• How to configure security using Wowza Streaming Engine Manager

    Security features that were available as separate modules and plugins in older versions of the Wowza™ media server software have been merged into a single security module in Wowza Streaming Engine™ software. This article provides an overview of the changes that have been made and how to configure the various security features in the new module using Wowza Streaming Engine Manager.

    Contents


    Getting started
    General security settings
    Source Security
    Playback Security
    Custom properties (advanced settings)
    Updating from Wowza Media Server software

    Getting started


    The Wowza Streaming Engine software and web-based Streaming Engine Manager application must be running before you can use Streaming Engine Manager. For more information, see How to start and stop Wowza Streaming Engine software.

    1. Start Wowza Streaming Engine Manager from any web browser by navigating to http://localhost:8088/enginemanager. If the Wowza Streaming Engine server software is running on a remote computer, substitute the IP address or domain name in place of localhost in the URL.

    2. Sign in to the manager.

    3. In Wowza Streaming Engine Manager, click Applications at the top of the page and then click live in the contents panel.

      Notes:
      • The examples in this article use the default live application that's installed with the server software. Some security settings also apply to on-demand (VOD) application types.

      • A restart alert appears after every configuration change. You can wait until all changes are complete before you restart.


    General security settings


    This section describes general security settings.

    Maximum Connections

    From the main application configuration, you can restrict the number of concurrent connections that are accepted by the application. By default, a value isn't specified so the number of connections isn't restricted.

    1. In the contents panel, click the application name to bring up the main application configuration page.



    2. To change the current setting, click Edit.



    3. Select the Limit number of connections check box to enable the setting and set the value.



    4. Click Save to save the changes or Cancel to return to the previous page without applying the changes.

    Note: This setting will not override the Server > Virtual Host Setup > Maximum Connections setting. If the server-level setting is also set, the lesser of the two values is used.

    Source Security


    From the main application configuration, you can configure options for securing source connections to live applications.

    1. In the contents panel, click Source Security to bring up the publish security options. By default, incoming live streams require authentication for all publishing, but the clients that can publish a stream to the server aren't restricted.



      Note: To manage source credentials, click Source Authentication in the contents panel. This takes you to the server-level Source Authentication page, where you can add, edit, or remove source credentials. If you use a custom Password File location, you must manage that file manually.
    2. To change the current settings, click Edit.

    3. Each of the different security options is explained in detail below. Adjust the settings as needed and then click Save to save the changes or Cancel to return to the previous page without applying changes.



    RTMP Sources

    Select the option that you want for RTMP Sources. The default setting is to require authentication for all RTMP sources.

    Note: These settings only affect RTMP encoders that publish a stream to the server. They don't affect connections started with a Stream File.
    Open (no authentication required)

    Any RTMP encoder or Flash application enabled for publishing can publish to this application. This was the default setting for Wowza Media Server™ software when RTMP Authentication was not enabled.

    Require password authentication

    All RTMP encoders or Flash applications enabled for publishing must authenticate to publish to the application. The FlashVer value sent from an encoder must match one of the values in the Flash Version String setting.

    RTMP publishing not allowed

    All attempts to publish from an RTMP encoder or Flash application enabled for publishing will be blocked.

    RTSP Sources

    Select the option that you want for RTSP Sources. The default setting is to require authentication for all RTSP sources.

    Note: These settings only affect RTSP encoders that publish a stream to the server. They don't affect connections started with a Stream File.
    Open (no authentication required)

    Any RTSP encoder can publish to this application.

    Require password authentication

    All RTSP encoders must authenticate to publish to the application.

    RTSP publishing not allowed

    All attempts to publish from an RTSP encoder will be blocked.

    Client Restrictions

    These settings enable you to control which IP addresses encoders can connect from.

    Note: The list of IP addresses can be a comma-separated list of addresses. The wildcard (*) character can be used but it must replace a complete block of numbers and not a partial block. For example, 192.168.1.*, 10.*.*.* is valid; however, 123.2*.*.* isn't valid.
    No client restrictions

    Client connections aren't restricted by IP address. This is the default setting.

    Only allow publishing from the following IP addresses

    The IP addresses listed in the box are allowed to publish to the server after passing authentication. Connections from all other IP addresses are blocked from publishing.

    Do NOT allow publishing from the following IP addresses

    The IP addresses listed in the box are blocked from publishing. Other IP addresses are allowed to publish to the server after passing authentication.
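    The IP-pattern rules and the three restriction modes above, as an added Python model that is not part of the article or of Wowza's code (the function names and the mode strings "none", "allow" and "deny" are this example's own):

```python
"""Added example (not Wowza code): a model of the Client Restrictions IP list.

Patterns are comma-separated IPv4 addresses in which '*' may replace a whole
octet (192.168.1.*, 10.*.*.*) but never part of one (123.2*.*.*).
"""
import ipaddress
import re

# One octet: a full wildcard or a decimal number in 0..255.
_OCTET = re.compile(r"^(\*|25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_ip_list(value):
    """Split the list and validate each pattern; ValueError on a bad one."""
    patterns = []
    for raw in value.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        octets = pattern.split(".")
        if len(octets) != 4 or not all(_OCTET.match(o) for o in octets):
            raise ValueError(f"invalid IP pattern: {pattern!r}")
        patterns.append(tuple(octets))
    return patterns


def is_valid_ip_list(value):
    """Boolean form of parse_ip_list, for checking a setting before saving."""
    try:
        parse_ip_list(value)
        return True
    except ValueError:
        return False


def ip_matches(ip, patterns):
    """True if the dotted-quad address matches any pattern, octet by octet."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return any(all(p in ("*", o) for p, o in zip(pat, octets))
               for pat in patterns)


def publish_allowed(ip, mode, ip_list):
    """Apply a Client Restrictions mode ("none", "allow" or "deny") to an
    address. Password authentication is a separate check that still applies
    to whatever this lets through."""
    if mode == "none":
        return True
    hit = ip_matches(ip, parse_ip_list(ip_list))
    return hit if mode == "allow" else not hit
```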

    Duplicate Stream Names

    Use this setting to prevent a second encoder from publishing a stream with the same name as an existing stream. The default setting is disabled.

    Flash Version String

    This setting is used to identify an RTMP source to the server. If not set, the following is used:
    Wirecast/|FME/|FMLE/|Wowza GoCoder*|Lavf/|UA Teradek/|KulaByte/|VidBlaster/|XSplit/|PESA
    Most commercial encoders use one of the above values in their Flash Version String so the default setting works most of the time.

    The FlashVer value from the RTMP connection is compared with this setting to see if it starts with one of the values to determine if it's a source.

    VHost-level Flash Version String


    In Wowza Streaming Engine version 4.1.1 and later, you can add a property at the virtual host (VHost) level to enable the same custom Flash Version String setting for all applications.

    1. In Wowza Streaming Engine Manager, click the Server tab at the top of the page and then click Virtual Host Setup in the contents panel.

    2. In the Virtual Host Setup page, click the Properties tab and then click Custom in the Quick Links bar.
      Note: Access to the Properties tab in Wowza Streaming Engine Manager is limited to administrators with advanced permissions. For more information, see Manage credentials.
    3. In the Custom area, click Edit.

    4. Click Add Custom Property, specify the following custom property settings in the Add Custom Property dialog box and then click Add.

      • In Path, select /Root/VHost.

      • In Name, enter securityPublishValidEncoders.

      • In Type, select String.

      • In Value, enter Wirecast/|FME/|FMLE/|Wowza GoCoder*/|[myEncoderString]. The [myEncoderString] value is optional. You can replace this value with the Flash Version String for an additional RTMP source.

    5. In the Virtual Host Setup page, click Save and then restart the Server when prompted to apply the custom property.

    Setting this custom property in the Virtual Host Setup page overwrites the default value. To define a per-application Flash Version String that will be used instead of the VHost-level value, configure the Flash Version String setting in the application's Source Security page.

    Playback Security


    From the main application configuration, you can configure options for securing playback connections to live and VOD applications.

    1. In the contents panel, click Playback Security to bring up the playback security options. The default settings don't restrict any playback connections.

    2. To change the current settings, click Edit.



    3. Each of the different security options is explained in detail below. Adjust the settings as needed and then click Save to save the changes or Cancel to return to the previous page without applying changes.

    Note: Playback security settings are ignored if the connection FlashVer matches the Flash Version String setting on the Source Security page. The connection will be identified as a source and not a player.

    Require Secure Connection

    With this setting enabled, all RTMP players must use a secure protocol (for example, RTMPS).
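    How the Flash Version String comparison described under Source Security, the note above about a matching FlashVer turning a connection into a source, and the Require Secure Connection option fit together, as an added Python model that is not Wowza's code; the function names, the option strings and the handling of the trailing '*' in 'Wowza GoCoder*' are this example's assumptions:

```python
"""Added example (not Wowza code): how the Flash Version String setting decides
whether an RTMP connection is a source or a player, and what that implies.

Wowza treats the connection as a source when its FlashVer starts with one of
the '|'-separated entries; a source is governed by Source Security only and
Playback Security is never consulted for it. Treating the trailing '*' in
'Wowza GoCoder*' as 'any suffix' is an assumption made here.
"""

# Default value quoted from the article.
DEFAULT_FLASH_VERSION_STRING = (
    "Wirecast/|FME/|FMLE/|Wowza GoCoder*|Lavf/|UA Teradek/|KulaByte/|"
    "VidBlaster/|XSplit/|PESA"
)


def is_source(flash_ver, setting=DEFAULT_FLASH_VERSION_STRING):
    """True if flash_ver starts with any entry of the setting."""
    for entry in setting.split("|"):
        prefix = entry.rstrip("*")  # assumption: trailing '*' = any suffix
        if prefix and flash_ver.startswith(prefix):
            return True
    return False


def evaluate_rtmp_connect(flash_ver, authenticated, rtmp_sources="password",
                          require_secure=False, is_secure=False,
                          setting=DEFAULT_FLASH_VERSION_STRING):
    """Return (page_applied, accepted) for an RTMP connect.

    rtmp_sources is the RTMP Sources option: "open", "password" or "blocked".
    require_secure/is_secure model Playback Security > Require Secure
    Connection and whether the client used RTMPS. Because a matching FlashVer
    skips Playback Security entirely, keeping rtmp_sources at "password" is
    what keeps such a connection from being accepted unauthenticated.
    """
    if is_source(flash_ver, setting):
        if rtmp_sources == "blocked":
            return ("source", False)
        if rtmp_sources == "password" and not authenticated:
            return ("source", False)
        return ("source", True)
    if require_secure and not is_secure:
        return ("playback", False)
    return ("playback", True)
```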



    SecureToken

    This setting specifies that a private security token must be exchanged between the application and clients. Select a SecureToken option and then either enter a string of alphanumeric characters in the Shared Secret box or click Generate SecureToken Shared Secret to create a random private shared secret. This value must be used by all connections that play streams from this application. If the token presented by a connection doesn't match or isn't set, the player connection is rejected.



    In Wowza Streaming Engine 4.1.0 and later, you can select the Protect all protocols using hash (SecureToken version 2) option to use SecureToken playback protection for all streaming protocols, using a hash algorithm to generate the security token. For backward compatibility with Flash-based players, you can instead use SecureToken playback protection for RTMP streams using the Tiny Encryption Algorithm (TEA). For complete configuration details, see How to protect streaming using SecureToken in Wowza Streaming Engine.

    Client Restrictions

    These settings enable you to control which IP addresses players will be able to connect from.

    Note: The list of IP addresses can be a comma-separated list of addresses. The wildcard (*) character can be used but it must replace a complete block of numbers and not a partial block. For example, 192.168.1.*, 10.*.*.* is valid; however, 123.2*.*.* isn't valid.
    No client restrictions



    Client connections aren't restricted by IP address. This is the default setting.

    Only allow playback from the following IP addresses



    The IP addresses listed in the box are allowed to connect. All other IP addresses will be blocked.

    Do NOT allow playback from the following IP addresses



    The IP addresses listed in the box are blocked from connecting. All other IP addresses will be allowed.

    Custom properties (advanced settings)


    This section describes the custom properties that can be used by advanced users to configure the security module. For details about how to configure custom properties, see Configure properties.

    Note: Access to the Properties tab in Wowza Streaming Engine Manager is limited to administrators with advanced permissions. For more information, see Manage credentials.

    SecureToken Target

    Use the securitySecureTokenTarget property to define which types of operations are controlled if SecureToken is enabled.

    Path              Name                       Type    Value
    Root/Application  securitySecureTokenTarget  String  play,publish,create

    If the Value is empty, the token is checked during the connect phase of the RTMP connection instead of during individual operations. The setting is a comma-separated list of operations and can have any of the following values:

      • play. All RTMP connections that try to play a stream require a valid security token.

      • publish. All RTMP connections that try to publish a stream require a valid security token.

      • create. All RTMP connections that try to create a stream require a valid security token.

    Note: This property isn't used if the connection has a valid Flash Version String.

    Custom Password File location

    Use the securityPublishPasswordFile property to define a custom location for the publish.password file that's used to authenticate RTMP-based and RTSP-based source connections to the application.

    Path              Name                         Type    Value
    Root/Application  securityPublishPasswordFile  String  ${com.wowza.wms.context.VHostConfigHome}/conf/${com.wowza.wms.context.Application}/publish.password

    The default setting for authenticating sources is to use the [install-dir]/conf/publish.password file. This file is written to by Wowza Streaming Engine Manager when you use the Server > Source Authentication page to add or edit source credentials.

    When you define a custom securityPublishPasswordFile location, the default publish.password file isn't used and you must manage your own password files for the application.

    Note: You can specify custom locations for the publish.password file using the rtmpEncoderAuthenticateFile property (for RTMP-based sources) or rtspEncoderAuthenticateFile property (for RTSP-based sources). Wowza Streaming Engine 4.1 software will first check to see if the securityPublishPasswordFile property is set. If it's not set, it will then check to see if these alternate properties are set.

    If you're running Wowza Streaming Engine 4.0 software, you must use the securityPublishPasswordFile property to authenticate RTMP-based sources and the rtspEncoderAuthenticateFile property to authenticate RTSP-based sources using publish.password in a custom location.

    If you're running Wowza Media Server software, you must use the rtmpEncoderAuthenticateFile and rtspEncoderAuthenticateFile properties to authenticate sources using publish.password in a custom location.

    For details about how to configure these alternate properties, see How to enable username/password authentication for RTMP and RTSP sources.

    Updating from Wowza Media Server software


    This section provides a list of the modules and plugins in Wowza Media Server™ software (version 3.6 and earlier) that are replaced in Wowza Streaming Engine™ software.

    Note: If you use a Wowza Media Server Application.xml file to configure an application in Wowza Streaming Engine, you should remove these modules and their properties from the Application.xml file and configure their equivalent settings in Wowza Streaming Engine Manager. Not doing so could have unexpected results.
    com.wowza.wms.security.ModuleSecureToken
    "secureTokenSharedSecret" --> Playback Security: SecureToken
    "requireSecureConnection" --> Playback Security: Options - Require Secure Connection
    "secureTokenTarget" --> Custom Property: "securitySecureTokenTarget"

    com.wowza.wms.security.ModuleRTMPAuthenticate.ModuleRTMPAuthenticate
    "rtmpEncoderAuthenticationFlashVersions" --> Source Security: Flash Version String
    "requireSecureConnection" --> Playback Security: Options - Require Secure Connection
    "secureTokenSharedSecret" --> Playback Security: SecureToken
    "usernamePasswordProviderClass" --> Custom Property: "securityPublishUsernamePasswordProviderClass"
    "rtmpEncoderAuthenticateFile" --> Custom Property: "securityPublishPasswordFile"

    com.wowza.wms.plugin.collection.module.ModuleLimitConnectionsToApplication
    com.wowza.wms.plugin.collection.modules.ModuleLimitConnectionsToApplication
    "maxApplicationConnections" --> Application: Maximum Connections

    com.wowza.wms.plugin.collection.module.ModuleOverridePlayRestrictIP
    "IpList" --> Playback Security: Client Restrictions

    com.wowza.wms.plugin.collection.module.ModuleOverridePlayBlackListIP
    "IpList" --> Playback Security: Client Restrictions

    com.wowza.wms.plugin.collection.module.ModuleOverridePublishRestrictIP
    "IpList" --> Source Security: Client Restrictions

    com.wowza.wms.plugin.collection.module.ModuleRequireSecureConnection
    com.wowza.wms.plugin.collection.modules.ModuleRequireSecureConnection
    com.wowza.wms.security.ModuleRequireSecureConnection
    Playback Security: Options - Require Secure Connection
    "AllowEncoder" --> Source Security: Flash Version String

    com.wowza.wms.plugin.collection.module.ModuleNoDuplicatePublishStreamname
    com.wowza.wms.plugin.collection.module.ModuleBlockDuplicateStreamNames
    com.wowza.wms.plugin.collection.module.ModuleOverrideReleaseStream
    Source Security: Duplicate Stream Names

    Originally Published: For Wowza Streaming Engine 4.0.0 on 02-11-2014.
    Updated: For Wowza Streaming Engine 4.5.0.02 on 10-05-2016.

    If you're having problems or want to discuss this article, post in our forum.