- Some of the security technologies that are described in the articles only work with the following Wowza media server software versions:
  - Wowza Streaming Engine™
  - Wowza Media Server™ 3.5 and later
- Security features such as SecureToken, RTMP authentication, RTSP authentication, StreamNameAlias, and secure streaming (RTMPTE and RTMPS) that are provided in the MediaSecurity AddOn for Wowza Media Server 3.1.2 and earlier are built into later versions of the server software. For more information about how to get the MediaSecurity AddOn for these older Wowza Media Server software versions, see How to get MediaSecurity AddOn (playback and publish security for RTMP and RTSP).
Media security in Wowza Streaming Engine
Security features that were available as separate modules and plugins in older Wowza media server software versions are merged into a single security module in Wowza Streaming Engine 4.0. This article describes the changes and provides instructions for configuring the features in the new security module using Wowza Streaming Engine Manager:
StreamLock, SSL, HTTPS, RTMPS, and RTMPE
StreamLock, SSL, HTTPS, RTMPS and RTMPE are methods for protecting a stream as it's transmitted across a network. All traffic that flows over a protected connection is encrypted during transit.
- StreamLock: Wowza StreamLock™ AddOn is a security option for network encryption provided by Wowza™. It provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media server software. StreamLock-provisioned SSL certificates provide the best security when used with RTMP. The certificates can also be used for secure HTTP streaming (HTTPS).
- HTTPS: HTTPS is HTTP over Secure Sockets Layer (SSL). It's a method for securing HTTP streaming such as Apple HTTP Live Streaming (HLS), Adobe HTTP Dynamic Streaming (HDS), and Microsoft Smooth Streaming. HTTPS by itself doesn't secure media streams, but when used with a token-based authentication system, it can more fully protect streaming.
- RTMPS: RTMPS is RTMP over Secure Sockets Layer (SSL). It's a method for securing Adobe Flash RTMP streaming. It can be used in conjunction with SecureToken to protect Flash streaming.
- RTMPE: RTMPE is RTMP over an encrypted connection and is another method for securing Flash RTMP streaming. It can be used in conjunction with SecureToken to protect Flash streaming. RTMPE is less secure than RTMPS. To provide the best security for RTMP streaming, we recommend the Wowza StreamLock AddOn.
- How to get SSL certificates from the StreamLock service
- How to request an SSL certificate from a certificate authority
- How to create a self-signed SSL certificate
- How to improve SSL configuration
- How to connect to Wowza Streaming Engine Manager over HTTPS
- How to set up Adobe HDS playback across HTTPS (SSL)
- How to set up Microsoft Smooth Streaming playback across HTTPS (SSL)
- How to fix intermittent HTTP/SSL failure (padding exception)
- How to configure multiple SSL certificates (per domain) on a single Host Port (SNI)
- How to import an existing SSL certificate and private key
- How to troubleshoot SSL certificate configuration
Digital Rights Management (DRM)
Digital Rights Management (DRM) is a protection mechanism for securing streaming media. There are many different DRM technologies such as Microsoft PlayReady and Verimatrix Video Content Authority System (VCAS). The following articles describe how Wowza media server software can be configured to work with several DRM technologies.
- Wowza DRM overview
- How to set up and test BuyDRM KeyOS DRM (PlayReady)
- How to set up EZDRM PlayReady DRM
- How to set up Verimatrix DRM
- How to secure Apple HLS streaming using DRM encryption
- How to secure Apple HTTP Live Streaming (AES-128 - external method)
- How to test AES encryption for Apple HLS streams
- How to secure Smooth Streaming using PlayReady DRM (Silverlight)
- How to decrypt PlayReady encrypted video on demand content on the fly
- How to secure MPEG-DASH streaming using Common Encryption (CENC)
SecureToken playback protection
SecureToken is a challenge/response system that helps to protect content against spoofing threats. Each connection is protected by a random single-use key and a password (shared secret). Wowza Streaming Engine 4.0 and Wowza Media Server software provide SecureToken playback protection for Flash RTMP streams. Wowza Streaming Engine 4.1 software extends SecureToken playback protection to all streaming protocols supported by the server and includes new hashing options for generating the security token that's exchanged between the server and clients.
- How to protect streaming using SecureToken in Wowza Streaming Engine
- How to protect RTMP streaming using SecureToken (ModuleSecureToken)
- How to add SecureToken protection to JW Player
Note: Some software can defeat the SecureToken security mechanism and record Flash content over RTMP. To protect your Flash content over RTMP, we suggest that you combine SecureToken with Wowza StreamLock AddOn, RTMPS, or RTMPE.
Authentication for RTMP and RTSP publishing
RTMP and RTSP user name and password authentication is described in the following articles:
- How to enable username/password authentication for RTMP and RTSP publishing (ModuleRTMPAuthenticate)
- How to secure publishing from an RTMP encoder that does not support authentication (ModuleSecureURLParams)
- How to integrate Wowza user authentication with external authentication systems (ModuleRTMPAuthenticate)
- How to use a per application publish.password file
- How to do file-based authentication with RTMP client with credentials passed as parameters of NetConnection connect
- How to do file-based authentication with RTMP client and credentials in querystring of NetConnection connect RTMP URL
Hotlinking is another word for embedding. For example, YouTube provides embed code for video so that you can embed a YouTube video on your website. A user can look at your webpage source code, copy the embed/object tags (or swfobject), and place that in a webpage on their website. The same can be done with IMG tags. If you want users to do this, it's called embedding; if you don't want them to do it, it's called hotlinking. The following articles describe the options to help you prevent hotlinking:
- How to combat hotlinking your Adobe Flash SWF file
- How to protect your SWF files by loading them from Wowza Media Server
Server-Side API to control access
The following articles describe methods for controlling access to different streaming protocols such as RTMP, Adobe HDS, Apple HLS, and Smooth Streaming. These API examples can be used to develop custom authentication systems for controlling access to streaming media. When used with transport protection mechanisms such as Wowza StreamLock AddOn, SSL, HTTPS, RTMPS, or RTMPE, they can provide a secure way to control access to streaming.
- How to control access to an HTTP stream (cupertinostreaming, smoothstreaming, sanjosestreaming, mpegdashstreaming)
- How to control access to an RTSP/RTP stream
- How to control access to Apple HTTP Streaming (cupertinostreaming)
- How to control access to Microsoft Smooth Streaming (smoothstreaming)
- How to control access to Adobe HTTP Dynamic Streaming (sanjosestreaming)
- How to limit playback by IP address
- How to limit publishing of live streams by IP list
- How to blacklist by IP
- How to override publish to remap a stream name
- How to modify or control a stream by overriding playback
- How to block a duplicate publish stream
- How to require a secure RTMP connection (ModuleRequireSecureConnection)
- How to do user authentication for Flash RTMP client using JDBC connection to MySQL database
Stream name alias solutions
Stream name aliasing is a method for intercepting content requests and redirecting them to some other content. Aliasing is another method that can be used to protect streaming media by controlling access to certain content based on user credentials.
How to get MediaSecurity AddOn (playback and publish security for RTMP and RTSP)
The MediaSecurity AddOn package includes features that help you secure Wowza Media Server 3.1.2 and earlier and the media that you want to stream through the server. The package includes several features to help you secure your content, including SecureToken, RTMP authentication, RTSP authentication, StreamNameAlias, and secure streaming (RTMPE, RTMPTE and RTMPS).
Important: The MediaSecurity AddOn features are built into Wowza Media Server™ software (version 3.5 and later) and Wowza Streaming Engine™ software. You shouldn't use the AddOn packages below with these server software versions, as unexpected results can occur.
Version for Wowza Media Server 2.0.0 to Wowza Media Server 3.1.2.x
Version for Wowza Media Server Pro 1.7.x
To learn more about how to install and use MediaSecurity AddOn, see the WowzaMediaServerMediaSecurity_UsersGuide.pdf file that's included in the MediaSecurity AddOn download.