Once: Content Security


This document explains the content security features supported by Once.

Token Authentication

Currently Once supports Token Authentication for the following CDNs:

  • Akamai EdgeAuth 1.0
  • Level 3

Contact your Brightcove representative for assistance with configuration.

Akamai EdgeAuth 1.0

This section covers the information Brightcove Once requires to handle token authentication through Akamai. It assumes that all configuration between the customer and the CDN has been completed.

Customer Requirements:

  • Akamai shared secret
  • Customer common shared secret
  • CDN hostname
  • Hashing requirements for full or partial
      • Full (host/path/resource?key=value)
      • Partial (path/resource?key=value)
  • Failover URL for unauthenticated requests (optional)

Shared Secrets

The Once token authentication system requires two shared secrets: the CDN shared secret and a customer-defined shared secret. The customer shared secret is used by Once as a gateway to authentication through the Once API and should not be confused with the CDN shared secret, which is used for resource access. By default, the same shared secret is used for both layers of authentication, but the two can differ on a per-application basis if desired.

Appending token authentication parameters

The following parameters are necessary for utilizing token authentication.

| Parameter | Required | Description |
|-----------|----------|-------------|
| umsstime | Yes | Start time of authorized content (UNIX epoch time). |
| umsetime | Yes, if umsttl is not used | End time of authorized content (UNIX epoch time). |
| umsttl | Yes, if umsetime is not used | Number of seconds after the start time to keep the content authorized. |
| umshash | Yes | HMAC-SHA1 hash of the URL path and query, computed with the common shared secret. |

Level 3

This section covers the information Brightcove Once requires to handle token authentication through Level 3. It assumes that all configuration between the customer and the CDN has been completed.

Customer Requirements:

  • Level 3 shared secret(s) (Up to 10 active keys)
  • Customer common shared secret
  • CDN hostname
  • Hashing requirements for full or partial
      • Full (host/path/resource?key=value)
      • Partial (path/resource?key=value)
  • Failover URL for unauthenticated requests (optional)

Shared Secrets

The Once token authentication system requires two shared secrets: the CDN shared secret and a customer-defined shared secret. The customer shared secret is used by Once as a gateway to authentication through the Once API and should not be confused with the CDN shared secret, which is used for resource access. By default, the same shared secret is used for both layers of authentication, but the two can differ on a per-application basis if desired.

Shared Secret Configuration:

The key and entry associations must be the same between the CDN and the Once system. If multiple tokens are available in the same window, the Once system uses the first available one to hash the authentication request.

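| Entry | Secret (up to 64 chars) | Not Valid Before | Not Valid After |
|-------|-------------------------|------------------|-----------------|
| 0 | sharedsecret0 | 20071113050000 | 20081225080000 |
| 1 | sharedsecret1 | 20081225080000 | 20090211120000 |
| 2 | | | |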

Appending token authentication parameters:

The following parameters are necessary for utilizing token authentication.

| Parameter | Required | Description |
|-----------|----------|-------------|
| umsstime | Yes | Start time of authorized content (UNIX epoch time). |
| umsetime | Yes, if umsttl is not used | End time of authorized content (UNIX epoch time). |
| umsttl | Yes, if umsetime is not used | Number of seconds after the start time to keep the content authorized. |
| umshash | Yes | HMAC-SHA1 hash of the URL path and query, computed with the common shared secret. |
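
The parameter tables in the Akamai and Level 3 sections describe the same request-signing scheme. The following is an added example, not Brightcove's code, that appends the parameters and checks them on the receiving side. It assumes a hex-encoded digest, that the hash covers the path and query including umsstime and umsttl/umsetime in the order shown, and an inclusive time window; the secret, hostname and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed sample values, not real credentials or hostnames.
SAMPLE_SECRET = b"constructed-common-shared-secret"
SAMPLE_URL = "https://cdn.example.com/media/asset.m3u8?quality=hd"


def _digest(url, secret):
    """HMAC-SHA1 over path + query (assumed: hex output, host excluded)."""
    parts = urlsplit(url)
    message = parts.path + ("?" + parts.query if parts.query else "")
    return hmac.new(secret, message.encode(), hashlib.sha1).hexdigest()


def sign_url(url, secret, start, ttl=None, end=None):
    """Append umsstime, then umsttl or umsetime, then umshash."""
    if (ttl is None) == (end is None):
        raise ValueError("supply exactly one of ttl (umsttl) or end (umsetime)")
    window = f"umsttl={ttl}" if ttl is not None else f"umsetime={end}"
    sep = "&" if urlsplit(url).query else "?"
    unsigned = f"{url}{sep}umsstime={start}&{window}"
    return f"{unsigned}&umshash={_digest(unsigned, secret)}"


def verify_url(url, secret, now):
    """Return True only if the hash matches and now is inside the window."""
    unsigned, marker, presented = url.rpartition("&umshash=")
    if not marker:
        return False
    expected = _digest(unsigned, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    params = dict(parse_qsl(urlsplit(unsigned).query))
    try:
        start = int(params["umsstime"])
        if "umsetime" in params:
            end = int(params["umsetime"])
        else:
            end = start + int(params["umsttl"])
    except (KeyError, ValueError):
        return False
    return start <= now <= end
```

Because the time parameters are part of the hashed string, extending umsttl or umsetime on an issued URL invalidates umshash.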