Watermarking: Integrate your Irdeto service

Edit online

Forensic watermarking is an anti-piracy solution to prevent and trace illegal content redistribution and security breaches. This article describes how to integrate your Irdeto watermarking service with Aspera on Cloud. After integration, Packages app users can apply watermarking when sending digital packages.

It's important that you work with your Irdeto representative to set up proper access between your Irdeto service and your AoC nodes. Aspera cannot validate that you have configured your Irdeto service correctly.

Once that access is properly configured, use the Aspera on Cloud Admin app to configure watermarking for your organization and for the specific workspaces in which you want watermarked packages. The Admin app UI flow accomplishes these actions:
  1. Create a watermarking profile.
    Name the profile that maps your Irdeto service to AoC.
  2. Associate the watermarking profile with a node attached to your organization.
    You can attach any watermarking profile to one or more nodes. (A node is your cloud storage bucket that you've attached to your AoC org.)
  3. Enable watermarking for the AoC Packages application in each workspace where you want watermarking available.
    Once enabled, you can make watermarking required for every package sent from that workspace, or you can allow workspace members to choose whether to apply watermarking to individual packages they send.
    For the Packages app user procedure showing how senders can apply watermarking, see Sending: Detailed procedure. For a more in-depth treatment, see the relevant section in Sending: Become an expert.

For step-by-step instructions, see "Configure watermarking in Aspera on Cloud" later in this article.

Watermarking with Irdeto in Aspera on Cloud

Edit online

Watermarking combats piracy by applying an invisible yet traceable 'signature' on digital files. The watermark allows you to track that asset through the development and distribution process.

Each time an AoC user downloads a watermarked file, Irdeto updates the watermark to indicate the specific user who downloaded it. If a user who downloads a watermarked file then forwards the file using some mechanism other than AoC, the file retains the watermark identifying the user who downloaded it.

The following drawing is a schematic representation of the package upload workflow for your integration of Irdeto with AoC.

This drawing shows the Aspera, Irdeto, customer, and user components. It includes arrows showing the information flows between these components during an upload.

The following drawing is a schematic representation of the package download workflow for your integration of Irdeto with AoC.

This drawing shows the Aspera, Irdeto, customer, and user components. It includes arrows showing the information flows between these components during a download.

Prerequisites

Edit online
Work with your Irdeto representative to establish the following:
  • The DWM (distributed watermarking) service API endpoint address(es) that are local to your cloud storage location(s).
  • The tenant ID for your organization.
  • Read-only access permissions from Irdeto to your storage.
Important: AoC cannot validate that your Irdeto service is configured correctly. You must work with Irdeto to validate your Irdeto implementation.

Cloud and node support

Edit online
This section details support and constraints for Irdeto watermarking in Aspera on Cloud.
  • Supported cloud platforms
    • AWS S3
      • N. Virginia (us-east-1); Oregon (us-west-2); N. California (us-west-1)
      • Sao Paolo (sa-east-1)
      • Ireland (eu-west-1); London (eu-west-2); Frankfurt (eu-central-1)
      • Tokyo (ap-northeast-1); Singapore (ap-southeast-1); Sydney (ap-southeast-2)
    • GCS
      • us-central1
    Note: Your Irdeto account and your associated cloud storage must be in same provider region. See Irdeto documentation for more information.
  • Supported Aspera node type: Aspera-managed auto-scale clusters (ATS).
  • You can enable watermarking only on nodes that do not have encryption at rest (EAR) applied.

Using watermarking in Aspera on Cloud

Edit online

This section describes how Packages app users can work with the watermarking capabilities you configure.

Watermarking applies to content in the AoC Packages app only.

Receiving a watermarked package

Recipients of watermarked packages must log in to retrieve the package. Traceability using forensic watermarking requires that users in the content workflow be authenticated. Therefore, recipients cannot download a watermarked package from a public link.

Recipients must download watermarked packages using the Aspera on Cloud Packages app with IBM Aspera Connect.

File types and profiles supported

In a watermarked package, watermarking applies only to files that conform to supported profiles. Profiles comprise not only the supported file types (.ts; .ps, .mpg; .mpeg; .mov; .mxf; .mp4), but codecs, dimensions, and more; see the Irdeto watermarking service documentation for requirements.

GCS caveat

Ensure that watermarked packages do not contain files from Google Cloud Storage (GCS) that have special characters in file names.

Package actions

  • Recalled packages: You cannot recall a watermarked package.
  • Forward packages: You cannot forward a watermarked package.
  • Save to Files app: You cannot use the Actions menu to save a watermarked package to the Files app.
  • Add recipients to a package: When you add recipients to a watermarked package, the new recipients receive packages with their watermark. Adding recipients generates an immediate notification to the new recipients.
  • Draft packages: If a transfer fails to start, AoC moves the package to the Drafts folder. You cannot change the watermarking setting for a package in the Drafts folder.

Configure watermarking in Aspera on Cloud

Edit online
To complete this procedure, you need the following:
  • The name of the workspace in which you want members to send watermarked packages.
  • The node secret for the node that contains the workspace in which you want members to send watermarked packages.
  • These parameters from your Irdeto account:
    • Storage provider
    • Storage provider region
    • DWM API endpoint
    • Tenant ID
  1. Create a watermarking profile.
    1. In the Admin app, go to Integrations > Watermarking > Create new.
    2. Give this profile a name and add a description if you wish.
    3. In the following fields, select your cloud provider and region, then enter your Irdeto DWM API endpoint and Tenant ID.
    4. Click Create.
      AoC displays a list of nodes available to use with the Irdeto account you specified in the profile.
  2. Associate the profile with a node.
    1. From the list of nodes, select the node hosting the workspace in which you want members to send watermarked packages.
    2. Enter the node secret, then click OK.
      The list of available workspaces on that node appears.
  3. Enable watermarking for Packages in a workspace.
    1. In the list of workspaces that appears, click the intended workspace to display a configuration window.
    2. Set the toggle labeled Watermarking enabled to On.
    3. Set the toggle labeled Watermarking required.
      Select Yes to make watermarking automatic for every package sent from this workspace.
      Select No if you want workspaces members to choose whether to apply watermarking to a given package as they send it.
      Note: As noted previously in this article, recipients of a watermarked package must log in to AoC to download the package. Does this workspace allow members to send to external users? If yes, and you select Required, you must also check the Packages app setting Require external users to log in when receiving packages. An external user who does not log in cannot download watermarked package contents. See Require external users to log in.
  4. Click Save.

Troubleshooting

Edit online

Errors that may occur for the transfer of watermarked packages appear in the AoC transfer monitor, on the individual transfer record.

The table below lists watermarking-related errors that may occur. For troubleshooting procedures, see the Irdeto documentation.
Error code Error message
106 Service: Could not embed enough watermarks for proper detection
130 Service: Failed bits per sample validity check
131 Service: Failed Resolution validity check
132 Service: Failed Framerate validity check
133 Service: Failed Bitrate validity check
134 Service: Unsupported input file codec
165 Service: Task processing retries attempted but still failed
1001 Watermark: Invalid parameter value received
1002 Watermark: Embedder was forcefully interrupted
1003 Watermark: Not implemented
1007 Watermark: Input file not found
1008 Watermark: General IO error
1009 Watermark: Unsupported input format
1011 Watermark: No permissions to read input file
1013 Watermark: Corrupted stream
1014 Watermark: Cannot write variant file
3000 Unknown system error