VCAS+for+IPTV+3.8

VCAS For IPTV

VCAS 3.8

In-depth training for the VCAS For IPTV product line

VMX-07-1101

© 2016 Verimatrix, Inc. ALL RIGHTS RESERVED

Notice: No part of this publication may be reproduced or transmitted in any form or by any means,

electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for any purpose, except as where required by law, without the express written permission of Verimatrix, Inc.

Verimatrix, Inc. reserves the right to make changes to this document at any time without notice and

assumes no responsibility for its use. Verimatrix, Inc. products and services can only be ordered under the terms and conditions of Verimatrix, Inc.'s applicable agreements. All of the features described in this

document may not be currently available. Refer to the most recent product announcement or contact Verimatrix, Inc. for information on feature and product availability.

The information contained in this document is provided AS-IS without warranty of any kind. Verimatrix reserves the right to make changes to this document and its implementation without any obligation to notify the recipient of this document. Nothing in this document shall create a warranty, either express or implied, and nothing herein shall alter the terms and conditions set forth in the applicable confidentiality and license agreement(s) for use of the Verimatrix confidential information or products.

Verimatrix and the Verimatrix logo are registered trademarks and service marks of Verimatrix, Inc. All other trademarks, service marks, company names or logos are properties of their respective owners.

Introduction

_{Course Prerequisites:}

• Successful completion of VCAS Platform course (online) incl. examination

Introduction

1) VCAS For IPTV Application Overview 2) VCAS For IPTV System Architecture 3) ViewRight Clients

4) Understanding Encryption / Decryption 5) VCAS Licensing

6) System Configuration 7) System Operations

8) VCP – VCAS Customer Profiler 9) Redundancy and Scalability 10)System Upgrade

Introduction

_{Course Objectives:}

• Understand VCAS For IPTV applications

• Understand encryption / decryption, key handling

• Design, install, configure and operate a VCAS For IPTV system

• Learn to troubleshoot a VCAS For IPTV system

• Learn how to design a redundant VCAS For IPTV system and accommodate system

growth

_{Course Pre-requisites:}

• VCAS Platform course (online)

Introduction

Lesson 1

VCAS For IPTV Application Overview

Modular System Architecture

VCAS Head-end (VCAS Single Security

Authority)

Video Head-end Delivery Networks

ViewRight and VideoMark Clients RF Broadcast Network Internet/Broadband ViewRight IPTV STB ViewRight Web Connected TV/STB ViewRight Web PC/Mac ViewRight Web iOS / Android Key & control data On-demand Content Operator Management Interface Mobile 3G/4G Linear Content Key & control data IP Path Managed IP Network 3rd_{Party Players} and DRM Environments (PlayReady and Widevine) Simulcrypt Multiplexers Scramblers Modulators ABR Encoders Encryptors VOD Servers Broadcast CSM (DVB One-way) IP CSM (IPTV and Broadcast Hybrid) Adaptive CSM + Apple FPS (HLS / DASH) PlayReady (Smooth Streaming / DASH) Entitlements DB SMS/ Middleware Entitlements Database VideoMark Payload Manager (Watermarking) ViewRight Gateway Widevine (DASH)

Red indicates the elements covered in this course

_{Which are the main applications for the VCAS For IPTV product line?}

• 1) IPTV with RTES (Real Time Encryption Server)

• 2-way IP connectivity to the client

• Linear broadcast encryption with RTES (Multicast streams) • VoD functionality

• IPTV client devices

• 2) IPTV MultiCAS with VECMG (Verimatrix ECM Generator) and mux

• 2-way IP connectivity to the client

• Linear broadcast encryption via 3rd _{party mux and VECMG (Simulcrypt)}

• VoD functionality • IPTV client devices

• 3) IP Hybrid with VECMG (Verimatrix ECM Generator) and mux

• Downstream via MPTS video (Cable TV, Satellite TV)

VCAS For IPTV Application Overview

VCAS For IPTV Application Overview

IPTV With RTES

Subscriber Mgmt / Middleware/Billing Server CSM (including EMM Spooler) IPTV Client Devices (ViewRight) OMI Services (WSE) Database RTES VEM (VPP, VRUN)

OOB EMM delivery

Multicast Video VoD assets Linear Broadcast IPTV Network

VoD server Unicast Video

_{Distinctive VCAS servers for:}

_{CSM (Content Security Manager)}

- Core services for key generation, certificate handling, EMM generation
_{OMI (Operator Management Interface)}

- Unified SOAP interface to 3rd _{parties (OMI), web services (WSE)}

_{Database (Oracle stand-alone, DataGuard, or RAC)}

_{VEM (Verimatrix Encryption Manager), optional VRUN for automatic asset ingest} - VoD asset encryption

_{RTES (Real Time Encryption Server)}

- Encryption of live broadcast streams, multicast output

_Clients

_{STBs with Verimatrix ViewRight client}

_{Connected TVs with Verimatrix ViewRight client
PCs with ViewRight Desktop}

VCAS For IPTV Application Overview

VCAS For IPTV Application Overview

IPTV MultiCAS With VECMG And Mux

Subscriber Mgmt / Middleware/Billing Server CSM (Including EMM Spooler) OMI Services (WSE) Database IP Multiplexer/ Scrambler MultiCAS/IP (VECMG) VEM (VPP, VRUN) ECMs via Simulcrypt VoD assets Linear Broadcast IPTV Client Devices (ViewRight)

OOB EMM delivery

Multicast Video IPTV Network

VoD server

Unicast Video

Elements in green are Verimatrix products

_{Distinctive VCAS servers for:}

_{CSM (Content Security Manager)}

- Core services for key generation, certificate handling, EMM generation
_{OMI (Operator Management Interface)}

- Unified SOAP interface to 3rd _{parties, web services (WSE)}

_{Database (Oracle stand-alone, DataGuard, or RAC)}

_{VEM (Verimatrix Encryption Manager), optional VRUN for automatic asset ingest} - VoD asset encryption

_{VECMG (Verimatrix ECM Generator) for broadcast encryption, use of an}

external mux/scrambler, connected via Simulcrypt. Broadcast streams encrypted by scrambler/mux, with keys and ECMs generated by VECMG

_Clients

_{STBs with Verimatrix ViewRight client}

_{Connected TVs with Verimatrix ViewRight client}

VCAS For IPTV Application Overview

VCAS For IPTV Application Overview

IP Hybrid With VECMG And Mux

Subscriber Mgmt / Middleware/Billing Server CSM (Including EMM Spooler) OMI Services (WSE) Database IP Multiplexer/ Scrambler MultiCAS/IP (VECMG And EMMG) VEM (VPP, VRUN)

ECMs and EMMs via Simulcrypt VoD assets Linear Broadcast IPTV Client Devices (ViewRight) MPTS Video incl. inband ECM/EMM

IP Network VoD server Unicast Video RF Cable/Satellite Network

Elements in green are Verimatrix products

IP Hybrid (IP/DVB)

_{Same distinctive VCAS servers as in IPTV MultiCAS application
EMMs and ECMs delivered via Simulcrypt}

- VECMG (Verimatrix ECM Generator) for ECM generation - Use of an external mux/scrambler, connected via Simulcrypt

_{Linear broadcast delivered over RF network, VoD and key management over IP}

Clients

_{IP Hybrid STBs with Verimatrix ViewRight client
2 way IP connectivity and DVB support}

_{Clients don’t require a smart card or any other hardware security device}

Network

VCAS For IPTV Application Overview

Lesson 2

_{VCAS software consists of modules}

_{These modules make up a server role (i.e. CSM, VEM, RTES, OMI)} - Flexibility in enabling different modules on each server

- Designed for scalability and redundancy

_{Controlled by VCM (Verimatrix Control Monitor)}

- VCM monitors each module, and is used to start/stop each service

- VCM provides status information of each module

_{Common modules and application modules}

_{Common modules run on each server} - VCM (Verimatrix Control Monitor)

- VLS (Verimatrix Logging Server) -> Log collection and management
_{Application modules specify the server role}

System Architecture

CSM Content Security Manager Server Role Application Modules Common Modules _{VLS VCM} VPP VRUN VEM Verimatrix Encryption Manager VLS VCM VCA VKS VCI

System Architecture

CSM Content Security Manager VLS VCM VPP VRUN VEM Verimatrix Encryption Manager VLS VCM RTES RTES

Real Time Encryption Server VLS VCM VECMG VECMG Verimatrix ECM Generator

_{CSM (Content Security Manager)}

_{Provides core VCAS functionality}

_{OMI (Operator Management Interface)}

_{Provides SOAP interface to 3}rd _{party application}

_{VEM (Verimatrix Encryption Manager)}

_{Encryption of VoD assets}

VLS VCM

VCA VKS

VCI

System Architecture

Typical Server Roles And Modules

VLS VCM WSE OMI Operator Management Interface VSA Database Database VLS VCM

_{Provides Core Services of the VCAS System}

_{Typically hosts the following application modules:} - VCI (Verimatrix Client Interface)

- VKS (Verimatrix Key Server)

- VCA (Verimatrix Certificate Authority)

_{Always hosts the following common modules:}

- VCM (Verimatrix Control Monitor) - VLS (Verimatrix Logging Server)

_{For scalability and redundancy, multiple CSMs can be in a pool behind a} load balancer

_{Real-time key distribution for the full spectrum of content services
Protects communications between:}

- Head-end system and authenticated clients (STBs/PCs) in subscriber households

- VCAS subsystem modules

VCM VKS CSM VLS VCM VCA VKS VCI

System Architecture

_{VCI – Verimatrix Client Interface}

_{VCI proxies all requests between client devices and CSM server}

_{Provides a single point of communication for all client requests to the VCAS} server.

_{Provides configuration file to clients when boot server is used}

_{Client device gets local VKS address from VCI, then pushes all broadcast} key requests to this ‘local’ VKS address.

_{Uses ports 12697 (VCI to client) and 12698 (Client to VCI)}

CSM

VLS VCM

VCA VKS

VCI

System Architecture

_{VKS – Verimatrix Key Server}

_{VKS generates keys for linear broadcast channels}

_{Sends broadcast keys directly to the STB (this is the only communication} which is not handled by VCI). Uses ports 12699 and 12700

_{Controls key expiration}

_{If VKS loses connection to the database, it continues to use the last-known} keys, even if they are expired

_{Performs live entitlements queries with the Oracle Database before handing} keys to clients CSM VLS VCM VCA VKS VCI

System Architecture

_{VCA – Verimatrix Certificate Authority}

_{VCA manages the creation and maintenance of all PKI certificates
Issues new certificates to client devices}

_{Stores client certificates in VCAS database}

_{Responsible for certificate revocation to disable specific devices
Acts as the root Certificate Authority in a PKI hierarchy}

_{Uses X.509 certificates to validate and authorize all clients and content
Prevents rogue services from interfering with VCAS operation}

CSM

VLS VCM

VCA VKS

VCI

System Architecture

_{VLS – Verimatrix Logging Server}

_{VLS centralizes log management for all application events and errors
Manages log rotation, log file size and log duration}

_{Records log messages from all VCAS server modules via UDP port 2020
Error level can be customized for maximum or minimum details}

_{All logs are stored in}

_{/var/log/vmlog}

_{VLS is a common module, it is installed on each VCAS server (e.g. CSM, OMI,} RTES, VECMG, VEM)

CSM

VLS VCM

VCA VKS

VCI

System Architecture

_{VCM – Verimatrix Control Monitor}

_{VCM manages all VCAS services on a server}

_{Starts, monitors, stops, and automatically restarts other VCAS modules in} an orderly manner

_{It is configurable to determine which VCAS modules should be started
Provides application parameters, location, and restart information.
Displays version information for each module}

CSM

VLS VCM

VCA VKS

VCI

System Architecture

_{Provides Database Services and single web services interface for}

integration with 3

rd

_{party systems}

_{Always hosts the following application modules:} - WSE (Web Services Engine)

- VSA (Verimatrix Soap Agent)

_{Always hosts the following common modules:}

- VCM (Verimatrix Control Monitor)

- VLS (Verimatrix Logging Server)

_{Single Web Services interface (SOAP) to any 3}rd _{party application (e.g.}

SMS / Middleware system) Subscriber Management System VCAS For DVB Entitlements(SOAP)

VCAS For Internet TV VCAS For IPTV

VCAS MR PlayReady OMI

System Architecture

OMI – Operator Management Interface

OMI

VLS VCM

_{WSE – Web Services Engine}

_{WSE provides a single integration point for all 3}rd _{party applications}

_{Provides a secure, user authenticated interface for local and distributed} system management

_{SOAP interface to SMS/Middleware systems to synchronize entitlements
SOAP interface to VoD systems for content ingestion}

_{SOAP based API supports any programming language with SOAP support} (C++, Java, .NET, PHP, ASP, JSP, ColdFusion, etc.) on any platform

System Architecture

OMI: WSE – Web Services Engine

WSE WSE

OMI

VLS VCM

_{VSA – Verimatrix Soap Agent}

_{VSA is an internal Soap agent
Communicates with WSE
Provides GUI functionality}

_{Involved in client revocation / authorization}

_{Distributes asset encryption requests to multiple VPPs
Private interface (internal interface only, port 8093)
Separate Tomcat server instance}

_{Is configured with}

_{jdbc.properties}

_{configuration file}

System Architecture

OMI: VSA – Verimatrix Soap Agent

OMI

VLS VCM

VSA WSE

System Architecture

_{Key requests from IPTV clients with OMI enabled}

1) SMS sends subscriber, content, and entitlement information to OMI (SOAP interface)

2) OMI populates VCAS database with information received from SMS

3) IPTV client requests decryption key from CSM (VKS) in order to decrypt a VoD asset or live channel

4) VKS checks database for ClientID and AssetID (entitlement)

5) If the OMI lookup returns a positive result (client is entitled for asset), the decryption key is sent to the IPTV client, and the requested asset can be decrypted and watched

If the OMI lookup returns a negative result (client is not entitled for asset), the key request is denied and an error is written into the log file (Verimatrix.log)

System Architecture

_Database

_{Provides database functions to all other VCAS modules
Verimatrix uses Oracle 11gR2 (11.2.0.3)}

_{Communication between VCAS modules and Oracle through ODBC}

_{Communication between 3}rd _{party applications and Oracle through jdbc}

_{Database architectures include Oracle standalone, Oracle Data Guard,} Oracle RAC (details are covered in VCAS Platform Course)

_{VCAS Platform is installed on database servers, but no services are started}

System Architecture

Database

Database

Database

_{Shared Database}

_{A common database infrastructure can be used to provide database functions to} all VCAS products

_{Each product has its own database schema}

_{Communication between VCAS products and Oracle through ODBC and} JDBC

System Architecture

_{Provides asset encryption for VoD (Video on Demand)}

_{Typically hosts the following application modules:} - VPP (Verimatrix Pre Processor)

- VRUN (Verimatrix RUN) -> optional module
_{Always hosts the following common modules:}

- VCM (Verimatrix Control Monitor) - VLS (Verimatrix Logging Server)

_{Provides an integrated and highly flexible mechanism to generate} encrypted content files in preparation for VoD delivery

_{Manages offline encryption of video files before provisioning to VoD} server

VLS VCM

VPP VRUN

VEM

System Architecture

VLS VCM VPP VRUN

VEM

_{VPP – Verimatrix Pre Processor}

_{Encrypts VoD assets}

_{For each file, a unique set of encryption keys is generated}

_{Configurable encryption percentage, independent control for audio and video
Movie file ingest via:}

- SOAP API

- VRUN automated file ingestion (FTP, disk mount) - Manual through GUI

_{Encrypts any file, provided it is encapsulated with MPEG-2 TS}

_{Flexible configuration to preserve key header fields in order to accommodate} most VoD indexing servers (required for trick play functions)

_{Optional Verimatrix VideoMark insertion}

_{Processes approx. 1GB/min on standard hardware (as defined in PROD-100} Server Appliance Specification)

System Architecture

VLS VCM

VPP VRUN

VEM

_{VRUN – Verimatrix RUN (optional module)}

_{Automated content ingestion and encryption}

_{File based and automated ingestion, offers flexible configuration options in} order to accommodate a large variety of ecosystems and unique customer requirements

_{VoD assets can be processed from local disk, SMB mount or NFS mount
VoD assets can be received and transferred via FTP, SFTP, or SCP}

_{Uses VSFTP service for receiving assets for encryption}

System Architecture

_{Provides linear broadcast encryption}

_{Always hosts the following application modules:} - RTES (Real Time Encryption Server)
_{Always hosts the following common modules:}

- VCM (Verimatrix Control Monitor) - VLS (Verimatrix Logging Server)

_{Software-based stream formatting and video encryption application for} IP based multi-channel broadcast

_{Key information and optional feature information are inserted within} each stream in ECMs (Entitlement Control Message)

_{Each RTES server can handle up to 800 Mbit/s of aggregate throughput
Independent of stream rate per channel, only aggregate limit}

_{Limit was 600 Mbit/sec prior to VCAS 3.7}

VLS VCM

RTES RTES

System Architecture

_{RTES – Real Time Encryption Server}

_{Real time encryption of linear broadcast streams
Encrypts IP multicast and unicast content in real-time}

_{Multiple RTES servers can be clustered to allow for scaling to hundreds of} simultaneous channels

_{Supports per-channel encryption configuration via GUI or SOAP API
Supports configurable key change interval and ECM insertion interval to}

allow operators to find the ideal performance to security ratio

VLS VCM

RTES

RTES

System Architecture

VLS VCM RTES RTES 1A Standby VLS VCM RTES VARC VLS VCM RTES VLS VCM RTES RTES 1B Active RTES 2A Active RTES 2B Standby RTES Cluster 1 RTES Cluster 2

_{VARC – Verimatrix Automatic Redundancy Controller}

_{Monitors all RTES servers and initiates automatic failover
VARC is installed on a dedicated server}

_{Monitors streams, NIC cards and RTES processes via SNMP}

_{Controls which RTES servers are active (streaming) and which RTES servers} are standby

_{Has it’s own GUI}

System Architecture

_{Generates keys and ECMs for linear broadcast encryption via}

Simulcrypt

_{Always hosts the following application modules:} - VECMG (Verimatrix ECM Generator)

_{Always hosts the following common modules:} - VCM (Verimatrix Control Monitor) - VLS (Verimatrix Logging Server)

_{Used in MultiCAS and IP Hybrid applications}

_{Simulcrypt interface to 3}rd _{party mux (MPEG Transport Stream scramblers)}

VLS VCM

VECMG VECMG

System Architecture

_{VECMG – Verimatrix ECM Generator}

_{ECM generation for real time encryption of linear broadcast streams via} 3rd _{party mux (Simulcrypt)}

_{The VECMG module receives Control Words (CWs) and Access Criteria from} the mux. It inserts this information into an ECM and encrypts the ECM with the Channel Key. Then it sends the ECMs to the mux for insertion into the transport stream

_{The keys used to encrypt the CWs are provided by VKS to VECMG, stored} into the database, and distributed to authorized clients

_{The VECMG NEVER touches the actual video stream. It only functions to} provide the ECM for insertion into the stream by the mux

_{Integrates high performance pay-TV head-end equipment with robust} software-based content security

_{Supports DVB-CSA and AES encryption algorithms}

VLS VCM VECMG VECMG IP Multiplexer/ Scrambler ECM Linear Broadcast Clear streams

Encrypted streams incl. ECMs Control Word

Access Criteria Simulcrypt

Interface

System Architecture

_{Enables Wholesale/Retail application with seamless end-to-end}

encryption for VoD and linear broadcast

_{Typically hosts the following application modules:} - RSM (Remote Stream Manager)

- RKE (Remote Key Extractor)

_{Always hosts the following common modules:} - VCM (Verimatrix Control Monitor) - VLS (Verimatrix Logging Server)

_{These modules can be hosted in a stand-alone server, or can be added to a CSM} at a retail location VLS VCM RSM Wholesale Retail RKE

System Architecture

IPTV Headend Wholesale CSM RTES VEM RKE RSM Retail A RKE RSM Retail B RKE RSM Wholesale Retail N Key delivery CSM Key delivery Key delivery Clients A Clients B Clients N Key delivery Key delivery Key delivery

Encrypted Broadcast Streams

CSM

System Architecture

_{RSM – Remote Stream Manager}

_{Secure delivery of broadcast channel keys to retail location}

_{RSM provides headend operators the opportunity to capitalize on their}

investment by providing seamless end-to-end centrally encrypted broadcast to downstream IPTV retailers

_{RSM can be deployed in either a one-to-one or one-to-many architecture.
Encrypted streams are distributed to the downstream IPTV retailer}

pre-encrypted VLS VCM RSM Wholesale Retail RKE

System Architecture

VLS VCM RSM

Wholesale Retail

RKE

_{RKE – Remote Key Extractor}

_{Secure delivery of VoD keys to retail location}

_{RKE provides headend operators the opportunity to capitalize on their} investment by providing seamless end-to-end centrally encrypted VoD to downstream IPTV retailers

_{RKE can be deployed in either a one-to-one or one-to-many architecture.
Encrypted VoD assets are distributed to the downstream IPTV retailer}

pre-encrypted

_{RKE acts as a client to the headend site, ingesting VoD asset keys and} making them available for local client use

_{RKE can be hosted on the retailer’s CSM or on a stand-alone server}

_{Retailers can combine locally encrypted VoD assets with VoD assets from} the remote headend

System Architecture

VLS VCM

CSM

EMM Spooler

_{EMM Spooler}

_{Generates EMMs}

_{Two ways of delivering EMMs to clients:}

- Out-Of-Band via IPTV network (EMMs sent via Multicast by EMM Spooler) - Inband via EMMG and Simulcrypt (next slide)

-> This is ecosystem dependent

_{EMMs are used for signaling functions within the client software stack, such} as on-screen messages and decryption key update/ expiration/removal.

System Architecture

_{EMMG – EMM Generator}

_{Delivers EMMs via Simulcrypt}

_{EMMG functions as an in-band signaling channel to the client device, similar} to a traditional DVB environment.

_{EMMs generated by the EMM Spooler are delivered via Simulcrypt to an} external mux/scrambler

_{Mux inserts the EMMs into encrypted streams (similar to ECM delivery)
Used in MultiCAS and IP Hybrid applications}

_{As an additional layer of security, an operator can employ an EMM function} called heartbeat. If the client loses the heartbeat signal from the server, it will cease to function

_{Identical client functionality when used over Multicast (instead of} Simulcrypt)

_{Actual key delivery is still out-of-band}

_{EMM functionality requires the use of ViewRight client 3.x. This functionality}

VLS VCM VECMG VECMG IP Multiplexer/ Scrambler ECM Linear Broadcast Clear streams

Encrypted streams incl. EMMs and ECMs Control Word Simulcrypt Interface EMM EMMG

System Architecture

VLS VCM

CSM

SoCKEM

_{SoCKEM – System on a Chip Key Encryption Manager}

_{Stores unique device keys securely and manages over-encryption}

_{Control Word Path Protection (CWPP) is an additional layer of encryption} applied inside the STB, so Control Words are never in the clear outside of the secure block of the chip set

_{Prevents Control Word sharing, a technology used by hackers to} transmit CWs to other (rogue) STBs, so all channels can be watched
_{STBs need to be integrated for Advanced Security}

System Architecture

_{SoCKEM – STB Personalization}

_{Each SoC receives its unique Device Key (KD) from the Personalization Server
Report of all Device Keys, STB SNs, and Chip IDs is sent to Verimatrix and to the}

operator

System Architecture

_{SoCKEM – ECM Structure}

_{Encryption for Advanced Security:}

_{Transport Stream is encrypted with Control Word}

_{Control Word is encrypted with Control Word Path Protection Key
ECM is encrypted with Channel Key}

_{Option: Control Word Path Protection Key is encrypted with Service} Class Key

System Architecture

Optional Modules: SoCKEM

K_C = Channel Key

K_SC = Service Class Key

K_CWPP = Control Word Path Protection Key

Header

Paylod [CW]

ECM – Standard Security

Header

[K_C]

_{SoCKEM – STB Personalization - continued –}

_{Verimatrix receives report from STB Vendor
Format: Chip ID, BSK ID, Device Key}

_{Chip ID is used as Device ID for OMI in Advanced Security (MAC} address is used in Standard Security)

_{BSK ID can be used to identify STB vendor, as Chip ID might not be} unique, or it can be used to identify encryption parameters

_{Device Key is unique for each Chip Set}

_{Formatted file is loaded onto server running SoCKEM (Normally CSM)
Example Device Key File:}

# The unique device key is defined in one line as: # CHIP_ID, BSK_ID, DEVICE_KEY

# Each fields need to be separated by comma. # BSK or Batch ID is not defined in this example # For example:

300445, , 0C67RT34Pbv098xxHq938CcLaw5Of841

System Architecture

_{VCP – VCAS Customer Profiler}

_{VCP provides information about cloned or rogue IPTV clients
Optional module, requires VCP enabled license}

_{Collects detailed client information (VCP log files)}

_{VCP log files are exported and analyzed with Clone Detection Analyzer} (CDA)

_{More information about VCP and CDA can be found in Lesson 8}

CSM

VLS VCM

VCA VKS

VCI VCP

System Architecture

_{VideoMark – Watermarking technology}

_{Fight illegal content redistribution}

_{Embedding forensic marks which enables user-specific traceability
Forensic watermarking is a key requirement for 4K/UHD}

content per Movie Labs specification
_{Inserted marks need to be:}

_Unique

_{Imperceptible
Secure}

_Robust

_{VideoMark is not designed for fingerprinting purpose}

_{Watermarking: Never visible, requires offline signal} processing for extraction

_{Fingerprinting: Visible fingerprint (i.e. operator identifier} or MAC address/ClientID), easily extractable

_{Supported with ViewRight STB 3.7 and higher and VCAS server 3.7 and} higher

System Architecture

_{VideoMark – Watermarking technology}

_{User-specific forensic watermarking technology designed to counter} copying of content by marking decompressed video streams with a unique identifier that is traceable to the place and time of viewing

_{The VCAS head-end generates the unique forensic payload used to identify} individual client device sessions with time and hardware identifiers

_{VideoMark is applied using an algorithm running on the CPU or DSP of the} STB client (after decryption / decompression)

_{The VideoMark algorithm embeds these forensic tracking IDs into the video} pixel information in a manner that is imperceptible and transparent to the viewer (Luminance is subtly modified in certain areas of the video)

_{Enabled as an optional feature in VCAS license}

_{STB needs to be integrated for VideoMark functionality’ integrated at STB} chip level

System Architecture

_{VideoMark – Watermarking technology}

_{Embedding of human readable symbols distributed in time by slight modification} of many pixels

_{Human readability provides robustness against geometric distortions}

_{Embedded VideoMark survives all types of attack and content manipulation:}

HDMI Attack, Digital Attack, Analog Attack, Camcorder Attack, Geometric Attack: Scaling, rotation, and cropping, Compression (e.g. 500 Kbps)’ Aspect ratio

manipulation

System Architecture

System Architecture

Optional Modules: VideoMark

Validated VideoMark/Reveal Service Internet/Broadband VideoMark Client Operator Management Interface Verimatrix Entitlements DB SMS/ Middleware Transaction Database VideoMark Payload Manager

_{VideoMark – Payload insertion}

_{Ranges of unique values reserved} for each operator

_{A unique value, taken from the} operator’s range, is associated to an event, for example sports, movie or a bouquet of linear channels

_{This unique value determines the} symbols inserted in the video.
_{This unique value is named}

PAYLOAD

_{Payload will change every} 24h (default)

System Architecture

_{VideoMark – Payload insertion}

_{Payload is inserted as picture
The luminance of each image}

is modified according to symbols picture contents, VideoMark™

algorithm and hardware capabilities.

System Architecture

_{VideoMark – Extraction}

_{The pirated video is analyzed by specialized software.}

_{Cumulative filtering allows to extract an image of the symbols.
Human reading allows to recover the payload.}

_{Transactions database identifies the pirate.}

_{Sample of pirated video needs to be 5 – 15 min in length}

System Architecture

_{How are all these VCAS modules connected to each other?}

_The

_/etc/hosts

_{file is used to specify the location of each module}

_{Each module’s DNS name is resolved to the IP address of the server where} the module is running

_{When one VCAS module calls another, the IP address specified in}

_/etc/hosts

is used to find the IP address of the server where that module is running
_{In redundant deployments, certain VCAS modules need to have a unique}

name, so they can be resolved separately. This applies to VKS and VPP. They are named VKS1, VKS2, VKS3, VPP1, VPP2, VPP3 and so on

System Architecture

_Configure

_/etc/hosts

_{The following steps are required for VCAS for IPTV servers only
The configuration of}

_/etc/hosts

_{depends on the server role of this server. It}

resolves the VCAS specific DNS names to IP addresses.

If this is a CSM server, the IP addresses for the core services will be it’s own IP address.

If this is a RTES, VECMG, OMI or VEM server, the CSM’s IP address will have to be used for VKS,VCI,VCA etc.

_{If multiple CSMs are installed,} the first instance of VKS (vks1) will be resolved to it’s own IP, the 2nd _{and 3}rd _{instance of VKS}

must be resolved to the IP of

CSM2 and CSM3. The same applies to VPP

System Architecture

_{This example shows:}

_Typical

_/etc/hosts

_{file for a CSM}

_{127.0.0.1 resolved to localhost.localdomain}

_{IP address of Eth0 resolved to real IP address (10.1.0.2)
CSM core modules resolved to real IP address (10.1.0.2)
2}nd _{instance of VKS resolved to IP of CSM2}

_{VPP1 resolved to 1}st _{VEM server’s IP address, VPP2 to 2}nd _{VEM’s IP address}

_{OMI and VSA resolved to OMI server’s IP address
EMMG resolved to VECMG server’s IP address}

System Architecture

_Configure

_/etc/hosts

_{Examples for}

_/etc/hosts

_{for different server roles can be found in}

/home/vmx/hosts_examples/

_{The appropriate example file can be copied for convenience (example for CSM} specific hosts file):

cp /etc/hosts /etc/hosts.sav

cat /home/vmx/host_examples/hosts.allinone >> /etc/hosts

_{Configuration of example files is still required, correct IP addresses need to be} set!

_{Available /etc/hosts examples are:} - CSM (IPTV)

- RTES (IPTV) - VECMG (IPTV) - VPP (IPTV) - ACSM (ITV)

- All-in-one (all solutions)

System Architecture

_Editing

_/etc/hosts

_{on multiple servers:}

_{Reference in each server’s}

_/etc/hosts

_{where each service is running
Use VKS1, VKS, VKS3, etc. for VKS service on multiple CSM servers
VCA, VCI, VSA always point to own IP address on each CSM}

_{vpp.verimatrix.com is the only service running on a VEM server}

_{If multiple VPPs are deployed, unique naming like VKS must be setup
RTES / VECMG point to services on CSM and VPP (no local service)}

_{Tip: By NOT using 127.0.0.1 for the local VCAS services,}

_/etc/hosts

_{file is} almost identical between the servers, and can be copied/pasted to other VCAS servers 127.0.0.1 localhost 10.1.10.2 CSM01 10.1.10.2 vca.verimatrix.com 127.0.0.1 localhost 10.1.10.3 CSM02 10.1.10.3 vca.verimatrix.com 127.0.0.1 localhost 10.1.10.5 RTES01 10.1.10.2 vca.verimatrix.com 127.0.0.1 localhost 10.1.10.4 VEM01 10.1.10.2 vca.verimatrix.com CSM01 at 10.1.10.2 CSM02 at 10.1.10.3 VEM01 at 10.1.10.4 RTES01 at 10.1.10.5

System Architecture

System Architecture

Oracle RAC

See also:

PROD-06 Oracle

RAC Deployment Standard

_{How are the distinctive servers connected to each other?}

_{In typical installations there is a dedicated VLAN for internal server} communications

_{The definitions in}

_/etc/hosts

_{allow server-server communications
This VLAN is also known as ‘Management VLAN’}

_{Also used for SSH sessions to the servers}

_{Not reachable from the client network (firewall protected)
Can also be used for SOAP connection to SMS/Middleware
Additional VLANs can be setup for:}

_{Client network (STBs)
Clear content}

_{Encrypted content}

_{Database interconnect (for Oracle RAC)
VoD file transfer}

System Architecture

System Architecture

Lesson 3

_{ViewRight is the embedded software in a client platform which}

provides the functionality to decrypt VoD assets and linear streams

_{ViewRight is developed by Verimatrix and distributed to client vendors} - Vendor performs integration into the client platform

- Verimatrix assists client vendor, and verifies overall security

_{It’s a package of portable embedded code that implements VCAS security} functions within each client in a pay-TV system

_{It’s designed to require minimum number of resources from the client hardware} and runtime environment

_{It operates without the need for smartcard or other peripheral hardware}

_{ViewRight Client Types in VCAS For IPTV:}

_{IPTV STBs (Set Top Box)
IP Hybrid STBs}

_{Connected TVs with IPTV clients
Verimatrix ViewRight Desktop for PC}

ViewRight Clients

_{ViewRight is client platform independent}

_{Supported OS: Embedded Linux, Android, VXWorks, eCoS, uCoS OS21, custom
Chipsets supported: Broadcom, ST Micro, Sigma, Intel, AMD, Conexant, TI, etc.
Over 100 vendors certified}

_{Over 350 models certified}

_{New STB platforms use dedicated chip for decryption (also known as hardware} decryption) -> faster, and doesn’t load CPU with decryption processes

_{Implementation time for new STB usually < 6 weeks}

_{Current Deployments:}

ViewRight Clients

_{ViewRight compatibility}

_{Supported ViewRight client versions with VCAS 3.7 headend:}

_{3.1.2 Support boot server and mutual authentication (default)} Don’t support NULL packets any more, only support ECM Support for EMM

_{3.2.0 Support CWPP (Control Word Path Protection)
3.3.0.x Support offline stream decryption}

_{3.5.1.x Advanced Security Integration, IPv6 support, IGMPv3 for} EMM multicast

_{3.6.0.0 3}rd _{party public authentication}

Advanced security integration (FuseMap, ChipID as NetworkDeviceID etc.)

_{3.7.0.0 VideoMark, change in client-server protocol (BMP)
No ViewRight STB Client release for VCAS 3.8}

_{New versioning scheme for ViewRight 3.3 (and higher) clients:}

_{ViewRight STB for IPTV 3.7.0.0-<STB>-<model>-[<option>-[<build#>]]}

Example:

ViewRightSTBforIPTV-3.7.0.0-tivo-gx_cm700cf-6

ViewRight Clients

_{ViewRight client compatibility}

_{Older ViewRight client versions are generally compatible with newer VCAS server} versions. Once a ViewRight client is EOL (End of life), it is no longer supported

ViewRight Clients

Compatibility

3.1.x * 3.2.x * 3.3.x.x 3.4.x.x 3.5.x.x 3.6.x.x 3.7.x.x 3.8.x.x ViewRight Client 3.1.x * _{x x x x x x x x} 3.2.x * _{x x x x x x x} 3.3.x _{x x x x x x x x}

VCAS Server Version

* EOL in Dec. 2014

_{New features in ViewRight 3.3}

_{Persistent key cache (Offline mode)}

_{Used for IP/Hybrid deployments, where the IP link is provided by a 3}rd _{party ISP}

_{STB decrypts using the latest keys if CSM server becomes unavailable
Stores all channel keys for the current day and next 24h}

_{Updates keys when CSM becomes available again}

_{Works for live broadcast. DVR and VoD keys are not stored in client
No entitlement updates during offline mode}

_{RAM-to-RAM (M2M) encrypts offline keys in NV RAM}

_{Requires 100 bytes of NV RAM per channel/service class}

ViewRight Clients

_{New features in ViewRight 3.5}

_{Advanced Security (System on a Chip)}

_{SoC is supported on the following chipsets:}

_{Broadcom’s 28nm family SOCs, such as BCM7584
ST Liege family (STiH2XX such as STiH207)}

_{Marvell BG2-Q family}

_{Entropic Kore3 family (EN7100, EN7120, EN7160, EN7190)
All new ViewRight integrations should use Advanced Security}

_{Can still work in Standard Security mode
Most flexible and future proof}

_{To be used with the SoCKEM (Security on a Chip Key Encryption Manager) in the} CSM

ViewRight Clients

Resident App

Middleware Verimatrix ViewRight Client

OS / Drivers Bootloader

Flash RAM MPEG

Decode HW Decrypt NET IFC Debug IFC SOC Hardware Middleware Set Top OS Application • Static library • Shared library • Daemon/App

ViewRight Clients

Architecture

_{What happens when a ViewRight client (e.g. STB) is booted?}

_{1) ViewRight client is booted for the first time}

_{ConfigRequest Client requests network and server configuration}

_{CreateSessionKey This starts the SSL connection between client and VCI
SaveEncryptedPassword The client has written its unique certificate in a}

file called “

verimatrix.store

” and has encrypted this file on the persistent memory of the client. The password used to encrypt / decrypt this file is sent to the VCI and stored in the VCAS database

_{2) Subsequent booting process of client}

_{Client finds “}

_{verimatrix.store}

_{” in its persistent memory
CreateSessionKey (same sequence as above)}

_{UpdateRequest The client requests the encrypted password to decrypt} “verimatrix.store” through VCI, so the certificate can be decrypted

ViewRight Clients

_{What happens when a ViewRight client (e.g. STB) is booted?}

ViewRight Clients

Communication Between CSM And Clients

STB CSM

Auto Boot Response SUBCA+VCI cert Session Key SaveEncrypted Password VCI 12698 SSL mutual authentication Saves to DB ConfigRequest VCI 12686/12687 CreateSessionKey VCI 12697

_{What happens when a ViewRight client is booted? (continued)}

_{Once the client boot process is over, the client immediately asks for all} the ChannelKeys it is entitled for. The key request is encrypted with the SessionKey.

_{GetAllChannelKeys}

_{This request is sent directly to VKS (ports 12699 and 12700)
Channel Keys for all channels the client is entitled to will be sent}

for the current day and next day

_{When a client requests a Key for a channel that it does not have in its cache} (e. g. new channel added or request for a channel from the past to play back a DVR recorded program), it will request:

_GetSingleKey

_{A single Channel Key will be sent to the client, if the client is entitled
This request is also handled by VKS}

ViewRight Clients

_{What happens when a ViewRight client (e.g. STB) is booted?}

ViewRight Clients

Communication Between CSM And Clients

STB CSM

Channel/ServiceClass keys current + next

VKS 12700 Encrypted and

stored into RAM

GetAllChannelKeys VKS 12699

_{ViewRight clients will need the following information to initiate a boot request:} BOOTSERVER= <- change to IP or DNS of CSM or load balancer PORT= <- set to 12686 (default on CSM server)

The ViewRight client is configured via an API call (vmconfig):

int VMConfig( const char *pStoreFilePath, const char* pIpAddress, unsigned short nPort,

int nTimeout, int nRetries unsigned short nlpVersionPreferred );

_{client.ini file under VCI needs to be configured for boot sequence to work} correctly

(covered in lesson 6 under VCI configuration)

ViewRight Clients

_{ViewRight Desktop as a troubleshooting tool}

_{ViewRight Desktop For PC provides the same level of content security and} revenue protection as a dedicated set-top box (STB)

_{It securely decrypts broadcast and VoD content} within VCAS protected IPTV systems using a flexible and customizable user interface

_{Integrated Verimatrix VideoMark™ user-specific} forensic watermarking, as well as on-screen display fingerprinting

_{Consult ViewRight Desktop documentation for current hardware requirements}

_{End Of Life since May 2014, no further support and distribution. But it}

will be used during hands-on VCAS training, so every participant can decrypt video on a PC

ViewRight Clients

_{VR Desktop 3.4 configuration file (Win 7):}

_{C:\Program Files (x86)\Verimatrix\ViewRight PC Player\VERIMATRIX.INI}

_{Run Notepad as Administrator to open it (right click on Notepad icon):
BOOTSERVER= <- change to IP or DNS of CSM}

_{COMPANY= <- change Company name to match your system
client.ini file under VCI needs to be configured for boot sequence to work}

correctly

(covered in lesson 6 under VCI configuration)

_{Log file and certificate can be found under (Win 7):}

_{%AppData%\Roaming\Verimatrix\}

_Logfile:

_{Verimatrix.<date>.log}

ViewRight Clients

_{Launch ViewRight Desktop}

_{Green light indicates secure connection to CSM
Go to ‘Playlist’ -> ‘Add’ to playback content}

_{Choose ‘File’ for VoD asset (asset needs to be copied to PC’s hard disk)
Choose ‘URL’ to playback multicast stream, enter: udp://<mc IP>:<port>}

For example: udp://229.1.100.23:5000
_{Plays encrypted and unencrypted content}

_{Lock next to green light indicates if content is clear or encrypted}

ViewRight Clients

_{Verimatrix distinguishes different ViewRight client types}

_{Used for licensing purposes}

_{Client types for VCAS For IPTV are:
ViewRight STB For IPTV}

_{ViewRight STB For IP Hybrid
ViewRight Desktop For PC}

_{Legacy Client Devices (ViewRight 2.x)}

_{Client Types can only be distinguished by the VCAS headend if the ViewRight} client is running ViewRight 3.x or higher

_{All STB integrations based on ViewRight 2.x fall under ‘Legacy Client Devices’.
Active client count and licensed client count for each type can be seen on the}

home screen of the VCAS GUI

ViewRight Clients

ViewRight Clients

Client Types

_{Client Types}

Lesson 4

_{How do VoD assets and linear broadcast streams get encrypted?}

_{A VoD asset or MPEG Stream is encrypted using several keys called Control} Word

_{A Control Word is used to encrypt / decrypt a certain number of MPEG packets} (approx. 50,000 packets or around 10 seconds of content)

_{The Control Word is inserted about 10 times per second in the stream or VoD} asset, in a specific packet called ECM (Entitlement Control message).

_{The ECM is encrypted using the ChannelKey. The CW is not kept in the VCAS} DB. Only the Channel Key is stored in the VCAS DB

_{The ECM is generated by the VPP for the VoD Encryption}

_{The ECM is generated by the RTES or VECMG for the Live Encryption}

_{The Scrambling of the content (with the Control Word) is done by the RTES or} the Scrambler

_{Remember: Two different keys are used, Control Word and Channel Key}

Understanding Encryption

ECM with CW4

_{ECM gets decrypted with Channel Key, so the Control Word can be read}

_{An ECM is normally carried in one Transport Stream packet, as it is less than 188} bytes in size. However, with multiple Service Classes, it can grow to more than

Understanding Encryption

Control Words And ECM

CW CW CW CW ECM with CW1 Payload ECM with CW2 Payload ECM with CW3 Payload Payload Channel Key (24h)

Understanding Encryption

1) Movie file gets encoded into a MPEG2 Transport Stream file 2) MPEG2 TS file is moved to VEM server (VPP)

3) File is encrypted by VPP, movie key is stored in Database 4) Encrypted file is moved to the VoD server

5) Entitlements are sent from the Middleware and stored in Database 6) STB requests to play the movie (subscriber purchased VoD)

7) Middleware provides RTSP URL to client device, which then requests VoD content from VoD server (Unicast stream)

8) VoD Server streams encrypted file to STB

Understanding Encryption

Understanding Encryption

1) Broadcast stream gets encoded into a MPEG2 Transport Stream 2) MPEG2 TS is sent to RTES server

3) Stream is encrypted by RTES, Channel Key is stored in Database 4) Encrypted stream is sent via Multicast IPTV network to STB

5) Entitlements are sent from the Middleware and stored in Database

6) STB detects TSC bit in MPEG header and requests Channel Key from CSM STB asks for all Channel Keys it is entitled to, to avoid future key requests 7) CSM checks entitlements, and sends all Channel Keys the STB is entitled for.

STB can now decrypt ECMs and use the decrypted CW to decrypt payload packets

Channel Keys are valid for 24 hours, and the STB will send a random key request

Understanding Encryption

Understanding Encryption

1) Broadcast stream gets encoded into a MPEG2 Transport Stream

2) Mux/scrambler sends clear Control Word and Access Criteria to VECMG (Simulcrypt)

3) VECMG inserts CW and Access Criteria into ECM, encrypts ECM, and sends it back to mux/scrambler

4) Encrypted stream is sent via Multicast IPTV network (or DVB network) to STB 5) Entitlements are sent from the Middleware and stored in Database

6) STB detects TSC bit in MPEG header and requests Channel Key from CSM STB asks for all Channel Keys it is entitled to, to avoid future key requests 7) CSM checks entitlements, and sends all Channel Keys the STB is entitled for.

STB can now decrypt ECMs and use the decrypted CW to decrypt payload

Understanding Encryption

_{What are Service Classes and how are they used?}

_{A Service Class is an additional key which imposes restrictions on the access of} the Control Word

_{Used for restricted access, for example for Pay-Per-View. The ViewRight client} (STB) will need the Channel Key to decrypt the ECM and the Service Class Key to decrypt the Control Word

_{Each Service Class in the system has a unique ID and key associated with it.} Service Classes are generated upon input information from OMI (i.e. new Pay-Per-View event with start/end time.

_{Channels are associated with Packages in OMI, and the Packages are associated} with Service Classes

_{Configuration required to enable Service Classes in global VERIMATRIX.INI file:} SERVICE_CLASS_PROVISIONING_MODE=OMI

Understanding Encryption

_{What are Service Classes and how are they used?}

_{The Control Word is encrypted with the Service Class key and the entire ECM is} encrypted with the Channel Key. The ViewRight client will need both, the

Channel Key and the Service Class Key in order to decrypt the Control Word

_{VCAS 3.5 and higher support Service Classes for nPVR and PVR (for example}

Understanding Encryption

Service Classes

ECM

Header Control Word

Encrypted with Channel Key

Encrypted with Service Class

_{What are Service Classes and how are they used?}

_{Service Classes are indicated in the private section of the ECM header}

Understanding Encryption

Understanding Encryption

_{What does Verimatrix encrypt?}

_{The VCAS system encrypts:}

_{All MPEG audio and video packets
All ECMs and EMMs}

_{All Macroblocks}

_{What does Verimatrix not encrypt?}

_{Certain fields in MPEG need to be left unencrypted}

_{MPEG header fields in order to decode stream (i.e. PES header)
Adaptation fields}

_{Start Codes and Slice headers. These are used by VoD indexers to provide} trick-play functions (Fast Forward, Rewind, Pause etc)

_{PCR clock data}

Understanding Encryption

Lesson 5

Licensing

_{How is VCAS licensed?}

_{Licenses includes the maximum amount of clients which can be connected to a} VCAS For IPTV system

_{Licenses includes the maximum amount of channels a VCAS For IPTV system can} encrypt

_{Licenses can include additional features such as:
VideoMark}

_{VoD Encryption
OSD Fingerprinting}

_{Licenses have an expiration date. Permanent licenses have an expiration date of} Dec 31, 2037. This is the end of ‘Linux time’

_{Verimatrix provides eval licenses for trials and lab installations, they typically} include:

_{90 days
25 clients
10 channels}

_{Licensing information can be viewed on the home screen of the VCAS GUI}

Licensing

_{Clients are licensed by client type}

_{Only ViewRight 3.x clients are determined by client type}

_{ViewRight 2.x clients fall into the category ‘Legacy Client Devices’
Client types for VCAS For IPTV are:}

_{ViewRight STB For IPTV
ViewRight STB For IP Hybrid
ViewRight Desktop For PC}

_{Legacy Client Devices (ViewRight 2.x)}

_{Find out which version of ViewRight client you deploy, in order to obtain} the correct licenses!

_{Client types can be pooled in a group, so any client type in the group can}

consume a license. This makes upgrades from VCAS 2.x to VCAS 3.x far more streamlined

Licensing

Site ID

corresponds

to ‘Company

Name’

Licensing

License Counts

# of clients

licensed in group

Clients licensed

Clients

types

in group 3

_{What do I need to do to get a license?}

_{Licenses are locked to the server hardware, each server will have a unique} license key

_{Licenses are locked to a ‘Company Name’. This name is unique for each operator} and is used throughout the VCAS system and the ViewRight clients

_{Verimatrix will issue an identical license (same # of clients, same number of} channels) for each server in your VCAS system

_{Provide the following information to Verimatrix Global Services:}

_{PO number or Verimatrix project number (or indicate ‘eval’ license)
Company Name}

_{License key from each installed server
Hostname from each installed server}

_{-> Global Services will send you a link to download the license(s)
How do I obtain the license key?}

Licensing

_{How do I install a license?}

_{Licenses are delivered via Verimatrix’s FTP site. You will receive a delivery email} containing a download link

_{Copy the license to the corresponding server to}

_/home/vmx/

This can be done using WinSCP

_{Move license to}

_{/opt/vcas-store/rpms/}

mv /home/vmx/<VCAS_license_file_name>.rpm /opt/vcas-store/rpms/
_{Install the license:}

cd /opt/vcas-store/rpms/ yum install <filename>.rpm Example:

yum install vcasLicense_for_TelcoABC_04JAN2014_04JAN2018_CSM01-2-1.noarch.rpm

_{Actual licenses files are in .LIC format. Once installed, they can be found under:}

/opt/vcas-store/licenses/

A link will show which license is active. All other licenses will also be listed in this directory. Example:

vcas_license_current -> TelcoABC_04JAN2014_04JAN2018_CSM01.LIC

Licensing

_{How do I check the parameters of a license?}

_{To check the parameters of a license (i.e. # of subs, # of channels, features),} issue the following command:

cd /opt/vcas/platform/bin/ ./licenseout –f /opt/vcas-store/licenses/<filename>.LIC Examples: ./licenseout –f /opt/vcas-store/licenses/TelcoABC_01MAR2013_30JUN2017_CSM01.LIC ./licenseout –f /opt/vcas-store/licenses/vcas_license_current

Licensing

Installing Licenses

_{How do I activate a new license?}

_{Licenses are automatically activated at installation. This is not service affecting.
The last installed license is the active license}

_{Before a license expires, the following warnings are issued:
Red warning message on top of VCAS GUI home page
VCAS log entries with ‘License Expiration’ warning}

_{Once a license is expired, VCAS services will shut down. Only VLS will keep} running

_{Licenses grant a buffer of 5% of the number of clients licensed}

_{VCAS log warnings are generated once 80% of the licensed number of} clients is reached and a warning is displayed in the VCAS GUI

_{VCAS log errors are generated once 100% of the licensed number of clients} are reached and an error is displayed in the VCAS GUI

_{Once 105% are reached, no new clients can be connected (certificate} requests will be denied)

_{No buffer is granted for the number of channels licensed}

Licensing

Licensed Clients

‘In-use’ Clients

ViewRight 2.x

IPTV Clients

ViewRight 3.x

IPTV Clients

(part of group)

Licensing

License Counts

Clients in

recycling period

Client license recycling

Each new ViewRight client receives a X.509 certificate from VCA at first boot-up.
The license count in VCAS is controlled by the number of certificates issued by VCA.
If a ViewRight client (STB) is disabled or removed (de-provisioned) from the

network, it’s certificate must be marked as invalid, so the license can be assigned to another STB. The de-provisioning is performed through OMI directly from the SMS (DisableDevice). This is referred to as ‘Manual Recycling’.

A 30 day lock period (License Recycling Period) is assigned to each ViewRight STB

on the date it is first provisioned. If a device is de-provisioned before the 30 days are expired, then the certificate will not be available for another STB until 30 days after the first provisioning date. Once the 30 day waiting period has expired, the license will be returned to the pool of available licenses and can be assigned to another STB.

Licensing

Licenses Recycling

Provisioning date 30 days License Recycling Period

Client license recycling

Another method to keep the license count accurate is ‘Automatic Recycling’. Once a

client certificate expires, the device is automatically de-provisioned. This allows for automatic client recycling, without OMI calls. The certificate duration can be

configured in

/opt/vcas/iptv/etc/VCI/VCI.INI

CERT_DURATION_IN_DAYS = 365 (default)

Set CERT_DURATION_IN_DAYS to a lower value (i.e. 60 days) for more rapid

certificate de-provisioning

The License Recycling Period doesn’t apply when the automatic certificate duration

expiration method is used, as long as the CERT_DURATION_IN_DAYS is set to > than 30 days. If CERT_DURATION_IN_DAYS is set to < than 30 days, then the recycling period of 30 days applies.

The VCAS GUI displays the number of Available Licenses, the number of Active

Licensing