Basic steps to troubleshoot HLS encryption in FMS

Http live streaming support in FMS provides you “right” to protect you content in its Interactive and Enterprise edition. You may refer technical documentation for the configurations required for this.

Here I would like to present some basic steps for troubleshooting:

How to validate that stream is protected or not:

  1. Place the m3u8 request in firefox/IE from Desktop.
  2. Download the m3u8. This is plain text file. So you may read it in any text editor.
  3. If downloaded m3u8 list another m3u8. Repeat the step 1 and 2 for the listed m3u8.
  4. Otherwise, check whether m3u8 contains the key file information. For this, check whether file has #EXT-X-KEY: tag.

In that case first few lines of your m3u8 must look like this:






Troubleshooting configurations:

1 . Check for hls-vod or hls-live (whichever is applicable) in httpd.conf, HLSEncryptionScope is either set to server or content. By default, this configuration is commented-out.

2. If set to server, check HLSEncryptCipherKeyFile configuration is set and points to valid path of the key file. Check whether key file exist at that path. In case path is relative, absolute path must be resolved as <Apache Installation Folder>/<relative path>.

3. If set to server, check HLSEncryptKeyURI configuration is mentioned. Note: since key file is stored scrambled on the disk, so the key file request must go through the module.

4. If set to content, check both KeyFile and KeyURI are mentioned in jit.conf (in case of hls-vod) or keyfile and keyuri are mentioned in application.xml or event.xml (in case of hls-live). Key file must point to the valid path. If relative, absolute path must resolve to <XML file path>/../<key-file path>.

5. If set to content, both key file and key uri configuration must be present in a single file. For example, in case of live either both must be present in application.xml or event.xml. If present in event.xml, application.xml should “allow” the encryption override in its encryption config.

6. If set to content, remember to validate that your xmls or jit.conf is a valid xml after edit. Opening file in any web-browser will do that.

7. If set to content, for hls-vod, jit.conf must be placed along with the content file.

8. In case you have configured a different key other than that comes with default installation, Note: key must have been generated via scrambler tool inside <FMS installation>/tools/scramble.

9. You may like to check the error logs inside <Apache>/logs folder for any other errors while encrypting your streams.

10. You may validate the m3u8 as described above to find whether stream is getting encrypted or not.

Troubleshooting key file serving.

You may find even though m3u8 has encryption information, you are not able to play the encrypted stream. So in that case, if you find no key request listed in access logs (inside <Apache>/logs) or key file wasn’t served with 200 http code, you need to debug the key file serving.

1. First try with a key uri on http protocol and not on https protocol.

2. Make sure httpd-hls-secure.conf file in included in httpd.conf. Uncomment “Include conf/httpd-hls-secure.conf

3. Make sure configurations inside <hls-key> tag inside httpd-hls-secure.conf file are good. If your key file is being served on http make sure these three setting are on  and disable other configurations inside hls-key tag:

HLSEncryptHostCipherKey true
HLSFmsDirPath “..”
HLSEncryptKeyRepository “../phls”

HLSEncryptKeyRepository must point to a folder where you key files are placed.

4. Restart Apache server and now try subscribing again. If things play fine.. then move to next step of serving key files on https protocol.

5. Make sure module is installed in <Apache>/modules folder and is enabled in httpd.conf. “LoadModule ssl_module modules/” should not be commented or absent.

6. Make sure you have generated the correct server certificates. Server certificates must have fully qualified domain name.

7. Make sure server certificates are properly installed on the ios-client.

8. Make sure SSLCertificateFile file in httpd-hls-secure.conf points to correct server certificate.

9. Make sure ServerName in httpd-hls-secure.conf is FQDN name of the server.

10. For other ssl specific errors, log ssl requests and errors. For this uncomment, “CustomLog logs/ssl_request.log “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN_CN}x \”%r\” %b” inside httpd-hls-secure.conf.

Hope this helps. Best of luck.. 🙂


Posted on November 11, 2011, in Uncategorized. Bookmark the permalink. 2 Comments.

  1. I use more than one key for encryption?
    HLSEncryptionScope is my “server”
    HLSEncryptKeyURI the flag can only specify a single path to the key.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: