Create a content key policy for AES (Advanced Encryption Standard) or Digital Rights Management (DRM) with JWT (JSON Web Token) restriction and implement it in the RMS Console.
Content key policies set encryption rules and control who can access your protected media.
As an alternative to the API request approach, you can create a content key policy using AMSE. The AMSE interface allows you to create content key policies that will then be available in the RMS Console.
In this article:
Step 1: Prepare the request body
Step 2: Submit the API Request
Step 3: Use the created policy
Before you begin
1. Before creating the policy, go to RMS Console > API Key Management tab and locate the following:
   - AZURE_SUBSCRIPTION_ID
   - AZURE_RESOURCE_GROUP
   - RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME
2. Decide on a name for your content key policy. Example: my-aes-jwt-policy.
3. Obtain an access token with permissions to manage content key policies. Include the token in the Authorization header of API requests. For details on how to retrieve the token, see the RMS API Authentication Documentation.
Step 1: Prepare the request body
Content key policy for AES
Example JSON request body for an AES policy with JWT restriction:
{
  "properties": {
    "description": "AES encryption with JWT restriction",
    "options": [
      {
        "name": "my-aes-jwt-policy",
        "configuration": {
          "@odata.type": "#Microsoft.Media.ContentKeyPolicyClearKeyConfiguration"
        },
        "restriction": {
          "@odata.type": "#Microsoft.Media.ContentKeyPolicyTokenRestriction",
          "restrictionTokenType": "Jwt",
          "issuer": "your-issuer-name",
          "audience": "your-audience-name",
          "primaryVerificationKey": {
            "@odata.type": "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey",
            "keyValue": "your-base64-encoded-secret-key"
          },
          "alternateVerificationKeys": [],
          "requiredClaims": [
            {
              "claimType": "your-claim-type",
              "claimValue": "your-claim-value"
            }
          ]
        }
      }
    ]
  }
}
The policyId, created, lastModified, and systemData fields do not need to be included when creating the policy. These are generated automatically.
Parameters overview
There are 3 different @odata.type values in the request body:
- Configuration Type: "@odata.type": "#Microsoft.Media.ContentKeyPolicyClearKeyConfiguration" - specifies that you're using AES Clear Key encryption for your content. Clear Key is a standardized encryption mechanism that provides basic content protection.
- Restriction Type: "@odata.type": "#Microsoft.Media.ContentKeyPolicyTokenRestriction" - indicates you're using token-based restrictions to control access to the encrypted content. The system will validate tokens before allowing access to decryption keys.
- Key Type: "@odata.type": "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey" - specifies that a symmetric key will be used for JWT validation. Symmetric keys use the same secret for both signing and verification.
There are also JWT authentication parameters:
- claimType - defines the type of claim that must be present in a valid JWT. Example value: "env".
- claimValue - the value for the specified claim type. Example: for "claimType": "env", claimValue might be "local".
- restrictionTokenType - use the value "Jwt" to specify JSON Web Token as the token format for authentication, which is an industry (and RMS Console) standard for passing data.
- issuer - identifies who created and signed the JWT. Example: "your-company-name".
- audience - specifies who the JWT is intended for. Helps ensure tokens created for one service can't be used for another. Example: "ravnur".
- keyValue - a Base64-encoded string representing the secret key used to verify JWT signatures. Must be encoded to Base64 to ensure correct JWT validation. Keys shorter than 256 bits (such as 128-bit keys) are not recommended.
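As an added example (not Ravnur's or the RMS Console's own code), the following Python mints a JWT that satisfies the restriction parameters described above and then re-applies the checks such a restriction performs: signature with the Base64-decoded keyValue, expiry, issuer, audience and the required claim. It assumes HS256 as the symmetric-key algorithm, uses only the standard library, and the restriction values and key are constructed here.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed restriction values mirroring the policy above; the key is generated here, not taken from any deployment.
RESTRICTION = {
    "issuer": "your-issuer-name",
    "audience": "your-audience-name",
    "keyValue": base64.b64encode(secrets.token_bytes(32)).decode(),  # 256-bit symmetric key, Base64-encoded
    "requiredClaims": [{"claimType": "env", "claimValue": "local"}],
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(restriction, ttl_seconds=3600):
    """HS256-sign a token whose claims satisfy the restriction (iss, aud, required claims, exp)."""
    now = int(time.time())
    payload = {"iss": restriction["issuer"], "aud": restriction["audience"],
               "iat": now, "exp": now + ttl_seconds}
    for claim in restriction["requiredClaims"]:
        payload[claim["claimType"]] = claim["claimValue"]
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(payload).encode()))
    key = base64.b64decode(restriction["keyValue"])
    return signing_input + "." + _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def verify_jwt(token, restriction, now=None):
    """Apply the checks the token restriction performs; returns (accepted, reason)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        return False, "unexpected alg"  # the policy fixes the algorithm; the token header does not get to choose
    key = base64.b64decode(restriction["keyValue"])
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return False, "expired"
    required = [("iss", restriction["issuer"]), ("aud", restriction["audience"])]
    required += [(c["claimType"], c["claimValue"]) for c in restriction["requiredClaims"]]
    for name, want in required:
        if claims.get(name) != want:
            return False, f"claim {name} mismatch"
    return True, "ok"
```

A token minted for one audience or signed with a different key is rejected before any claim is trusted, which is the behaviour the issuer, audience and keyValue parameters exist to enforce.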
Content key policy for DRM
The configuration process varies depending on which DRM system(s) you need to support.
RMS Console supports 2 DRM implementation approaches:
1. Widevine DRM - Google's DRM system, supported on Android, Chrome, and various smart TVs.
2. FairPlay DRM - Apple's DRM system, supported on iOS, iPadOS, macOS, and tvOS.
PlayReady DRM is supported in the RMS API and will be added to the Console soon.
To find the request body samples, navigate to step 2 of the DRM configuration guide.
DRM Considerations
- Each DRM system requires specific configuration parameters.
- Using a content key policy of the Universal DRM approach results in 2 tabs, Widevine and FairPlay, in the RMS Console.
- Select a compatible streaming policy when creating a locator:
  - AES content key policy for Predefined_ClearKey.
  - DRM content key policy for Predefined_MultiDrmCencStreaming or Predefined_MultiDrmStreaming.
Step 2: Submit the API request
Using the API endpoint:
PUT https://{apiEndpoint}.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Media/mediaServices/{accountName}/contentKeyPolicies/{contentKeyPolicyName}?api-version={api-version}
Replace the path parameters with your specific values:
- {apiEndpoint}: RMS domain that you can find in Azure Front Door using this guide.
- {subscriptionId}: Your AZURE_SUBSCRIPTION_ID from the RMS Console.
- {resourceGroupName}: Your AZURE_RESOURCE_GROUP from the RMS Console.
- {accountName}: Your RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME from the RMS Console.
- {contentKeyPolicyName}: Your desired policy name.
- {api-version}: The API version to use. Example: 2021-06-01.
Request Headers:
- Content-Type: application/json
- Authorization: Bearer {your-access-token} (obtained through the RMS API authentication).
Example Request:
PUT https://{apiEndpoint}.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mrg-mygroup/providers/Microsoft.Media/mediaServices/default/contentKeyPolicies/my-aes-jwt-policy?api-version=2021-06-01
Include the JSON body prepared in step 1 in the request.
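As an added example (not Ravnur's or the RMS Console's own code), this Python assembles the step 1 request body, rejects a keyValue that is not Base64 or is shorter than 256 bits before anything is sent, fills the step 2 path parameters, and submits the PUT with the headers listed above. The function names, the required_claims tuple format and the {apiEndpoint}.com host pattern are assumptions taken from this page, not an RMS SDK.

```python
import base64
import json
import urllib.request

def check_symmetric_key(key_value):
    """Return None if keyValue is usable, else a reason: it must be valid Base64 and at least 256 bits."""
    try:
        raw = base64.b64decode(key_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "keyValue is not valid Base64"
    if len(raw) < 32:
        return f"key is {len(raw) * 8} bits; use at least 256 bits"
    return None

def build_policy_body(option_name, issuer, audience, key_value, required_claims,
                      description="AES encryption with JWT restriction"):
    """Assemble the step 1 body: Clear Key configuration plus a JWT token restriction."""
    problem = check_symmetric_key(key_value)
    if problem:
        raise ValueError(problem)  # fail locally rather than storing a weak or undecodable key
    return {"properties": {"description": description, "options": [{
        "name": option_name,
        "configuration": {"@odata.type": "#Microsoft.Media.ContentKeyPolicyClearKeyConfiguration"},
        "restriction": {
            "@odata.type": "#Microsoft.Media.ContentKeyPolicyTokenRestriction",
            "restrictionTokenType": "Jwt",
            "issuer": issuer,
            "audience": audience,
            "primaryVerificationKey": {"@odata.type": "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey",
                                       "keyValue": key_value},
            "alternateVerificationKeys": [],
            "requiredClaims": [{"claimType": t, "claimValue": v} for t, v in required_claims],
        }}]}}

def build_policy_url(api_endpoint, subscription_id, resource_group, account_name, policy_name,
                     api_version="2021-06-01"):
    """Fill the path parameters of the step 2 PUT endpoint ({apiEndpoint}.com as written on the page)."""
    return (f"https://{api_endpoint}.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Media/mediaServices/{account_name}"
            f"/contentKeyPolicies/{policy_name}?api-version={api_version}")

def submit_policy(url, body, access_token):
    """PUT the policy with the step 2 headers; returns (HTTP status, parsed response body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises urllib.error.HTTPError on 4xx/5xx
        return resp.status, json.loads(resp.read() or b"{}")
```

Call build_policy_body and build_policy_url with the values from the RMS Console, then pass the result to submit_policy together with the access token from the authentication step.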
Step 3: Use the created policy
After creating the policy, verify and use it directly in the RMS Console:
1. Navigate to the RMS Console > Assets and select an output asset with processed media.
2. Create a streaming locator.
3. From the dropdown list, select a streaming policy that supports encryption.
4. From the dropdown list, select a newly created content key policy (this should now appear in the list).
5. Click Add.
The RMS Console automatically generates JWTs valid for 1 hour for testing encrypted content; see Manage JWT.
You created a content key policy that secures your media content with encryption and JWT-based access control.