Setting up PlayReady encryption using Azure Media Explorer Tool

This blog shows you step-by-step, how you could set up PlayReady encryption using Azure Media Explorer Tool. This workflow assumes that you want to dynamically encrypt your multiple-bitrates file with PlayReady, and stream through Azure as well. If you are looking for a standalone PlayReady service to work with your on-premises encryptor or streaming server, please refer to my the other blog.

1. You could download Azure Media Explorer here. The source code is also hosted in this Github repository and it’s open source.

2. Open Azure Media Explorer, Enter account name and password to get connected to your media account. Account name and password can be found in Azure portal.

3. You can upload file by clicking on Asset tab and select one of the upload methods provided there. Watch folder is one of my favorites that you can set up a folder to be monitored by this tool. Whenever you dropped a file into the folder, the upload will start automatically.

Upload box

4. After uploading, Right click on your file and choose to encode your file into a adaptive bitrates Mp4. Choosing Encode assets with Media Encoder(system preset) would be sufficient. You could choose any H.264 Adaptive stream presets.

PR_encoding5. While waiting for the encoding to be finished, please go to the streaming endpoint tab to double check you have at least 1 reserved unit enabled. We only provide dynamic encryption with at least 1 RU enabled.


6. Come back Assets tab and you need to press “Refresh all” button at the top to make sure the encoded asset show up.
7. Right Click on your asset, and choose Add dynamic encryption and key delivery policy for the asset. A window will pop up for further configuration.

As you can see from above, I have chosen Common Encryption for PlayReady. We provide standard CENC encryption for PlayReady, and if you choose envelope encryption, that would be AES encryption. For delivery policy protocols, by default all three protocols are enabled (HLS, DASH and Smooth Streaming), which means we will dynamically encrypt the stream and package into these three protocols. If you don’t choose DASH, then DASH protocol will be blocked for streaming. Key Authorization policy defines how you could want the license/key to be authorized. We provide Token authorization or open policy. If you choose token, it means that only player which provides the right token to our license server will get to retrieve the license. It is common to have 1 token authorization policy configured on the license.

7. The next step is to generate Content Key which will be used to encrypt your file. For PlayReady, we use AES 128 bits key. You  have the choice to let this tool auto-generate for you or supply a AES-128 bits key yourself. The choose by the user option below is for customers who want to use our streaming service with external PlayReady server.
PR_ContentKey8. Next step is to configure Content Key authorization policy. As I mentioned earlier, if you choose Open policy, whoever ping the license URL with the key ID will get the license. If you want to have access control here, you could choose Token Authorization. There are a few things you need to configure:

  • • Token Type: JWT (Json Web Token) or SWT (Simple Web Token). In JWT, we support asymmetric key and symmetric key, in order to generate the signature of the token. When you choose symmetric key, key can be either supplied by your or auto-generated. If you choose asymmetric key for JWT, a X.509 cert needs to be supplied for key exchange.
  • • Audience or Scope URL: what are the audiences you are expecting for your token issuer service. We require this scope to be started with “urn:” but this restriction will be removed soon.
  • • Issuer URL: the URL for your token issuer service. We require the Issuer to be a URL for now, but will remove this restriction very soon.
    • Claim: Claim is any key value pair you want to put into the token for us to verify. Let’s say you want to put “Member:Gold” as a claim. When we receive your token, we will verify the signature first, if it is valid, we will look at the claim and see whether it contains “Member:Gold” in it. All claims need to be fulfilled in order for us to issue the key. There is one known claim called “Key identifier Claim”, which means the token needs to contain the content key’s key ID. If you are using different content key for each asset, it would mean that user with Token A can only get access to the corresponding content.

9. The last step is to configure PlayReady License Template. We provide the option of Persistent License with Start and End Date, or Non-Persistent license (License will not be valid after you shut down the player). In the second tab, you could configure other PlayReady License restrictions. We have listed out a few common ones. The only limitation for this tool is – if you want to define anything beyond the ones showed in UI, you need to either go to portal to import your PlayReady template, or use our SDK. This MSDN documentation will help you understand How to define PlayReady template.

  • 10. The next step is to publish the asset (Right Click on your asset and choose Publish). You need to define how long you want the streaming locator to be valid, by default, this tool gives you one day expiration but you can choose 1 year, or even 100 years.
  • 11. You could also playback your content by right click on it and choose Playback. It gives you all the players that can play. We recommend you to choose Azure Media Player, which will exam your browser/device capability and supply with the right player technology and stream. For instance, if you only this PlayReady protected stream in IE 11, this player will grab DASH stream and play with EME DASH Player.
  • One thing to pay attention is that we configured Token Authorization on the content key, therefore, you need to generate a test token so the player can get access to the license. There is a expiry time window you need to specify, which is also advised to be a short period time so as long as the player gets the license, this token will expire. This “Get Test Token” function essentially simulates what you should do when you build your token issuer service.
  • 12. Once you create test token, there will be a browser auto-pops up and links to Azure Media Player, with the streaming URL and test token filled in.
  • Please let me know if you have any questions.

Leave a Reply

Your email address will not be published. Please enter your name, email and a comment.