Viewing Policy Manager
Ingest
Scte224

SCTE-224 ingest

Prisma has been designed to natively support SCTE-224 ingest and provision programming event metadata. Prisma supports SCTE-224 version 2015.

SCTE-224 resources such as Media, Media Point, Audience, Viewing Policy and Policy shall be sent to Prisma at the following based URL endpoint: http://[prisma.controller.ip]:[port]/api/esni/viewingPolicyManagers/[prisma.service.name]

Example: http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX (opens in a new tab) … where FOX is the name provided to the Viewing Policy Manager service (see figure below).

To configure SCTE-224 ingest, follow these steps:

  1. Add a Viewing Policy Manager service.
  2. Configure a Name: the name is important as it will be part of the endpoint used by the content provider to push SCTE-224 resources (Media, Media Points, Viewing Policy, Policy and Audience).
  3. Select SCTE-224 (ESNI) from the Import type drop-down list.
  4. Click Save and exit to save your service configuration and go back to the Services page.
  5. Assign a server to run your service.

Once the service is started, SCTE-224 resources can be sent to Prisma at designated endpoint.

Note: Compared to Manual configuration, instead of manually configuring programming event data (blackout restriction, ad playlist etc.), everything will be ingested automatically.

The following sections shows simple resources samples that are loaded onto Prisma, and the results from a web UI standpoint.

Example of Media element configuration

To configure Media element, proceed as follows:

  1. Click the Media tab.

  2. Click the Add button to add a media resource.

    Adding Media resource for SCTE-224 ingest

    Note: Please refer to Configure a Media element for a description of the different fields.

  3. Click Ok to validate.

Examples of Audience configuration

The examples below are basic use cases of SCTE-224 audience resources sent by the programmer to Prisma (specifying HTTP command, endpoint, as well as the body of the request, which is the resource itself).

Audience “State of Florida”

  • Audience “State of Florida” is a list of ZIP codes
  • Audience ID: /fox/audience/location/fl
PUT  http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX/fox/audience/location/fl
<Audience lastUpdated="2020-04-03T12:59:10.395Z" description="State of Florida" id="/fox/audience/location/fl" match="ANY" xml:base="/api/esni/viewingPolicyManagers/FOX" xmlns:audience="urn:scte:224:audience">
    <Zip>33002</Zip>
    <Zip>33018</Zip>
</Audience>

To configure the Audience element, follow these steps:

  1. go to the Audience tab and edit the resource to check the results:

    Audience "State of Florida

    Note: Please refer to Configure an Audience for a description of the different fields.

Audience “No Travel Restrictions”

  • Audience “No Travel Restrictions” is a single ZIP with Match set to None
  • Audience ID: /fox/audience/location/any
PUT  http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX/fox/audience/location/any
<Audience lastUpdated="2020-04-03T12:59:10.395Z" match="NONE" description="No Travel Restrictions"id="/fox/audience/location/any" xml:base="/api/esni/viewingPolicyManagers/FOX" xmlns:audience="urn:scte:224:audience">
    <audience:Zip>00000</audience:Zip>
</Audience>

Example of viewing policy configuration

Blackout Viewing Policy:

  • Viewing policy “Blackout users in Florida”
  • Action of type content (default blackout urn) over “State of Florida” audience
PUT  http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX/fox/viewingPolicy/location/fl/blackout
<ViewingPolicy lastUpdated="2020-04-03T12:59.10.395Z" description="Blackout users in Florida" id="/fox/viewingpolicy/location/fl/blackout" xml:base="/api/esni/viewingPolicyManagers/FOX" xmlns:action="urn:scte:224:action" xmlns:xlink="http://www.w3.org/1999/xlink">
    <action:Content>urn:scte:224:action:blackout</action:Content>
    <Audience xlink:href="/fox/audience/location/fl"></Audience>
</ViewingPolicy>

To configure a Viewing policy, follow these steps:

  1. Go to the Viewing Policy tab, and edit the resource to check the results:

    Note: Please refer to Configure a Viewing Policy for a description of the different fields.

Examples of policy

Policy “blackout”

  • Policy “Blackout users in Florida”

    PUT  http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX/fox/Policy/location/fl/blackout
    <Policy lastUpdated="2020-04-03T12:59:10.395Z" description="Blackout users in Florida" id="/fox/policy/location/fl/blackout" xml:base="/api/esni/viewingPolicyManagers/FOX" xmlns:xlink="http://www.w3.org/1999/xlink">
    <ViewingPolicy xlink:href="/fox/viewingpolicy/location/fl/blackout"></ViewingPolicy>
</Policy>

To configure Policy element, follow these steps:

  1. Go to the Policy tab, and edit the resource to check the results:

    Policy "Blackout users in Florida

    Note: Please refer to Configure a Policy for a description of the different fields.

Example of Media Point

Audience, viewing policy and policy resources are positioned. Media points can be provisioned to schedule the application or removal of a given policy to enable blackout for instance. This scheduling can be:

  • Time-based (using @matchTime for instance)
  • And/or Signal-based (using @matchSignal)

Two media points are usually created to identify the beginning and end of a given event restriction:

  • Media point start
  • Media point end

Media point start

  • @matchTime indicating the time blackout is supposed to start
  • @effective and @expires define the validity window for the SCTE-35 to be
  • @matchSignal indicates SCTE-35 matching criteria (SegmentationTypeID = 16 (program start))
PUT  http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX/fox/media/foxNews/mp/11/start
<MediaPoint matchTime="2020-09-18T12:10:42.826Z" effective="2020-09-18T12:10:12:826Z" expires="2020-09-18T12:11:12.826Z" lastUpdated="2020-09-18T10:10:30.826Z" id="/mp/11/start" xml:base="/api/esni/viewingPolicyManagers/FOX" xmlns:xlink="http://www.w3.org/1999/xlink">
    <Apply>
        <Policy xlink:href="/fox/policy/location/fl/blackout"></Policy>
    </Apply>
    <MatchSignal match="ANY">
        <Assert>/SpliceInfoSection/SegmentationDescriptor[@segmentationTypeId = 16]</Assert>
    </MatchSignal>
</MediaPoint>

Media point end

  • @matchTime indicating the time blackout is supposed to end
  • @matchSignal indicates SCTE-35 matching criteria (SegmentationTypeID = 17 (program start))
PUT  http://10.1.2.3:8080/api/esni/viewingPolicyManagers/FOX/fox/media/foxNews/mp/11/end
<MediaPoint matchTime="2020-09-18T12:15:46.888Z" effective="2020-09-18T12:14:46.888Z" expires="2020-09-18T12:16:46.888Z" id="/mp/11/end" lastUpdated="2020-09-18T12:59:10.888Z" xml:base="/api/esni/viewingPolicyManagers/FOX" xmlns:xlink="http://www.w3.org/1999/xlink">
    <Remove>
        <Policy xlink:href="/fox/policy/location/fl/blackout"></Policy>
    </Remove>
    <MatchSignal match="ANY">
        <Assert>/SpliceInfoSection/SegmentationDescriptor[@segmentationTypeId = 17]</Assert>
    </MatchSignal>
</MediaPoint>

  1. Click the timeline button to access the timeline of events scheduled via media point:

  2. Mediapoints are identified by the flags. Clicking on it will provide information regarding @matchTime, validity window (using @effective and @expires), SCTE-35 matching criteria (@matchSignal), as well as the policy being applied (or removed).

Configure ESAM HTTPS request with certificates

The Viewing Policy Manager can use a signing request process so that when it receives a request, it performs the same steps and then compares its calculated signature to the one in the Authorization header. The Viewing Policy Manager supports two type of signing process: SCTE-224 standard (opens in a new tab) and AWS signature version 4 (opens in a new tab). HTTPS must be enabled in order to add the following request header Check-Signature: true to tell The Viewing Policy Manager it needs to check the SCTE-224 signature.

To validate the signature, the Viewing Policy Manager needs to get the secret key for the credential defined in the authorization header. All the secret keys are stored in:

  • the Kubernetes Secrets named prisma-viewing-policy-manager-worker-auth for CRPM deployments.
  • /opt/ericsson/viewing-policy-manager-worker/etc/authentication.json for rpm deployments.

The authentication object has the following syntax:

{ 
    "auth": [ 
        { 
            "service": "my-service-name-01", 
            "authentication": [{ 
                "type": "awsv4", 
                "credential": "example.com/esni", 
                "secret": "6405080ac57843ff9b5bf97acfd9bc15", 
                "rootId": "/example.com" 
                } 
            ] 
 
        }, { 
            "service": "my-service-name-02", 
            "authentication": { 
                "type": "none", 
                "rootId": "/source" 
            } 
        } 
    ] 
}
ParameterTypeListDescription
authListMandatoryList of service authentication.
ParameterTypeListDescription
serviceStringMandatoryName of the VPM service.
authenticationListMandatoryList of authentication objects.
ParameterTypeListDescription
typeStringMandatoryType of authentication.
credentialObjectMandatoryIdentifier used in the authorization header for signing.
typeStringMandatoryKey used to hash the payload for the signature.
typeStringOptionalIdentifier prepended to all 224 entity ids to prevent possible collisions with any other providers.

Usage

  • At the start of the service:
    • The vpm worker gets from the settings.ini the path of the authentication file (default is /opt/ericsson/viewing-policy-manager-worker/etc/authentication.json) and gets the list of authentications for this service.
    • If no authentication is defined for this service, a NOTICE alarm must be raised.
  • When a SCTE-224 request is received:
    • The signature is checked only if “Check-Signature” header is set to true.
    • Check and read if algorithm, credential, signedHeaders and signature are defined in the request authorization header. If not, vpm returns a HTTP 401 Unauthorized body.
    • The vpm checks if the credential from authorization header matches one of the credentials in the authentication list. If not, vpm returns a HTTP 401 Unauthorized body %credential% not allowed.
    • If a “none” authentication type is defined, the request is accepted and processed as usual.
    • If a rootId is defined, the vpm checks that the resource path matches the rootId. If not vpm returns a HTTP 401 Unauthorized body Invalid rootId.
    • If the algorithm is not supported, vpm returns a HTTP 401 Unauthorized body: Not supported algorithm.
    • Then the vpm will calculate the signature:
      • If the signature matches, the vpm processes the request as usual.
      • Else, the vpm return a HTTP 401 Unauthorized body with body = invalid signature.

SCTE224 signing example

We want to send the following request:

PUT /api/esni/viewingPolicyManagers/224_SIGN_TEST/turner/audience/1 HTTP/1.1 
Host: my-host.com:8080 
Connection: keep-alive 
Accept-Encoding: gzip, deflate 
Accept: application/json, */* 
User-Agent: HTTPie/1.0.3 
Content-Type: application/xml 
Content-Length: 261 
Date: Wed, 11 Oct 2023 14:36:25 GMT 
Check-Signature: true 

<?xml version="1.0" encoding="UTF-8"?> 
<Audience xmlns="http://www.scte.org/schemas/224/2015" xmlns:audience="urn:scte:224:audience" id="/source/audience/1" match="ANY" lastUpdated="2022-03-23T12:00:00+00:00"> 
    <audience:Zip>30062</audience:Zip> 
</Audience>

With content-type, date and host as signed headers.

  1. Create a canonical request:The hashed payload is:

    HashedPayload = Lowercase(HexEncode(Hash(requestPayload))) 
68de4b9fc06b055c601d0c5b61add5891bb8fe5e4db6487cc55cbbfa473d9bf4

    The canonical request is:

    PUT 
/api/esni/viewingPolicyManagers/224_SIGN_TEST/turner/audience/1 

content-type:application/xml 
date:Wed, 11 Oct 2023 14:36:25 GMT 
host:my-host.com:8080 
content-type;date;host 
68de4b9fc06b055c601d0c5b61add5891bb8fe5e4db6487cc55cbbfa473d9bf4

    The hashed canonical request is:

    HashedCanonicalRequest = Lowercase(HexEncode(Hash(canonicalrequest))) 
8a93629d3776ca0c87313f4b234f41424e705df435f66c11a95965f8eab37d44

  2. Create a string to sign:

    The signing key is:

    secretKey for credential turner.com is 6405080ac57843ff9b5bf97acfd9bc 
signing_key = HMAC(secretKey,"esni")

  3. Calculate the signature:

    The signature is:

    signature = HexEncode(HMAC(signing, HashedCanonicalRequest)) 
signature = 0c77387ae1ccca4a63c106fc27b39b381c61686b95ae9be0834d58902ea05ce7

  4. Add signature header to the http request:To make the request acceptable, we need to add the Authorization header:

    Authorization: HMAC-SHA256 Credential=turner.com/esni,SignedHeaders=content-type;date;host,Signature= 0c77387ae1ccca4a63c106fc27b39b381c61686b95ae9be0834d58902ea05ce7
Scte18 EasSCTE-224 proxy