Learn how to integrate Axinom Key Service with AWS MediaPackage and AWS MediaLive using SPEKE.

Axinom Key Service SPEKE and AWS Integration

It is possible to integrate Axinom Key Service with Amazon Web Services MediaLive and MediaPackage using Secure Packager and Encoder Key Exchange (SPEKE). The following article provides step-by-step guidelines for doing so.

Start

Log in to the AWS Management Console at: https://console.aws.amazon.com

API Gateway Setup

This is the main point of integration with Axinom Key Service. The API Gateway is configured to provide an endpoint that proxies key requests between various AWS media services (such as MediaPackage and MediaConvert) and Axinom Key Service. Information is exchanged according to the SPEKE specification.

For information on SPEKE, see the AWS documentation: https://docs.aws.amazon.com/speke/latest/documentation/what-is-speke.html

  1. Open the AWS API Gateway console: https://console.aws.amazon.com/apigateway

  2. Create a new API:

    1. Choose Get Started and OK (if creating the first API) or Create API (if creating a subsequent API).

    2. Set general API settings:

      • Protocol: REST.

      • API creation method: New API.

      • API name: "Axinom Key Server SPEKE".

      • Endpoint type: Regional.

        GatewayAPI General
    3. Choose Create API.

  3. Add a POST method to the API:

    1. Select Resources → Actions → Create Method.

      GatewayAPI CreateMethod
    2. Select POST from the dropdown and save the selection.

      GatewayAPI Configuration
    3. Configure the POST method:

      1. Integration type: HTTP.

      2. Use HTTP Proxy integration: yes.

      3. HTTP method: POST.

      4. Endpoint URL: https://key-server-management.axtest.net/api/Speke (this is the Axinom Key Service SPEKE endpoint).

      5. Content Handling: Passthrough.

      6. Use Default Timeout: yes.

        GatewayAPI ConfigurePost
      7. Choose Save.

  4. Add an authorization header to the POST method:

    1. Go to the POST - Method Execution pane and choose Integration Request.

      GatewayAPI IntegrationRequest
    2. Expand HTTP Headers and choose Add header.

    3. Specify the Basic HTTP authentication header using your Axinom Key Service Management API credentials:

      • Name: "Authorization".

      • Mapped from: 'Basic <credentials>', where <credentials> is the base64 encoding of your Tenant ID and Management Key GUID strings joined by a colon. The single quotes must be included.

        Example:

        If the Tenant ID is 2028718f-1edd-482a-b6b5-8067e93cfbfa and the Management Key is e0b81b34-dd82-4897-89f2-bdf32d7023f7 then the resulting "Mapped from" value should be 'Basic MjAyODcxOGYtMWVkZC00ODJhLWI2YjUtODA2N2U5M2NmYmZhOmUwYjgxYjM0LWRkODItNDg5Ny04OWYyLWJkZjMyZDcwMjNmNw=='.

        GatewayAPI AddHeaders2
    4. Save the changes.

  5. Test the API configuration:

    1. Choose TEST in the POST - Method Execution pane.

      GatewayAPI Test
    2. Paste a valid SPEKE request inside the Request Body box.

      An example of a valid SPEKE request:
      <?xml version="1.0" encoding="UTF-8"?>
      <cpix:CPIX id="Test" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke">
      	<cpix:ContentKeyList>
      		<cpix:ContentKey kid="c158dedd-2d45-43b7-a7ac-aed65511a884"/>
      	</cpix:ContentKeyList>
      	<cpix:DRMSystemList>
      		<cpix:DRMSystem kid="c158dedd-2d45-43b7-a7ac-aed65511a884" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
      			<cpix:ContentProtectionData />
      			<speke:ProtectionHeader />
      			<cpix:PSSH />
      			<cpix:URIExtXKey />
      			<speke:KeyFormat />
      			<speke:KeyFormatVersions />
      		</cpix:DRMSystem>
      	</cpix:DRMSystemList>
      </cpix:CPIX>
    3. Choose Test.

      GatewayAPI IntegrationTest
      • If the configuration is correct and a valid SPEKE request was provided, Axinom Key Service returns 200 OK with the SPEKE response in the response body.

      • If there’s an issue with authentication then Axinom Key Service returns 401 Unauthorized. In that case, re-check the authorization header.
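The following Python helpers are an added example (not Axinom's or AWS's code) covering steps 4 and 5: basic_auth_mapping() derives the quoted "Mapped from" value from a Tenant ID and Management Key, build_speke_request() produces a CPIX request of the same shape as the sample above, and check_speke_request() flags DRMSystem entries whose kid or systemId does not match what this page configures. The function names and the KNOWN_SYSTEM_IDS table are this example's own; the system IDs are the ones used in the MediaPackage section below.

```python
"""Helpers for the API Gateway SPEKE proxy steps above (added example, not Axinom's or
AWS's code): Authorization "Mapped from" value, and a minimal SPEKE (CPIX) request."""
import base64
import uuid
import xml.etree.ElementTree as ET

# DRM system IDs used on this page (lower-cased for comparison).
KNOWN_SYSTEM_IDS = {
    "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed": "Widevine",
    "9a04f079-9840-4286-ab92-e65be0885f95": "PlayReady",
    "94ce86fb-07ff-4f43-adb8-93d2fa968ca2": "FairPlay",
}
NS = {"cpix": "urn:dashif:org:cpix", "speke": "urn:aws:amazon:com:speke"}

def basic_auth_mapping(tenant_id: str, management_key: str) -> str:
    """Return the API Gateway 'Mapped from' value, quotes included: 'Basic <base64(tenant:key)>'."""
    uuid.UUID(tenant_id)       # both values must be GUIDs; raises ValueError otherwise
    uuid.UUID(management_key)
    token = base64.b64encode(f"{tenant_id}:{management_key}".encode("ascii")).decode("ascii")
    return f"'Basic {token}'"

def build_speke_request(kid: str, system_ids: list, cpix_id: str = "Test") -> bytes:
    """Build a CPIX/SPEKE key request for one content key and the given DRM systems."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    root = ET.Element(f"{{{NS['cpix']}}}CPIX", id=cpix_id)
    keys = ET.SubElement(root, f"{{{NS['cpix']}}}ContentKeyList")
    ET.SubElement(keys, f"{{{NS['cpix']}}}ContentKey", kid=kid)
    drms = ET.SubElement(root, f"{{{NS['cpix']}}}DRMSystemList")
    for system_id in system_ids:
        drm = ET.SubElement(drms, f"{{{NS['cpix']}}}DRMSystem", kid=kid, systemId=system_id)
        # Empty placeholders, as in the sample request; the key service fills them in its response.
        for tag in ("cpix:ContentProtectionData", "speke:ProtectionHeader", "cpix:PSSH",
                    "cpix:URIExtXKey", "speke:KeyFormat", "speke:KeyFormatVersions"):
            p, name = tag.split(":")
            ET.SubElement(drm, f"{{{NS[p]}}}{name}")
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def check_speke_request(data: bytes) -> list:
    """Return problems (empty list if none): DRMSystem kid without a ContentKey, or unknown systemId."""
    root = ET.fromstring(data)
    declared = {k.get("kid") for k in root.findall("cpix:ContentKeyList/cpix:ContentKey", NS)}
    problems = []
    for drm in root.findall("cpix:DRMSystemList/cpix:DRMSystem", NS):
        if drm.get("kid") not in declared:
            problems.append(f"DRMSystem kid {drm.get('kid')} has no ContentKey")
        if (drm.get("systemId") or "").lower() not in KNOWN_SYSTEM_IDS:
            problems.append(f"unknown systemId {drm.get('systemId')}")
    return problems
```

The same check can be run on the request body pasted into the console test (step 5.2) before sending it, to separate a malformed request from an authentication problem.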

  6. Deploy the API:

    1. Select Resources → Actions → Deploy API.

      GatewayAPI DeployAPI
    2. Deployment stage: [New Stage].

    3. Stage name: "TestStage".

      GatewayAPI DeployAPI2
    4. Choose Deploy.

      • If the configuration is later changed, the API should be redeployed for the update to be visible to other services.

    5. Note down the API Invoke URL. This is provided to AWS media services as the key service URL.

      GatewayAPI InvokeURL

IAM (Identity and Access Management) Setup

Before configuring MediaPackage, it is necessary to create an IAM role that allows MediaPackage to call the API Gateway.

  1. Open the AWS IAM console: https://console.aws.amazon.com/iam

  2. Create a new role:

    1. Choose Roles from the left menu.

    2. Choose Create role.

      IAM CreateRole
    3. Select AWS service entity type → MediaConvert service → MediaConvert use case (we use a modified MediaConvert role since MediaPackage doesn’t have a suitable default role).

      IAM MediaConvertTemplate
    4. Choose Next: Permissions → Next: Tags → Next: Review.

    5. Provide role information:

      1. Role name: "MediaPackageRole".

      2. Role description: "Allows MediaPackage to call API Gateway on your behalf."

        IAM CreateRole2
      3. Choose Create role.

  3. Configure the role:

    1. Select the new MediaPackageRole from the list of existing roles.

    2. Choose the Trust relationships tab.

      1. Choose Edit trust relationships.

      2. Replace "mediaconvert.amazonaws.com" in the JSON with "mediapackage.amazonaws.com".

        IAM TrustRelationships
      3. Choose Update Trust Policy.

    3. Choose the Permissions tab.

      1. Detach the AmazonS3FullAccess policy. For this demo, MediaPackage doesn’t need S3 access.

        IAM DeleteS3
  4. Note down the MediaPackageRole Role ARN. It is used in the following steps.

    IAM RoleArn
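As an added example (not AWS's or Axinom's code), the Python below performs the trust-relationship edit from step 3.2 on a policy document and checks the result: MEDIACONVERT_TRUST_POLICY is a constructed policy of the shape the console generates for a MediaConvert service role, rewrite_trust_policy() swaps in the MediaPackage principal, and trust_policy_problems() reports anything that would let another principal or another action assume the role. The function names are this example's own.

```python
"""Trust policy helper for the MediaPackageRole step above (added example, not AWS's or
Axinom's code): swap the MediaConvert principal for MediaPackage and verify least privilege."""
import json
MEDIAPACKAGE_PRINCIPAL = "mediapackage.amazonaws.com"
MEDIACONVERT_PRINCIPAL = "mediaconvert.amazonaws.com"
# Constructed trust policy of the shape the IAM console generates for a MediaConvert service role.
MEDIACONVERT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": MEDIACONVERT_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
})

def _as_list(value):
    """IAM allows a string or a list for Principal.Service and Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def rewrite_trust_policy(policy_json: str) -> str:
    """Return the policy with every mediaconvert service principal replaced by mediapackage."""
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "Service" in principal:
            services = [MEDIAPACKAGE_PRINCIPAL if s == MEDIACONVERT_PRINCIPAL else s
                        for s in _as_list(principal["Service"])]
            principal["Service"] = services[0] if len(services) == 1 else services
    return json.dumps(policy, indent=2)

def trust_policy_problems(policy_json: str) -> list:
    """List deviations from least privilege: only MediaPackage, only via sts:AssumeRole."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            problems.append("wildcard principal")  # any AWS identity could assume the role
        if isinstance(principal, dict) and set(principal) - {"Service"}:
            problems.append("non-service principal present")  # e.g. an AWS account or user
        services = principal.get("Service") if isinstance(principal, dict) else None
        for s in _as_list(services):
            if s != MEDIAPACKAGE_PRINCIPAL:
                problems.append(f"unexpected service principal {s}")
        for a in _as_list(stmt.get("Action")):
            if a != "sts:AssumeRole":
                problems.append(f"unexpected action {a}")
    return problems
```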

MediaPackage Setup

MediaPackage takes a live stream sent by the MediaLive service (configured in the next section) and then packages it as DASH and CMAF content while obtaining keys from Axinom Key Service via the previously configured API Gateway proxy service.

Encrypted DASH content is created for playback with Widevine and PlayReady DRM; encrypted CMAF (HLS + fMP4) for playback with FairPlay. Clear versions of both types of content are also created.

  1. Open the AWS MediaPackage console: https://console.aws.amazon.com/mediapackage

  2. Create a new channel:

    1. Choose Next step in the Create a new channel pane.

    2. Configure the channel:

      • ID: "MediaPackage-Channel01"

      • Input type: Apple HLS

      • Choose Create. A channel with two inputs is created.

        MediaPackage Inputs
        Note: Note down the URL, username and password of both inputs. They are used later when configuring MediaLive.
  3. Add an endpoint for clear DASH content:

    1. Choose Add endpoints.

      MediaPackage AddEndpoints
    2. Configure the endpoint:

      • ID: "DASH-Clear".

      • Manifest Name: "Manifest".

      • Packager settings → Type: select DASH-ISO.

      • Package encryption → select No encryption.

        MediaPackage ConfigureClear
    3. Choose Save.

  4. Add an endpoint for the encrypted DASH content:

    1. Choose Add/edit endpoints.

    2. Choose Add.

      MediaPackage AddEndpoint2
    3. Configure the endpoint:

      • ID: "DASH-Encrypted".

      • Manifest Name: "Manifest".

      • Packager settings → Type: select DASH-ISO.

      • Package encryption → select Encrypt content and provide the following:

        • Resource ID: "EncryptionTest" (an arbitrary value that MediaPackage uses for generating content key IDs).

        • System IDs:

          • "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" (Widevine Modular System ID)

          • "9a04f079-9840-4286-ab92-e65be0885f95" (PlayReady System ID)

        • URL: <API Gateway Invoke URL for Axinom Key Service> (the value from the API Gateway setup).

        • Role ARN: <IAM MediaPackage role ARN> (the value from the IAM setup).

          MediaPackage EncryptedEndpoint
      • Disable key rotation to simplify license token generation for testing purposes:

        • Expand Additional configuration and unselect Key rotation interval (sec).

          MediaPackage KeyRotation
    4. Choose Save.

  5. Add an endpoint for clear CMAF content:

    1. Choose Add/edit endpoints.

    2. Choose Add.

    3. Configure the endpoint:

      • ID: "CMAF-Clear".

      • Manifest Name: "Manifest".

      • Packager settings → Type: select Common Media Application Format (CMAF).

      • HLS manifest → ID: "CMAF-Clear".

      • Package encryption → select No encryption.

    4. Choose Save.

  6. Add an endpoint for the encrypted CMAF content:

    1. Choose Add/edit endpoints.

    2. Choose Add.

    3. Configure the endpoint:

      • ID: "CMAF-Encrypted".

      • Manifest Name: "Manifest".

      • Packager settings → Type: select Common Media Application Format (CMAF).

      • HLS manifest → ID: "CMAF-Encrypted".

      • Package encryption → select Encrypt content and provide the following:

        • Resource ID: "EncryptionTest" (an arbitrary value that MediaPackage uses for generating content key IDs).

        • System IDs: "94CE86FB-07FF-4F43-ADB8-93D2FA968CA2" (FairPlay System ID).

        • URL: <API Gateway Invoke URL for Axinom Key Service> (the value from the API Gateway setup).

        • Role ARN: <IAM MediaPackage role ARN> (the value from the IAM setup).

      • Disable key rotation to simplify license token generation for testing purposes:

        • Expand Additional configuration and unselect Key rotation interval (sec).

    4. Choose Save.

  7. Note down the endpoint URLs. These are used when testing playback.