How to get SSL certificates from the StreamLock service

    Wowza StreamLock™ AddOn is a security option for network encryption. It provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media servers. StreamLock-provisioned SSL certificates provide the best security when used with Real Time Messaging Protocol (RTMP). The certificates can also be used for secure HTTP streaming (HTTPS).

    Note: StreamLock is only available to Subscription and Perpetual licensees running Wowza Streaming Engine™ software or Wowza Media Server™ 3 software. It's not available for Trial and Developer editions of the software.
    Setup

    Managing your StreamLock certificates

    Configuring Wowza Streaming Engine to use your StreamLock certificate

    Configuring secure RTMP (RTMPS) streaming playback

    Configuring secure HTTP (HTTPS) streaming playback

    Troubleshooting StreamLock-provisioned SSL certificates

    Setup


    Prerequisites for StreamLock

    1. Wowza Streaming Engine or Wowza Media Server 3 is required.

    2. To purchase and learn more about Subscription and Perpetual licenses, see the Wowza Streaming Engine Pricing webpage. Trial and Developer licenses aren't provisioned for this feature.

    3. Download Wowza Streaming Engine from the Installers webpage. For more information about Wowza Streaming Engine installation requirements, see the "Server Installation" chapter in the Wowza Streaming Engine User's Guide.

    4. Configure Wowza Streaming Engine by following the step-by-step directions in one of our Tutorials.

    Sign up for a Wowza account

    If you don't have an account, sign up for a Wowza account, and then apply for StreamLock SSL certificates on the StreamLock tab on your Account Management page.

    If you already have a Wowza account to manage your Subscription license for the server software, you don't need to set up a separate StreamLock account. See Log in with your Subscription account credentials.

    Managing your StreamLock certificates


    Log in with your StreamLock account credentials

    If you already have a StreamLock account, in a web browser, log in to the StreamLock tab for your Wowza account. Enter your account information (email address and password) that you used when you created your StreamLock account.
    Note: Be sure to click Yes for the option that asks if you already have an account.

    Log in with your Subscription account credentials

    If you already have a Wowza Streaming Engine Subscription license, you don't need to create a StreamLock account. Instead, you can use the same account credentials that you use to log in and manage your Subscription account on the Account Management page.

    On the StreamLock tab, enter the email address and password associated with your Subscription account. If you don't know this information, contact billing@wowza.com.
    Notes:
    • Be sure to click Yes for the option that asks if you have an account.

    • If you have a StreamLock account AND a Subscription license for the Wowza media server software, you MUST log in using your Subscription account credentials.

    Request and download a StreamLock certificate

    After you log in, you'll be presented with a form to apply for an SSL certificate. If there are any SSL certificates already associated with your license keys, they'll be displayed in a table on the webpage. The certificate table provides detailed information about each certificate including the StreamLock hostname, when it was issued, and who it's registered to. If your license key has been allocated the maximum number of SSL certificates (2 for Subscription, 1 for Perpetual), contact billing@wowza.com.

    To request and download a StreamLock certificate, do the following:

    1. Enter a qualified license key in the License Key box.

    2. Enter the IP address for the certificate in the IP Address box.

    3. Enter a unique password in the Certificate Password field and re-enter the password in the Confirm Password field. Be sure to remember the certificate password that you enter as you'll use it for the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. (See Configure a host port to use the StreamLock certificate.)

    4. Click Apply for SSL Certificate. After the certificate is created, the webpage displays a message that the certificate was created and the certificate is highlighted in bold in the My SSL certificates table.

    5. To download the certificate, click download certificate for each certificate that you want to download.

    Notes:
    • In the My SSL certificates table, be sure to note the StreamLock hostname value for the certificate under Hostname. You'll use it when you configure client applications to connect to Wowza Streaming Engine over an SSL connection (RTMPS or HTTPS).

    • If an error occurs when you're requesting the certificate, follow the instructions on the page. If you still have problems acquiring a certificate, contact billing@wowza.com.

    Change the StreamLock certificate password

    You must use the unique password that you create for an installed certificate as the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. If you forget the password value, you can change it in the Certificate Management webpage. After you do this, you must download a new certificate associated with the new password, install the new certificate (see Install your StreamLock certificate), and then reconfigure the host port to use it (see Configure a host port to use the StreamLock certificate).

    To change the certificate password, do the following:

    1. Log in to your StreamLock account using your StreamLock account credentials or your Subscription account credentials. If you have both accounts, you must log in using your Subscription account credentials.

    2. In the My SSL certificates table, under Certificate Information, click Change certificate password for the certificate.

    3. Enter a new unique password for the certificate in both boxes. You must enter the same password in both boxes.

    4. Click OK. Updates are effective immediately.

    Change the server IP address

    To change the IP address of the Wowza Streaming Engine instance that's associated with your StreamLock certificate, do the following:

    1. Log in to your StreamLock account.

    2. In the My SSL certificates table, under IP Address, click Change next to the IP address that you want to change.

    3. Enter the new IP address, and then click OK. Updates are effective immediately.

    Configuring Wowza Streaming Engine to use your StreamLock certificate


    Install your StreamLock certificate

    Copy the downloaded certificate (.jks) file to the [install-dir]/conf folder on your Wowza Streaming Engine host.

    Configure a host port to use the StreamLock certificate for Wowza Streaming Engine software

    Note: If you upgrade your Wowza Media Server software to Wowza Streaming Engine, you can migrate your existing StreamLock certificates to the new media server software platform and configure them with these instructions.

    1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup in the contents panel.

    2. In the Virtual Host Setup page, click Edit.

    3. Scroll down to the Host Ports settings area and click Add Host Port.
    4. In the Add a new host port dialog box, enter the following data, and then click Add:

      • Name: Enter StreamLock (or any other custom name).

      • Type: Select Streaming.

      • IP Address: Enter the wildcard character (*). A wildcard (*) allows listening for traffic on all network interfaces. You can specify the IP address of a specific network interface, which will limit traffic to the specified interface.

      • Port(s): Enter 443.

      • Select the Enable SSL/StreamLock option, and then enter the directory path to your StreamLock certificate in Keystore Path and the StreamLock certificate password in Keystore password.

      Notes:
      • These instructions specify placing the downloaded StreamLock certificate in the default [install-dir]/conf folder in the media server software installation. This is the default directory path:

        ${com.wowza.wms.context.VHostConfigHome}/conf

      • The StreamLock certificate password is the password that you entered and applied to the StreamLock certificate when it was created or modified at Wowza.com.

    5. Click Save.

    6. Restart the virtual host (VHost) when prompted to apply the changes.


    Configure a host port to use the certificate with Wowza Media Server software

    Open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:

    1. Uncomment the <HostPort> definition for port 443 that follows the comment <!-- 443 with SSL -->. Be sure to remove the comment before <HostPort> and after </HostPort>.

    2. Update the <SSLConfig>/<KeyStorePath> property value to include the file name of your downloaded certificate (.jks) file. See the code sample below for details.

    3. In <SSLConfig>/<KeyStorePassword>, enter the certificate password that you created for this certificate. (See Request and download a StreamLock certificate.) The [StreamLockID].streamlock.net.jks file name below is the default name of the downloaded certificate; replace it with the name of your file.

      <SSLConfig>
        <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/[StreamLockID].streamlock.net.jks</KeyStorePath>
        <KeyStorePassword>[password]</KeyStorePassword>
        <KeyStoreType>JKS</KeyStoreType>
        <SSLProtocol>TLS</SSLProtocol>
        <Algorithm>SunX509</Algorithm>
        <CipherSuites></CipherSuites>
        <Protocols></Protocols>
      </SSLConfig>

    4. Save the updated VHost.xml file and then restart the Wowza media server to apply the changes.

    Configuring secure RTMP (RTMPS) streaming playback


    When using SSL certificates provisioned by Wowza StreamLock, RTMP-based players must be configured to connect to Wowza Streaming Engine over an SSL connection. If a player encounters a URL with an RTMPS URL prefix (rtmps://) and it's not configured correctly, the connection may fail and the player may fall back to use the RTMPT protocol (RTMP tunneling via HTTP) over SSL (RTMPTS). RTMPTS is much less efficient than RTMPS and can cause Wowza Streaming Engine to consume a lot of the computer's CPU resources. For this reason, it's important to properly configure client applications to connect to Wowza Streaming Engine using RTMPS.

    Adobe Flash Player

    To configure Adobe Flash Player applications to connect to Wowza Streaming Engine using RTMPS, you must set the NetConnection.proxyType property to "best" before calling NetConnection.connect([url]). The following example shows how to do this:

    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
    nc.connect("rtmps://[hostname]/[application]");

    [hostname] is the StreamLock hostname ([StreamLockID].streamlock.net) and [application] is the name of your application (for example, live). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    The above code example enables a Flash Player that encounters an RTMPS URI to communicate securely with Wowza Streaming Engine over port 443. If you configure any port other than 443 as secure (for example, port 1935), the client must specify the port in the URI. For example:

    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
    nc.connect("rtmps://[hostname]:1935/[application]");

    Note: If the player can't make a direct connection to the server over the default port (443) or another port that you specify, and if a proxy server is in place, the player tries to use the CONNECT method. If that attempt fails, the player tunnels over HTTPS. Some users have reported problems with certain browsers not being able to make this switch. If you continue to experience problems, consult your player documentation. If you're using Adobe Flash Player, see the proxyType property reference for more information about the different proxy types.

    Playback


    To test RTMPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashRTMPPlayer/player.html, enter the information below, and then click Connect or Start.

    Server: rtmps://[hostname]/vod
    Stream: mp4:sample.mp4

    Flowplayer

    Flowplayer is an open source pre-built Flash-based player. To configure Flowplayer applications to connect to Wowza Streaming Engine using RTMPS, do the following:

    1. Download Flowplayer Flash and extract the contents from the downloaded compressed (zipped) file.

    2. Download the RTMP Streaming Plugin (.swf) and copy it to the unzipped Flowplayer folder. (Be sure to copy it to the inner flowplayer folder that contains the flowplayer-3.x.x.swf file.)

    3. Edit the flowplayer/example/index.html file in the root directory of the unzipped archive, and make the following changes to the <script> section to enable RTMPS playback for either video on-demand or live streaming:

      Video on demand streaming


      Change:
      <script>
          flowplayer("player", "../flowplayer-3.2.15.swf");
      </script>
      To:
      <script type="text/javascript">
          flowplayer("player", "../flowplayer-3.2.15.swf",
              {
                  clip: {
                      url: 'mp4:sample.mp4',
                      provider: 'rtmp'
                  },
                  plugins: {
                      rtmp: {
                          url: '../flowplayer.rtmp-3.2.11.swf',
                          proxyType: 'best',
                          netConnectionUrl: 'rtmps://[hostname]/[application]'
                      }
                  }
              }
          );
      </script>

      • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.

      • clip: url is the name of the sample video that ships with Wowza Streaming Engine (mp4:sample.mp4).

      • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.

      • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.

      • plugins: netConnectionUrl is the RTMPS URI to a video on-demand application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)

      Live streaming


      Change:
      <script>
          flowplayer("player", "../flowplayer-3.2.15.swf");
      </script>
      To:
      <script type="text/javascript">
          flowplayer("player", "../flowplayer-3.2.15.swf",
              {
                  clip: {
                      url: 'myStream',
                      live: true,
                      provider: 'rtmp'
                  },
                  plugins: {
                      rtmp: {
                          url: '../flowplayer.rtmp-3.2.11.swf',
                          proxyType: 'best',
                          netConnectionUrl: 'rtmps://[hostname]/[application]'
                      }
                  }
              }
          );
      </script>

      • flowplayer() includes the relative path to the Flowplayer .swf file in the flowplayer/example folder (flowplayer-3.2.15.swf). Make sure this file name matches the version in your example folder.

      • clip: url is the stream name of the live stream (myStream).

      • clip: live is set to true. This property setting enables Flowplayer to stream live video data from an RTMP streaming server.

      • plugins: url is the relative path to the RTMP Streaming Plugin (.swf) file that you copied to the flowplayer/example folder (flowplayer.rtmp-3.2.11.swf). Make sure this file name matches the version in your example folder.

      • plugins: proxyType is set to 'best'. This property setting enables Flowplayer to connect to Wowza Streaming Engine over a native SSL connection.

      • plugins: netConnectionUrl is the RTMPS URI to a live application ([application]) on your Wowza Streaming Engine. ([hostname] is the StreamLock hostname ([StreamLockID].streamlock.net).)

    Notes:
    • You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    • If you configure any port other than 443 as secure (for example, port 1935), you must include the port value in the netConnectionUrl property value. For example:
      netConnectionUrl: 'rtmps://[hostname]:1935/[application]'
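
    The following is an added example, not code from the Wowza article or from the Flowplayer project. It builds the rtmp-plugin configuration used in the index.html snippets above from a few inputs and enforces the rules this section states: the rtmps:// scheme, the StreamLock hostname rather than your own domain, and a port suffix only when the secure host port is not 443. The function names and the [StreamLockID] hostname pattern are assumptions; the same URL rule applies to the Flash Player NetConnection.connect() call shown earlier.

```javascript
// Added example (not from the Wowza article or the Flowplayer project).
// Produces the Flowplayer rtmp-plugin config for RTMPS playback against a
// StreamLock host. Function names and the hostname pattern are assumptions.
const DEFAULT_SECURE_PORT = 443;

// Accepts "[StreamLockID].streamlock.net" (pattern assumed). Any other name
// makes the player show the "certificate ... does not match the name of the
// site" alert, because the StreamLock certificate is bound to streamlock.net.
function isStreamLockHostname(hostname) {
  return /^[a-z0-9-]+\.streamlock\.net$/i.test(hostname);
}

// rtmps://[hostname]/[application], with ":port" only for a non-443 port.
function buildNetConnectionUrl(hostname, application, port = DEFAULT_SECURE_PORT) {
  if (!isStreamLockHostname(hostname)) {
    throw new Error(`${hostname} is not a StreamLock hostname; use [StreamLockID].streamlock.net`);
  }
  const portPart = port === DEFAULT_SECURE_PORT ? '' : `:${port}`;
  return `rtmps://${hostname}${portPart}/${application}`;
}

// opts: { hostname, application, stream, live, port, rtmpPluginPath }
// Returns the object passed as the third argument to flowplayer().
function buildFlowplayerConfig(opts) {
  const clip = { url: opts.stream, provider: 'rtmp' };
  if (opts.live) clip.live = true;           // live stream instead of VOD
  return {
    clip,
    plugins: {
      rtmp: {
        url: opts.rtmpPluginPath || '../flowplayer.rtmp-3.2.11.swf',
        proxyType: 'best',                   // native SSL; avoids the RTMPTS fallback
        netConnectionUrl: buildNetConnectionUrl(opts.hostname, opts.application, opts.port),
      },
    },
  };
}

module.exports = { isStreamLockHostname, buildNetConnectionUrl, buildFlowplayerConfig };
```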

    Playback


    To test RTMPS playback using Flowplayer, copy the flowplayer folder to a web server and then open the following URL in a web browser:

    http://[web-server-address]/flowplayer/example/index.html

    JW Player

    To configure JW Player applications to connect to Wowza Streaming Engine using RTMPS, see How to use JW Player with Wowza Streaming Engine.

    Configuring secure HTTP (HTTPS) streaming playback


    You can use your StreamLock SSL certificate for secure HTTP (HTTPS) streaming using the Adobe HTTP Dynamic Streaming (Adobe HDS) protocol to Adobe Flash Player and Microsoft Smooth Streaming protocol to Microsoft Silverlight.

    Adobe Flash Player

    Using a text editor, edit [install-dir]/conf/crossdomain.xml and change the <allow-access-from> line to <allow-access-from domain="*" secure="false" />. The secure="false" attribute allows Flash content that was itself loaded over plain HTTP to access this HTTPS port; with the default (secure="true"), only content loaded over HTTPS would be permitted. The modified contents should look like the following:

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*" secure="false" />
        <site-control permitted-cross-domain-policies="all"/>
    </cross-domain-policy>

    Playback


    To test HTTPS playback using Adobe Flash Player, double-click [install-dir]/examples/VideoOnDemandStreaming/FlashHTTPPlayer/player.html, enter the information below, and then click Connect or Start.

    Stream: https://[hostname]/vod/mp4:sample.mp4/manifest.f4m

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    Microsoft Silverlight

    Using a text editor, edit the <domain uri> values in the [install-dir]/conf/clientaccesspolicy.xml file. The modified content should look like the following:

    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="http://*"/>
            <domain uri="https://*"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

    Playback


    To test HTTPS playback using Microsoft Silverlight, double-click [install-dir]/examples/VideoOnDemandStreaming/SilverlightPlayer/player.html, enter the URL below, and then click Connect or Start.

    Stream: https://[hostname]/vod/mp4:sample.mp4/Manifest

    [hostname] is the StreamLock hostname (StreamLockID.streamlock.net). You can get the [hostname] associated with the SSL certificate from your Certificate Management page on the Wowza website. You can also get the [hostname] from the default file name for the downloaded SSL certificate (.jks) file, which is in the format [hostname].jks ([StreamLockID].streamlock.net.jks).

    Troubleshooting StreamLock-provisioned SSL certificates


    SSL connections

    Use the following OpenSSL commands to test your Wowza media server's SSL connection, where [client-id] is the StreamLock ID portion of the certificate's hostname, so that [client-id].streamlock.net is the full DNS name:

    To test the SSL connection to the server:

    openssl s_client -connect [client-id].streamlock.net:443

    To test the SSL connection and display the certificates:

    openssl s_client -showcerts -connect [client-id].streamlock.net:443

    Hostname substitution

    When you configure player applications to establish a secure connection to the Wowza media server, and you substitute the hostname for your domain in place of the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following Security Alert:

    The certificate you are viewing does not match the name of the site you are trying to view.

    StreamLock SSL certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]). For more information about how to do this, see Configuring secure RTMP (RTMPS) streaming playback.

    If you must use your own domain name in [hostname], then you must create your own SSL certificate. For more information about how to do this, see How to create a self-signed SSL certificate.

    Unable to connect to streamlock.net

    If one or more clients report that they can't connect using a StreamLock certificate configuration, while the majority of clients don't have this problem, this is more than likely a problem with the DNS server on the client side.

    For a StreamLock certificate to function properly, the client must be able to resolve names in the streamlock.net domain. In some cases, the DNS configuration associated with the client doesn't provide a record for streamlock.net, which prevents a successful connection. You can confirm this by issuing an nslookup command from the client computer using a command line:

    nslookup [client-id].streamlock.net

    If the nslookup command doesn't return a response that includes the Wowza Streaming Engine media server's IP address, this is evidence of a DNS problem.

    Note: Depending on your firewall settings, you might also be able to test this by issuing a ping command from the client computer using a command line:

    ping streamlock.net

    If the ping command doesn't return a response, this is evidence of a DNS problem.

    Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, in the public domain, Wowza has no control over DNS propagation, especially when it comes to privately managed DNS servers. As a test and workaround, we suggest using an alternative DNS configuration if a client can't connect.

    Additional troubleshooting

    For additional troubleshooting information about SSL certificates and the configuration of Wowza media servers to use SSL certificates, see How to troubleshoot SSL certificate configuration.

    Originally Published: 10-11-2012.
    Updated: For Wowza Streaming Engine on 08-17-2016.
