The Axinom Mosaic platform allows you to protect your video content by encoding them with the Encoding Service and applying DRM to them. Learn how to configure the encoding settings in the management system.

Setting Up Encoding Profiles

The Axinom Encoding Service allows to encode videos while DRM protects them. This can be done by utilizing the encoding API directly or by using the Mosaic Encoding workflows. This documentation describes the process to configure the encoding settings in the Management System.

To be able to use the Encoding Service, you must create a new Axinom Encoding Service account here, in Portal. If you want to protect your videos with DRM, you need to sign up for the DRM service from the Portal as well. Please store the acquired credentials in a secure location. You cannot retrieve them again once they have been created (a reset is possible).

To configure all the encoding settings in the Management System, you have to open your Management System UI in a web browser. From the home screen, navigate to Settings and find this section:

settings hub
Figure 1. Video encoding under Settings
Note
For security reasons, all the secrets (besides the Encoding Service Tenant Key) must be encrypted using the credentials protection approach. Secret values are encrypted by the Encoding Service’s public key certificate. This way, your secrets can only be decrypted by the video decoder process - but not by anybody else. The Mosaic CLI offers a command that encrypts your secret values, so you can add them to the Mosaic Video Encoding configuration.

Encoding Service Settings

This section allows you to configure the Axinom Encoding Service settings.

settings profile
Figure 2. Example Encoding Service Settings

You received all the required values when you signed up for the Axinom Encoding Service.

  • The API URL - the URL to the encoder API in the desired region. This API is used to start a new encoding job.

  • Tenant Key - the secret key used to authorize the encoding job. This value must not be protected with credentials protection.

DRM Settings

If you want to use DRM protection, you can configure the access details here.

drm profile
Figure 3. Example DRM Settings

You received all the required values when you signed up for the Axinom DRM Service.

The DRM settings are only required if the encoded videos should be DRM-protected. When DRM protection is enabled, the encoder gets one/multiple DRM Content Keys from the Axinom DRM Key Service to protect the video and audio streams. Further information on the Axinom DRM integration can be found in the DRM integration and DRM Key Service Management API documentation.

Acquisition Profile

This profile defines the settings of how the Axinom Encoder can acquire the source video files in the content acquisition processing step.

Two different security boundaries are involved here:

  • The encoder side: the video encoder process runs in a secure processing environment without any outside process reaching into it. This process needs READ permissions to access the source video files.

  • The management side: The Mosaic UI can show a list of all the videos that are available in the source storage location. This service must not receive the read permissions but only LIST permissions. This way, it cannot access the valuable video source files. In addition to the LIST permissions, you may also give it WRITE permissions. This would be required if the management side should upload videos that are going to be encoded. For security reasons, those should not be valuable videos but rather trailers or other short video clips.

acquisition profile
Figure 4. Example Acquisition Profile

The table below describes the properties in the acquisition profile.

Setting Description

Title

A human-readable profile identifier.

Storage Provider

The storage provider type. Currently, we support Azure Storage Account (Azure). More options will become available in the future.

Storage Account Name

The username/account name

Storage Account Key (Protected)

The corresponding password/access key for the account name above. Must be encrypted with credentials protection.

Container Name

A storage Container name. This is the storage location from which video files are taken. Each video should have all its files located in its own (virtual) folder within this container.

SAS Token

This is an Azure Storage SAS Token which is not encrypted with Credentials Protection. This token is used to access the storage during management operations, but not for encoding.

Root Path

An optional value that is used to define some sub-folder from which the videos should be downloaded. If no value is specified, the videos are acquired from the root of storage container. If a value is specified, it must be a single folder name or a path, e.g folderName/anotherFolder. In this case, the videos are acquired relatively to this folder.

Azure Storage Credentials

To retrieve the values for the above settings, go to the Azure Portal and your Storage Account. Navigate to Security + networkingAccess keys, click Show keys, and get a connection string, similar to one below:

DefaultEndpointsProtocol=https;AccountName=examplestoragename;AccountKey=pCFqwDE0AwVa3LS4Fg3ypAqHbCFTidv6kbtDbDfGWb2wwRaL7F7kccze3OAVAHLSZn+QwId5SaCMy1vUPWlBIQ==;EndpointSuffix=core.windows.net.

The important values are listed in the table below.

Value Description

AccountName (examplestoragename)

Goes into the Storage Account Name field.

AccountKey (<account_key>)

Needs to be credentials-protected with the Mosaic CLI. The resulting value would go to the Storage Account Key (Protected) field.

Note
For security reasons, the acquisition profile storage and the publishing profile should be different storages. Technically, both could also point to the same storage location but this should only be used for development or testing.

SAS Token Creation

The SAS Token that allows to list and upload (but not read/download) files must be generated with specific permissions. The management token is responsible for two operations:

  • Listing folders

  • Uploading a file to the storage

To allow these operations, navigate to your Storage account in the Azure Portal. From there, go to Security + networking and Shared access signature. The following permissions must be set:

  • Allowed services - Blob

  • Allowed resource types - Container and Object

  • Allowed permissions - Write and List

  • The End date has to be at some point in the future

sas token
Figure 5. SAS token setup example

Processing Profile

A processing profile defines how the desired video, audio, subtitle, and closed caption tracks can be found. You can define more than one processing profile to allow different use cases. One of the available profiles must be selected before the video encoding process can start encoding a new video. After clicking the Processing tile, the user sees a list of all configured profiles in the profiles explorer like below:

processing profiles explorer
Figure 6. Preview of the Processing Profiles explorer station

After selecting a profile, you can manage its settings.

processing profile
Figure 7. Preview of a completed Processing Profile

The default profile is filled out with a set of reasonable values that you can adjust to your needs. A description of all the properties can be found in the content processing and media mapping documentation. You can find a short summary from the table below.

Field Description

Title

A human-readable profile identifier. This can also be used as a profile identifier for customizable software integrations (e.g. during an ingest process of a customizable service).

Video Stream Expression

A regular expression for finding the file that contains the main video stream. Provided expression can be checked/verified by clicking a button next to the input field - the opened inline menu enables opening a new browser tab where regex can be tested.

Audio File Language Expression

A regular expression for finding the files that contain the audio tracks. Expression validation opportunity is also provided.

Subtitle File Language Expression

A regular expression for finding the files that contain the subtitle tracks and their language mapping. Expression validation opportunity is also provided.

Closed Captions File Language Expression

A regular expression for finding the files that contain the closed caption tracks and their language mapping. Expression validation opportunity is also provided.

Output Format

This field defines the output format of the encoded video, which could be one of the following:

  • DASH - creates a DASH video that allows to use the Widevine and PlayReady DRM technologies.

  • HLS - creates a HLS video that allows to use the FairPlay DRM technology.

  • CMAF - creates a CMAF video that allows to use the FairPlay, Widevine, and PlayReady DRM technologies.

  • DASH & HLS - produces two videos: one HLS and one DASH video.

  • Dash on Demand - a special version of the DASH output using the so-called "On-Demand profile".

DRM Protection

Choose whether the video should not be DRM-protected, use a single key to protect the video, or use the Multiple Keys to protect the video.

Tar Mode

Select a tar mode, also known as Archiving approach.

Delete after Processing

This option tells the Encoding job to remove the source content from the acquisition location, once the processing is completed.

Publishing Profile

publishing profile
Figure 8. Preview of a completed Publishing profile

This profile defines the content publishing settings, where the encoder can store the encoded video files. It is defined very similarly to the Acquisition profile, so the descriptions about how to get the credentials apply here as well. They are also listed in the table below.

Field Description

Title

A human-readable profile identifier.

Storage Provider

The storage provider type. Currently, we support Azure Storage Account (Azure). More options will become available in the future.

Storage Account Name

The username/account name

Storage Account Key (Protected)

The corresponding password/access key for the account name above. Must be encrypted with credentials protection.

Container Name

A storage Container name. This is the storage location where the encoded video files are stored at. Each video will have all its files located in its own (virtual) folder within this container.

Check the section Azure Storage Credentials to learn how to get the details for Azure Blob Storage credentials.

For security reasons, the acquisition profile storage and the publishing profile should be different storages. Technically, they both could also point to the same storage location but this should only be used for development or testing.