The Axinom Mosaic platform allows you to protect your video content by encoding it with the Encoding Service and applying DRM to it. Learn how to configure the encoding settings in the management system.

Set up Encoding Profiles

Axinom Encoding encodes videos, while Axinom DRM protects them. You can do this by using the Encoding API directly or through a GUI. This documentation describes how to configure the encoding settings in the Management System.

All Encoding Service settings are available in the Management System under Settings:

Figure 1. Encoding Settings
Caution
For security reasons, all secrets should be encrypted using the credentials protection approach. Secret values are encrypted with the Encoding API’s public key. This way, your secrets can only be decrypted by the video decoder process, and by nobody else, including the Management System itself. See Credentials Protection Tool.

Acquisition and Publishing Profiles

Acquisition and Publishing Profiles define, respectively, the Input Storage and the Output Storage for the Encoder. Input Storage is where the source video files are taken from (section "Content Acquisition" in a job request). Output Storage is where the processed video files are stored (section "Content Publishing" in a job request).

Caution
For security reasons, the acquisition profile and the publishing profile should use different storages. In development environments it is ok to share the same storage account and differentiate by container or by a sub-folder, but for production it is advisable to use separate storage accounts with different credentials.
Warning
Encoding Service supports many different Storage Providers, including Azure Blob Storage, Amazon S3, FTPS. Profiles configured in the GUI currently support Azure Blob Storage and AWS S3. Support for FTP will be added later. Also, as of today, only a single acquisition profile and a single publishing profile are supported. This will be extended later.
Tip
We recommend creating your storage using Mosaic Hosting Service. Alternatively, you can create storage using Microsoft Azure or AWS.

Both the acquisition profile and the publishing profile define the following properties.

Table 1. Properties common for every storage provider

| Property | Description |
| --- | --- |
| Title | A human-readable profile identifier |
| Storage Provider | The storage provider type |

Table 2. Azure Storage specific properties

| Property | Description |
| --- | --- |
| Storage Account Name | The username/account name |
| Storage Account Key | The corresponding password/access key for the storage account above. It is a secret and must be encrypted, see credentials protection |
| Container Name | Which storage container to use. A Storage Account can have multiple Containers used for different purposes |

Table 3. AWS specific properties

| Property | Description |
| --- | --- |
| Access Key Id | Access Key Id |
| Access Key | The corresponding password/access key. It is a secret and must be encrypted, see credentials protection |
| Bucket name | Which bucket to use. Multiple buckets can be accessible with the same access key for different purposes |
| Region | AWS Region to use for data storage. We recommend using eu-west-1, as the encoding service also runs in this region |

Acquisition Profile

Acquisition Profile defines an Input Storage. The Encoding Service assumes that, for every video, all input files are placed in the same folder. All video folders should be nested under a root folder inside the specified container.

Table 4. Additional properties of an Acquisition Profile common for every storage provider

| Property | Description |
| --- | --- |
| Root Path | An optional value that defines a sub-folder from which the videos should be downloaded. If no value is specified, the videos are acquired from the root of the storage container/bucket. If a value is specified, it must be a single folder name or a path, e.g. folderName/anotherFolder. In this case, the videos are acquired relative to this folder. |

Two different security boundaries are involved here:

  • The encoder side: the video encoder process runs in a secure processing environment without any outside process reaching into it. This process needs read permissions to access the Input Storage (in Azure: READ, in AWS: HeadBucket, ListObjects, GetObject).

  • The management side: The Mosaic GUI can show a list of all the videos that are available in the source storage location. This service, strictly speaking, only needs permissions to list sub-folders in the root folder. In Azure it can be achieved with a SAS-token with LIST permissions. In AWS this level of granularity is unfortunately not reachable (see below).

Table 5. Additional properties of an Acquisition Profile in Azure

| Property | Description |
| --- | --- |
| SAS Token | This is an Azure Storage SAS Token used by the Management System GUI to list the folders in the input storage. It must not be encrypted with Credentials Protection and it is not passed to the encoder. The token shall have LIST permissions. It is advisable not to grant it any other permissions, such as READ, in order to reduce the exposure of non-protected video content. |
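
A check for the LIST-only recommendation above, as an added example that is not part of the Axinom documentation or tooling: it parses the standard SAS query fields (sp, se, spr, si) and reports anything beyond folder listing. The sample tokens are constructed, and the 90-day lifetime limit is an assumed local policy.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Letters that can appear in the `sp` (signed permissions) field of a SAS token.
SAS_PERMISSIONS = {"r": "read", "a": "add", "c": "create",
                   "w": "write", "d": "delete", "l": "list"}
MAX_LIFETIME = timedelta(days=90)  # assumed local policy, not an Axinom requirement

# Constructed sample tokens; the signatures are placeholders.
LIST_ONLY = "sv=2022-11-02&sr=c&sp=l&se=2025-03-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
OVERBROAD = "?sv=2022-11-02&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"


def audit_listing_sas(token, now):
    """Return findings for a SAS token that should only allow folder listing."""
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    if "si" in fields and "sp" not in fields:
        # Permissions live in a stored access policy on the container instead.
        return [f"permissions come from stored access policy '{fields['si']}'"]
    findings = []
    perms = fields.get("sp", "")
    if "l" not in perms:
        findings.append("missing LIST permission: the GUI cannot list folders")
    for letter in sorted(set(perms) - {"l"}):
        name = SAS_PERMISSIONS.get(letter, "other")
        findings.append(f"extra permission '{letter}' ({name})")
    # Without spr=https the token is also accepted over plain HTTP.
    if fields.get("spr", "https,http") != "https":
        findings.append("token is not restricted to HTTPS")
    expiry = fields.get("se")
    if expiry is None:
        findings.append("token has no expiry (se)")
    else:
        ends = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if ends.tzinfo is None:  # date-only expiry values are UTC
            ends = ends.replace(tzinfo=timezone.utc)
        if ends <= now:
            findings.append("token has expired")
        elif ends - now > MAX_LIFETIME:
            findings.append("token lifetime exceeds local policy")
    return findings


if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed for a repeatable run
    for label, token in (("list-only", LIST_ONLY), ("over-broad", OVERBROAD)):
        print(label, audit_listing_sas(token, now))
```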

Figure 2. Acquisition Profile / Azure
Table 6. Additional properties of an Acquisition Profile in AWS

| Property | Description |
| --- | --- |
| Management Access Key | This is the same as the "Access Key" above, just in an unencrypted form. Unlike the Access Key, the Management Access Key is used by Mosaic Management System to access the list of sub-folders under the root. We are working on a solution to avoid duplication of credentials and better credentials protection. |
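
Since the Management Access Key is the same key the encoder uses, the key's IAM policy is where its reach is limited. The following added example (not Axinom code) checks a policy document against the read permissions named earlier for the encoder; the bucket name and both policies are constructed, and Deny statements and conditions are not evaluated.

```python
import fnmatch

# IAM actions behind the S3 operations the encoder needs: HeadBucket and
# ListObjects are authorised by s3:ListBucket, GetObject by s3:GetObject.
NEEDED = ("s3:GetObject", "s3:ListBucket")
# A few actions that would let the shared key change or remove source videos.
MUTATING = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")

# Constructed policies for a hypothetical input bucket "example-input".
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-input"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-input/*"}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:Get*", "s3:Put*"], "Resource": "*"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_acquisition_policy(policy, bucket):
    """Return findings for an identity policy; Deny statements are not modelled."""
    arn, findings, granted = f"arn:aws:s3:::{bucket}", [], set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in NEEDED if _matches(a, pattern))
            findings += [f"allows {a} via '{pattern}'"
                         for a in MUTATING if _matches(a, pattern)]
        for res in _as_list(stmt.get("Resource", [])):
            if res != arn and not res.startswith(arn + "/"):
                findings.append(f"resource '{res}' reaches beyond {bucket}")
    findings += [f"missing {a}" for a in NEEDED if a not in granted]
    return findings


if __name__ == "__main__":
    for label, policy in (("read-only", READ_ONLY), ("too-broad", TOO_BROAD)):
        print(label, audit_acquisition_policy(policy, "example-input"))
```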

Figure 3. Acquisition Profile / AWS
Note
Once the GUI is extended with the capability to upload videos directly, it will additionally need a WRITE permission. For security reasons, those should not be valuable videos but rather trailers or other short video clips.

Publishing Profile

Publishing Profile defines an Output Storage. For every processed video, the Encoding Service will create a folder in the root of the Output Storage.

Note
The folder name is generated randomly; it will not be the same as the input folder name. You can find the folder name in the job details.
Figure 4. Publishing Profile / Azure

Processing Profile

A processing profile defines how the desired video, audio, subtitle, and closed caption tracks can be found. You can define more than one processing profile to allow different use cases. One of the available profiles must be selected before the video encoding process can start encoding a new video. After clicking the Processing tile, you see a list of all configured profiles in the profiles explorer. After selecting a profile, you can manage its settings.

Figure 5. Processing Profile

The default profile is filled out with a set of reasonable values that you can adjust to your needs. A description of all the properties can be found in the content processing and media mapping documentation. You can find a short summary in the table below. There is also a mapping to the sections and properties of a job request (see Encoding API).

| Field | Job Request Mapping | Description |
| --- | --- | --- |
| Title | | A human-readable profile identifier. This can also be used as a profile identifier for customizable software integrations (e.g. during an ingest process of a customizable service). |
| Video Stream Expression | MediaMappings.VideoStreamExpression | A regular expression for finding the file that contains the main video stream. The expression can be verified by clicking a button next to the input field; the inline menu that opens lets you open a new browser tab where the regex can be tested. |
| Audio File Language Expression | MediaMappings.AudioFileLanguageExpression | A regular expression for finding the files that contain the audio tracks. Expression validation is also available. |
| Subtitle File Language Expression | MediaMappings.SubtitleFileLanguageExpression | A regular expression for finding the files that contain the subtitle tracks and their language mapping. Expression validation is also available. |
| Closed Captions File Language Expression | MediaMappings.CaptionFileLanguageExpression | A regular expression for finding the files that contain the closed caption tracks and their language mapping. Expression validation is also available. |
| Output Format | ContentProcessing.OutputFormat | The output format of the encoded video, which can be one of the following: DASH (creates a DASH video that can use the Widevine and PlayReady DRM technologies); HLS (creates an HLS video that can use the FairPlay DRM technology); CMAF (creates a CMAF video that can use the FairPlay, Widevine, and PlayReady DRM technologies); DASH & HLS (produces two videos: one HLS and one DASH video); Dash-on-Demand (a special version of the DASH output using the so-called "On-Demand Profile") |
| DRM Protection | ContentProcessing.DrmProtection | Choose whether the video should be DRM-protected (single key or multiple keys) or not. Before DRM protection can be used, DRM Settings have to be set |
| Tar Mode | ContentProcessing.Archiving | Select a tar mode, also known as Archiving approach. |

Note
If you want to use more fine-grained control over the jobs, use the Encoding API directly.

DRM Settings

If you want to protect your videos with DRM, you need DRM credentials for your environment. (If you don’t plan to protect videos with DRM, you don’t have to fill out this section.) If you have not done so yet, go to My Mosaic, select DRM on the left side, and choose Acquire Credentials. All the data you need below will be provided under the "Key Service" section.

Caution
Don’t lose the management keys; they can’t be restored (but you can request their reset by raising a support request).

DRM settings for the Encoding Service include the access data for the Axinom DRM Key Service. Encoding Service will then acquire the necessary encryption keys from the Key Service. For details see DRM integration.

Figure 6. DRM Settings

You can find a short summary in the table below:

| Field | Description |
| --- | --- |
| Management API URL | URL of the Key Service Management API, e.g. https://key-server-management.axprod.net/api |
| Tenant ID | Your Key Service tenant ID, UUID |
| Management Key | Your Key Service management key, must be encrypted, see credentials protection |
| Key Seed ID | The ID of the Key Seed from which the keys will be derived. Usually, you have only one Key Seed created automatically during DRM setup. But you can create more Key Seeds and decide which to use. Must be encrypted, see credentials protection. |