Protect your content with Media Services dynamic encryption

Use Azure Media Services to help secure your media from the time it leaves your computer all the way through storage, processing, and delivery. With Media Services, you can deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or any of the three major digital rights management (DRM) systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay. Media Services also provides a service for delivering AES keys and DRM (PlayReady, Widevine, and FairPlay) licenses to authorized clients. If content is encrypted with an AES clear key and is sent over HTTPS, it is not in clear until it reaches the client.

In Media Services v3, a content key is associated with a Streaming Locator (see this example). If you use the Media Services key delivery service, you can let Azure Media Services generate the content key for you. Generate the content key yourself if you're using your own key delivery service, or if you need to handle a high-availability scenario where the same content key must exist in two data centers.

When a stream is requested by a player, Media Services uses the specified key to dynamically encrypt your content by using AES clear key or DRM encryption. To decrypt the stream, the player requests the key from the Media Services key delivery service or the key delivery service you specified. To decide if the user is authorized to get the key, the service evaluates the content key policy that you specified for the key.

You can use the REST API, or a Media Services client library, to configure authorization and authentication policies for your licenses and keys.

The following image illustrates the workflow for Media Services content protection:

[Image: Media Services content protection workflow]

* Dynamic encryption supports AES-128 clear key, CBCS, and CENC. For details, see the support matrix.

This article explains concepts and terminology that help you understand content protection with Media Services.

Main components of a content protection system

To successfully complete your content protection system, you need to fully understand the scope of the effort. The following sections give an overview of three parts that you need to implement.

Note

We highly recommend that you focus on and fully test each part in the following sections before you move on to the next part. To test your content protection system, use the tools specified in the sections.

Media Services code

The DRM sample shows you how to implement a multi-DRM system with Media Services v3 by using .NET. It also shows how to use the Media Services license/key delivery service.

You can encrypt each asset with multiple encryption types (AES-128, PlayReady, Widevine, FairPlay). To see what makes sense to combine, see Streaming protocols and encryption types.

The example shows how to:

  1. Create and configure a content key policy.

    You create a content key policy to configure how the content key (which provides secure access to your assets) is delivered to end clients:

    • Define license delivery authorization. Specify the logic of the authorization check based on claims in JSON Web Token (JWT).

    • Configure PlayReady, Widevine, and/or FairPlay licenses. The templates let you configure rights and permissions for each of the DRMs.

      ContentKeyPolicyPlayReadyConfiguration playReadyConfig = ConfigurePlayReadyLicenseTemplate();
      ContentKeyPolicyWidevineConfiguration widevineConfig = ConfigureWidevineLicenseTempate();
      ContentKeyPolicyFairPlayConfiguration fairPlayConfig = ConfigureFairPlayPolicyOptions();
      
  2. Create a streaming locator that's configured to stream the encrypted asset.

    The streaming locator has to be associated with a streaming policy. In the example, we set StreamingLocator.StreamingPolicyName to the "Predefined_MultiDrmCencStreaming" policy.

    The PlayReady and Widevine encryptions are applied, and the key is delivered to the playback client based on the configured DRM licenses. If you also want to encrypt your stream with CBCS (FairPlay), use the "Predefined_MultiDrmStreaming" policy.

    The streaming locator is also associated with the content key policy that you defined.

  3. Create a test token.

    The GetTokenAsync method shows how to create a test token.

  4. Build the streaming URL.

    The GetDASHStreamingUrlAsync method shows how to build the streaming URL. In this case, the URL streams the DASH content.

Player with an AES or DRM client

A video player app based on a player SDK (either native or browser-based) needs to meet the following requirements:

  • The player SDK supports the needed DRM clients.
  • The player SDK supports the required streaming protocols: Smooth, DASH, and/or HTTP Live Streaming (HLS).
  • The player SDK can handle passing a JWT token in a license acquisition request.

You can create a player by using the Azure Media Player API. Use the Azure Media Player ProtectionInfo API to specify which DRM technology to use on different DRM platforms.

For testing AES or CENC (Widevine and/or PlayReady) encrypted content, you can use Azure Media Player. Make sure that you select Advanced options and check your encryption options.

If you want to test FairPlay encrypted content, use this test player. The player supports Widevine, PlayReady, and FairPlay DRMs, along with AES-128 clear key encryption.

Choose the right browser to test different DRMs:

  • Chrome, Opera, or Firefox for Widevine.
  • Microsoft Edge or Internet Explorer 11 for PlayReady.
  • Safari on macOS for FairPlay.

Security token service

A security token service (STS) issues a JWT as the access token for back-end resource access. You can use the Azure Media Services license/key delivery service as the back-end resource. An STS has to define the following things:

  • Issuer and audience (or scope).
  • Claims, which are dependent on business requirements in content protection.
  • Symmetric or asymmetric verification of the token signature.
  • Key rollover support (if necessary).

You can use this STS tool to test the STS. It supports all three types of verification keys: symmetric, asymmetric, or Azure Active Directory (Azure AD) with key rollover.

Streaming protocols and encryption types

You can use Media Services to deliver your content encrypted dynamically with AES clear key or DRM encryption by using PlayReady, Widevine, or FairPlay. Currently, you can encrypt the HLS, MPEG DASH, and Smooth Streaming formats. Each protocol supports the following encryption methods.

HLS

The HLS protocol supports the following container formats and encryption schemes:

| Container format | Encryption scheme | URL example |
|---|---|---|
| All | AES | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-aapl,encryption=cbc) |
| MPG2-TS | CBCS (FairPlay) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-aapl,encryption=cbcs-aapl) |
| CMAF(fmp4) | CBCS (FairPlay) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-cmaf,encryption=cbcs-aapl) |
| MPG2-TS | CENC (PlayReady) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-aapl,encryption=cenc) |
| CMAF(fmp4) | CENC (PlayReady) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=m3u8-cmaf,encryption=cenc) |

HLS/CMAF + FairPlay (including HEVC/H.265) is supported on the following devices:

  • iOS 11 or later.
  • iPhone 8 or later.
  • macOS High Sierra with Intel 7th Generation CPU.

MPEG-DASH

The MPEG-DASH protocol supports the following container formats and encryption schemes:

| Container format | Encryption scheme | URL example |
|---|---|---|
| All | AES | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=mpd-time-csf,encryption=cbc) |
| CSF(fmp4) | CENC (Widevine + PlayReady) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=mpd-time-csf,encryption=cenc) |
| CMAF(fmp4) | CENC (Widevine + PlayReady) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(format=mpd-time-cmaf,encryption=cenc) |

Smooth Streaming

The Smooth Streaming protocol supports the following container formats and encryption schemes.

| Container format | Encryption scheme | URL example |
|---|---|---|
| fMP4 | AES | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(encryption=cbc) |
| fMP4 | CENC (PlayReady) | https://amsv3account-usw22.streaming.media.azure.net/00000000-0000-0000-0000-000000000000/ignite.ism/manifest(encryption=cenc) |
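
A pre-publish check for playback URLs of content served through an encrypting streaming policy, added here as an example (not code from Media Services): it parses the manifest(...) suffix and compares it with the three tables above, flagging a URL that omits encryption= or uses a pairing the tables do not list. The function name and the result fields are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Encryption values per protocol, transcribed from the tables on this page.
_HLS = {"cbc": "AES", "cbcs-aapl": "CBCS (FairPlay)", "cenc": "CENC (PlayReady)"}
_DASH = {"cbc": "AES", "cenc": "CENC (Widevine + PlayReady)"}
_SMOOTH = {"cbc": "AES", "cenc": "CENC (PlayReady)"}

# format= value -> (protocol, allowed encryption values); None means no format=.
FORMATS = {
    "m3u8-aapl": ("HLS", _HLS),
    "m3u8-cmaf": ("HLS", _HLS),
    "mpd-time-csf": ("MPEG-DASH", _DASH),
    "mpd-time-cmaf": ("MPEG-DASH", _DASH),
    None: ("Smooth Streaming", _SMOOTH),
}

# Matches ".../manifest" with an optional "(name=value,...)" suffix.
_MANIFEST = re.compile(r"/manifest(?:\(([^()]*)\))?$")


def classify_streaming_url(url):
    """Describe a streaming URL; 'problem' is set when a check fails."""
    match = _MANIFEST.search(urlsplit(url).path)
    if match is None:
        return {"ok": False, "problem": "not a manifest URL"}
    items = (match.group(1) or "").split(",")
    pairs = (item.split("=", 1) for item in items if "=" in item)
    params = {name.strip().lower(): value.strip().lower() for name, value in pairs}
    fmt, enc = params.get("format"), params.get("encryption")
    if fmt not in FORMATS:
        return {"ok": False, "problem": "format not listed on this page"}
    protocol, schemes = FORMATS[fmt]
    result = {"ok": False, "protocol": protocol, "format": fmt, "encryption": enc}
    if enc is None:
        # The case behind errors ending in _NOT_SPECIFIED_IN_URL.
        result["problem"] = "encryption not specified in URL"
    elif enc not in schemes:
        result["problem"] = "combination not listed on this page"
    else:
        result.update(ok=True, scheme=schemes[enc])
    return result
```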

Browsers

Common browsers support the following DRM clients:

| Browser | Encryption |
|---|---|
| Chrome | Widevine |
| Microsoft Edge, Internet Explorer 11 | PlayReady |
| Firefox | Widevine |
| Opera | Widevine |
| Safari | FairPlay |

Controlling content access

You can control who has access to your content by configuring the content key policy. Media Services supports multiple ways of authorizing users who make key requests. The client (player) must meet the policy before the key can be delivered to the client. The content key policy can have an open or a token restriction.

An open-restricted content key policy may be used when you want to issue a license to anyone without authorization. For example, if your revenue is ad-based and not subscription-based.

With a token-restricted content key policy, the content key is sent only to a client that presents a valid JWT token or a simple web token (SWT) in the license/key request. This token must be issued by an STS.

You can use Azure AD as an STS or deploy a custom STS. The STS must be configured to create a token signed with the specified key and issue claims that you specified in the token restriction configuration. The Media Services license/key delivery service returns the requested license or key to the client if both of these conditions exist:

  • The token is valid.
  • The claims in the token match those configured for the license or key.

When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key contains the key that the token was signed with. The issuer is the STS that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource that the token authorizes access to. The Media Services license/key delivery service validates that these values in the token match the values in the template.

Token replay prevention

The Token Replay Prevention feature allows Media Services customers to set a limit on how many times the same token can be used to request a key or a license. The customer can add a claim of type urn:microsoft:azure:mediaservices:maxuses in the token, where the value is the number of times the token can be used to acquire a license or key. All subsequent requests with the same token to Key Delivery will return an unauthorized response. See how to add the claim in the DRM sample.

Considerations

  • Customers must have control over token generation. The claim needs to be placed in the token itself.
  • When using this feature, requests with tokens whose expiry time is more than one hour away from the time the request is received are rejected with an unauthorized response.
  • Tokens are uniquely identified by their signature. Any change to the payload (for example, update to the expiry time or the claim) changes the signature of the token and it will count as a new token that Key Delivery hasn't come across before.
  • Playback fails if the token has exceeded the maxuses value set by the customer.
  • This feature can be used for all existing protected content (only the token issued needs to be changed).
  • This feature works with both JWT and SWT.
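
The token-restriction checks and the replay limits described in the two sections above, modeled end to end as an added example (not code from the DRM sample or from the Media Services key delivery service). It uses only the Python standard library with an HS256 symmetric key; `issue_token`, `KeyDeliveryModel`, the reason strings, and the expired-token check are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Claim type named on this page for token replay prevention.
MAXUSES_CLAIM = "urn:microsoft:azure:mediaservices:maxuses"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key, issuer, audience, lifetime_s, max_uses=None, now=None, **claims):
    """Custom-STS side (hypothetical helper): mint an HS256 JWT."""
    now = int(time.time() if now is None else now)
    payload = {"iss": issuer, "aud": audience, "exp": now + lifetime_s, **claims}
    if max_uses is not None:
        payload[MAXUSES_CLAIM] = max_uses
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _b64url(_sign(key, signing_input))

class KeyDeliveryModel:
    """Toy model of a token-restricted key endpoint; not the real service."""

    def __init__(self, key, issuer, audience, required_claims=None):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.required_claims = required_claims or {}
        self._uses = {}  # decoded signature bytes -> times accepted

    def authorize(self, token, now=None):
        """Return (allowed, reason) for one key/license request."""
        now = time.time() if now is None else now
        try:
            h, p, s = token.split(".")
            header, payload = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
            sig = _b64url_decode(s)
            if not (isinstance(header, dict) and isinstance(payload, dict)):
                raise ValueError("header and payload must be JSON objects")
        except ValueError:
            return False, "malformed token"
        # Pin the algorithm to the configured key type; never trust the header.
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        if not hmac.compare_digest(sig, _sign(self.key, h + "." + p)):
            return False, "bad signature"
        if payload.get("iss") != self.issuer or payload.get("aud") != self.audience:
            return False, "issuer/audience mismatch"
        exp = payload.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return False, "expired"
        if any(payload.get(k) != v for k, v in self.required_claims.items()):
            return False, "required claim mismatch"
        max_uses = payload.get(MAXUSES_CLAIM)
        if max_uses is not None:
            if exp - now > 3600:  # page: expiry more than one hour away is rejected
                return False, "expiry more than one hour away"
            # Count per decoded signature, so re-encoding the text does not reset it.
            used = self._uses.get(sig, 0)
            if not isinstance(max_uses, int) or used >= max_uses:
                return False, "maxuses exceeded"
            self._uses[sig] = used + 1
        return True, "ok"
```

Because the counter is keyed on the signature, a token reissued with a different expiry or claim set starts a fresh count, which is why the page requires the customer to control token generation.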

Using a custom STS

A customer might choose to use a custom STS to provide tokens. Reasons include:

  • The identity provider (IDP) used by the customer doesn't support STS. In this case, a custom STS might be an option.

  • The customer might need more flexible or tighter control to integrate STS with the customer's subscriber billing system.

    For example, an OTT service operator might offer multiple subscriber packages, such as premium, basic, and sports. The operator might want to match the claims in a token with a subscriber's package so that only the contents in a specific package are made available. In this case, a custom STS provides the needed flexibility and control.

  • To include custom claims in the token to select between different ContentKeyPolicyOptions with different DRM license parameters (a subscription license versus a rental license).

  • To include a claim representing the content key identifier of the key that the token grants access to.

When you use a custom STS, two changes must be made:

  • When you configure license delivery service for an asset, you need to specify the security key used for verification by the custom STS instead of the current key from Azure AD.
  • When a JWT token is generated, a security key is specified instead of the private key of the current X509 certificate in Azure AD.

There are two types of security keys:

  • Symmetric key: The same key is used to generate and to verify a JWT.
  • Asymmetric key: A public-private key pair in an X509 certificate is used, with the private key to sign/generate a JWT and the public key to verify the token.

If you use .NET Framework/C# as your development platform, the X509 certificate used for an asymmetric security key must have a key length of at least 2048 bits. This key length is a requirement of the class System.IdentityModel.Tokens.X509AsymmetricSecurityKey in .NET Framework. Otherwise, the following exception is thrown: IDX10630: The 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey' for signing can't be smaller than '2048' bits.

Custom key and license acquisition URL

Use the following templates if you want to specify a different license/key delivery service (not Media Services). The two replaceable fields in the templates are there so that you can share your streaming policy across many assets instead of creating a streaming policy per asset.

  • EnvelopeEncryption.CustomKeyAcquisitionUrlTemplate: Template for the URL of the custom service that delivers keys to end-user players. It isn't required when you're using Azure Media Services for issuing keys.

    The template supports replaceable tokens that the service will update at runtime with the value specific to the request. The currently supported token values are:

    • {AlternativeMediaId}, which is replaced with the value of StreamingLocatorId.AlternativeMediaId.
    • {ContentKeyId}, which is replaced with the value of the identifier of the requested key.

  • StreamingPolicyPlayReadyConfiguration.CustomLicenseAcquisitionUrlTemplate: Template for the URL of the custom service that delivers licenses to end-user players. It isn't required when you're using Azure Media Services for issuing licenses.

    The template supports replaceable tokens that the service will update at runtime with the value specific to the request. The currently supported token values are:

    • {AlternativeMediaId}, which is replaced with the value of StreamingLocatorId.AlternativeMediaId.
    • {ContentKeyId}, which is replaced with the value of the identifier of the requested key.

  • StreamingPolicyWidevineConfiguration.CustomLicenseAcquisitionUrlTemplate: Same as the previous template, only for Widevine.

  • StreamingPolicyFairPlayConfiguration.CustomLicenseAcquisitionUrlTemplate: Same as the previous template, only for FairPlay.

For example:

streamingPolicy.EnvelopeEncryption.customKeyAcquisitionUrlTemplate = "https://mykeyserver.hostname.com/envelopekey/{AlternativeMediaId}/{ContentKeyId}";

ContentKeyId has the value of the identifier of the requested key. You can use AlternativeMediaId if you want to map the request to an entity on your side. For example, AlternativeMediaId can be used to help you look up permissions.

For REST examples that use custom license/key acquisition URLs, see Streaming Policies - Create.

Note

Widevine is a service provided by Google Inc. and subject to the terms of service and Privacy Policy of Google, Inc.

Troubleshoot

If you get the MPE_ENC_ENCRYPTION_NOT_SET_IN_DELIVERY_POLICY error, make sure that you specify the appropriate streaming policy.

If you get errors that end with _NOT_SPECIFIED_IN_URL, make sure that you specify the encryption format in the URL. An example is …/manifest(format=m3u8-cmaf,encryption=cbcs-aapl). See Streaming protocols and encryption types.

Ask questions, give feedback, get updates

Check out the Azure Media Services community article to see different ways you can ask questions, give feedback, and get updates about Media Services.

Next steps