Protect streams for Google Widevine and Microsoft PlayReady devices with EZDRM and the Wowza Streaming Cloud REST API

Playback of protected streams on Google Widevine and Microsoft PlayReady players or platforms requires the Widevine or PlayReady DRM. The EZDRM Universal DRM combines Google Widevine DRM with Microsoft PlayReady DRM. Both use linked Common Encryption (CENC) keys for MPEG-DASH streaming, so the content owner can encrypt the media once with CENC keys and deliver either a PlayReady or a Widevine license, depending on the player and platform requesting the license.

You can access the Universal DRM through our integration with EZDRM and configure stream encryption using the Wowza Streaming Cloud REST API.

You’ll use your EZDRM user name and password, as well as a content ID, to configure your stream for DRM protection with Wowza Streaming Cloud and EZDRM Universal DRM.

Tip: In addition to completing this topic, you might also want to use EZDRM FairPlay to protect streams on iOS or Apple TV.

Before you start


You should complete the following tasks:

  • Create a live stream or a transcoder. You'll need the resulting live_stream_id or transcoder_id to schedule a broadcast. View our Connect a source topics to learn how to create a live stream or transcoder for RTMP, RTSP, IP camera, SRT encoder, UDP encoder, WebRTC, and Wowza Streaming Engine.
  • Create an EZDRM account, configured appropriately for the device types you want to stream to. For FairPlay, you'll need verification from Apple that you're approved to use FairPlay. Refer to EZDRM and their documentation for more information about EZDRM account setup.

    Note: Because this solution involves navigating multiple service providers, we recommend engaging with Professional Services for assistance with setup. Contact 720.279.8163 or schedule a call.



Generate an EZDRM key

An EZDRM key contains the asset ID you’ll use to configure your stream for DRM protection.

This step assumes:

  • You do not already have a content ID. If you have one, you can skip to Configure the stream for DRM protection.
  • You do not want to pass an existing content ID in the key generation request. EZDRM allows passing existing content IDs, but you should refer to the EZDRM KeyZ API guide on the EZDRM site for the reasons why you'd want to and for the correct syntax of the call should you choose to.

Note: We provide instructions for generating the EZDRM content key for ease of use. However, EZDRM is third-party software and we recommend that you refer to the EZDRM KeyZ API guide on the EZDRM site for the most up-to-date information.

There are two ways to create an EZDRM DRM key:

  • using the EZDRM web service
  • using a scripted curl web service call

In both cases, you’ll need to provide your EZDRM user name and password.

(Option 1) Request a DRM key with the EZDRM web service

  1. Use the EZDRM web service in a browser.
  2. Enter your EZDRM user name (U) and password (P), then click Invoke.

Make note of the following values in the response from EZDRM:

  • The ContentID. You'll use this to configure the stream protection in Wowza Streaming Cloud.
  • The ServerURL value. You'll use this when you play back a stream encrypted for Widevine.
  • The LAURL value. You'll use this when you play back a stream encrypted for PlayReady.

(Option 2) Request a DRM key with a curl script

Run the following curl script, or another scripted web service call, to retrieve the DRM values from the EZDRM web service:

curl -v 'https://wvm.ezdrm.com/ws/LicenseInfo.asmx/GenerateKeys?u=[ezdrm-account-username]&p=[ezdrm-account-password]&c=""'

where:

  • [ezdrm-account-username] is your EZDRM user name
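  • [ezdrm-account-password] is the password associated with your EZDRM user name

Note: In the curl script, &c="" is required in place of passing the optional existing content ID. The call doesn't work without it. Because the user name and password are part of the URL, they are recorded in your shell history and printed in the -v output, so treat both as sensitive.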

Make note of the following values in the response from EZDRM:

  • The ContentID. You'll use this to configure the stream protection in Wowza Streaming Cloud.
  • The ServerURL value. You'll use this when you play back a stream encrypted for Widevine.
  • The LAURL value. You'll use this when you play back a stream encrypted for PlayReady.

Configure the stream for DRM protection

To protect a stream using the EZDRM key you obtained in the previous step, you’ll need to set the following EZDRM properties on the transcoder using the Wowza Streaming Cloud REST API.

Note: Depending on your workflow, you might want to consider where these properties are and are not available:
  • They are not available in the user interface.
  • They are only available for transcoders. If you're using the live stream workflow, you set these properties on the transcoder for your live stream.

You can use the following sample request, making sure to:

  • Set username to your EZDRM user name.
  • Set password to your EZDRM password.
  • Set content_id_from_ezdrm to the content ID you generated from EZDRM.
  • Change any values unique to your broadcast, using the API reference documentation as a resource. See the Endpoint Reference button below.

Sample request

Endpoint Reference

curl -X PATCH \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
    "transcoder": {
      "properties": [
        { 
          "key": "username", 
          "section": "ezdrm", 
          "value": "[your_ezdrm_username]" 
        }, 
        { 
          "key": "password", 
          "section": "ezdrm", 
          "value": "[your_ezdrm_password]" 
        }, 
        { 
          "key": "wideVineContentId", 
          "section": "ezdrm", 
          "value": "[content_id_from_ezdrm]" 
        } 
     ]
   }
}' "${WSC_HOST}/api/${WSC_VERSION}/transcoders/[transcoder_id]"

Enable MPEG-DASH streaming

EZDRM Universal DRM encrypts MPEG-DASH streams, and MPEG-DASH is only available on Fastly stream targets. HLS is the default delivery protocol for Fastly stream targets, so you must enable MPEG-DASH.

Note: Enabling MPEG-DASH will incur additional egress charges. Egress is incurred per protocol. Enabling MPEG-DASH through the REST API is available only in v1.7 (beta).

You can use the following sample request, making sure to:

  • Set id to the ID of the Fastly stream target.
  • Change any values unique to your broadcast, using the API reference documentation as a resource. See the Endpoint Reference button below.

Sample request

Endpoint Reference

curl -X PATCH \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
    "stream_target_fastly": {
      "delivery_protocols": [
        "hls",
        "dash"
      ]
    }
}' "${WSC_HOST}/api/${WSC_VERSION}/stream_targets/fastly/[ID]"

Sample response

Make note of the DASH playback URL in the response, because you'll use this when you test playback.

Tip: Make sure the MPEG-DASH enabled stream target is added to the transcoder you configured for stream protection.

{
    "stream_target_fastly": {
        "id": "zfqvyv4f",
        "name": "My Target",
        "state": "activated",
        "stream_name": "OG40YnNQ",
        "delivery_protocols": [
            "hls",
            "dash"
        ],
        "playback_urls": {
            "hls": [
                {
                    "name": "default",
                    "url": "https://domain.wowza.com/1/VGl5YVpjNjJXSCt4/OG40YnNQ/hls/live/playlist.m3u8"
                }
            ],
            "dash": [
                {
                    "name": "default",
                    "url": "https://domain.wowza.com/1/VGl5YVpjNjJXSCt4/OG40YnNQ/dash/live/manifest.mpd"
                }
            ]
        },
        ...
    }
}

(Optional) Block RTMP direct playback for enhanced security

Direct playback through RTMP is enabled by default, but you might want to block RTMP direct playback to ensure only devices and platforms that can decrypt your stream can access it.

You can use the following sample request, making sure to:

  • Set transcoder_id to the ID of the transcoder.
  • Change any values unique to your broadcast, using the API reference documentation as a resource. See the Endpoint Reference button below.

Sample request

Endpoint Reference

curl -X POST \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
    "property": {
      "section": "rtmp",
      "key": "allowDirectPlayback",
      "value": false
    }
}' "${WSC_HOST}/api/${WSC_VERSION}/transcoders/[transcoder_id]/properties"

Test playback with encryption

  1. Start your transcoder and your stream.
  2. Using the MPEG-DASH playback URL returned in the response when you enabled MPEG-DASH, verify that the stream encryption works as you expect on a player or platform that requires a PlayReady or Widevine license. To test your playback, you'll need a test player and some other information. The tips below are based on the user interface for https://demo.theoplayer.com/ezdrm-demo on Chrome (Widevine) or Internet Explorer (PlayReady):
    • Streaming protocol – Set to MPEG-DASH.
    • Stream URL – The URL for your protected stream.
    • License Acquisition URL – This URL is returned in the EZDRM response when you generated the content ID.
      • Widevine – The value from the ServerURL parameter. The format is https://widevine-dash.ezdrm.com/proxy?pX=[XXXXXX].
      • PlayReady – The value from the LAURL parameter. The format is https://playready.ezdrm.com/cency/preauth.aspx?pX=[XXXXXX].

        Refer to the EZDRM Universal DRM Setup and EZDRM Testing Playback guides on the EZDRM site for information about how to deliver the Widevine or PlayReady license and approve viewers, proxy URLs you'll need for playback, and sample players.
  3. Stop your transcoder when your testing is complete.
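
One way to check the outcome of the steps above before opening a test player, as an added example that is not part of the original Wowza or EZDRM documentation: the script reads a DASH manifest and reports whether it signals CENC, Widevine and PlayReady through ContentProtection elements. The function names and both sample manifests are constructed for illustration; the scheme URIs are the publicly registered DASH-IF values, and a real Wowza manifest may carry additional attributes.

```shell
# Added example: report which DRM systems a DASH manifest (MPD) signals.
# Function names and sample manifests are constructed for illustration.

CENC_URI='urn:mpeg:dash:mp4protection:2011'                   # Common Encryption
WIDEVINE_URI='urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed'  # Widevine system ID
PLAYREADY_URI='urn:uuid:9a04f079-9840-4286-ab92-e65be0885f95' # PlayReady system ID

# Print each ContentProtection schemeIdUri found in the MPD on stdin (lowercased).
# Assumes double-quoted attributes; single-quoted ones would be missed.
mpd_schemes() {
  tr '\n' ' ' |
    grep -oiE '<ContentProtection[^>]*>' |
    grep -oiE 'schemeIdUri="[^"]*"' |
    cut -d'"' -f2 | tr '[:upper:]' '[:lower:]' | sort -u
}

# Report each expected scheme; succeed only if all three are signalled.
mpd_drm_report() {
  schemes=$(mpd_schemes)
  missing=0
  for pair in "cenc=$CENC_URI" "widevine=$WIDEVINE_URI" "playready=$PLAYREADY_URI"; do
    if printf '%s\n' "$schemes" | grep -qxF "${pair#*=}"; then
      echo "${pair%%=*}: present"
    else
      echo "${pair%%=*}: MISSING"
      missing=1
    fi
  done
  [ "$missing" -eq 0 ]
}

# Constructed manifest with all three signals (note the upper-case Widevine UUID).
sample_protected_mpd() { cat <<'EOF'
<MPD xmlns="urn:mpeg:dash:schema:mpd:2011" type="dynamic">
 <Period><AdaptationSet mimeType="video/mp4">
  <ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc"/>
  <ContentProtection schemeIdUri="urn:uuid:EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED"/>
  <ContentProtection schemeIdUri="urn:uuid:9a04f079-9840-4286-ab92-e65be0885f95"/>
 </AdaptationSet></Period>
</MPD>
EOF
}

# Constructed manifest for an unprotected stream: no ContentProtection at all.
sample_clear_mpd() { echo '<MPD><Period><AdaptationSet mimeType="video/mp4"/></Period></MPD>'; }

sample_protected_mpd | mpd_drm_report
sample_clear_mpd | mpd_drm_report || echo "stream is not signalled as DRM-protected"
# Against a live target: curl -fsS "$DASH_URL" | mpd_drm_report
```

A manifest that signals all three schemes shows only that protection is advertised; license delivery still has to be confirmed in a Widevine or PlayReady player as described in step 2.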
