure HTTP streaming (HTTPS).

    Note: StreamLock is only available to Subscription and Perpetual licensees running Wowza Streaming Engine™ 4.0 or Wowza Media Server® 3.x. It's not available for the Trial and Developer editions.

    Setup
    Managing your StreamLock certificates
    Configuring Wowza Streaming Engine to use your StreamLock certificate
    Configuring secure RTMP (RTMPS) streaming playback
    Configuring secure HTTP (HTTPS) streaming playback
    Troubleshooting

    Setup



    Prerequisites for StreamLock


    1. Wowza Streaming Engine 4.0 or Wowza Media Server 3.x is required.
    2. To purchase and learn more about Subscription and Perpetual edition licenses, see the Pricing page. Trial and Developer licenses aren't provisioned for this feature.
    3. Download Wowza Streaming Engine from the Installers page. For more information about Wowza Streaming Engine installation requirements, see the "Server Installation" chapter in the Wowza Streaming Engine User's Guide.
    4. Configure Wowza Streaming Engine by following the step-by-step directions in one of our Tutorials.


    How to sign up for a Wowza account


    If you do not yet have an account, create one in the Wowza Customer Portal > StreamLock Certificates tab.

    You don't need to set up a separate StreamLock account if you already have an account for managing your Subscription licenses. See How to log in with your subscription account credentials.

    Managing your StreamLock certificates



    How to log in with your StreamLock account credentials


    If you already have a StreamLock account, in a web browser, log in to the Wowza Customer Portal. Enter your account information (email address and password) that you used when you created your StreamLock account.
    Note: Be sure to click Yes for the option that asks if you already have an account.

    How to log in with your subscription account credentials


    If you already have a Wowza Streaming Engine Subscription license, you don't need to create a StreamLock account. Instead, you can use the same account credentials that you use to log in and manage your subscription account on the Account Management page.

    From the Wowza Customer Portal, enter the email address and password associated with your subscription account. If you don't know this information, contact billing@wowza.com.
    Note: Be sure to click Yes for the option that asks if you have an account.
    Note: If you have both a StreamLock account and a subscription account, you must log in using your subscription account credentials.

    How to request and download a StreamLock certificate


    After you log in, you'll be presented with a form to apply for an SSL certificate. If there are any SSL certificates already associated with your license keys, they'll be displayed in a table on the webpage. The certificate table provides detailed information about each certificate including the StreamLock hostname, when it was issued, and who it's registered to. If your license key has been allocated the maximum number of SSL certificates (2 for subscription, 1 for perpetual), contact billing@wowza.com.

    To request and download a StreamLock certificate, do the following:

    1. Select a qualified license key and enter it in the License Key field.
    2. Enter the IP address for the certificate in the IP Address field.
    3. Enter a unique password in the Certificate Password field and re-enter the password in the Confirm Password field. Be sure to remember the certificate password that you enter as you'll use it for the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. (See How to configure a host port to use the certificate.)
    4. Click the Apply for SSL Certificate button. After the certificate is created, the webpage displays a message that the certificate was created and the certificate is highlighted in bold in the My SSL Certificates table.
    5. To download the certificate, click the download certificate link for each certificate that you want to download.

    Note: In the My SSL certificates table, be sure to note the StreamLock hostname value for the certificate under Hostname. You'll use it when you configure client applications to connect to Wowza Streaming Engine over an SSL connection (RTMPS or HTTPS).
    Note: If an error occurs when you're requesting the certificate, follow the instructions on the screen. If you continue to have problems in acquiring a certificate, contact billing@wowza.com.

    How to change the certificate password


    You must use the unique password that you create for an installed certificate as the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. If you forget the password value, you can change it in the Certificate Management page. After you do this, you must download a new certificate associated with the new password, install the new certificate (see How to install your certificate), and then reconfigure the host port to use it (see How to configure a host port to use the certificate).

    To change the certificate password, do the following:

    1. Log in to your StreamLock account using your StreamLock account credentials or your subscription account credentials. If you have both accounts, you must log in using your subscription account credentials.
    2. In the My SSL certificates table, under Certificate Information, click Change password for the certificate.
    3. Enter a new unique password for the certificate in both boxes. You must enter the same password in both boxes.
    4. Click the Change button. Updates are effective immediately.


    How to change the server IP address


    To change the IP address of the Wowza Streaming Engine that is associated with your StreamLock certificate, do the following:

    1. Log in to your StreamLock account.
    2. In the My SSL certificates table, under IP Address, click Change next to the IP address that you want to change.
    3. Enter the new IP address, and then click the Save button. Updates are effective immediately.


    Configuring Wowza Streaming Engine to use your StreamLock certificate



    How to install your certificate


    Copy the downloaded certificate (.jks) file to the [install-dir]/conf folder on your Wowza Streaming Engine host.

    How to configure a host port to use the certificate for Wowza Streaming Engine 4.0

    Note: An upgrade to Wowza Media Server 4.0 does not necessarily require a new or additional StreamLock certificate. Existing StreamLock certificates can be migrated from previous versions and configured using these instructions.

    1. Open Wowza Streaming Engine Manager.
    2. Select Server > Virtual Host Setup.
    3. Press the blue “Edit” button.
    4. Scroll down to Host Ports and press the “+Add Host Port…” button.
    5. Enter the following data:

      Name: StreamLock (or any other custom name)
      Type: Streaming
      IP Address: *
      Port(s): 443

      Note: The IP Address field may contain a wildcard (*) to listen for traffic on all network interfaces, or you can specify the IP address of a specific network interface, which limits traffic to that interface.

    6. Select the check box labeled “Enable SSL/StreamLock”.
    7. Enter the directory path to your StreamLock certificate.

      Note: These instructions assume the downloaded StreamLock certificate was placed in the default [install-dir]/conf folder. This is the default directory path:
      ${com.wowza.wms.context.VHostConfigHome}/conf

    8. Enter the Keystore password.

      Note: This is the password that was entered and applied to the StreamLock certificate when it was created or modified at Wowza.com.

    9. Press the “Apply” button.
    10. Press the “Save” button.
    11. Restart the VHost (you will be prompted to do so by a message at the top of the window).


    How to configure a host port to use the certificate for Wowza Media Server 3.x (and earlier)


    Open [install-dir]/conf/VHost.xml in a text editor and make the following changes:

    1. Uncomment the <HostPort> definition for port 443 that follows the comment <!-- 443 with SSL -->. Be sure to remove the comment before <HostPort> and after </HostPort>.
    2. Update the SSLConfig/KeyStorePath property value to include the filename of your downloaded certificate (.jks) file. See the code sample below for details.
    3. In SSLConfig/KeyStorePassword, enter the certificate password that you created for this certificate. (See How to request and download a StreamLock certificate.)
      Code:
      <SSLConfig>
        <!-- Replace [StreamLockID].streamlock.net.jks with the filename of your downloaded certificate
             and [password] with the certificate password you chose when requesting it. -->
        <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/[StreamLockID].streamlock.net.jks</KeyStorePath>
        <KeyStorePassword>[password]</KeyStorePassword>
        <KeyStoreType>JKS</KeyStoreType>
        <SSLProtocol>TLS</SSLProtocol>
        <Algorithm>SunX509</Algorithm>
        <CipherSuites></CipherSuites>
        <Protocols></Protocols>
      </SSLConfig>
    4. Save the updated [install-dir]/conf/VHost.xml file and then restart Wowza Media Server.
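    A consistency check for the VHost.xml edits above. This is an added example written for this page, not Wowza code: it parses a constructed HostPortList, confirms that a HostPort carrying an SSLConfig (the uncommented "443 with SSL" definition) exists, that its KeyStorePath names a .jks file and its KeyStorePassword is no longer the [password] placeholder, and that no other HostPort still lists port 443 (the bind conflict described in the comments further down). The hostname example12345.streamlock.net, the sample password and the element layout of the sample are assumptions; to check a real server, read [install-dir]/conf/VHost.xml into a string and pass it to check_vhost_ssl().

```python
import xml.etree.ElementTree as ET

# Constructed sample of the HostPortList section of [install-dir]/conf/VHost.xml.
# The "443 with SSL" HostPort has been uncommented and points at a StreamLock
# keystore, but two mistakes this page warns about are still present: the plain
# HostPort also lists 443, and the password placeholder was never replaced.
# example12345.streamlock.net is a made-up hostname.
SAMPLE_VHOST_XML = """<Root version="1">
  <VHost>
    <HostPortList>
      <HostPort>
        <Name>Default Streaming</Name>
        <Type>Streaming</Type>
        <IpAddress>*</IpAddress>
        <Port>1935,80,443,554</Port>
      </HostPort>
      <HostPort>
        <Name>Default SSL Streaming</Name>
        <Type>Streaming</Type>
        <IpAddress>*</IpAddress>
        <Port>443</Port>
        <SSLConfig>
          <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/example12345.streamlock.net.jks</KeyStorePath>
          <KeyStorePassword>[password]</KeyStorePassword>
          <KeyStoreType>JKS</KeyStoreType>
          <SSLProtocol>TLS</SSLProtocol>
          <Algorithm>SunX509</Algorithm>
          <CipherSuites></CipherSuites>
          <Protocols></Protocols>
        </SSLConfig>
      </HostPort>
    </HostPortList>
  </VHost>
</Root>
"""

# The same file with both problems corrected (the password value is constructed).
FIXED_VHOST_XML = (SAMPLE_VHOST_XML
                   .replace("<Port>1935,80,443,554</Port>", "<Port>1935,80,554</Port>")
                   .replace("[password]", "example-keystore-password"))


def _ports(hostport):
    """Set of port numbers listed in a HostPort's comma-separated <Port> element."""
    text = hostport.findtext("Port") or ""
    return {p.strip() for p in text.split(",") if p.strip()}


def check_vhost_ssl(xml_text, ssl_port="443"):
    """Lint the HostPort/SSLConfig setup and return a list of human-readable problems.

    An empty list means an SSL HostPort is present, listens on ssl_port, names a
    .jks keystore with a real password, and no plain HostPort competes for the port.
    """
    problems = []
    root = ET.fromstring(xml_text)
    hostports = root.findall(".//HostPortList/HostPort")
    ssl_hostports = [hp for hp in hostports if hp.find("SSLConfig") is not None]

    if not ssl_hostports:
        problems.append("no HostPort carries an <SSLConfig> block; "
                        "the '443 with SSL' definition is probably still commented out")
        return problems

    # Wowza cannot bind the SSL listener if another HostPort already claims the
    # same port (the EC2 image case described in the comments on this page).
    for hp in hostports:
        if hp.find("SSLConfig") is None and ssl_port in _ports(hp):
            problems.append(f"HostPort '{hp.findtext('Name')}' has no SSLConfig but also lists "
                            f"port {ssl_port}; remove {ssl_port} from its <Port> list")

    for hp in ssl_hostports:
        name = hp.findtext("Name")
        cfg = hp.find("SSLConfig")
        path = (cfg.findtext("KeyStorePath") or "").strip()
        if not path.endswith(".jks") or "YOUR.CERTIFICATE" in path:
            problems.append(f"{name}: KeyStorePath does not name the downloaded .jks file")
        password = (cfg.findtext("KeyStorePassword") or "").strip()
        if not password or password == "[password]":
            problems.append(f"{name}: KeyStorePassword is empty or still the [password] placeholder")
        if (cfg.findtext("KeyStoreType") or "").strip() != "JKS":
            problems.append(f"{name}: KeyStoreType must be JKS for a StreamLock keystore")
        if ssl_port not in _ports(hp):
            problems.append(f"{name}: SSL HostPort does not listen on {ssl_port}; "
                            f"clients must then put the port in their rtmps:// URL")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_VHOST_XML), ("fixed", FIXED_VHOST_XML)):
        found = check_vhost_ssl(doc)
        print(label + ":", "OK" if not found else "")
        for problem in found:
            print("  -", problem)
```

    Run before restarting the server: the sample reports the duplicate 443 listing and the placeholder password, the corrected copy reports nothing. The check reads only the XML, so a wrong (non-placeholder) password is still caught only by the "Keystore was tampered with" message described under Troubleshooting.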


    Configuring secure RTMP (RTMPS) streaming playback


    When using SSL certificates provided by Wowza StreamLock, RTMP-based players, such as Adobe® Flash® Player and Flowplayer, must be configured to connect to Wowza Streaming Engine over an SSL connection. If a player encounters a URL with an RTMPS URL prefix (rtmps://) and it's not configured correctly, the connection may fail and the player may fall back to use the RTMPT protocol (RTMP tunneling via HTTP) over SSL (RTMPTS). RTMPT over SSL (RTMPTS) is much less efficient than RTMP over SSL (RTMPS) and can cause Wowza Streaming Engine to consume a lot of the computer's CPU resources. For this reason, it's important to properly configure client applications to connect to Wowza Streaming Engine using RTMPS.

    Adobe Flash Player


    To configure Adobe Flash Player applications to connect to Wowza Streaming Engine using RTMPS, you must set the NetConnection.proxyType property to "best" before calling NetConnection.connect([url]). The following example shows how to do this:
    Code:
    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
    nc.connect("rtmps://[hostname]/[application]");
    Where:

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net) and [application] is the name of your application (for example, live). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default filename for the downloaded SSL certificate (.jks) file, which is in the format hostname.jks (StreamLockID.streamlock.net.jks).

    The above code example enables a Flash Player that encounters an RTMPS URI to communicate securely with Wowza Streaming Engine over port 443. If you configure any port other than 443 as secure (for example, port 1935), the client must specify the port in the URI. For example:
    Code:
    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
    nc.connect("rtmps://[hostname]:1935/[application]");
    Note: If the player cannot make a direct connection to the server over the default port (443) or another port that you specify, and if a proxy server is in place, the player tries to use the CONNECT method. If that attempt fails, the player tunnels over HTTPS. Some users have reported problems with certain browsers not being able to make this switch. If you continue to experience problems, consult your player documentation. If you're using Adobe Flash Player, see the proxyType property reference for more information about the different proxy types.
    Playback

    To test RTMPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashRTMPPlayer/player.html, enter the information below, and then click the Connect button.
    Code:
    Server: rtmps://[hostname]/vod
    Stream: mp4:sample.mp4

    Flowplayer


    Flowplayer is an open source pre-built Flash-based player. To configure Flowplayer applications to connect to Wowza Streaming Engine using RTMPS, do the following:

    1. Download Flowplayer Flash and extract the contents from the downloaded compressed (zipped) file.
    2. Download the RTMP Streaming Plugin (.swf) and copy it to the unzipped Flowplayer folder. (Be sure to copy it to the inner flowplayer folder that contains the flowplayer-3.x.x.swf file.)
    3. Edit the flowplayer/example/index.html file in the root directory of the unzipped archive, and make the following changes to the <script> section to enable RTMPS playback for either video on-demand or live streaming:

      For video on demand:

      Change:
      Code:
      <script>
          flowplayer("player", "../flowplayer-3.2.15.swf");
      </script>
      To:
      Code:
      <script type="text/javascript">
          flowplayer("player", "../flowplayer-3.2.15.swf",
              {
                  clip: {
                      url: 'mp4:sample.mp4',
                      provider: 'rtmp'
                  },
                  plugins: {
                      rtmp: {
                          url: '../flowplayer.rtmp-3.2.11.swf',
                          proxyType: 'best',
                          netConnectionUrl: 'rtmps://[hostname]/[application]'
                      }
                  }
              }
          );
      </script>
      Where:
      • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure that this filename matches the version in your example folder.
      • clip: url is the name of the sample video that ships with Wowza Streaming Engine (mp4:sample.mp4).
      • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure that this filename matches the version in your example folder.
      • plugins: proxyType is set to best. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.
      • plugins: netConnectionUrl is the RTMPS URI to a video on-demand application ([application]) in Wowza Streaming Engine, where [hostname] is the StreamLock hostname (StreamLockID.streamlock.net).

      For live:

      Change:
      Code:
      <script>
          flowplayer("player", "../flowplayer-3.2.15.swf");
      </script>
      To:
      Code:
      <script type="text/javascript">
          flowplayer("player", "../flowplayer-3.2.15.swf",
              {
                  clip: {
                      url: 'myStream',
                      live: true,
                      provider: 'rtmp'
                  },
                  plugins: {
                      rtmp: {
                          url: '../flowplayer.rtmp-3.2.11.swf',
                          proxyType: 'best',
                          netConnectionUrl: 'rtmps://[hostname]/[application]'
                      }
                  }
              }
          );
      </script>
      Where:
      • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure that this filename matches the version in your example folder.
      • clip: url is the stream name of the live stream (myStream).
      • clip: live is set to true. This property setting enables Flowplayer to stream live video data from an RTMP streaming server.
      • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure that this filename matches the version in your example folder.
      • plugins: proxyType is set to best. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.
      • plugins: netConnectionUrl is the RTMPS URI to a live application ([application]) on your Wowza Streaming Engine, where [hostname] is the StreamLock hostname (StreamLockID.streamlock.net).

    Note: You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default filename for the downloaded SSL certificate (.jks) file, which is in the format hostname.jks (StreamLockID.streamlock.net.jks).
    Note: If you configure any port other than 443 as secure (for example, port 1935), you must include the port value in the netConnectionUrl property value. For example:
    Code:
    netConnectionUrl: 'rtmps://[hostname]:1935/[application]'
    Playback

    To test RTMPS playback using Flowplayer, copy the flowplayer folder to a web server and then open the following URL in a web browser:
    Code:
    http://[webserver-address]/flowplayer/example/index.html
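    A small helper, added here and not part of the original article or of Flowplayer, that builds the rtmps:// URL in the form the Adobe Flash Player and Flowplayer sections above use, and lints a Flowplayer plugins: rtmp section against the same rules: proxyType 'best', an rtmps scheme, the port spelled out only when the SSL host port is not 443, and the StreamLock hostname rather than your own domain (substituting your domain triggers the certificate name-mismatch alert covered under Troubleshooting). The hostname example12345.streamlock.net and the sample plugin dict are constructed values.

```python
from urllib.parse import urlsplit

STREAMLOCK_SUFFIX = ".streamlock.net"

# Constructed values: the hostname is made up and the dict mirrors the
# "plugins: rtmp" section of the Flowplayer configuration shown on this page.
CERT_HOSTNAME = "example12345.streamlock.net"
SAMPLE_PLUGIN = {
    "url": "../flowplayer.rtmp-3.2.11.swf",
    "proxyType": "best",
    "netConnectionUrl": "rtmps://example12345.streamlock.net/live",
}


def rtmps_url(hostname, application, port=443):
    """Build the rtmps:// URL to hand to NetConnection.connect() or netConnectionUrl.

    The port is spelled out only when it is not 443, which is the form the page uses.
    A hostname outside streamlock.net is refused up front: the StreamLock certificate
    is bound to that domain, so a client would raise a name-mismatch alert.
    """
    if not hostname.lower().endswith(STREAMLOCK_SUFFIX):
        raise ValueError(f"{hostname!r} is not a StreamLock hostname; the certificate will not match it")
    hostpart = hostname if port == 443 else f"{hostname}:{port}"
    return f"rtmps://{hostpart}/{application}"


def check_rtmp_plugin(plugin, certificate_hostname, ssl_port=443):
    """Lint the 'rtmp' plugin section of a Flowplayer config; returns a list of problems."""
    problems = []
    if plugin.get("proxyType") != "best":
        problems.append("proxyType must be 'best'; otherwise the player may fall back to RTMPTS tunnelling")
    parts = urlsplit(plugin.get("netConnectionUrl", ""))
    if parts.scheme != "rtmps":
        problems.append(f"netConnectionUrl scheme is {parts.scheme or 'missing'!r}; expected rtmps")
        return problems
    if parts.hostname != certificate_hostname.lower():
        problems.append(f"netConnectionUrl host {parts.hostname!r} is not the certificate hostname "
                        f"{certificate_hostname!r}; clients will get a certificate name mismatch")
    if (parts.port or 443) != ssl_port:
        problems.append(f"netConnectionUrl uses port {parts.port or 443} but the SSL host port is {ssl_port}")
    if not parts.path.strip("/"):
        problems.append("netConnectionUrl has no application name after the host")
    return problems


if __name__ == "__main__":
    print(rtmps_url(CERT_HOSTNAME, "live"))
    print(rtmps_url(CERT_HOSTNAME, "vod", port=1935))
    print("sample plugin problems:", check_rtmp_plugin(SAMPLE_PLUGIN, CERT_HOSTNAME) or "none")
    substituted = dict(SAMPLE_PLUGIN, netConnectionUrl="rtmps://video.example.com/live")
    print("own-domain plugin problems:", check_rtmp_plugin(substituted, CERT_HOSTNAME))
```

    Pass ssl_port=1935 to check_rtmp_plugin() when the secure host port is not 443; the URL then has to carry the port, exactly as in the note above.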

    Configuring secure HTTP (HTTPS) streaming playback


    You can use your StreamLock SSL certificate for secure HTTP (HTTPS) streaming using the Adobe HTTP Dynamic Streaming (HDS) protocol to Adobe Flash Player and Microsoft® Smooth Streaming protocol to Microsoft Silverlight®.

    Adobe Flash Player


    Using a text editor, edit [install-dir]/conf/crossdomain.xml and change the <allow-access-from> line to <allow-access-from domain="*" secure="false" />. (secure="false" lets Flash content that was itself loaded over plain HTTP fetch the HTTPS stream; with the default of secure="true", only content loaded over HTTPS could.) The modified contents should look like the following:
    Code:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*" secure="false" />
        <site-control permitted-cross-domain-policies="all"/>
    </cross-domain-policy>
    Playback

    To test HTTPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashHTTPPlayer/player.html, enter the information below, and then click the Connect button.
    Code:
    Stream: https://[hostname]/vod/mp4:sample.mp4/manifest.f4m
    Where:

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default filename for the downloaded SSL certificate (.jks) file, which is in the format hostname.jks (StreamLockID.streamlock.net.jks).

    Microsoft Silverlight


    Using a text editor, edit the <domain uri> values in the [install-dir]/conf/clientaccesspolicy.xml file. The modified content should look like the following:
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="http://*"/>
            <domain uri="https://*"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>
    Playback

    To test HTTPS playback using Microsoft Silverlight, double-click [install-dir]/examples/VideoOnDemandStreaming/SilverlightPlayer/player.html, enter the URL below, and then click the Connect button.
    Code:
    https://[hostname]/vod/mp4:sample.mp4/Manifest
    Where:

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default filename for the downloaded SSL certificate (.jks) file, which is in the format hostname.jks (StreamLockID.streamlock.net.jks).

    Troubleshooting



    Invalid certificate password error


    After starting Wowza Streaming Engine, if you receive the following message in the access.log, it likely means that the KeyStorePassword value in [install-dir]/conf/VHost.xml is incorrect:
    Code:
    SSLConfiguration problem: java.io.IOException: Keystore was tampered with, or password was incorrect

    Hostname substitution


    When you configure player applications to establish a secure connection to Wowza Streaming Engine, and you substitute the hostname for your domain in place of the StreamLock hostname that is associated with the SSL certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following Security Alert:
    The certificate you are viewing does not match the name of the site you are trying to view.

    StreamLock SSL certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that is associated with the SSL certificate in the call to NetConnection.connect([url]). For more information about how to do this, see Configuring secure RTMP (RTMPS) streaming playback.

    If you must use your own domain name in [hostname], then you must create your own SSL certificate. For more information about how to do this, see How to create a self-signed SSL certificate.

    Unable to connect to streamlock.net


    If one or more clients report that they are unable to connect using a StreamLock certificate configuration while most others have no problem, the cause is most likely the DNS server on the client side.

    In order for a StreamLock certificate to function properly, the client must be able to access the streamlock.net domain. In some instances, the DNS configuration associated with the client does not provide a record for streamlock.net, which prevents a successful connection.

    This can be confirmed by issuing a ping command from the client computer using a command line:

    Code:
    ping streamlock.net
    If the ping fails (for example, the hostname cannot be resolved and there is no response), this points to a DNS problem.

    Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, in the public domain, Wowza has no control over DNS propagation, especially when it comes to privately managed DNS servers.

    As a test and workaround, we suggest using an alternative DNS configuration in the event of a client not being able to connect.
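    Two checks that automate the troubleshooting steps above (spotting the invalid-password message in the log and the streamlock.net DNS test). This is an added example, not Wowza tooling. The log lines are constructed in the spirit of access.log and only the quoted error text comes from this page; the DNS check takes an injectable resolver so it can be exercised offline and defaults to the operating system resolver, the same one ping uses; example12345.streamlock.net is a made-up hostname.

```python
import re
import socket

# Constructed log lines in the spirit of a Wowza access.log. Only the keystore
# error text is taken from this page; timestamps, columns and the other lines are made up.
SAMPLE_LOG_LINES = [
    "2014-02-11 10:00:01 UTC comment server INFO 200 - Wowza Streaming Engine is started!",
    "2014-02-11 10:00:02 UTC comment vhost WARN 200 _defaultVHost_ SSLConfiguration problem: "
    "java.io.IOException: Keystore was tampered with, or password was incorrect",
    "2014-02-11 10:00:03 UTC comment vhost INFO 200 _defaultVHost_ configuration loaded",
]

KEYSTORE_ERROR = re.compile(
    r"SSLConfiguration problem: .*Keystore was tampered with, or password was incorrect")


def find_keystore_errors(lines):
    """Return the 1-based line numbers that carry the wrong-password keystore error.

    Each hit means the KeyStorePassword in VHost.xml (or the Keystore password
    entered in Engine Manager) does not match the password chosen when the
    certificate was requested. The fix is to re-enter it, or change it at Wowza.com
    and install the freshly downloaded .jks file.
    """
    return [n for n, line in enumerate(lines, 1) if KEYSTORE_ERROR.search(line)]


def diagnose_resolution(hostname, resolver=socket.gethostbyname):
    """Resolve the StreamLock hostname the way a client would and report the outcome.

    The resolver is injectable so the check can run without network access; by
    default it is the operating system resolver, which is what ping consults.
    """
    try:
        address = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"hostname": hostname, "resolved": False, "address": None,
                "advice": f"the client's DNS returned no record for {hostname} ({exc}); "
                          "switch the client to an alternative DNS configuration and retry"}
    return {"hostname": hostname, "resolved": True, "address": address, "advice": ""}


if __name__ == "__main__":
    hits = find_keystore_errors(SAMPLE_LOG_LINES)
    print("keystore password errors on log lines:", hits or "none")
    # Made-up hostname; resolving it for real needs network access.
    print(diagnose_resolution("example12345.streamlock.net"))
```

    Feed find_keystore_errors() the lines of the server's log after a restart; a hit on a fresh start is the password problem described above, not a corrupted keystore. Run diagnose_resolution() on the affected client machine with the StreamLock hostname from your certificate.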

    How to fix intermittent HTTP/SSL padding exception


    A bug has been discovered in the Oracle Java Development Kit (JDK) that affects connections that use Secure Sockets Layer (SSL) certificates. Occasionally the SSL handshake fails during Diffie-Hellman key exchange and the connection hangs. The problem only exists in newer versions of Java 7. For more information, see How to fix intermittent HTTP/SSL failure (padding exception).

    Updated: For Wowza Streaming Engine 4.0 on 02-11-2014
    19 Comments
    1. a.reza -
      Hi, I just subscribed to monthly Wowza and shut down the DevPay instance so that I can use StreamLock. Unfortunately I cannot log in to the StreamLock page even though I can log in to Wowza.
    1. a.reza -
      Also, I may sound silly, but how does StreamLock work? I understand the steps to set the certificate on the server side, but what needs to be done from the website or iPhone app side? How does it know which connection is authorized?
    1. rrlanham -
      With a SSL certificate installed properly you can use HTTPS sessions or RTMPS connections to Wowza as needed. Just use those protocols in your clients.

      If you have problem logging in with subscription license, open a Sales ticket by writing to sales@wowza.com. Include a link to this thread for reference

      Richard
    1. a.reza -
      Thanks Richard. I will contact the sales team. Do I still have to compile my Flash player with a token key if I don't want others to steal my stream? Or does StreamLock provide a better solution?
    1. rrlanham -
      Yes, you still should compile your token with the player.

      Richard
    1. gearup -
      Can streamlock be used to secure HLS streaming to Apple IOS?
    1. rrlanham -
      StreamLock (SSL) can be used to encrypt the stream by allowing you to use HTTPS.

      To secure access in other ways you can use onHTTPSessionCreate
      http://www.wowza.com/forums/content....josestreaming)

      Richard
    1. ClickCentric -
      I'm a bit confused about how this is supposed to work. The hostname that's provided isn't mapped to the ip address that I provided. So how can the certificate be used? I assumed that the host would be mapped to the IP address provided via dns after registration but this didn't happen so now I'm confused.
    1. ClickCentric -
      Quote (originally posted by ClickCentric):
      I'm a bit confused about how this is supposed to work. The hostname that's provided isn't mapped to the ip address that I provided. So how can the certificate be used? I assumed that the host would be mapped to the IP address provided via dns after registration but this didn't happen so now I'm confused.
      The dns resolution started working about 8 hours after the request (or at least that's when I first noticed it). I didn't realize that it would take so long. It's kind of implied in the documentation that once you have the certificate, you're good to go. It's nice that you offer this as a means of testing, though.

      I do feel like someone should point out the security implications of using certificates which you don't create yourself in a production environment. For those who aren't terribly concerned with security, it's good enough. But it should be pointed out that if the certificate is generated by someone else, then it is just as compromised as if someone stole it off of your servers. For anyone doing work which is particularly security focused or which is bound by regulations, you really need to get a real certificate from a true Certificate Authority. Even if it is a pain to get it into the right format to import.
    1. drupaler -
      Uncomment the <HostPort> definition for port 443 that follows the comment <!-- 443 with SSL -->.
      Note that on Amazon EC2, there's a <HostPort> definition directly above the SSL one that has in it

      <Port>1935,80,443,554</Port>
      In order to make SSL work, you also have to remove the 443 port from that line, otherwise Wowza will be complaining about not being able to bind to the 443 port.
    1. JanEhrhardt -
      I have already got my own SSL-certificate. Is there any difference and/or (dis)advantage compared with using a Streamlock certificate?
    1. chatlumo -
      Hello, something is not clear for me in your answers. I actually use RTMPE. So with the token, only the player with the token can access the stream.
      But with StreamLock, how does it work to protect the stream only for authorized users, if there is nothing special on the website or in the player?
    1. matt_y -
      Streamlock just enables ssl via rtmps and https and does not deal with authorized users in that regard.
    1. chatlumo -
      Quote (originally posted by matt_y):
      Streamlock just enables ssl via rtmps and https and does not deal with authorized users in that regard.
      So how can I be sure to protect the stream with HTTPS, and be sure that someone who copies/pastes the HTML/JS code onto a local HTML page can't access the stream, for example 3 days later?
      Maybe I can use StreamLock and StreamNameAlias together? Or is there another good method to protect the stream with a temporary URL?

      Thanks,
      Julien
    1. matt_y -
      Hello Julien,

      You should check out our Media Security Guide for a good place to start as it covers both publishing and playback.

      Thanks,

      Matt
    1. aynajus -
      Hi,
      How do I use it with JW Player?
    1. rrlanham -
      There is a guide to using JW Player 6 with Wowza here.

      Richard
    1. ravjr76 -
      Hi,

      Will StreamLock AddOn work when Amazon CloudFront is used for distribution?


      Thanks,
      Roger
    1. daren_j -
      Hi,
      It should work. A StreamLock cert is basically just a normal SSL cert, but it is wrapped up in a Java keystore container (hence the JKS file extension) for use with Wowza.
      You'd have to use Java's keytool to unpack it and get the certs into the format CloudFront needs, but it could be done.

      Hope this helps.
      Daren