Mosaic products documentation: Concepts, API Reference, Technical articles, How-to, Downloads and tools

Sharing FPS dataset with Axinom

Why you need to share the FPS dataset with the Axinom

For Widevine (WV) and PlayReady (PR) DRM systems, the necessary components are typically integrated into the software development kits (SDKs) provided by Google and Microsoft, respectively. As a result, in standard scenarios, we can utilize a single set of credentials for production purposes, and customers are not required to furnish us with their own credentials.

In the case of FairPlay, these credentials are exclusively distributed to "licensed content owners." Since Axinom specializes in DRM services and not content ownership, we are unable to obtain a universal or "generic" set of credentials that could be shared among all customers. This is because the credentials in the FairPlay system are customer-specific and not something we can access or provide on their behalf.

Therefore each customer needs to request a set of Fairplay credentials and each customer will receive a distinct set of credentials from Apple, and as a service provider like Axinom, we do not have access to these credentials. Therefore, the customer needs share the FPS package with the Axinom in order to verify the licenses signed with the customer-specific Fairplay certificates they received.

How you can share the FPS dataset

To share your FPS data with Axinom, you have two options: you can either use the FairPlay Data Set Upload Tool or utilize the Management API.

Using the FairPlay Data Set Upload Tool

In the My Mosaic - DRM section Axinom provides the possibility to upload a FairPlay Data Set to any environment.

Under My Mosaic / DRM:

  1. If you have multiple environments, select the one for which you want to upload a FairPlay Data Set

  2. Under the License Service config of the selected environment, there is a row "FairPlay Data Sets".

  3. When you click the Reveal button, you are asked to enter the Management Key. You have to enter your License Service Management Key to authorize this action.

  4. After that, you can see the uploaded certificate or use an Add button to add your FairPlay Data Set.

  5. Next, you see the window where to upload the PK, ASK, and AC.

    fair play data set upload
    Figure 1. FairPlay Data Set Upload
    1. In the Upload Application Certificate (AC) section, you need to upload the FairPlay Security Certificate.

    2. In the Upload FPS Application Certificate Private Key (PK) section, you need to upload the private clear key file.

    3. In the Insert Application Secret Key (ASK), you need to provide the ASK value as a text value.

  6. Once you submit the certificate, you can easily use the certificate with your content. Also, the certificates get uploaded to our host. Then you can find the FairPlay Streaming Certificate URL for the certificate under the License Service config. If you have a production tenant, you need to manage your certificate hosting on your side. In that case, you need to upload your FairPlay.cer into a publicly available web server with CORS support.

    fair play certificate url
    Figure 2. FairPlay Streaming Certificate URL
  7. When you click Copy to Clipboard, you get the URL with some description as seen below.

    If you registered the FairPlay certificate over the Axinom Portal and not directly over
    Axinom Licensing Service API's FairPlay data set endpoint, then you can find the
    certificate hosted for testing purposes from this URL:<some_
    values_to point_out_your_certificate>.cer
    1. From this description, you can find the FairPlay Streaming Certificate URL and use it for testing purposes.

      We recommend using this hosted URL only for testing purposes. Please manage the certificate hosting on your side if you use the certificates for production purposes.

Alternative: Using the Management API

As an alternative to the above method, Axinom provides a Management API endpoint to securely share and manage credentials.

Before submitting the PK, ASK, and AC, they must be processed and converted into a certain format. Example commands to do this are given below. The examples use OpenSSL and xxd (for Linux/Mac) or PowerShell (for Windows), but any tools with similar capabilities may be used.

  1. Remove Passphrase from Private Key

    If the PK is passphrase-protected, the passphrase must be removed before sharing it with Axinom.The passphrase can be removed with the following OpenSSL command (you are prompted to enter the passphrase):
    openssl rsa -in protected_privatekey.pem -out unprotected_privatekey.pem
  2. Convert FPS Data Set to base64 Strings

    The AC file data must be converted to a base64 string. The following command does this (-A is needed to stop OpenSSL from outputting new lines):

    openssl base64 -in applicationcert.cer -A

    After the PK passphrase has been removed, its file data must be converted to a base64 string. Use the following command for this:

    openssl base64 unprotected_privatekey.pem -A

    The ASK hex string must first be converted to the byte array it represents. Then, this must be converted to a base64 string. In the following example commands, you must replace the string of zeros with your 32-character ASK hex string (do not include 0x at the start).

    On Linux/Mac:

    echo "00000000000000000000000000000000" | xxd -r -p | openssl base64

    On Windows, from a PowerShell terminal:

    [Convert]::ToBase64String([byte[]] -split ("00000000000000000000000000000000" -replace '..', '0x$& '))
  3. Send the FPS Data Set as base64 Strings to Axinom

    The data must be sent to Axinom DRM License Service Management API’s /api/FairPlayDataSets endpoint using an HTTP POST request with the application/json content type.

    HTTP Basic Authentication should be used, with your tenant ID as the username and your management key as the password. More authentication information can be found at this link: License Service Management API.

    The request body should be JSON in the following form:

        "Name": "<FairPlay data set name>",
        "ApplicationCertificate": "<AC file bytes as base64>",
        "PrivateKey": "<PK bytes as base64>",
        "ApplicationSecretKey": "<ASK bytes as base64>"