Get SSL certificates from the Wowza Streaming Engine StreamLock service

Wowza StreamLock™ AddOn is a security option for network encryption that provides near-instant provisioning of free 2048-bit Secure Sockets Layer (SSL) certificates for use with Wowza Streaming Engine™ media server software. StreamLock-provisioned SSL certificates provide the best security when used with RTMP and they can also be used for secure HTTP streaming (HTTPS).

Note: Wowza StreamLock is available to Subscription and Perpetual licensees running Wowza Streaming Engine or Wowza Media Server™ 3.x. It's not available for Trial and Developer editions of the software. RTMPS using your own SSL certificate is available to all licensees.

Setup


If you don't have an account, sign up for a Wowza account, and then apply for StreamLock SSL certificates on the StreamLock tab on your Account Management page.

If you already have a Wowza account to manage your Subscription license for the server software, you don't need to set up a separate StreamLock account. See Log in with your Subscription account credentials.

Managing your StreamLock certificates


Log in with your StreamLock account credentials

If you already have a StreamLock account, in a web browser, log in to the StreamLock tab for your Wowza account. Enter your account information (email address and password) that you used when you created your StreamLock account.

Note: Be sure to click Yes for the option that asks if you already have an account.

Log in with your Subscription account credentials

If you already have a Wowza Streaming Engine Subscription license, you don't need to create a StreamLock account. Instead, you can use the same account credentials that you use to log in and manage your Subscription account on the Account Management page.

On the StreamLock tab, enter the email address and password associated with your Subscription account. If you don't know this information, contact billing@wowza.com.

Notes:
  • Be sure to click Yes for the option that asks if you have an account.
     
  • If you have a StreamLock account and a Subscription license for Wowza Streaming Engine, you must log in using your Subscription account credentials.

Request and download a StreamLock certificate

After you log in, you'll be presented with a form to apply for an SSL certificate. If there are any SSL certificates already associated with your license keys, they'll be listed in a table on the webpage. The certificate table provides detailed information about each certificate including the StreamLock hostname, when it was issued, and who it's registered to. If your license key has been allocated the maximum number of SSL certificates (2 for Subscription, 1 for Perpetual), contact billing@wowza.com.

To request and download a StreamLock certificate, do the following:

  1. Enter a qualified license key in the License Key box.
     
  2. Enter the IP address for the certificate in the IP Address box.
     
  3. Enter a unique password in the Certificate Password field and re-enter the password in the Confirm Password field. Be sure to remember the certificate password that you enter as you'll use it for the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. (See Configure a host port to use the StreamLock certificate.)
     
  4. Click Apply for SSL Certificate. After the certificate is created, the webpage displays a message that the certificate was created and the certificate is highlighted in bold in the My SSL certificates table.
     
  5. To download the certificate, click download certificate for each certificate that you want to download.

Notes:
  • In the My SSL certificates table, be sure to note the StreamLock hostname value for the certificate under Hostname. You'll use it when you configure client applications to connect to Wowza Streaming Engine over an SSL connection (RTMPS or HTTPS).
     
  • If an error occurs when you're requesting the certificate, follow the instructions on the page. If you still have problems acquiring a certificate, contact billing@wowza.com.

Change the StreamLock certificate password

You must use the unique password that you create for an installed certificate as the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. If you forget the password value, you can change it in the Certificate Management webpage. After you do this, you must download a new certificate associated with the new password, install the new certificate (see Install your StreamLock certificate), and then reconfigure the host port to use it (see Configure a host port to use the StreamLock certificate).

To change the certificate password, do the following:

  1. Log in to your StreamLock account using your StreamLock account credentials or your Subscription account credentials. If you have both accounts, you must log in using your Subscription account credentials.
     
  2. In the My SSL certificates table, under Certificate Information, click Change certificate password for the certificate.
     
  3. Enter a new unique password for the certificate in both boxes. You must enter the same password in both boxes.
     
  4. Click OK. Updates are effective immediately.

Change the server IP address

To change the IP address of the Wowza Streaming Engine instance that's associated with your StreamLock certificate, do the following:

  1. Log in to your StreamLock account.
     
  2. In the My SSL certificates table, under IP Address, click Change next to the IP address that you want to change.
     
  3. Enter the new IP address, and then click OK. Updates are effective immediately.

Renew an expiring StreamLock certificate

StreamLock certificates are valid for 365 days and are eligible for renewal within 28 days of expiring. To renew an existing certificate, do the following:

  1. Log in to your StreamLock account.
  2. On the StreamLock tab, scroll down to the My SSL Certificates section.
  3. Find the appropriate hostname entry, and click Renew. If no option to renew is visible, your certificate does not require renewal yet.

Note: We highly recommend that you install the new certificate on the applicable server immediately to avoid interruption of streaming from that server when the old certificate expires.

Configuring Wowza Streaming Engine to use your StreamLock certificate


Install your StreamLock certificate

Copy the downloaded certificate (.jks) file to the [install-dir]/conf folder on your Wowza Streaming Engine host.

Configure a host port to use the StreamLock certificate for Wowza Streaming Engine

Note: If you upgrade your Wowza Media Server to Wowza Streaming Engine, you can migrate your existing StreamLock certificates to the new software and configure them with these instructions.

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup in the contents panel.

  2. In the Virtual Host Setup page, click Edit.
     
  3. Scroll down to the Host Ports settings area and click Add Host Port.

     
  4. In the Add a new host port dialog box, enter the following data, and then click Add:
     
    • Name: Enter StreamLock (or any other custom name).
       
    • Type: Select Streaming.
       
    • IP Address: Enter the wildcard character (*). A wildcard (*) allows listening for traffic on all network interfaces. You can specify the IP address of a specific network interface, which will limit traffic to the specified interface.
       
    • Port(s): Enter 443.
       
    • Select the Enable SSL/StreamLock option, and then enter the directory path to your StreamLock certificate in Keystore Path and the StreamLock certificate password in Keystore Password.

     
    Notes:
    • These instructions specify placing the downloaded StreamLock certificate in the default Wowza Streaming Engine [install-dir]/conf folder. This is the default directory path:

      ${com.wowza.wms.context.VHostConfigHome}/conf


       
    • The StreamLock certificate password is the password that you entered and applied to the StreamLock certificate when it was created or modified at Wowza.com.
  5. Click Save.


     
  6. Restart the virtual host (VHost) when prompted to apply the changes.
     

Configuring secure RTMP playback


When using SSL certificates provisioned by Wowza StreamLock, RTMP-based players must be configured to connect to Wowza Streaming Engine over an SSL connection. If a player encounters a URL with an RTMPS URL prefix (rtmps://) and it's not configured correctly, the connection may fail and the player may fall back to use the RTMPT protocol (RTMP tunneling via HTTP) over SSL (RTMPTS). RTMPTS is much less efficient than RTMPS and can cause Wowza Streaming Engine to consume a lot of the computer's CPU resources. For this reason, it's important to properly configure client applications to connect to Wowza Streaming Engine using RTMPS.

Adobe Flash Player

To configure Adobe Flash Player applications to connect to Wowza Streaming Engine using RTMPS, you must set the NetConnection.proxyType property to "best" before calling NetConnection.connect([url]). The following example shows how to do this:
var nc:NetConnection = new NetConnection();
nc.proxyType = "best";
nc.connect("rtmps://[hostname]/[application]");

[hostname] is the StreamLock hostname ([StreamLockID].streamlock.net) and [application] is the name of your application (for example, live). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

The above code example enables a Flash Player that encounters an RTMPS URI to communicate securely with Wowza Streaming Engine over port 443. If you configure any port other than 443 as secure (for example, port 1935), the client must specify the port in the URI. For example:

var nc:NetConnection = new NetConnection();
nc.proxyType = "best";
nc.connect("rtmps://[hostname]:1935/[application]");

Note: If the player can't make a direct connection to the server over the default port (443) or another port that you specify, and if a proxy server is in place, the player tries to use the CONNECT method. If that attempt fails, the player tunnels over HTTPS. Some users have reported problems with certain browsers not being able to make this switch. If you continue to experience problems, consult your player documentation. If you're using Adobe Flash Player, see the proxyType property reference for more information about the different proxy types.

Playback

To test RTMPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashRTMPPlayer/player.html, enter the information below, and then click Connect or Start.

Server: rtmps://[hostname]/vod
Stream: mp4:sample.mp4

Flowplayer

Flowplayer is an open source Flash-based player. To configure Flowplayer applications to connect to Wowza Streaming Engine using RTMPS, do the following:
 
  1. Download Flowplayer Flash and extract the contents from the downloaded compressed (zipped) file.
     
  2. Download the RTMP Streaming Plugin (.swf) and copy it to the unzipped Flowplayer folder. (Be sure to copy it to the inner flowplayer folder that contains the flowplayer-3.x.x.swf file.)
     
  3. Edit the flowplayer/example/index.html file in the root directory of the unzipped archive, and make the following changes to the <script> section to enable RTMPS playback for either video on-demand or live streaming:

    Video-on-demand streaming

    Change:

    <script>
        flowplayer("player", "../flowplayer-3.2.15.swf");
    </script>

    To:

    <script type="text/javascript">
        flowplayer("player", "../flowplayer-3.2.15.swf",
            {
                clip: {
                    url: 'mp4:sample.mp4',
                    provider: 'rtmp'
                },
                plugins: {
                    rtmp: {
                        url: '../flowplayer.rtmp-3.2.11.swf',
                        proxyType: 'best',
                        netConnectionUrl: 'rtmps://[hostname]/[application]'
                    }
                }
            }
        );
    </script>
    • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.
       
    • clip: url is the name of the sample video that ships with Wowza Streaming Engine (mp4:sample.mp4).
       
    • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.
       
    • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.
       
    • plugins: netConnectionUrl is the RTMPS URI to a video on-demand application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)

    Live streaming

    Change:

    <script>
        flowplayer("player", "../flowplayer-3.2.15.swf");
    </script>

    To:

    <script type="text/javascript">
        flowplayer("player", "../flowplayer-3.2.15.swf",
            {
                clip: {
                    url: 'myStream',
                    live: true,
                    provider: 'rtmp'
                },
                plugins: {
                    rtmp: {
                        url: '../flowplayer.rtmp-3.2.11.swf',
                        proxyType: 'best',
                        netConnectionUrl: 'rtmps://[hostname]/[application]'
                    }
                }
            }
        );
    </script>
    • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.
       
    • clip: url is the stream name of the live stream (myStream).
       
    • clip: live is set to true. This property setting enables Flowplayer to stream live video data from an RTMP streaming server.
       
    • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.
       
    • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.
       
    • plugins: netConnectionUrl is the RTMPS URI to a live application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)
Notes:
  • You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).
     
  • If you configure any port other than 443 as secure (for example, port 1935), you must include the port value in the netConnectionUrl property value. For example:
    netConnectionUrl: 'rtmps://[hostname]:1935/[application]'

Playback

To test RTMPS playback using Flowplayer, copy the flowplayer folder to a web server and then open the following URL in a web browser:
 
http://[web-server-address]/flowplayer/example/index.html

JW Player

To configure JW Player applications to connect to Wowza Streaming Engine using RTMPS, see Use JW Player with Wowza Streaming Engine.

Configuring secure HTTP playback


You can use your StreamLock SSL certificate for secure HTTP (HTTPS) streaming using the Adobe HDS protocol to Adobe Flash Player and Microsoft Smooth Streaming protocol to Microsoft Silverlight.

Adobe Flash Player

Using a text editor, edit [install-dir]/conf/crossdomain.xml and change the <allow-access-from> line to <allow-access-from domain="*" secure="false" />. The modified contents should look like the following:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

Playback

To test HTTPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashHTTPPlayer/player.html, enter the information below, and then click Connect or Start.
 
Stream: https://[hostname]/vod/mp4:sample.mp4/manifest.f4m

[hostname] is the StreamLock hostname ([StreamLockID].streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

Microsoft Silverlight

Using a text editor, edit the <domain uri> values in the [install-dir]/conf/clientaccesspolicy.xml file. The modified content should look like the following:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
        <domain uri="https://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
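
Both policy files shown above use wildcard grants, so it is useful to list exactly what a deployed copy allows before and after editing it. The following Python audit is an added example, not Wowza code: the function names and the finding tuples are this example's own, and the two sample documents are copied from the listings above.

```python
import xml.etree.ElementTree as ET

# Copied from the crossdomain.xml listing on this page.
CROSSDOMAIN = b"""<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>"""

# Copied from the clientaccesspolicy.xml listing on this page.
CLIENTACCESS = b"""<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*">
    <domain uri="http://*"/>
    <domain uri="https://*"/>
  </allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def audit_crossdomain(data):
    """Return (element, attribute, value) findings for a Flash crossdomain.xml."""
    findings = []
    root = ET.fromstring(data)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if "*" in domain:  # "*" or "*.example.com": any wildcard is reported
            findings.append(("allow-access-from", "domain", domain))
        # secure defaults to true; false lets content loaded over HTTP read HTTPS responses
        if el.get("secure", "true").lower() == "false":
            findings.append(("allow-access-from", "secure", "false"))
    for el in root.iter("site-control"):
        value = el.get("permitted-cross-domain-policies", "")
        if value == "all":  # any policy file on the host is honoured
            findings.append(("site-control", "permitted-cross-domain-policies", value))
    return findings


def audit_clientaccess(data):
    """Return findings for a Silverlight clientaccesspolicy.xml."""
    findings = []
    root = ET.fromstring(data)
    for allow in root.iter("allow-from"):
        if allow.get("http-request-headers") == "*":
            findings.append(("allow-from", "http-request-headers", "*"))
        for dom in allow.iter("domain"):
            uri = dom.get("uri", "")
            if uri == "*" or uri.endswith("://*"):  # every origin for that scheme
                findings.append(("domain", "uri", uri))
    for res in root.iter("resource"):
        if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
            findings.append(("resource", "path", "/"))  # whole site is granted
    return findings


def audit_file(path):
    """Pick the right audit from the document's root element."""
    with open(path, "rb") as fh:
        data = fh.read()
    is_flash = ET.fromstring(data).tag == "cross-domain-policy"
    return audit_crossdomain(data) if is_flash else audit_clientaccess(data)
```

Run `audit_file()` against the copies in [install-dir]/conf; an empty list means no wildcard or non-secure grant was found.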

Playback

To test HTTPS playback using Microsoft Silverlight, double-click [install-dir]/examples/VideoOnDemandStreaming/SilverlightPlayer/player.html, enter the URL below, and then click Connect or Start.
 
Stream: https://[hostname]/vod/mp4:sample.mp4/Manifest

[hostname] is the StreamLock hostname ([StreamLockID].streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

Troubleshooting StreamLock-provisioned SSL certificates


SSL connections

Use the following OpenSSL commands to test your Wowza Streaming Engine server's SSL connection, where [client-id].streamlock.net is the server's full DNS name:

To test the SSL connection to the server:

openssl s_client -connect [client-id].streamlock.net:443

To test the SSL connection and display the certificates:

openssl s_client -showcerts -connect [client-id].streamlock.net:443

Hostname substitution

When you configure player applications to establish a secure connection to Wowza Streaming Engine, and you substitute the hostname for your domain in place of the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following security alert:
 
The certificate you are viewing does not match the name of the site you are trying to view.

StreamLock SSL certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]). For more information about how to do this, see Configuring secure RTMP (RTMPS) streaming playback.

If you must use your own domain name in [hostname], then you must create your own SSL certificate. For more information about how to do this, see Create a self-signed SSL certificate for Wowza Streaming Engine.
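
The connection test, the hostname-mismatch alert, and the 28-day renewal window from Renew an expiring StreamLock certificate can be checked together. The following Python script is an added example, not Wowza code: the function names are this example's own, the sample certificate is constructed, and the certificate dictionary has the shape that `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=28)  # renewal eligibility window stated on this page

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "0123456789ab.streamlock.net"),),
    "notAfter": "Jun 30 12:00:00 2030 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate, as `openssl s_client -connect` does."""
    ctx = ssl.create_default_context()  # the chain is still verified
    ctx.check_hostname = False  # names are compared in covers() so a mismatch can be reported
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS entries of subjectAltName, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def covers(cert, hostname):
    """True if hostname matches a certificate name; '*' stands for one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def renewal_status(cert, now=None):
    """'expired', 'renew' (inside the 28-day window) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        return "expired"
    return "renew" if not_after - now <= RENEWAL_WINDOW else "ok"


def report(cert, url_host, now=None):
    """Summarise whether url_host is covered and where the certificate is in its lifetime."""
    return {"names": dns_names(cert), "name_ok": covers(cert, url_host),
            "renewal": renewal_status(cert, now)}


def diagnose(url_host, port=443):
    """Live check of the hostname that a player URL uses."""
    try:
        cert = fetch_peer_cert(url_host, port)
    except socket.gaierror:
        return {"error": "dns"}  # the same symptom the nslookup test exposes
    except ssl.SSLCertVerificationError as exc:
        return {"error": "chain", "detail": exc.verify_message}
    return report(cert, url_host)
```

A result with `name_ok` set to False for the hostname in your player URL corresponds to the security alert quoted above.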

Unable to connect to streamlock.net

If one or more clients report that they can't connect using a StreamLock certificate configuration, while the majority of clients don't have this problem, this is more than likely a problem with the DNS server on the client side.

For a StreamLock certificate to function properly, the client must be able to access the streamlock.net domain. In some cases, the DNS configuration associated with the client doesn't provide a record for streamlock.net, which prevents a successful connection. You can confirm this by issuing an nslookup command from the client computer using a command line:
 
nslookup [client-id].streamlock.net

If the nslookup command doesn't return a response that includes the Wowza Streaming Engine server's IP address, this is evidence of a DNS problem.
 
Note: Depending on your firewall settings, you might also be able to test this by issuing a ping command from the client computer using a command line:
 
ping streamlock.net

If the ping command doesn't return a response, this is evidence of a DNS problem.

Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, Wowza has no control over DNS propagation in the public domain, especially when it comes to privately managed DNS servers. As a test and workaround, we suggest using an alternative DNS configuration if a client can't connect.
