How to get SSL certificates from the StreamLock service

    Wowza StreamLock™ AddOn is a security option for network encryption from Wowza® Media Systems. It provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media servers. StreamLock-provisioned SSL certificates provide the best security when used with Real Time Messaging Protocol (RTMP). The certificates can also be used for secure HTTP streaming (HTTPS).

    Note: StreamLock is only available to Subscription and Perpetual licensees running Wowza Streaming Engine™ software or Wowza Media Server® 3 software. It's not available for Trial and Developer editions of the software.

    Setup

    Managing your StreamLock certificates

    Configuring Wowza Streaming Engine to use your StreamLock certificate

    Configuring secure RTMP (RTMPS) streaming playback

    Configuring secure HTTP (HTTPS) streaming playback

    Troubleshooting

    Setup


    Prerequisites for StreamLock

    1. Wowza Streaming Engine or Wowza Media Server 3 is required.

    2. To purchase and learn more about Monthly Subscription and Perpetual Edition licenses, see the Wowza Streaming Engine Pricing webpage. Trial and Developer licenses aren't provisioned for this feature.

    3. Download Wowza Streaming Engine from the Installers webpage. For more information about Wowza Streaming Engine installation requirements, see the "Server Installation" chapter in the Wowza Streaming Engine User's Guide.

    4. Configure Wowza Streaming Engine by following the step-by-step directions in one of our Tutorials.

    Sign up for a Wowza account

    If you don't have an account, sign up for a Wowza account, and then apply for StreamLock SSL certificates on the StreamLock tab on your Account Management page.

    If you already have a Wowza account to manage your subscription (Monthly) license for the server software, you don't need to set up a separate StreamLock account. See Log in with your subscription account credentials.

    Managing your StreamLock certificates


    Log in with your StreamLock account credentials

    If you already have a StreamLock account, in a web browser, log in to the StreamLock tab for your Wowza account. Enter your account information (email address and password) that you used when you created your StreamLock account.
    Note: Be sure to click Yes for the option that asks if you already have an account.

    Log in with your subscription account credentials

    If you already have a Wowza Streaming Engine subscription (Monthly) license, you don't need to create a StreamLock account. Instead, you can use the same account credentials that you use to log in and manage your subscription account on the Account Management page.

    On the StreamLock tab, enter the email address and password associated with your subscription account. If you don't know this information, contact billing@wowza.com.
    Notes:
    • Be sure to click Yes for the option that asks if you have an account.

    • If you have a StreamLock account AND a subscription (Monthly) account for the Wowza media server software, you MUST log in using your subscription account credentials.

    Request and download a StreamLock certificate

    After you log in, you'll be presented with a form to apply for an SSL certificate. If there are any SSL certificates already associated with your license keys, they'll be displayed in a table on the webpage. The certificate table provides detailed information about each certificate including the StreamLock hostname, when it was issued, and who it's registered to. If your license key has been allocated the maximum number of SSL certificates (2 for subscription, 1 for perpetual), contact billing@wowza.com.

    To request and download a StreamLock certificate, do the following:

    1. Enter a qualified license key in the License Key box.

    2. Enter the IP address for the certificate in the IP Address box.

    3. Enter a unique password in the Certificate Password field and re-enter the password in the Confirm Password field. Be sure to remember the certificate password that you enter as you'll use it for the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. (See Configure a host port to use the StreamLock certificate.)

    4. Click Apply for SSL Certificate. After the certificate is created, the webpage displays a message that the certificate was created and the certificate is highlighted in bold in the My SSL certificates table.

    5. To download the certificate, click download certificate for each certificate that you want to download.

    Notes:
    • In the My SSL certificates table, be sure to note the StreamLock hostname value for the certificate under Hostname. You'll use it when you configure client applications to connect to Wowza Streaming Engine over an SSL connection (RTMPS or HTTPS).

    • If an error occurs when you're requesting the certificate, follow the instructions on the page. If you still have problems acquiring a certificate, contact billing@wowza.com.

    Change the StreamLock certificate password

    You must use the unique password that you create for an installed certificate as the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. If you forget the password value, you can change it in the Certificate Management webpage. After you do this, you must download a new certificate associated with the new password, install the new certificate (see Install your StreamLock certificate), and then reconfigure the host port to use it (see Configure a host port to use the StreamLock certificate).

    To change the certificate password, do the following:

    1. Log in to your StreamLock account using your StreamLock account credentials or your subscription account credentials. If you have both accounts, you must log in using your subscription account credentials.

    2. In the My SSL certificates table, under Certificate Information, click Change certificate password for the certificate.

    3. Enter a new unique password for the certificate in both boxes. You must enter the same password in both boxes.

    4. Click OK. Updates are effective immediately.

    Change the server IP address

    To change the IP address of the Wowza Streaming Engine instance that's associated with your StreamLock certificate, do the following:

    1. Log in to your StreamLock account.

    2. In the My SSL certificates table, under IP Address, click Change next to the IP address that you want to change.

    3. Enter the new IP address, and then click OK. Updates are effective immediately.

    Configuring Wowza Streaming Engine to use your StreamLock certificate


    Install your StreamLock certificate

    Copy the downloaded certificate (.jks) file to the [install-dir]/conf folder on your Wowza Streaming Engine host.

    Configure a host port to use the StreamLock certificate for Wowza Streaming Engine software

    Note: If you upgrade your Wowza Media Server software to Wowza Streaming Engine, you can migrate your existing StreamLock certificates to the new media server software platform and configure them with these instructions.
    1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup in the contents pane.

    2. In the Virtual Host Setup page, click Edit.

    3. Scroll down to the Host Ports settings area and click Add Host Port.

    4. In the Add a new host port dialog box, enter the following data, and then click Add:

      • Name: Enter StreamLock (or any other custom name).

      • Type: Select Streaming.

      • IP Address: Enter the wildcard character (*) to listen for traffic on all network interfaces, or enter the IP address of a specific network interface to accept traffic on that interface only.

      • Port(s): Enter 443.

      • Select the Enable SSL/StreamLock option, and then enter the directory path to your StreamLock certificate in Keystore Path and the StreamLock certificate password in Keystore password.

      Notes:
      • These instructions assume that you placed the downloaded StreamLock certificate in the default [install-dir]/conf folder of the media server software installation. This is the default directory path:

        ${com.wowza.wms.context.VHostConfigHome}/conf

      • The StreamLock certificate password is the password that you entered and applied to the StreamLock certificate when it was created or modified at Wowza.com.

    5. Click Save.

    6. Restart the virtual host (VHost) when prompted to apply the changes.


    Configure a host port to use the certificate with Wowza Media Server software

    Open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:

    1. Uncomment the <HostPort> definition for port 443 that follows the comment <!-- 443 with SSL -->. Be sure to remove both comment markers: the <!-- before <HostPort> and the --> after </HostPort>.

    2. Update the <SSLConfig>/<KeyStorePath> property value to include the file name of your downloaded certificate (.jks) file. See the code sample below for details.

    3. In <SSLConfig>/<KeyStorePassword>, enter the certificate password that you created for this certificate. (See Request and download a StreamLock certificate.)
      Code:
      <SSLConfig>
        <!-- file name of the downloaded StreamLock keystore in [install-dir]/conf -->
        <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/[YOUR.CERTIFICATE.FILENAME.HERE].jks</KeyStorePath>
        <!-- the certificate password you set when you requested the certificate -->
        <KeyStorePassword>[password]</KeyStorePassword>
        <KeyStoreType>JKS</KeyStoreType>
        <SSLProtocol>TLS</SSLProtocol>
        <Algorithm>SunX509</Algorithm>
        <CipherSuites></CipherSuites>
        <Protocols></Protocols>
      </SSLConfig>
    4. Save the updated VHost.xml file and then restart the Wowza media server to apply the changes.
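    As an added example (not Wowza's own code), the following Python script checks a VHost.xml for the mistakes this page and its comments describe before you restart the server: a missing or still-commented SSL host port, a KeyStorePassword that is empty or still the [password] placeholder (the cause of the "Keystore was tampered with" error in Troubleshooting), a keystore file that is not actually in [install-dir]/conf, and port 443 also listed in a non-SSL HostPort so the SSL port cannot bind. The install directory, the keystore name abc123.streamlock.net.jks and the VHost.xml fragments are constructed for the demo.

```python
"""Pre-flight checks for the port 443 <HostPort> in a Wowza VHost.xml.

Added example, not Wowza's own code. It checks the points raised on this page and
in its comments: an SSL HostPort exists (is not still commented out), KeyStorePath
names a downloaded .jks file that is present under [install-dir]/conf, the password
is not the [password] placeholder, and port 443 is not also listed in another
HostPort's <Port> list (which stops the SSL port from binding).
"""
import os
import tempfile
import xml.etree.ElementTree as ET

VHOST_HOME = "${com.wowza.wms.context.VHostConfigHome}"   # Wowza expands this itself
PLACEHOLDER_PASSWORDS = {"", "[password]"}


def _ports(text):
    """Expand a Wowza port list such as '1935,80,443,554' into a set of ints."""
    return {int(p) for p in text.split(",") if p.strip()}


def streamlock_hostname(keystore_path):
    """StreamLock names the download [hostname].jks; strip the extension to get the hostname."""
    name = os.path.basename(keystore_path)
    return name[:-4] if name.endswith(".jks") else None


def check_ssl_hostport(vhost_xml, install_dir, ssl_port=443):
    """Return a list of problems found; an empty list means the SSL host port looks sane."""
    problems = []
    ssl_hp = None
    for hp in ET.fromstring(vhost_xml).iter("HostPort"):
        if ssl_port not in _ports(hp.findtext("Port", "")):
            continue
        if hp.find("SSLConfig") is None:
            problems.append(f"port {ssl_port} is also listed in a non-SSL HostPort "
                            f"(<Port>{hp.findtext('Port')}</Port>); remove it there")
        elif ssl_hp is None:
            ssl_hp = hp
        else:
            problems.append(f"more than one SSL HostPort lists port {ssl_port}")
    if ssl_hp is None:
        problems.append(f"no SSL HostPort listens on {ssl_port}; is the "
                        "'443 with SSL' block still commented out?")
        return problems
    ssl = ssl_hp.find("SSLConfig")
    path = ssl.findtext("KeyStorePath", "").strip()
    resolved = path.replace(VHOST_HOME, install_dir)
    if not path.endswith(".jks") or "YOUR.CERTIFICATE" in path:
        problems.append(f"KeyStorePath does not name a downloaded .jks file: {path!r}")
    elif not os.path.isfile(resolved):
        problems.append(f"keystore file not found: {resolved}")
    if ssl.findtext("KeyStorePassword", "").strip() in PLACEHOLDER_PASSWORDS:
        problems.append("KeyStorePassword is empty or still the [password] placeholder")
    if ssl.findtext("KeyStoreType", "").strip().upper() != "JKS":
        problems.append("KeyStoreType must be JKS for a StreamLock keystore")
    return problems


# Constructed sample resembling the EC2 layout described in the comments: port 443 is
# listed in the plain HostPort as well as in the SSL one, and the password is unset.
BROKEN_VHOST = """<Root version="1"><VHost><HostPortList>
  <HostPort><Name>Default Streaming</Name><Type>Streaming</Type>
    <IpAddress>*</IpAddress><Port>1935,80,443,554</Port></HostPort>
  <!-- 443 with SSL -->
  <HostPort><Name>StreamLock</Name><Type>Streaming</Type>
    <IpAddress>*</IpAddress><Port>443</Port>
    <SSLConfig>
      <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/abc123.streamlock.net.jks</KeyStorePath>
      <KeyStorePassword>[password]</KeyStorePassword>
      <KeyStoreType>JKS</KeyStoreType>
    </SSLConfig></HostPort>
</HostPortList></VHost></Root>"""

# The same config with 443 removed from the plain HostPort and a real (constructed) password.
FIXED_VHOST = (BROKEN_VHOST.replace("1935,80,443,554", "1935,80,554")
                           .replace("[password]", "s3cret-example"))


def run_demo():
    """Check both samples against a temp install dir holding a stand-in keystore file."""
    with tempfile.TemporaryDirectory() as install_dir:
        os.makedirs(os.path.join(install_dir, "conf"))
        # constructed empty stand-in for the downloaded abc123.streamlock.net.jks
        with open(os.path.join(install_dir, "conf", "abc123.streamlock.net.jks"), "w"):
            pass
        return (check_ssl_hostport(BROKEN_VHOST, install_dir),
                check_ssl_hostport(FIXED_VHOST, install_dir))


if __name__ == "__main__":
    for label, problems in zip(("broken", "fixed"), run_demo()):
        print(label, "->", problems or "OK")
```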

    Configuring secure RTMP (RTMPS) streaming playback


    When using SSL certificates provisioned by Wowza StreamLock, RTMP-based players must be configured to connect to Wowza Streaming Engine over an SSL connection. If a player encounters a URL with an RTMPS URL prefix (rtmps://) and it's not configured correctly, the connection may fail and the player may fall back to use the RTMPT protocol (RTMP tunneling via HTTP) over SSL (RTMPTS). RTMPTS is much less efficient than RTMPS and can cause Wowza Streaming Engine to consume a lot of the computer's CPU resources. For this reason, it's important to properly configure client applications to connect to Wowza Streaming Engine using RTMPS.

    Adobe Flash Player

    To configure Adobe Flash Player applications to connect to Wowza Streaming Engine using RTMPS, you must set the NetConnection.proxyType property to "best" before calling NetConnection.connect([url]). The following example shows how to do this:
    Code:
    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
    nc.connect("rtmps://[hostname]/[application]");
    [hostname] is the StreamLock hostname ([StreamLockID].streamlock.net) and [application] is the name of your application (for example, live). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    The above code example enables a Flash Player that encounters an RTMPS URI to communicate securely with Wowza Streaming Engine over port 443. If you configure any port other than 443 as secure (for example, port 1935), the client must specify the port in the URI. For example:
    Code:
    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
    nc.connect("rtmps://[hostname]:1935/[application]");
    Note: If the player can't make a direct connection to the server over the default port (443) or another port that you specify, and if a proxy server is in place, the player tries to use the CONNECT method. If that attempt fails, the player tunnels over HTTPS. Some users have reported problems with certain browsers not being able to make this switch. If you continue to experience problems, consult your player documentation. If you're using Adobe Flash Player, see the proxyType property reference for more information about the different proxy types.

    Playback


    To test RTMPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashRTMPPlayer/player.html, enter the information below, and then click Connect or Start.

    Server: rtmps://[hostname]/vod
    Stream: mp4:sample.mp4

    Flowplayer

    Flowplayer is an open source pre-built Flash-based player. To configure Flowplayer applications to connect to Wowza Streaming Engine using RTMPS, do the following:

    1. Download Flowplayer Flash and extract the contents from the downloaded compressed (zipped) file.

    2. Download the RTMP Streaming Plugin (.swf) and copy it to the unzipped Flowplayer folder. (Be sure to copy it to the inner flowplayer folder that contains the flowplayer-3.x.x.swf file.)

    3. Edit the flowplayer/example/index.html file in the root directory of the unzipped archive, and make the following changes to the <script> section to enable RTMPS playback for either video on-demand or live streaming:

      Video on demand streaming


      Change:
      Code:
      <script>
          flowplayer("player", "../flowplayer-3.2.15.swf");
      </script>
      To:
      Code:
      <script type="text/javascript">
          flowplayer("player", "../flowplayer-3.2.15.swf",
              {
                  clip: {
                      url: 'mp4:sample.mp4',
                      provider: 'rtmp'
                  },
                  plugins: {
                      rtmp: {
                          url: '../flowplayer.rtmp-3.2.11.swf',
                          proxyType: 'best',
                          netConnectionUrl: 'rtmps://[hostname]/[application]'
                      }
                  }
              }
          );
      </script>
      • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.

      • clip: url is the name of the sample video that ships with Wowza Streaming Engine (mp4:sample.mp4).

      • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.

      • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.

      • plugins: netConnectionUrl is the RTMPS URI to a video on-demand application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)

      Live streaming


      Change:
      Code:
      <script>
          flowplayer("player", "../flowplayer-3.2.15.swf");
      </script>
      To:
      Code:
      <script type="text/javascript">
          flowplayer("player", "../flowplayer-3.2.15.swf",
              {
                  clip: {
                      url: 'myStream',
                      live: true,
                      provider: 'rtmp'
                  },
                  plugins: {
                      rtmp: {
                          url: '../flowplayer.rtmp-3.2.11.swf',
                          proxyType: 'best',
                          netConnectionUrl: 'rtmps://[hostname]/[application]'
                      }
                  }
              }
          );
      </script>
      • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.

      • clip: url is the stream name of the live stream (myStream).

      • clip: live is set to true. This property setting enables Flowplayer to stream live video data from an RTMP streaming server.

      • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.

      • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.

      • plugins: netConnectionUrl is the RTMPS URI to a live application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)

    Notes:
    • You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    • If you configure any port other than 443 as secure (for example, port 1935), you must include the port value in the netConnectionUrl property value. For example:
      netConnectionUrl: 'rtmps://[hostname]:1935/[application]'

    Playback


    To test RTMPS playback using Flowplayer, copy the flowplayer folder to a web server and then open the following URL in a web browser:

    http://[web-server-address]/flowplayer/example/index.html

    JW Player

    To configure JW Player applications to connect to Wowza Streaming Engine using RTMPS, see How to use JW Player with Wowza Streaming Engine.

    Configuring secure HTTP (HTTPS) streaming playback


    You can use your StreamLock SSL certificate for secure HTTP (HTTPS) streaming using the Adobe HTTP Dynamic Streaming (Adobe HDS) protocol to Adobe Flash Player and Microsoft Smooth Streaming protocol to Microsoft Silverlight.

    Adobe Flash Player

    Using a text editor, edit [install-dir]/conf/crossdomain.xml and change the <allow-access-from> line to <allow-access-from domain="*" secure="false" />. The modified contents should look like the following:
    Code:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*" secure="false" />
        <site-control permitted-cross-domain-policies="all"/>
    </cross-domain-policy>

    Playback


    To test HTTPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashHTTPPlayer/player.html, enter the information below, and then click Connect or Start.

    Stream: https://[hostname]/vod/mp4:sample.mp4/manifest.f4m

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    Microsoft Silverlight

    Using a text editor, edit the <domain uri> values in the [install-dir]/conf/clientaccesspolicy.xml file. The modified content should look like the following:
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="http://*"/>
            <domain uri="https://*"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

    Playback


    To test HTTPS playback using Microsoft Silverlight, double-click [install-dir]/examples/VideoOnDemandStreaming/SilverlightPlayer/player.html, enter the URL below, and then click Connect or Start.

    Stream: https://[hostname]/vod/mp4:sample.mp4/Manifest

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    Troubleshooting


    Invalid certificate password error

    After starting the Wowza media server, if you receive the following message in the access.log file, it likely means that the KeyStorePassword value in [install-dir]/conf/VHost.xml is incorrect:

    SSLConfiguration problem: java.io.IOException: Keystore was tampered with, or password was incorrect

    Hostname substitution

    When you configure player applications to establish a secure connection to the Wowza media server and you substitute your own domain's hostname for the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following Security Alert:

    The certificate you are viewing does not match the name of the site you are trying to view.

    StreamLock SSL certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]). For more information about how to do this, see Configuring secure RTMP (RTMPS) streaming playback.

    If you must use your own domain name in [hostname], then you must create your own SSL certificate. For more information about how to do this, see How to create a self-signed SSL certificate.
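    As an added example (not Wowza's own code), this Python check catches the hostname substitution described above before a URL reaches players: it derives the certificate name from the [hostname].jks file name, verifies that a player URL uses a secure scheme and exactly that *.streamlock.net name, and insists that a secure port other than 443 be written into the URL, as the RTMPS section requires. The keystore name abc123.streamlock.net.jks and the URLs are constructed for the demo.

```python
"""Check that a player URL matches a StreamLock certificate before handing it to clients.

Added example, not Wowza's own code. A StreamLock certificate is issued for
[StreamLockID].streamlock.net and the download is named [hostname].jks, so the host
a player connects to must be exactly that name; any other name (your own domain or
the raw IP) produces the certificate/site name mismatch alert described above. A
secure port other than 443 must also appear in the URL, as the RTMPS section notes.
"""
from urllib.parse import urlparse

SECURE_SCHEMES = {"rtmps", "https"}


def hostname_from_keystore(keystore_filename):
    """The default download name is [hostname].jks, e.g. abc123.streamlock.net.jks."""
    if not keystore_filename.endswith(".jks"):
        raise ValueError("StreamLock keystores are named [hostname].jks")
    return keystore_filename.rsplit("/", 1)[-1][:-4]


def check_player_url(url, keystore_filename, ssl_port=443):
    """Return a list of problems; an empty list means the URL matches the certificate."""
    expected = hostname_from_keystore(keystore_filename)
    u = urlparse(url)
    problems = []
    if u.scheme.lower() not in SECURE_SCHEMES:
        problems.append(f"scheme {u.scheme!r} is not secure; use rtmps:// or https://")
    host = (u.hostname or "").lower()
    if host != expected.lower():
        problems.append(f"host {host!r} does not match the certificate name {expected!r}; "
                        "clients will see a certificate/site name mismatch")
    if not host.endswith(".streamlock.net"):
        problems.append("StreamLock certificates are only valid for *.streamlock.net names")
    port = u.port if u.port is not None else 443   # RTMPS and HTTPS default to 443 here
    if port != ssl_port:
        problems.append(f"URL goes to port {port} but the SSL host port is {ssl_port}; "
                        f"write the port into the URL (rtmps://{expected}:{ssl_port}/...)")
    return problems


def secure_url(keystore_filename, application, scheme="rtmps", ssl_port=443):
    """Build the URL clients should use for an application served under this certificate."""
    host = hostname_from_keystore(keystore_filename)
    port = "" if ssl_port == 443 else f":{ssl_port}"
    return f"{scheme}://{host}{port}/{application}"


if __name__ == "__main__":
    # constructed sample keystore name; abc123 stands in for a real StreamLock ID
    ks = "abc123.streamlock.net.jks"
    for url in (secure_url(ks, "live"),
                "rtmps://video.example.com/live",          # own domain: name mismatch
                "rtmps://abc123.streamlock.net:1935/live",  # port written into the URL
                "https://abc123.streamlock.net/vod/mp4:sample.mp4/manifest.f4m"):
        print(url, "->", check_player_url(url, ks) or "OK")
```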

    Unable to connect to streamlock.net

    If one or more clients report that they can't connect using a StreamLock certificate configuration, while the majority of clients don't have this problem, this is more than likely a problem with the DNS server on the client side.

    For a StreamLock certificate to function properly, the client must be able to access the streamlock.net domain. In some cases, the DNS configuration associated with the client doesn't provide a record for streamlock.net, which prevents a successful connection. You can confirm this by issuing a ping command from the client computer using a command line:

    ping streamlock.net

    If the ping command doesn't result in a response, this is evidence of a DNS problem.

    Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, in the public domain, Wowza has no control over DNS propagation, especially when it comes to privately managed DNS servers. As a test and workaround, we suggest using an alternative DNS configuration if a client can't connect.

    Intermittent HTTP/SSL padding exception

    Note: This issue has been fixed in Java 7 update 67 (JDK 7u67) or greater and Java 8 update 20 (JDK 8u20) or greater.
    A bug in the Oracle Java Development Kit (JDK) affects connections that use SSL certificates. Occasionally the SSL handshake fails during Diffie-Hellman key exchange and the connection hangs. For more information, see How to fix intermittent HTTP/SSL failure (padding exception).

    Originally Published: 10-11-2012.
    Updated: For Wowza Streaming Engine on 02-23-2015.

    Comments (19)
    1. a.reza -
      Hi, I just subscribed to monthly Wowza and shut down the DevPay instance so that I can use StreamLock. Unfortunately I cannot log in to the StreamLock page even though I can log in to Wowza.
    2. a.reza -
      Also, I may sound silly, but how does StreamLock work? I understand the steps to set the certificate on the server side, but what needs to be done from the website or iPhone app side? How does it know which connection is authorized?
    3. rrlanham -
      With an SSL certificate installed properly you can use HTTPS sessions or RTMPS connections to Wowza as needed. Just use those protocols in your clients.

      If you have problems logging in with a subscription license, open a Sales ticket by writing to sales@wowza.com. Include a link to this thread for reference.

      Richard
    4. a.reza -
      Thanks Richard. I will contact the sales team. Do I still have to compile my Flash player with a token key if I don't want others to steal my stream? Or does StreamLock provide a better solution?
    5. rrlanham -
      Yes, you still should compile your token with the player.

      Richard
    6. gearup -
      Can StreamLock be used to secure HLS streaming to Apple iOS?
    7. rrlanham -
      StreamLock (SSL) can be used to encrypt the stream by allowing you to use HTTPS.

      To secure access in other ways you can use onHTTPSessionCreate
      http://www.wowza.com/forums/content....josestreaming)

      Richard
    8. ClickCentric -
      I'm a bit confused about how this is supposed to work. The hostname that's provided isn't mapped to the IP address that I provided. So how can the certificate be used? I assumed that the host would be mapped to the IP address provided via DNS after registration, but this didn't happen, so now I'm confused.
    9. ClickCentric -
      Quote Originally Posted by ClickCentric:
      I'm a bit confused about how this is supposed to work. The hostname that's provided isn't mapped to the IP address that I provided. So how can the certificate be used? I assumed that the host would be mapped to the IP address provided via DNS after registration, but this didn't happen, so now I'm confused.
      The dns resolution started working about 8 hours after the request (or at least that's when I first noticed it). I didn't realize that it would take so long. It's kind of implied in the documentation that once you have the certificate, you're good to go. It's nice that you offer this as a means of testing, though.

      I do feel like someone should point out the security implications of using certificates which you don't create yourself in a production environment. For those who aren't terribly concerned with security, it's good enough. But it should be pointed out that if the certificate is generated by someone else, then it is just as compromised as if someone stole it off of your servers. For anyone doing work which is particularly security focused or which is bound by regulations, you really need to get a real certificate from a true Certificate Authority. Even if it is a pain to get it into the right format to import.
    10. drupaler -
      Uncomment the <HostPort> definition for port 443 that follows the comment <!-- 443 with SSL -->.
      Note that on Amazon EC2, there's a <HostPort> definition directly above the SSL one that has in it

      <Port>1935,80,443,554</Port>
      In order to make SSL work, you also have to remove the 443 port from that line; otherwise Wowza will complain about not being able to bind to port 443.
    11. JanEhrhardt -
      I have already got my own SSL certificate. Is there any difference and/or (dis)advantage compared with using a StreamLock certificate?
    12. chatlumo -
      Hello, something is not clear for me in your answers. I actually use RTMPE. So with the token, only the player with the token can access the stream.
      But with StreamLock, how does it work to protect the stream for authorized users only, if there is nothing special on the website or in the player?
    13. matt_y -
      StreamLock just enables SSL via RTMPS and HTTPS and does not deal with authorized users in that regard.
    14. chatlumo -
      Quote Originally Posted by matt_y:
      StreamLock just enables SSL via RTMPS and HTTPS and does not deal with authorized users in that regard.
      So how can I be sure to protect the stream with HTTPS, and be sure that someone who copies/pastes the HTML/JS code into a local HTML page can't access the stream, for example 3 days later?
      Maybe I can use StreamLock and StreamNameAlias together? Or is there another good method to protect the stream with a temporary URL?

      Thanks,
      Julien
    15. matt_y -
      Hello Julien,

      You should check out our Media Security Guide for a good place to start as it covers both publishing and playback.

      Thanks,

      Matt
    16. aynajus -
      Hi,
      How do I use it with JW Player?
    17. rrlanham -
      There is a guide to using JW Player 6 with Wowza here.

      Richard
    18. ravjr76 -
      Hi,

      Will StreamLock AddOn work when Amazon CloudFront is used for distribution?


      Thanks,
      Roger
    19. daren_j -
      Hi,
      It should work. A StreamLock cert is basically just a normal SSL cert, but it is wrapped up in a Java keystore container (hence the JKS file extension) for use with Wowza.
      You'd have to use Java's keytool to unpack it and get the certs into the format CloudFront needs, but it could be done.

      Hope this helps.
      Daren