Configure security using Wowza Streaming Engine Manager

This article explains how to configure the source and playback security options in Wowza Streaming Engine™ Manager.

Source security options


Limit maximum connections

You can restrict the number of concurrent connections that are accepted by the Wowza Streaming Engine live and VOD applications. By default, the number of connections isn't restricted.

  1. In Wowza Streaming Engine Manager, click Applications at the top of the page and then select your application, such as live, in the contents panel.
  2. On the Setup tab of the application page, click Edit.


     
  3. Under Maximum Connections, select the Limit number of connections box and set a value.


     
  4. Click Save and then restart the application.
Note: Changing the maximum number of connections in the Wowza Streaming Engine application does not override the Server > Virtual Host Setup > Maximum Connections setting. If the server-level setting is also set, the lesser of the two values is used.

Secure incoming sources

For live applications, you can require authentication and/or control the IP addresses that the Wowza Streaming Engine application will accept.
 
  1. Click Applications at the top of the page and then select your application, such as live, in the contents panel.
  2. In the contents panel, click Source Security.

Note: To manage source credentials, you need to edit the server's Source Authentication settings. See Enable username/password authentication for RTMP/RTSP publishing to Wowza Streaming Engine.
  3. To change the settings, click Edit.
  4. Adjust any of the settings as needed.

RTMP Sources

  • Open (no authentication required) – Any RTMP encoder or Flash application enabled for publishing can publish to this application.
  • Require password authentication – (Default) All RTMP encoders or Flash applications enabled for publishing must authenticate to publish to this application. The FlashVer value sent from an encoder must match one of the values in the Flash Version String setting.
  • RTMP publishing not allowed – All attempts to publish from an RTMP encoder or Flash application enabled for publishing will be blocked.
Note: These settings only affect RTMP encoders that publish a stream to the server. They don't affect connections started with a Stream File.

RTSP Sources

  • Open (no authentication required) – Any RTSP encoder can publish to this application.
  • Require password authentication – (Default) All RTSP encoders must authenticate to publish to the application.
  • RTSP publishing not allowed – All attempts to publish from an RTSP encoder will be blocked.
Note: These settings only affect RTSP encoders that publish a stream to the server. They don't affect connections started with a Stream File.

Client Restrictions

This setting controls which IP addresses encoders can connect from. You can use a comma-separated list of addresses. The wildcard (*) character can be used, but it must replace a complete block of numbers and not a partial block. For example, 192.168.1.*, 10.*.*.* is valid but 123.2*.*.* is not.

  • No client restrictions – (Default) Client connections aren't restricted by IP address.
  • Only allow publishing from the following IP addresses – The IP addresses listed in the box are allowed to publish to the server after passing authentication. Connections from all other IP addresses are blocked from publishing.
  • Do NOT allow publishing from the following IP addresses – The IP addresses listed in the box are blocked from publishing. Other IP addresses are allowed to publish to the server after passing authentication.

Duplicate Stream Names

Select Reject a second stream with the same name that's published to this application to prevent a second encoder from publishing a stream with the same name as an existing stream.

Flash Version String

This setting is used to identify an RTMP source to the server. If not set, the following is used (Wowza Streaming Engine 4.6.0.02 and later):

Wirecast/|FME/|FMLE/|Wowza GoCoder*|Lavf/|UA Teradek/|KulaByte/|VidBlaster/|XSplit/|PESA|makitoX/

Most commercial encoders use one of the above values in their Flash Version String, so the default setting works most of the time.

To determine whether an RTMP connection is a source, its FlashVer value is compared with this setting to see whether it starts with one of the listed values.

VHost-level Flash version string

In Wowza Streaming Engine version 4.1.1 and later, you can add a property at the virtual host (VHost) level to enable the same custom Flash Version String setting for all applications.

  1. In Wowza Streaming Engine Manager, click the Server tab at the top of the page and then click Virtual Host Setup in the contents panel.
     
  2. In the Virtual Host Setup page, click the Properties tab and then click Custom in the Quick Links bar.
    Note: Access to the Properties tab in Wowza Streaming Engine Manager is limited to administrators with advanced permissions. For more information, see Manage credentials.
  3. In the Custom area, click Edit.
     
  4. Click Add Custom Property, specify the following custom property settings in the Add Custom Property dialog box and then click Add.
     
    • In Path, select /Root/VHost.
       
    • In Name, enter securityPublishValidEncoders.
       
    • In Type, select String.
       
    • In Value, enter Wirecast/|FME/|FMLE/|Wowza GoCoder*/|[myEncoderString]. The [myEncoderString] value is optional. You can replace this value with the Flash Version String for an additional RTMP source.
  5. In the Virtual Host Setup page, click Save and then restart the Server when prompted to apply the custom property.
Setting this custom property in the Virtual Host Setup page overwrites the default value. To define a per-application Flash Version String that will be used instead of the VHost-level value, configure the Flash Version String setting in the application's Source Security page.

  5. Click Save and then restart the application.
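
The Flash Version String check and its precedence (application setting, then the VHost-level property, then the default), as an added example that is not Wowza code. The function names and sample FlashVer strings are constructed; treating a trailing * as a wildcard and comparing case-sensitively are assumptions.

```python
# Default from this page (Wowza Streaming Engine 4.6.0.02 and later).
DEFAULT = ("Wirecast/|FME/|FMLE/|Wowza GoCoder*|Lavf/|UA Teradek/|"
           "KulaByte/|VidBlaster/|XSplit/|PESA|makitoX/")


def effective_setting(app_value=None, vhost_value=None):
    """Application setting wins over the VHost property, which replaces the default."""
    return app_value or vhost_value or DEFAULT


def prefixes(setting):
    """Split the pipe-separated setting into the prefixes compared with FlashVer."""
    out = []
    for entry in setting.split("|"):
        # Assumption: a trailing "*" is a wildcard, so it adds nothing to a prefix test.
        entry = entry.strip().rstrip("*")
        # Empty entries are dropped: an empty prefix would match every FlashVer value.
        if entry:
            out.append(entry)
    return out


def classify(flashver, app_value=None, vhost_value=None):
    """Return 'source' if FlashVer starts with a configured value, else 'player'."""
    setting = effective_setting(app_value, vhost_value)
    hit = any(flashver.startswith(p) for p in prefixes(setting))
    return "source" if hit else "player"


# Constructed FlashVer strings, for illustration only.
SAMPLES = ["FMLE/3.0 (compatible; FMSc/1.0)", "Lavf/58.29.100",
           "WIN 32,0,0,465", "MyEncoder/2.1"]

if __name__ == "__main__":
    for fv in SAMPLES:
        print(f"{fv!r}: default={classify(fv)}, "
              f"vhost={classify(fv, vhost_value='Wirecast/|MyEncoder/')}")
```

A connection classified as a source here is the case in which playback security settings are ignored, so a custom list is best kept to the encoders that actually publish to the server.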

Playback security options


Playback security options apply to both live and VOD applications.

  1. Click Applications at the top of the page and then select your application, such as live, in the contents panel.
  2. In the contents panel, click Playback Security.

The default settings don't restrict any playback connections.

  3. To change the settings, click Edit.

  4. Adjust the settings as needed.
Note: Playback security settings are ignored if the connection FlashVer matches the Flash Version String setting on the Source Security page. The connection will be identified as a source and not a player.

Require Secure Connection – With this setting enabled, all RTMP players must use a secure protocol (for example, RTMPS).

SecureToken – This setting specifies that a private security token must be exchanged between the application and clients. Select a SecureToken option and then either enter a string of alphanumeric characters in the Shared Secret box or click Generate SecureToken Shared Secret to create a random private shared secret. This value must be used by all connections that play streams from this application. If a connection's value doesn't match or isn't set, the player connection is rejected.

In Wowza Streaming Engine 4.1.0 and later, you can select Protect all protocols using hash (SecureToken version 2) to use SecureToken playback protection for all streaming protocols, with a hash algorithm generating the security token. For backward compatibility with Flash-based players, you can instead use SecureToken playback protection for RTMP streams with the Tiny Encryption Algorithm (TEA). For details, see Protect streaming using SecureToken in Wowza Streaming Engine.

Client Restrictions – This setting enables you to control which IP addresses players can connect from. You can use a comma-separated list of addresses. The wildcard (*) character can be used, but it must replace a complete block of numbers and not a partial block. For example, 192.168.1.*, 10.*.*.* is valid but 123.2*.*.* is not.

  • No client restrictions – (Default) Client connections aren't restricted by IP address.
  • Only allow playback from the following IP addresses – The IP addresses listed in the box are allowed to connect. All other IP addresses will be blocked.
  • Do NOT allow playback from the following IP addresses – The IP addresses listed in the box are blocked from connecting. All other IP addresses are allowed.
  5. Click Save and then restart the application.
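
The Client Restrictions rules for sources and players, as an added example that is not Wowza code: it validates a comma-separated value (a wildcard must replace a complete block) and evaluates the allow and deny options for a client address. The mode labels none, allow and deny, the function names and the IPv4-only handling are assumptions made for the illustration.

```python
import ipaddress


def check_entry(entry):
    """Return None if entry is a well-formed pattern, else a reason string."""
    blocks = entry.split(".")
    if len(blocks) != 4:
        return "expected four dot-separated blocks"
    for block in blocks:
        if block == "*":
            continue  # wildcard replacing a complete block
        if not (block.isascii() and block.isdigit() and int(block) <= 255):
            return f"invalid block {block!r} (partial wildcards are not allowed)"
    return None


def lint(setting):
    """Split a comma-separated value into (valid_patterns, rejected) lists."""
    valid, rejected = [], []
    for entry in (e.strip() for e in setting.split(",")):
        if not entry:
            continue
        reason = check_entry(entry)
        if reason is None:
            valid.append(entry)
        else:
            rejected.append((entry, reason))
    return valid, rejected


def matches(pattern, client_ip):
    """Compare an IPv4 address with one pattern, block by block."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return all(p == "*" or int(p) == int(o)
               for p, o in zip(pattern.split("."), octets))


def decide(mode, setting, client_ip):
    """mode is a hypothetical label for the three options: 'none', 'allow', 'deny'."""
    if mode == "none":
        return True
    valid, rejected = lint(setting)
    if rejected:
        raise ValueError(f"fix these entries first: {rejected}")
    hit = any(matches(p, client_ip) for p in valid)
    return hit if mode == "allow" else not hit


# Constructed sample values; GOOD and BAD reuse the page's own examples.
GOOD = "192.168.1.*, 10.*.*.*"
BAD = "123.2*.*.*"
```

For sources, a connection that passes this check must still pass authentication before it can publish.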

Custom properties


This section describes the custom properties that can be used by advanced users to configure security. For details about how to configure custom properties, see Configure properties.

Note: Access to the Properties tab in Wowza Streaming Engine Manager is limited to administrators with advanced permissions. For more information, see Manage credentials.

SecureToken target

Use the securitySecureTokenTarget property to define which types of operations are controlled if SecureToken is enabled.

Path: Root/Application
Name: securitySecureTokenTarget
Type: String
Value: play,publish,create

If the Value is empty, the token is checked during the connect phase of the RTMP connection instead of during individual operations. The setting is a comma-separated list of operations and can have any of the following values:

  • play – All RTMP connections that try to play a stream require a valid security token.
  • publish – All RTMP connections that try to publish a stream require a valid security token.
  • create – All RTMP connections that try to create a stream require a valid security token.
Note: This property isn't used if the connection has a valid Flash Version String.

Custom password file location

Use the securityPublishPasswordFile property to define a custom location for the publish.password file that's used to authenticate RTMP-based and RTSP-based source connections to the application.

Path: Root/Application
Name: securityPublishPasswordFile
Type: String
Value: ${com.wowza.wms.context.VHostConfigHome}/conf/${com.wowza.wms.context.Application}/publish.password

The default setting for authenticating sources is to use the [install-dir]/conf/publish.password file. This file is written to by Wowza Streaming Engine Manager when you use the Server > Source Authentication page to add or edit source credentials.

When you define a custom securityPublishPasswordFile location, the default publish.password file isn't used and you must manage your own password files for the application.

Note: You can specify custom locations for the publish.password file using the rtmpEncoderAuthenticateFile property (for RTMP-based sources) or rtspEncoderAuthenticateFile property (for RTSP-based sources). Wowza Streaming Engine 4.1 software will first check to see if the securityPublishPasswordFile property is set. If it's not set, it will then check to see if these alternate properties are set.

If you're running Wowza Streaming Engine 4.0, you must use the securityPublishPasswordFile property to authenticate RTMP-based sources and the rtspEncoderAuthenticateFile property to authenticate RTSP-based sources using publish.password in a custom location.

For details about how to configure these alternate properties, see Enable username/password authentication for RTMP/RTSP publishing to Wowza Streaming Engine.

Wowza Media Server security reference


This section provides a list of the modules and plugins in Wowza Media Server™ software (version 3.6 and earlier) that are replaced in Wowza Streaming Engine.
 
Note: If you use a Wowza Media Server Application.xml file to configure an application in Wowza Streaming Engine, you should remove these modules and their properties from the Application.xml file and configure their equivalent settings in Wowza Streaming Engine Manager. Not doing so could have unexpected results.
com.wowza.wms.security.ModuleSecureToken
"secureTokenSharedSecret" --> Playback Security: SecureToken
"requireSecureConnection" --> Playback Security: Options - Require Secure Connection
"secureTokenTarget" --> Custom Property: "securitySecureTokenTarget"

com.wowza.wms.security.ModuleRTMPAuthenticate.ModuleRTMPAuthenticate
"rtmpEncoderAuthenticationFlashVersions" --> Source Security: Flash Version String
"requireSecureConnection" --> Playback Security: Options - Require Secure Connection
"secureTokenSharedSecret" --> Playback Security: SecureToken
"usernamePasswordProviderClass" --> Custom Property: "securityPublishUsernamePasswordProviderClass"
"rtmpEncoderAuthenticateFile" --> Custom Property: "securityPublishPasswordFile"

com.wowza.wms.plugin.collection.module.ModuleLimitConnectionsToApplication
com.wowza.wms.plugin.collection.modules.ModuleLimitConnectionsToApplication
"maxApplicationConnections" --> Application: Maximum Connections

com.wowza.wms.plugin.collection.module.ModuleOverridePlayRestrictIP
"IpList" --> Playback Security: Client Restrictions

com.wowza.wms.plugin.collection.module.ModuleOverridePlayBlackListIP
"IpList" --> Playback Security: Client Restrictions

com.wowza.wms.plugin.collection.module.ModuleOverridePublishRestrictIP
"IpList" --> Source Security: Client Restrictions

com.wowza.wms.plugin.collection.module.ModuleRequireSecureConnection
com.wowza.wms.plugin.collection.modules.ModuleRequireSecureConnection
com.wowza.wms.security.ModuleRequireSecureConnection
Playback Security: Options - Require Secure Connection
"AllowEncoder" --> Source Security: Flash Version String

com.wowza.wms.plugin.collection.module.ModuleNoDuplicatePublishStreamname
com.wowza.wms.plugin.collection.module.ModuleBlockDuplicateStreamNames
com.wowza.wms.plugin.collection.module.ModuleOverrideReleaseStream
Source Security: Duplicate Stream Names