Key Server Integration
1. Introduction
This guideline provides the essential information to integrate an OTT encoder with the SSP Key Server, and retrieve content encryption keys and DRM signaling data for OTT content.
It also provides information about how to test playback of the encrypted content in order to verify the integration.
The integrator must have the following equipment:
- OTT encoder/packager 
- Origin server 
2. Integration overview
2.1. System architecture
The following diagram shows the integration points with the NAGRA SSP platform to enable an OTT video service with DRM-protected content:
- The OTT encoder/packager retrieves content keys and DRM signaling from the SSP Key Server. 
- A client application retrieves a DRM license to play out the DRM-protected content. 
- The operator accesses OTT dashboards showing metrics about content keys and DRM license delivery. 


This integration guide covers the different APIs supported by the SSP Key Server to deliver content keys and DRM signaling.
It also provides reference HTML video players that can be used to validate that the generated encrypted content can be played out using the respective DRM license service provided by SSP.
2.2. Supported streaming protocols and DRMs
The table below gives a high-level overview of compatibility between streaming protocols, DRM, and devices.
| Streaming mode | DRM type | Devices | HTML5 browsers | 
|---|---|---|---|
| HLS Sample AES | FairPlay Streaming | iOS, Apple TV, MacOS | Safari | 
| HLS AES-128 | PRM Widevine (note 1) | STB | |
| DASH CENC | Widevine PlayReady PRM | Android, Chromecast, Windows, MacOS Android, Chromecast, Windows STB, OpenTV Player | Chrome, Firefox, Opera, Edge IE11, Edge | 
| HLS / DASH CBCS | FairPlay Streaming PlayReady PRM Widevine | All devices supporting CMAF content | Safari, Chrome, Firefox | 
Note 1: Google no longer recommends or advices usage of legacy Widevine HLS v1 (mpeg-2 ts based).
2.3. Key Server interfaces
The following table lists the interfaces supported by the NAGRA Key Server, including the supported use cases, DRMs, and client authentication mode. (All interfaces rely on HTTPS for server authentication.)
| Key Server interface | Use cases | Key rotation | DRMs | Packager authentication mode | Link to Key Server API spec | 
|---|---|---|---|---|---|
| NAGRA Encoder KSS | VOD Live | Supported | All | SSP AuthN token for client authentication* | |
| Harmonic KMS | VOD Live | Supported | All | SSP AuthN token for client authentication* | |
| Conax Key Server | VOD Live | Not Supported | All | HTTP Basic Authentication | |
| AWS Elemental SPEKE | VOD Live | Supported | All | AWS IAM based authentication | |
| DASH-IF CPIX | VOD Live | Supported | All | SSP AuthN token for client authentication* | |
| Google Common Encryption | VOD Live | Not supported | PR WV | Pre-shared keys | 
| Key Server interface | Use cases | Key rotation | DRMs | Packager authentication mode | Link to Key Server API spec | 
|---|---|---|---|---|---|
| NAGRA Encoder KSS | VOD Live | Supported | All | SSP AuthN token for client authentication* | |
| AWS Elemental SPEKE | VOD Live | Supported | All | AWS IAM based authentication | |
| DASH-IF CPIX | VOD Live | Supported | All | SSP AuthN token for client authentication* | 
2.4. Packager authentication
2.4.1. SSP AuthN token
When the OTT packager authentication is based on an SSP AuthN token, this token must be sent as an HTTP header named "nv-authorizations" with the token itself as the value.
The SSP AuthN token is a JWT token that must be signed with a credential provided by NAGRA to the partner prior to starting the integration activity.
In addition, a pre-generated AuthN token to facilitate the integration testing can be provided by NAGRA. Please contact [email protected].
Details of the SSP AuthN token can be found under this page.
3. OTT packagers pre-integrated with NAGRA SSP
The following table lists the OTT encoders/packagers that have been integrated with NAGRA SSP Key Server.
| Encoder vendor | Encoder model | Key Server interface | Use case | DRMs | Packager authentication | Others | 
|---|---|---|---|---|---|---|
| Anevia (ATEME) | NEA-DVR | NAGRA KSS | VOD Live | FPS WV PR PRM | SSP AuthN token | |
| ATEME | NEA-DVR | DASH-IF CPIX | VOD Live | FPS WV PR | SSP AuthN token | |
| ATEME | NEA Live | DASH-IF CPIX | Live | FPS WV PR | SSP AuthN token | |
| ATEME | TITAN Live | DASH-IF CPIX | Live | FPS WV PR | SSP AuthN token | |
| ATEME | TITAN File | DASH-IF CPIX | VOD | FPS WV PR | SSP AuthN token | |
| AWS Elemental | MediaConvert | SPEKE | VOD | FPS WV | AWS IAM based AuthN | |
| AWS Elemental | MediaPackage | SPEKE | Live | FPS WV | AWS IAM based AuthN | |
| Bento4 | DASH-IF CPIX | VOD | FPS WV | SSP AuthN token | Customer implementation | |
| Broadpeak | BKS350 | NAGRA KSS | VOD Live | FPS WV PR PRM | SSP AuthN token | |
| Broadpeak | BKS350 | DASH-IF CPIX | VOD | FPS WV | SSP AuthN token | |
| Elemental | Delta | NAGRA KSS | VOD Live | WV | SSP AuthN token | Authentication using proxy | 
| Harmonic | PMXO 2.2 | Harmonic KMS | VOD Live | FPS WV PR | SSP AuthN token | Authentication using proxy | 
| Harmonic | VOS | Harmonic KMS | Live | FPS WV PR | SSP AuthN token | |
| Harmonic | VOS 360 | Harmonic KMS | Live | FPS WV PR | SSP AuthN token | |
| Harmonic | VOS 360 | DASH-IF CPIX | VOD Live | FPS WV PR | SSP AuthN token | CMAF supported | 
| MediaKind | MKP | NAGRA KSS | VOD Live | FPS WV PR | SSP AuthN token | Authentication using proxy | 
| MediaKind | VSPP | NAGRA KSS | VOD Live | FPS WV PR | SSP AuthN token | |
| MediaKind | Aquila | DASH-IF CPIX | VOD Live | FPS WV PR | SSP AuthN token | CMAF supported | 
| Shaka Packager | ||||||
| Vecima (Concurrent) | Vecima Origin | NAGRA KSS | VOD Live | FPS WV PR PRM | SSP AuthN token | |
| Velocix (Nokia) | VXOA | NAGRA KSS | VOD | FPS WV PR | SSP AuthN token | |
| Velocix | DASH-IF CPIX | VOD Live | FPS WV PR | SSP AuthN token | 
4. Integration platform details
4.1. Key Server URLs
| Key Server interface | Key Server endpoint URL | Link to sample requests & responses | 
|---|---|---|
| NAGRA Encoder KSS | https://<TenantId>-op.anycast.nagra.com/<TenantId>/cks-ws-keyAndSignalization/key | Sample requests and responses can be found here. | 
| NAGRA Encoder KSS with CMAF | https://<TenantId>-op.anycast.nagra.com/<TenantId>/cks-ws-keyAndSignalization/cmaf | Sample requests and responses can be found here. | 
| Harmonic KMS | https://<TenantId>-op.anycast.nagra.com/<TenantId>/cks-ws-ikey/key | Sample requests and responses can be found here. | 
| DASH-IF CPIX | https://<TenantId>-op.anycast.nagra.com/<TenantId>/nks/v1/cpix | Sample requests and responses can be found here. | 
| Conax Key Server | https://<TenantId>-op.anycast.nagra.com/<TenantId>/nks/conax | Sample requests and responses can be found here. | 
| Key Server interface | Key Server endpoint URL | Link to sample requests & responses | 
|---|---|---|
| NAGRAEncoder KSS | https://<TenantId>-op.anycast.nagra.com/<TenantId>/cks-ws-keyAndSignalization/key | Sample requests and responses can be found here. | 
Replace <TenantId>with your tenant identifier.
4.2. License Server URLs
| SSP Platform License Server URLs | |
|---|---|
| Widevine | https://<TenantId>.anycast.nagra.com/<TenantId>/wvls/contentlicenseservice/v1/licenses | 
| FairPlay | https://<TenantId>.anycast.nagra.com/<TenantId>/fpls/contentlicenseservice/v1/licenses | 
| PlayReady | https://<TenantId>.anycast.nagra.com/<TenantId>/prls/contentlicenseservice/v1/licenses | 
| Nagra PRM | https://<TenantId>.anycast.nagra.com/<TenantId>/prmls/contentlicenseservice/v1/licenses | 
Replace <TenantId>with your tenant identifier.
4.3. Test the content
NAGRA provides Dash.js- and Shaka-based reference HTML players for content playback.
Please refer to License Server integration guide.
