Protect streams for Google Widevine and Microsoft PlayReady devices with EZDRM and the Wowza Streaming Cloud REST API

Playback of protected streams on Google Widevine and Microsoft PlayReady players or platforms requires the Widevine or PlayReady DRM. The EZDRM Universal DRM combines Google Widevine DRM with Microsoft PlayReady DRM. Both use linked MPEG-DASH Common Encryption (CENC) keys, so the content owner encrypts the media once with CENC keys and delivers either a PlayReady or a Widevine license, depending on the player and platform requesting it.

You can access the Universal DRM through our integration with EZDRM and configure stream encryption using the Wowza Streaming Cloud REST API.

You’ll use your EZDRM user name and password, as well as a content ID, to configure your stream for DRM protection with Wowza Streaming Cloud and EZDRM Universal DRM.

Tip: In addition to completing this topic, you might also want to use EZDRM FairPlay to protect streams on iOS or Apple TV.

Video tutorial: Protect DASH live streams with EZDRM using Widevine and PlayReady

Prerequisite

To protect streams in Wowza Streaming Cloud using EZDRM, you must have an EZDRM account, configured appropriately for the device types you want to stream to. Refer to EZDRM and their documentation for more information about EZDRM account setup.

Note: Because this solution involves navigating multiple service providers, we recommend engaging with Professional Services for assistance with setup. Contact 720.279.8163 or schedule a call.

Generate an EZDRM key

An EZDRM key contains the asset ID you’ll use to configure your stream for DRM protection.

This step assumes:

  • You do not already have a content ID. If you have one, you can skip to Configure the stream for DRM protection.
  • You do not want to pass an existing content ID in the key generation request. EZDRM allows passing existing content IDs, but refer to the EZDRM KeyZ API guide on the EZDRM site for the reasons you might want to and for the correct call syntax.

Note: We provide instructions for generating the EZDRM content key for ease of use. However, EZDRM is third-party software and we recommend that you refer to the EZDRM KeyZ API guide on the EZDRM site for the most up-to-date information.

There are two ways to create an EZDRM DRM key:

  • using the EZDRM web service
  • using a scripted curl web service call

In both cases, you’ll need to provide your EZDRM user name and password.

(Option 1) Request a DRM key with the EZDRM web service

  1. Use the EZDRM web service in a browser.
  2. Enter your EZDRM user name (U) and password (P), then click Invoke.

Make note of the following values in the response from EZDRM:

  • The ContentID. You'll use this to configure the stream protection in Wowza Streaming Cloud.
  • The ServerURL value. You'll use this when you play back a stream encrypted for Widevine.
  • The LAURL value. You'll use this when you play back a stream encrypted for PlayReady.

(Option 2) Request a DRM key with a curl script

Run the following curl script, or another scripted web service call, to retrieve the DRM values from the EZDRM web service:

curl -v 'https://wvm.ezdrm.com/ws/LicenseInfo.asmx/GenerateKeys?u=[ezdrm-account-username]&p=[ezdrm-account-password]&c=""'

where:

  • [ezdrm-account-username] is your EZDRM user name
  • [ezdrm-account-password] is the password associated with your EZDRM user name
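
Note: In the curl script, &c="" is required in place of passing the optional existing content ID. The call doesn’t work without it. Because the user name and password are part of the URL, they are saved in your shell history and echoed in the -v output, so treat both as sensitive.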

Make note of the following values in the response from EZDRM:

  • The ContentID. You'll use this to configure the stream protection in Wowza Streaming Cloud.
  • The ServerURL value. You'll use this when you play back a stream encrypted for Widevine.
  • The LAURL value. You'll use this when you play back a stream encrypted for PlayReady.

Configure the stream for DRM protection

To protect a stream using the EZDRM key you obtained in the previous step, you’ll need to set the following EZDRM properties on the transcoder using the Wowza Streaming Cloud REST API. These properties are not available in the user interface.

| Section | Key               | Value  | Description                              |
|---------|-------------------|--------|------------------------------------------|
| ezdrm   | username          | string | Your EZDRM user name                     |
| ezdrm   | password          | string | Your EZDRM password                      |
| ezdrm   | wideVineContentId | string | The content ID you generated from EZDRM. |

Note: While the key name indicates this value is for Widevine, this sets the value for both Widevine and PlayReady DRM.

Note: Wowza Streaming Cloud does not validate the EZDRM values you specify in these properties. Make sure you enter the correct values.

You can configure the EZDRM properties when you create a transcoder or by updating an existing transcoder.

Tip: If you haven't used the Wowza Streaming Cloud REST API previously, consider reviewing About the Wowza Streaming Cloud REST API, specifically the information about using environment variables for the API and access keys.

Configure DRM when creating a new transcoder

curl -X POST \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
   "transcoder": {
     "billing_mode": "pay_as_you_go",
     "broadcast_location": "us_west_california",
     "buffer_size": "4000",
     "delivery_method": "push",
     "name": "MyTranscoder",
     "protocol": "rtmp",
     "transcoder_type": "transcoded",
     "properties": [
     { 
        "key": "username", 
        "section": "ezdrm", 
        "value": "[your_ezdrm_username]" 
      }, 
      { 
        "key": "password", 
        "section": "ezdrm", 
        "value": "[your_ezdrm_password]" 
      }, 
      { 
        "key": "wideVineContentId", 
        "section": "ezdrm", 
        "value": "[content_id_from_ezdrm]" 
      } 
     ]
   } 
}' "${WSC_HOST}/api/${WSC_VERSION}/transcoders"

Configure DRM on an existing transcoder

curl -X PATCH \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
    "transcoder": {
      "properties": [
        { 
          "key": "username", 
          "section": "ezdrm", 
          "value": "[your_ezdrm_username]" 
        }, 
        { 
          "key": "password", 
          "section": "ezdrm", 
          "value": "[your_ezdrm_password]" 
        }, 
        { 
          "key": "wideVineContentId", 
          "section": "ezdrm", 
          "value": "[content_id_from_ezdrm]" 
        } 
     ]
   }
}' "${WSC_HOST}/api/${WSC_VERSION}/transcoders/[transcoder_id]"
 
Troubleshooting: If you've already set the EZDRM user name and password properties when setting up FairPlay, you only need to set the wideVineContentId now. Setting the same property again, like username and password, will result in a 500 error. See Set advanced properties with the Wowza Streaming Cloud REST API to learn how to set a single transcoder property.
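Because Wowza Streaming Cloud does not validate these values and re-sending username and password produces a 500 error, a local preflight can build the PATCH body for you. This is an added example, not part of the Wowza or EZDRM documentation; the EZDRM_* environment variable names are assumptions.

```python
import json
import os
import re

# A bracketed "[placeholder]" left over from the sample requests above.
_PLACEHOLDER = re.compile(r"^\[.*\]$")


def _check(name, value):
    """Reject values the API would accept silently but that cannot be right."""
    if not value:
        raise ValueError(f"{name} is empty")
    if value != value.strip():
        raise ValueError(f"{name} has leading or trailing whitespace")
    if _PLACEHOLDER.match(value):
        raise ValueError(f"{name} still contains a documentation placeholder")
    return value


def ezdrm_patch_body(content_id, username=None, password=None):
    """Build the transcoder PATCH body for the ezdrm section.

    Pass username/password only when they are not already set on the
    transcoder (for example by an earlier FairPlay setup).
    """
    if (username is None) != (password is None):
        raise ValueError("supply both username and password, or neither")
    props = []
    if username is not None:
        props.append({"key": "username", "section": "ezdrm",
                      "value": _check("username", username)})
        props.append({"key": "password", "section": "ezdrm",
                      "value": _check("password", password)})
    props.append({"key": "wideVineContentId", "section": "ezdrm",
                  "value": _check("content_id", content_id)})
    return json.dumps({"transcoder": {"properties": props}})


if __name__ == "__main__":
    # Assumed variable names. Printing the body lets you pipe it to curl.
    print(ezdrm_patch_body(os.environ["EZDRM_CONTENT_ID"],
                           os.environ.get("EZDRM_USERNAME"),
                           os.environ.get("EZDRM_PASSWORD")))
```

Pipe the output into the PATCH request above with -d @- in place of the inline JSON, which keeps the EZDRM password out of your shell history and the process list.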

Enable MPEG-DASH streaming

EZDRM Universal DRM encrypts MPEG-DASH streams, and MPEG-DASH is only available on Fastly stream targets. HLS is the default delivery protocol for Fastly stream targets, so you must enable MPEG-DASH.

Note: Enabling MPEG-DASH will incur additional egress charges. Egress is incurred per protocol.

You can enable MPEG-DASH when you create a Fastly stream target or by updating an existing Fastly stream target. 

Note: Enabling MPEG-DASH through the REST API is available only in v1.7 (beta). Alternatively, you can enable MPEG-DASH through the Wowza Streaming Cloud user interface when you create or edit a Fastly stream target.

Enable when creating a new Fastly stream target

curl -X POST \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
     "stream_target_fastly": {
        "name": "Fastly HLS/DASH Target", 
        "delivery_protocols": [
            "hls",
            "dash"
        ]
      } 
}' "${WSC_HOST}/api/${WSC_VERSION}/stream_targets/fastly"

Sample response

Make note of the DASH playback URL in the response, because you'll use this when you test playback.

Tip: Make sure the MPEG-DASH enabled stream target is added to the transcoder you configured for stream protection.

{
    "stream_target_fastly": {
        "id": "zfqvyv4f",
        "name": "My Target",
        "state": "activated",
        "stream_name": "OG40YnNQ",
        "delivery_protocols": [
            "hls",
            "dash"
        ],
        "playback_urls": {
            "hls": [
                {
                    "name": "default",
                    "url": "https://domain.wowza.com/1/VGl5YVpjNjJXSCt4/OG40YnNQ/hls/live/playlist.m3u8"
                }
            ],
            "dash": [
                {
                    "name": "default",
                    "url": "https://domain.wowza.com/1/VGl5YVpjNjJXSCt4/OG40YnNQ/dash/live/manifest.mpd"
                }
            ]
        },
        ...
    }
}
 

Enable when updating an existing Fastly stream target

curl -X PATCH \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
     "stream_target_fastly": {
        "delivery_protocols": [
            "hls",
            "dash"
        ]
      } 
}' "${WSC_HOST}/api/${WSC_VERSION}/stream_targets/fastly/[ID]"

Sample response

Make note of the DASH playback URL in the response, because you'll use this when you test playback.

Tip: Make sure the MPEG-DASH enabled stream target is added to the transcoder you configured for stream protection.

{
    "stream_target_fastly": {
        "id": "zfqvyv4f",
        "name": "My Target",
        "state": "activated",
        "stream_name": "OG40YnNQ",
        "delivery_protocols": [
            "hls",
            "dash"
        ],
        "playback_urls": {
            "hls": [
                {
                    "name": "default",
                    "url": "https://domain.wowza.com/1/VGl5YVpjNjJXSCt4/OG40YnNQ/hls/live/playlist.m3u8"
                }
            ],
            "dash": [
                {
                    "name": "default",
                    "url": "https://domain.wowza.com/1/VGl5YVpjNjJXSCt4/OG40YnNQ/dash/live/manifest.mpd"
                }
            ]
        },
        ...
    }
}
 

(Optional) Block RTMP direct playback for enhanced security

Direct playback through RTMP is enabled by default, but you might want to block RTMP direct playback to ensure only devices and platforms that can decrypt your stream can access it.

Configure RTMP playback when creating a new transcoder

curl -X POST \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
   "transcoder": {
     "billing_mode": "pay_as_you_go",
     "broadcast_location": "us_west_california",
     "buffer_size": "4000",
     "delivery_method": "push",
     "name": "MyTranscoder",
     "protocol": "rtmp",
     "transcoder_type": "transcoded",
     "properties": [
     { 
        "section": "rtmp", 
        "key": "allowDirectPlayback", 
        "value": false 
      }
     ]
   } 
}' "${WSC_HOST}/api/${WSC_VERSION}/transcoders"

Configure RTMP playback on an existing transcoder

curl -X POST \
-H "Content-Type: application/json" \
-H "wsc-api-key: ${WSC_API_KEY}" \
-H "wsc-access-key: ${WSC_ACCESS_KEY}" \
-d '{
     "property": {
        "section": "rtmp", 
        "key": "allowDirectPlayback", 
        "value": false
      } 
}' "${WSC_HOST}/api/${WSC_VERSION}/transcoders/[transcoder_id]/properties"

Test playback with encryption

  1. Start your transcoder and your stream.
  2. Using the MPEG-DASH playback URL returned in the response when you enabled MPEG-DASH, verify that the stream encryption works as you expect on a player or platform that requires a PlayReady or Widevine license. To test your playback, you'll need a test player and some other information. The tips below are based on the user interface for https://demo.theoplayer.com/ezdrm-demo on Chrome (Widevine) or Internet Explorer (PlayReady):
    • Streaming protocol – Set to MPEG-DASH.
    • Stream URL – The URL for your protected stream.
    • License Acquisition URL – This URL is returned in the EZDRM response when you generated the content ID.
      • Widevine – The value from the ServerURL parameter. The format is https://widevine-dash.ezdrm.com/proxy?pX=[XXXXXX].
         
      • PlayReady – The value from the LAURL parameter. The format is https://playready.ezdrm.com/cency/preauth.aspx?pX=[XXXXXX].

        Refer to the EZDRM Universal DRM Setup and EZDRM Testing Playback guides on the EZDRM site for information about how to deliver the Widevine or PlayReady license and approve viewers, proxy URLs you’ll need for playback, and sample players.
  3. Stop your transcoder when your testing is complete.
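Before opening a player, you can check that the MPEG-DASH manifest itself advertises CENC protection for both DRM systems on every adaptation set. This is an added example, not Wowza or EZDRM code: it uses the standard DASH ContentProtection scheme identifiers, and the sample manifest is constructed for illustration with the audio set deliberately left unprotected. A clean result shows that protection is signalled in the manifest, not that a license can be obtained, so the player test above is still needed.

```python
import xml.etree.ElementTree as ET

NS = {"mpd": "urn:mpeg:dash:schema:mpd:2011"}
# Standard DASH scheme identifiers, lower-cased for comparison.
SCHEMES = {
    "urn:mpeg:dash:mp4protection:2011": "cenc",
    "urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed": "widevine",
    "urn:uuid:9a04f079-9840-4286-ab92-e65be0885f95": "playready",
}
REQUIRED = {"cenc", "widevine", "playready"}

# Constructed sample manifest (not Wowza output): video is protected, audio is not.
SAMPLE_MPD = """<MPD xmlns="urn:mpeg:dash:schema:mpd:2011" type="dynamic">
  <Period>
    <AdaptationSet contentType="video">
      <ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc"/>
      <ContentProtection schemeIdUri="urn:uuid:EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED"/>
      <ContentProtection schemeIdUri="urn:uuid:9a04f079-9840-4286-ab92-e65be0885f95"/>
      <Representation id="v1" bandwidth="1000000"/>
    </AdaptationSet>
    <AdaptationSet contentType="audio">
      <Representation id="a1" bandwidth="128000"/>
    </AdaptationSet>
  </Period>
</MPD>"""


def drm_report(mpd_xml):
    """Map each AdaptationSet to the set of DRM schemes it signals."""
    report = {}
    root = ET.fromstring(mpd_xml)
    for i, aset in enumerate(root.iterfind(".//mpd:AdaptationSet", NS)):
        label = f"{i}:{aset.get('contentType') or aset.get('mimeType') or '?'}"
        # ContentProtection may sit on the AdaptationSet or on a Representation.
        uris = (cp.get("schemeIdUri", "").lower()
                for cp in aset.iterfind(".//mpd:ContentProtection", NS))
        report[label] = {SCHEMES[u] for u in uris if u in SCHEMES}
    return report


def unprotected(report):
    """Labels of adaptation sets that lack any of the required schemes."""
    return sorted(k for k, found in report.items() if not REQUIRED <= found)


if __name__ == "__main__":
    for label, found in drm_report(SAMPLE_MPD).items():
        print(label, sorted(found) or "NO DRM SIGNALLED")
```

Fetch the manifest from your DASH playback URL and pass its text to drm_report; an empty list from unprotected means every adaptation set signals CENC with both Widevine and PlayReady.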
