Playing protected content with Nagra CONNECT - Android

Nagra CONNECT is the hardware based support for Nagra PRM. Since version 3.102.0 of the Bitmovin Player for Android, playback of Nagra CONNECT PRM-protected content is supported on devices with the necessary hardware capabilities.

Pre-requisites

Before you begin, please ensure you have access to Nagra Documentation, Nagra SSP backend for fetching required tokens and also access to Bitmovin player key to use Bitmovin player. Please refer to links below for respective documentation.

Configuration

1. Application preparation for DRM content playback and Secure Session Management

📘

Note:

The steps below describe interactions between your application and Nagra’s backend (SSP or OpenTV).

These are outside the scope of Bitmovin’s integration but are included here because they are required to obtain certain authorization tokens needed to successfully request DRM licenses from the Nagra backend.

Please refer to Nagra’s documentation portal or contact your Nagra representatives for detailed information about these application-to-backend interactions.

  1. Authorization
    Your application signs in to Nagra's backend. Upon successful sign-on, you obtain a login token.
  2. Content Token Retrieval
    Your application requests a CONTENT_TOKEN from the Nagra backend.
  3. Secure Session Setup
    Your application initiates a secure session with the Nagra SSP backend by sending the CONTENT_TOKEN to NAGRA_SSM_SETUP_URL. Upon successful setup, you receive an SSM_TOKEN.
  4. Secure Session Teardown
    Once playback finishes or you switch to another piece of content, your application terminates the secure session by calling NAGRA_SSM_TEARDOWN_URL. If you plan to play a different piece of DRM-protected content, you must first repeat the Content Token Retrieval and Secure Session Setup steps to obtain a new content token and SSM_TOKEN.

2. Bitmovin Player Configuration

Once the contentToken as well as the ssmToken are fetched, they can be used with the other required properties to create a NagraConnectConfig and load it into the player.

val contentToken: String = TODO("fetch content token")
val ssmToken: String = TODO("fetch ssm token")

val sourceConfig = SourceConfig(
    url = TODO("CONTENT_MANIFEST_URL"),
    type = SourceType.Dash,
    title = "Nagra Connect Protected Source",
    drmConfig = NagraConnectConfig.Builder()
      .build(
        licenseUrl = TODO("NAGRA_CONNECT_LICENSE_URL"),
        operatorVault = TODO("NAGRA_OPERATOR_VAULT"),
      ).apply {
        httpHeaders = mutableMapOf(
          "nv-authorizations" to "$contentToken,$ssmToken",
          "x-nagra-property" to "nagraOpVault",
          "Content-Type" to "application/json",
          "Accept" to "application/json",
      	)
    },
)

player.load(sourceConfig)

Note: the TODOs represent placeholder for the actual values, which you should have as per the Prerequisites list.

3. Extend setup with fallback to Widevine

As Nagra CONNECT relies on specific hardware, it might be necessary to handle the missing hardware support by falling back to an alternative DRM system like Widevine.

This can be done with the Bitmovin Player by conditionally configuring different DRM systems, and should be done on the configuration side.

val drmConfig = if (isNagraConnectSupported()) {
    createNagraConnectConfig(authorizationHeader)
} else {
    createWidevineConfig(authorizationHeader)
}

val sourceConfig = SourceConfig(
    url = TODO("CONTENT_MANIFEST_URL"),
    type = SourceType.Dash,
    drmConfig = drmConfig,
    title = "Nagra Protected Source",
)

The authorization header consisting of the contentToken and the ssmToken stays the same for both DRM systems, however, the configuration is slightly different (see the full code example for more details).

The full extended setup can be explored here:

And that's it. If you have any issues implementing this please reach out to your Bitmovin and Nagra representatives.