Protect your content with Media Services dynamic encryption

Note

Google Widevine content protection services are currently unavailable in the Azure China regions.

Use Azure Media Services to help secure your media from the time it leaves your computer all the way through storage, processing, and delivery. With Media Services, you can deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or either of the two major digital rights management (DRM) systems: Microsoft PlayReady and Apple FairPlay. Media Services also provides a service for delivering AES keys and DRM (PlayReady and FairPlay) licenses to authorized clients. If content is encrypted with an AES clear key and is sent over HTTPS, it is not in the clear until it reaches the client.

In Media Services v3, a content key is associated with a Streaming Locator (see this example). If you use the Media Services key delivery service, you can let Azure Media Services generate the content key for you. Generate the content key yourself if you're using your own key delivery service, or if you need to handle a high-availability scenario where the same content key must exist in two data centers.

When a stream is requested by a player, Media Services uses the specified key to dynamically encrypt your content by using AES clear key or DRM encryption. To decrypt the stream, the player requests the key from the Media Services key delivery service or the key delivery service you specified. To decide if the user is authorized to get the key, the service evaluates the content key policy that you specified for the key.

You can use the REST API or a Media Services client library to configure authorization and authentication policies for your licenses and keys.

The following image illustrates the workflow for Media Services content protection:

Media Services content protection workflow

* Dynamic encryption supports AES-128 clear key, CBCS, and CENC. For details, see the support matrix.

This article explains concepts and terminology that help you understand content protection with Media Services.

Main components of a content protection system

To successfully complete your content protection system, you need to fully understand the scope of the effort. The following sections give an overview of three parts that you need to implement.

Note

We highly recommend that you focus on and fully test each part in the following sections before you move on to the next part. To test your content protection system, use the tools specified in the sections.

Media Services code

The DRM sample shows you how to implement a multi-DRM system with Media Services v3 by using .NET. It also shows how to use the Media Services license/key delivery service.

You can encrypt each asset with multiple encryption types (AES-128, PlayReady, FairPlay). To see what makes sense to combine, see Streaming protocols and encryption types.

The example shows how to:

  1. Create and configure a content key policy.

    You create a content key policy to configure how the content key (which provides secure access to your assets) is delivered to end clients:

    • Define license delivery authorization. Specify the logic of the authorization check based on claims in a JSON Web Token (JWT).

    • Configure PlayReady and/or FairPlay licenses. The templates let you configure rights and permissions for each of the DRMs.

      ContentKeyPolicyPlayReadyConfiguration playReadyConfig = ConfigurePlayReadyLicenseTemplate();
      ContentKeyPolicyFairPlayConfiguration fairPlayConfig = ConfigureFairPlayPolicyOptions();
      
  2. Create a streaming locator that's configured to stream the encrypted asset.

    The streaming locator has to be associated with a streaming policy. In the example, we set StreamingLocator.StreamingPolicyName to the "Predefined_MultiDrmCencStreaming" policy.

    The PlayReady encryption is applied, and the key is delivered to the playback client based on the configured DRM licenses. If you also want to encrypt your stream with CBCS (FairPlay), use the "Predefined_MultiDrmStreaming" policy.

    The streaming locator is also associated with the content key policy that you defined.

  3. Create a test token.

    The GetTokenAsync method shows how to create a test token.

  4. Build the streaming URL.

    The GetDASHStreamingUrlAsync method shows how to build the streaming URL. In this case, the URL streams the DASH content.

Player with an AES or DRM client

A video player app based on a player SDK (either native or browser-based) needs to meet the following requirements:

  • The player SDK supports the needed DRM clients.
  • The player SDK supports the required streaming protocols: Smooth, DASH, and/or HTTP Live Streaming (HLS).
  • The player SDK can handle passing a JWT token in a license acquisition request.

You can create a player by using the Azure Media Player API. Use the Azure Media Player ProtectionInfo API to specify which DRM technology to use on different DRM platforms.

For testing AES or CENC (PlayReady) encrypted content, you can use Azure Media Player. Make sure that you select Advanced options and check your encryption options.

If you want to test FairPlay encrypted content, use this test player. The player supports PlayReady and FairPlay DRMs, along with AES-128 clear key encryption.

Choose the right browser to test different DRMs:

  • Microsoft Edge or Internet Explorer 11 for PlayReady.
  • Safari on macOS for FairPlay.

Security token service

A security token service (STS) issues a JWT as the access token for back-end resource access. You can use the Azure Media Services license/key delivery service as the back-end resource. An STS has to define the following things:

  • Issuer and audience (or scope).
  • Claims, which are dependent on business requirements in content protection.
  • Symmetric or asymmetric key for signature verification.
  • Key rollover support (if necessary).

You can use this STS tool to test the STS. It supports all three types of verification keys: symmetric, asymmetric, or Azure Active Directory (Azure AD) with key rollover.

Streaming protocols and encryption types

You can use Media Services to deliver your content encrypted dynamically with AES clear key or DRM encryption by using PlayReady or FairPlay. Currently, you can encrypt the HLS, MPEG DASH, and Smooth Streaming formats. Each protocol supports the following encryption methods.

HLS

The HLS protocol supports the following container formats and encryption schemes:

| Container format | Encryption scheme | URL example |
| --- | --- | --- |
| All | AES | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-aapl,encryption=cbc) |
| MPG2-TS | CBCS (FairPlay) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-aapl,encryption=cbcs-aapl) |
| CMAF(fmp4) | CBCS (FairPlay) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-cmaf,encryption=cbcs-aapl) |
| MPG2-TS | CENC (PlayReady) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-aapl,encryption=cenc) |
| CMAF(fmp4) | CENC (PlayReady) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-cmaf,encryption=cenc) |

HLS/CMAF + FairPlay (including HEVC/H.265) is supported on the following devices:

  • iOS 11 or later.
  • iPhone 8 or later.
  • macOS High Sierra with Intel 7th Generation CPU.

MPEG-DASH

The MPEG-DASH protocol supports the following container formats and encryption schemes:

| Container format | Encryption scheme | URL example |
| --- | --- | --- |
| All | AES | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=mpd-time-csf,encryption=cbc) |
| CSF(fmp4) | CENC (PlayReady) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=mpd-time-csf,encryption=cenc) |
| CMAF(fmp4) | CENC (PlayReady) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=mpd-time-cmaf,encryption=cenc) |

Smooth Streaming

The Smooth Streaming protocol supports the following container formats and encryption schemes.

| Container format | Encryption scheme | URL example |
| --- | --- | --- |
| fMP4 | AES | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(encryption=cbc) |
| fMP4 | CENC (PlayReady) | https://amsv3account-cne21.streaming.media.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(encryption=cenc) |

Browsers

Common browsers support the following DRM clients:

| Browser | Encryption |
| --- | --- |
| Microsoft Edge, Internet Explorer 11 | PlayReady |
| Safari | FairPlay |

Controlling content access

You can control who has access to your content by configuring the content key policy. Media Services supports multiple ways of authorizing users who make key requests. The client (player) must meet the policy before the key can be delivered to the client. The content key policy can have an open or a token restriction.

An open-restricted content key policy may be used when you want to issue licenses to anyone without authorization, for example, if your revenue is ad-based and not subscription-based.

With a token-restricted content key policy, the content key is sent only to a client that presents a valid JWT token or a simple web token (SWT) in the license/key request. This token must be issued by an STS.

You can use Azure AD as an STS or deploy a custom STS. The STS must be configured to create a token signed with the specified key and to issue the claims that you specified in the token restriction configuration. The Media Services license/key delivery service returns the requested license or key to the client if both of these conditions exist:

  • The token is valid.
  • The claims in the token match those configured for the license or key.

When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key contains the key that the token was signed with. The issuer is the STS that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource that the token authorizes access to. The Media Services license/key delivery service validates that these values in the token match the values in the template.

Token replay prevention

The Token Replay Prevention feature allows Media Services customers to set a limit on how many times the same token can be used to request a key or a license. The customer can add a claim of type urn:microsoft:azure:mediaservices:maxuses in the token, where the value is the number of times the token can be used to acquire a license or key. All subsequent requests with the same token to Key Delivery will return an unauthorized response. See how to add the claim in the DRM sample.

Considerations

  • Customers must have control over token generation. The claim needs to be placed in the token itself.
  • When using this feature, requests with tokens whose expiry time is more than one hour away from the time the request is received are rejected with an unauthorized response.
  • Tokens are uniquely identified by their signature. Any change to the payload (for example, an update to the expiry time or the claim) changes the signature of the token, and it will count as a new token that Key Delivery hasn't come across before.
  • Playback fails if the token has exceeded the maxuses value set by the customer.
  • This feature can be used for all existing protected content (only the token issued needs to be changed).
  • This feature works with both JWT and SWT.
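The token checks from "Controlling content access" and the replay rules above, modelled in Python as an added example (it is not code from Media Services or its DRM sample). It assumes an HS256 symmetric verification key; issue_token, KeyDeliveryModel, and the key, issuer and audience values a caller passes in are hypothetical names and constructed values.

```python
import base64
import hashlib
import hmac
import json

MAXUSES = "urn:microsoft:azure:mediaservices:maxuses"  # claim type from the page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key, issuer, audience, max_uses, lifetime_s, now):
    """STS side: mint an HS256 JWT that carries the maxuses claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "exp": now + lifetime_s,
              MAXUSES: str(max_uses)}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + b64url(sign(key, signing_input))

class KeyDeliveryModel:
    """Hypothetical local model of the checks the page lists, not the service."""
    def __init__(self, key, issuer, audience):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.uses = {}  # signature bytes -> accepted request count

    def authorize(self, token, now):
        try:
            head, body, sig_text = token.split(".")
            header = json.loads(b64url_decode(head))
            claims = json.loads(b64url_decode(body))
            sig = b64url_decode(sig_text)
            alg, exp = header.get("alg"), claims.get("exp")
        except (ValueError, AttributeError):
            return "unauthorized: malformed token"
        # Pin the algorithm; the token header must not choose it.
        if alg != "HS256":
            return "unauthorized: unexpected algorithm"
        if not hmac.compare_digest(sig, sign(self.key, head + "." + body)):
            return "unauthorized: bad signature"
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return "unauthorized: issuer or audience mismatch"
        if not isinstance(exp, int) or exp <= now:
            return "unauthorized: expired"
        if MAXUSES in claims:
            try:
                limit = int(claims[MAXUSES])
            except (TypeError, ValueError):
                return "unauthorized: bad maxuses claim"
            # Replay rule: the expiry may be at most one hour away.
            if exp - now > 3600:
                return "unauthorized: expiry more than one hour away"
            # Tokens are identified by signature, so count per signature.
            used = self.uses.get(sig, 0)
            if used >= limit:
                return "unauthorized: maxuses exceeded"
            self.uses[sig] = used + 1
        return "ok"
```

Reissuing a token with a different expiry produces a new signature, so the model counts it from zero, which is why the STS, not the player, has to be the only party able to mint tokens.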

Using a custom STS

A customer might choose to use a custom STS to provide tokens. Reasons include:

  • The identity provider (IDP) used by the customer doesn't support STS. In this case, a custom STS might be an option.

  • The customer might need more flexible or tighter control to integrate STS with the customer's subscriber billing system.

    For example, an OTT service operator might offer multiple subscriber packages, such as premium, basic, and sports. The operator might want to match the claims in a token with a subscriber's package so that only the contents in a specific package are made available. In this case, a custom STS provides the needed flexibility and control.

  • To include custom claims in the token to select between different ContentKeyPolicyOptions with different DRM license parameters (a subscription license versus a rental license).

  • To include a claim representing the content key identifier of the key that the token grants access to.

When you use a custom STS, two changes must be made:

  • When you configure license delivery service for an asset, you need to specify the security key used for verification by the custom STS instead of the current key from Azure AD.
  • When a JWT token is generated, a security key is specified instead of the private key of the current X509 certificate in Azure AD.

There are two types of security keys:

  • Symmetric key: The same key is used to generate and to verify a JWT.
  • Asymmetric key: A public-private key pair in an X509 certificate is used, with the private key to encrypt/generate a JWT and the public key to verify the token.

If you use .NET Framework/C# as your development platform, the X509 certificate used for an asymmetric security key must have a key length of at least 2048. This key length is a requirement of the class System.IdentityModel.Tokens.X509AsymmetricSecurityKey in .NET Framework. Otherwise, the following exception is thrown: IDX10630: The 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey' for signing can't be smaller than '2048' bits.

Custom key and license acquisition URL

Use the following templates if you want to specify a different license/key delivery service (not Media Services). The two replaceable fields in the templates are there so that you can share your streaming policy across many assets instead of creating a streaming policy per asset.

  • EnvelopeEncryption.CustomKeyAcquisitionUrlTemplate: Template for the URL of the custom service that delivers keys to end-user players. It isn't required when you're using Azure Media Services for issuing keys.

    The template supports replaceable tokens that the service will update at runtime with the value specific to the request. The currently supported token values are:

    • {AlternativeMediaId}, which is replaced with the value of StreamingLocatorId.AlternativeMediaId.
    • {ContentKeyId}, which is replaced with the value of the identifier of the requested key.
  • StreamingPolicyPlayReadyConfiguration.CustomLicenseAcquisitionUrlTemplate: Template for the URL of the custom service that delivers licenses to end-user players. It isn't required when you're using Azure Media Services for issuing licenses.

    The template supports replaceable tokens that the service will update at runtime with the value specific to the request. The currently supported token values are:

    • {AlternativeMediaId}, which is replaced with the value of StreamingLocatorId.AlternativeMediaId.
    • {ContentKeyId}, which is replaced with the value of the identifier of the requested key.
  • StreamingPolicyFairPlayConfiguration.CustomLicenseAcquisitionUrlTemplate: Same as the previous template, only for FairPlay.

For example:

streamingPolicy.EnvelopeEncryption.CustomKeyAcquisitionUrlTemplate = "https://mykeyserver.hostname.com/envelopekey/{AlternativeMediaId}/{ContentKeyId}";

ContentKeyId holds the identifier of the requested key. You can use AlternativeMediaId if you want to map the request to an entity on your side. For example, AlternativeMediaId can be used to help you look up permissions.
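How a custom key server might consume requests built from that template, as an added Python example (not Media Services code). The function names, the permissions map, the allowed character set for AlternativeMediaId and the rule that each placeholder appears exactly once in the path are assumptions of this model.

```python
import re
import uuid
from urllib.parse import urlsplit

SUPPORTED = ("AlternativeMediaId", "ContentKeyId")  # tokens listed on the page

def validate_template(template):
    """Config-time check: absolute HTTPS URL, supported placeholders only."""
    parts = urlsplit(template)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("template must be an absolute https URL")
    unknown = set(re.findall(r"\{([^{}]*)\}", template)) - set(SUPPORTED)
    if unknown:
        raise ValueError(f"unsupported placeholders: {sorted(unknown)}")
    return template

def expand(template, alternative_media_id, content_key_id):
    """Model of the runtime substitution the service performs."""
    return (template.replace("{AlternativeMediaId}", alternative_media_id)
                    .replace("{ContentKeyId}", content_key_id))

def route_pattern(template):
    """Derive a strict path matcher for the key server from the same template."""
    path = urlsplit(template).path
    if any(path.count("{%s}" % name) != 1 for name in SUPPORTED):
        raise ValueError("path must contain each placeholder exactly once")
    pattern = re.escape(path)
    # Assumption: media IDs are short URL-safe strings; key IDs are GUIDs.
    pattern = pattern.replace(re.escape("{AlternativeMediaId}"),
                              r"(?P<media>[A-Za-z0-9_-]{1,64})")
    pattern = pattern.replace(re.escape("{ContentKeyId}"),
                              r"(?P<kid>[0-9A-Fa-f-]{36})")
    return re.compile(pattern)

def authorize_key_request(url, pattern, permissions, subscriber):
    """Return the requested key ID if the subscriber may have it, else None."""
    match = pattern.fullmatch(urlsplit(url).path)
    if match is None:
        return None  # unexpected shape, extra segments, or traversal attempt
    try:
        key_id = uuid.UUID(match.group("kid"))
    except ValueError:
        return None
    # AlternativeMediaId maps the request to an entity on the server's side.
    allowed = permissions.get(match.group("media"), set())
    return key_id if subscriber in allowed else None
```

Deriving the route from the template keeps the streaming policy and the key server in agreement, and anything that does not match the exact shape is refused before any permission lookup.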

For REST examples that use custom license/key acquisition URLs, see Streaming Policies - Create.

Troubleshoot

If you get the MPE_ENC_ENCRYPTION_NOT_SET_IN_DELIVERY_POLICY error, make sure that you specify the appropriate streaming policy.

If you get errors that end with _NOT_SPECIFIED_IN_URL, make sure that you specify the encryption format in the URL. An example is …/manifest(format=m3u8-cmaf,encryption=cbcs-aapl). See Streaming protocols and encryption types.
