Get SSL certificates from the Wowza Streaming Engine StreamLock service

Wowza StreamLock™ service is a security option for network encryption that provides near-instant provisioning of free 2048-bit Secure Sockets Layer (SSL) certificates for use with Wowza Streaming Engine™ media server software. StreamLock-provisioned SSL certificates provide the best security when used with RTMP and they can also be used for secure HTTP streaming (HTTPS).

Note: Wowza StreamLock certificates are available to users with Subscription, Perpetual, or Developer licenses for Wowza Streaming Engine. Alternatively, using your own SSL certificate is available to all Wowza Streaming Engine licenses, including Trials.

Setup


If you don't have an account, sign up for a Wowza account, and then apply for StreamLock SSL certificates on the StreamLock tab on your Account Management page.

If you already have a Wowza account to manage your Subscription license for the server software, you don't need to set up a separate StreamLock account. See Log in with your Subscription account credentials.

Request and download a StreamLock certificate

After you log in, you'll be presented with a form to apply for an SSL certificate. If there are any SSL certificates already associated with your license keys, they'll be listed in a table on the webpage. The certificate table provides detailed information about each certificate including the StreamLock hostname, when it was issued, and who it's registered to. If your license key has been allocated the maximum number of SSL certificates (2 for Subscription, 1 for Perpetual, 1 for Developer), contact Customer Service.

To request and download a StreamLock certificate, do the following:

  1. Enter a qualified license key in the License Key box.
     
  2. Enter the IP address for the certificate in the IP Address box.
     
  3. Enter a unique password in the Certificate Password field and re-enter the password in the Confirm Password field. Be sure to remember the certificate password that you enter as you'll use it for the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. (See Configure a host port to use the StreamLock certificate.)
     
  4. Click Apply for SSL Certificate. It may take up to an hour for your certificate to become available for download.
    After the certificate is created, the webpage displays a message that the certificate was created and the certificate is highlighted in bold in the My SSL certificates table.
     
  5. To download the certificate, click download certificate for each certificate that you want to download.  
Notes:
  • In the My SSL certificates table, be sure to note the StreamLock hostname value for the certificate under Hostname. You'll use it when you configure client applications to connect to Wowza Streaming Engine over an SSL connection (RTMPS or HTTPS).
     
  • If an error occurs when you're requesting the certificate, follow the instructions on the page. If you still have problems acquiring a certificate, contact Customer Service.

Configuring Wowza Streaming Engine to use your StreamLock certificate


Install your StreamLock certificate

Copy the downloaded certificate (.jks) file to the [install-dir]/conf folder on your Wowza Streaming Engine host.

Configure a host port to use the StreamLock certificate for Wowza Streaming Engine

Note: If you upgrade your Wowza Media Server to Wowza Streaming Engine, you can migrate your existing StreamLock certificates to the new software and configure them with these instructions.

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup in the contents panel.


     
  2. In the Virtual Host Setup page, click Edit.
     
  3. Scroll down to Host Ports settings area and click Add Host Port.

     
  4. In the Add a new host port dialog box, enter the following data, and then click Add:
     
    • Name – Enter StreamLock (or any other custom name).
       
    • Type – Select Streaming.
       
    • IP Address – Enter the wildcard character (*). A wildcard (*) allows listening for traffic on all network interfaces. You can specify the IP address of a specific network interface, which will limit traffic to the specified interface.
       
    • Port(s) – Enter 443.
       
    • Select Enable SSL/StreamLock, and then do the following:
      • Keystore Path – Specify the location of your StreamLock certificate (.jks file). If your StreamLock certificate is in the [install-dir]/conf directory, as described above, enter ${com.wowza.wms.context.VHostConfigHome}/conf/[name].streamlock.net.jks, where [name] is replaced with the name of your StreamLock certificate. Note that the path can't contain less-than (<), greater-than (>), quotation (' and "), backslash (\), pipe (|), question mark (?), and asterisk (*) characters.
      • Keystore password – Enter the StreamLock certificate password. 
      • Use WebRTC - (Wowza Streaming Engine 4.8.5 and later) Select this setting to enable the host port to support WebRTC signaling. After enabling the host port for WebRTC, use the Applications tab and WebRTC page to configure your application to ingest and play WebRTC streams.


    Notes:
    • These instructions specify placing the downloaded StreamLock certificate in the default Wowza Streaming Engine [install-dir]/conf folder, where [install-dir] is the full path of your Wowza Streaming Engine installation.

       
    • The StreamLock certificate password is the password that you entered and applied to the StreamLock certificate when it was created or modified at Wowza.com.
  5. Click Save.


     
  6. Restart the virtual host (VHost) when prompted to apply the changes.
     

Configuring secure RTMP playback


When using SSL certificates provisioned by Wowza StreamLock, RTMP-based players must be configured to connect to Wowza Streaming Engine over an SSL connection. If a player encounters a URL with an RTMPS URL prefix (rtmps://) and it's not configured correctly, the connection may fail and the player may fall back to use the RTMPT protocol (RTMP tunneling via HTTP) over SSL (RTMPTS). RTMPTS is much less efficient than RTMPS and can cause Wowza Streaming Engine to consume a lot of the computer's CPU resources. For this reason, it's important to properly configure client applications to connect to Wowza Streaming Engine using RTMPS.

Adobe Flash Player

To configure Adobe Flash Player applications to connect to Wowza Streaming Engine using RTMPS, you must set the NetConnection.proxyType property to "best" before calling NetConnection.connect([url]). The following example shows how to do this:

var nc:NetConnection = new NetConnection();
nc.proxyType = "best";
nc.connect("rtmps://[hostname]/[application]");

[hostname] is the StreamLock hostname ([StreamLockID].streamlock.net) and [application] is the name of your application (for example, live). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

The above code example enables a Flash Player that encounters an RTMPS URI to communicate securely with Wowza Streaming Engine over port 443. If you configure any port other than 443 as secure (for example, port 1935), the client must specify the port in the URI. For example:

var nc:NetConnection = new NetConnection();
nc.proxyType = "best";
nc.connect("rtmps://[hostname]:1935/[application]");

Note: If the player can't make a direct connection to the server over the default port (443) or another port that you specify, and if a proxy server is in place, the player tries to use the CONNECT method. If that attempt fails, the player tunnels over HTTPS. Some users have reported problems with certain browsers not being able to make this switch. If you continue to experience problems, consult your player documentation. If you're using Adobe Flash Player, see the proxyType property reference for more information about the different proxy types.

Playback

To test RTMPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashRTMPPlayer/player.html, enter the information below, and then click Connect or Start.

Server: rtmps://[hostname]/vod
Stream: mp4:sample.mp4

Flowplayer

Flowplayer is an open source Flash-based player. To configure Flowplayer applications to connect to Wowza Streaming Engine using RTMPS, do the following:
 
  1. Download Flowplayer Flash and extract the contents from the downloaded compressed (zipped) file.
     
  2. Download the RTMP Streaming Plugin (.swf) and copy it to the unzipped Flowplayer folder. (Be sure to copy it to the inner flowplayer folder that contains the flowplayer-3.x.x.swf file.)
     
  3. Edit the flowplayer/example/index.html file in the root directory of the unzipped archive, and make the following changes to the <script> section to enable RTMPS playback for either video on-demand or live streaming:

    Video-on-demand streaming

    Change:

    <script>
    flowplayer("player", "../flowplayer-3.2.15.swf");
    </script>

    To:

    <script type="text/javascript">
      flowplayer("player", "../flowplayer-3.2.15.swf",
        {
          clip: {
            url: 'mp4:sample.mp4',
            provider: 'rtmp'
          },
          plugins: {
            rtmp: {
              url: '../flowplayer.rtmp-3.2.11.swf',
              proxyType: 'best',
              netConnectionUrl: 'rtmps://[hostname]/[application]'
            }
          }
        }
      );
    </script>

    Live streaming

    Change:

    <script>
    flowplayer("player", "../flowplayer-3.2.15.swf");
    </script>

    To:

    <script type="text/javascript">
      flowplayer("player", "../flowplayer-3.2.15.swf",
        {
          clip: {
            url: 'myStream',
            live: true,
            provider: 'rtmp'
          },
          plugins: {
            rtmp: {
              url: '../flowplayer.rtmp-3.2.11.swf',
              proxyType: 'best',
              netConnectionUrl: 'rtmps://[hostname]/[application]'
            }
          }
        }
      );
    </script>

Where, for video-on-demand streaming:

  • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.

  • clip: url is the name of the sample video that ships with Wowza Streaming Engine (mp4:sample.mp4).

  • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.

  • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.

  • plugins: netConnectionUrl is the RTMPS URI to a video on-demand application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)

Where, for live streaming:

  • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.
     
  • clip: url is the stream name of the live stream (myStream).
     
  • clip: live is set to true. This property setting enables Flowplayer to stream live video data from an RTMP streaming server.
     
  • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.
     
  • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.
     
  • plugins: netConnectionUrl is the RTMPS URI to a live application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)
Notes:
  • You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).
     
  • If you configure any port other than 443 as secure (for example, port 1935), you must include the port value in the netConnectionUrl property value. For example:
    netConnectionUrl: 'rtmps://[hostname]:1935/[application]'

Playback

To test RTMPS playback using Flowplayer, copy the flowplayer folder to a web server and then open the following URL in a web browser:
 
http://[web-server-address]/flowplayer/example/index.html

JW Player

To configure JW Player applications to connect to Wowza Streaming Engine using RTMPS, see Use JW Player with Wowza Streaming Engine.

Configuring secure HTTP playback


You can use your StreamLock SSL certificate for secure HTTP (HTTPS) streaming using the Adobe HDS protocol to Adobe Flash Player and Microsoft Smooth Streaming protocol to Microsoft Silverlight.

Adobe Flash Player

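Using a text editor, edit [install-dir]/conf/crossdomain.xml and change the <allow-access-from> line to <allow-access-from domain="*" secure="false" />. With domain="*", a player hosted on any domain can load content from this server, and secure="false" extends that to players that were themselves loaded over plain HTTP. The modified contents should look like the following: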

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

Playback

To test HTTPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashHTTPPlayer/player.html, enter the URL below, and then click Connect or Start.
 
https://[hostname]/vod/mp4:sample.mp4/manifest.f4m

[hostname] is the StreamLock hostname ([StreamLockID].streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

Microsoft Silverlight

Using a text editor, edit the <domain uri> values in the [install-dir]/conf/clientaccesspolicy.xml file. The modified content should look like the following:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="http://*"/>
                <domain uri="https://*"/>
            </allow-from>
            <grant-to>
                <resource path="/" include-subpaths="true"/>
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>

Playback

To test HTTPS playback using Microsoft Silverlight, double-click [install-dir]/examples/VideoOnDemandStreaming/SilverlightPlayer/player.html, enter the URL below, and then click Connect or Start.

https://[hostname]/vod/mp4:sample.mp4/Manifest

[hostname] is the StreamLock hostname ([StreamLockID].streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).
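
The following Python sketch is an added example, not Wowza code: it lists what the crossdomain.xml and clientaccesspolicy.xml shown in the two HTTPS playback sections above grant, which is useful when you later narrow them to the hosts that actually serve your player. The restricted policy and the host name player.example.com are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Policies from the page (XML declaration/DOCTYPE dropped, whitespace condensed).
PAGE_CROSSDOMAIN = b"""<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>"""
PAGE_CLIENTACCESS = b"""<access-policy><cross-domain-access><policy>
    <allow-from http-request-headers="*">
        <domain uri="http://*"/><domain uri="https://*"/>
    </allow-from>
    <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""
# Constructed sample: player.example.com is a hypothetical HTTPS player host.
RESTRICTED_CROSSDOMAIN = b"""<cross-domain-policy>
    <allow-access-from domain="player.example.com" secure="true" />
    <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>"""

def audit_crossdomain(xml_bytes):
    """Return one finding per broad grant in a Flash crossdomain.xml."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if "*" in domain:
            findings.append(f"allow-access-from domain={domain}: wildcard origin")
        # In an HTTPS policy file, secure defaults to true when omitted.
        if el.get("secure", "true").lower() == "false":
            findings.append("secure=false: HTTP-loaded players may read HTTPS content")
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control=all: any policy file on this host is honored")
    return findings

def audit_clientaccess(xml_bytes):
    """Return one finding per broad grant in a Silverlight clientaccesspolicy.xml."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for allow in root.iter("allow-from"):
        if allow.get("http-request-headers") == "*":
            findings.append("allow-from: every request header is permitted")
        for dom in allow.iter("domain"):
            if dom.get("uri", "").endswith("*"):
                findings.append(f"domain uri={dom.get('uri')}: wildcard origin")
    for res in root.iter("resource"):
        if res.get("path") == "/" and res.get("include-subpaths", "").lower() == "true":
            findings.append("grant-to: entire site, including subpaths")
    return findings
```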
