This plugin brings Opencast Stream Security to the Wowza Media Server. More information about Opencast Stream Security can be found in the Opencast Administration Guide
You need to install Wowza Streaming Engine on the machine where you want to build the Wowza Stream Security module. This module is tested with Wowza 4.5+. You can use a free trial or developer version to build this module. In fact, as we are onlylinking the libraries from Wowza and do not need to start the software, Wowza does not even have to be registered.
Please follow the installation instructions from Wowza.
Usually Wowza should now be installed to /usr/local/WowzaStreamingEngine.
The Wowza Stream Security component is based on Java. Compiling it is therefore very similar to compiling Opencast. Note that in order to build the Wowza component, dependencies will be linked from an online Nexus repo or your local M2_REPO if it contains the dependencies already. If you are not running an Opencast release version that is provided by the nexus, you have to build Opencast first on your local machine.
Check out the Wowza Stream Security code first.
git clone https://bitbucket.org/opencast-community/wowza-stream-security-plugin.git
cd wowza-stream-security-plugin
You need to have a Java build environment with JDK and Maven on your machine. If have this already you can skip these steps!
yum install git java-1.8.0-openjdk java-1.8.0-openjdk-devel
cd /opt
wget http://apache.sunsite.ualberta.ca/maven/maven-3/3.3.3/binaries/apache-maven-3.3.3-bin.tar.gz
tar -xvf apache-maven-3.3.3-bin.tar.gz
export PATH=/opt/apache-maven-3.3.3/bin:$PATH
Build and Install the Wowza Stream Security Component
mvn clean install -Dopencast.version=<your opencast version> [-Dpackage.dir=<output directory>] [-Dwowza.path=<path to your Wowza installation>]
-Dopencast.versionspecifies the Opencast version that you are using. Make sure this version matches to the Opencast version that you are using (i.e.-Dopencast.version=4.2)-Dpackage.dirspecifies the output directory for the build plugin. This parameter is optionally, with predefined value of${project.basedir}/build/-Dwowza.pathspecifies the path to your local Wowza installation. If you installed Wowza to the default path you do not need to set this.
The build module and all the dependencies will be copied to the output directory you specified with package.dir parameter or per default to the build directory. Next you have to copy the jar files from the output to Wowza lib directory, default path /usr/local/WowzaStreamingEngine/lib.
cp build/*.jar /usr/local/WowzaStreamingEngine/lib/
You can use the Wowza Engine Manager on http://localhost:8088 to setup the Opencast Application.
Select "Applications" from the main menu and click on VOD (Video On Demand).
Then enter a name for you application, i.e. "opencast".
Within the setup details of the application it is recommended to deactivate all unsupported "Playback Types" and only activate MPEG-DASH, Apple HLS and Adobe RTMP.
You also need to set the content directory to the org.opencastproject.streaming.directory defined in the Opencast configuration.
Now you need to add an addition module to your application. Open the "Modules" tab, choose "Edit" and "+ Add Module ..."
The new module needs these settings:
- Name: StreamSecurity
- Description: Opencast Stream Security Module
- Fully Qualified Class Name: org.opencastproject.wowza.StreamSecurityWowzaPlugin
Now you need to save these settings and restart the application.
The signing keys and secrets have to be configured in a separate file named streamsecurity.properties which must be placed inside Wowza’s configuration directory (usually /usr/local/WowzaStreamingEngine/conf).
The file simply contains a collection of key-value pairs, one per line:
demoKeyOne=6EDB5EDDCF994B7432C371D7C274F
demoKeyTwo=C843C21ECF59F2B38872A1BCAA774
As with the HTTPd component, the entries in this file need to have the same values as used for the Signing Providers configuration.
URLs can be whitelisted by defining regular expressions in a file called pugin.properties, which will also have to be placed in the Wowza's configuration directory. URLs matching this pattern will not be checked for a correct signature. The patterns will be defined in the file in the following way:
whitelist.<name>=<pattern>
This can be used to whitelist the segment URLs for HLS and Dash streaming since they are often not signed correctly or not signed at all. Example:
whitelist.hls=.*media_.*\.ts.*
whitelist.hls2=.*chunklist_.*\.m3u8.*
whitelist.mpd=.*segment_.*\.m4s.*
To secure the RTMP links the $OPENCAST_HOME/etc/org.opencastproject.security.urlsigning.provider.impl.WowzaUrlSigningProvider.cfg has to be adjusted:
id.1=demoKeyOne
key.1=6EDB5EDDCF994B7432C371D7C274F
url.1=rtmp
But as the adaptive streaming URLs are HTTP links you have to use the $OPENCAST_HOME/etc/org.opencastproject.security.urlsigning.provider.impl.GenericUrlSigningProvider.cfg configuration to secure these links:
id.2=demoKeyOne
key.2=6EDB5EDDCF994B7432C371D7C274F
url.2=http://localhost:1935/secure
organization.2=mh_default_org