Documentation
StreamsPlaybackEncodingBitmovin Dashboard

Playing protected content with Nagra CONNECT - Android

Suggest Edits

Nagra CONNECT is the hardware based support for Nagra PRM. Since version 3.102.0 of the Bitmovin Player for Android, playback of Nagra CONNECT PRM-protected content is supported on devices with the necessary hardware capabilities.

Prerequisites

  • Android based device with Nagra CONNECT hardware support
  • Nagra PRM protected stream
    • CONTENT_MANIFEST_URL: URL of the DASH/HLS manifest for the content to be played
    • NAGRA_CONNECT_LICENSE_URL: Nagra license server endpoint for Nagra CONNECT license acquisition
    • NAGRA_OPERATOR_VAULT: Your Operator Vault matching the license server
    • (optional)NAGRA_WIDEVINE_LICENSE_URL: Nagra license server endpoint for widevine license acquisition. Only needed for the extended setup, with fallback to widevine
    • NAGRA_CONTENT_TOKEN_URL : Nagra endpoint for fetching content token.
    • NAGRA_SSM_SETUP_URL : Nagra SSP endpoint for setting a secure session.
    • NAGRA_SSM_TEARDOWN_URL : Nagra SSP endpoint for secure session teardown.
    • NAGRA_TENANT_ID : Nagra tenant Id.
    • NAGRA_CONTENT_ID : Nagra content Id specific for the content to be played.
  • BITMOVIN_PLAYER_KEY: You can get in touch with your Nagra or Bitmovin contact for this. You can also sign up for a trial account

Configuration

1. Application preparation for DRM content playback and Secure Session Management

📘

Note:

The steps below describe interactions between your application and Nagra’s backend (SSP or OpenTV).

These are outside the scope of Bitmovin’s integration but are included here because they are required to obtain certain authorization tokens needed to successfully request DRM licenses from the Nagra backend.

Please refer to Nagra’s own documentation portal or contact your Nagra representatives for detailed information about these application-to-backend interactions.

  1. Authorization
    Your application signs in to a SIGNON_URL endpoint using SIGNON_USERNAME, SIGNON_PASSWORD and any required device/user-agent metadata. Upon successful sign-on, you obtain a login token.
  2. Content Token Retrieval
    Using the NAGRA_CONTENT_TOKEN_URL endpoint and your NAGRA_CONTENT_ID, your application requests a CONTENT_TOKEN from the Nagra backend.
  3. Secure Session Setup
    Your application initiates a secure session with the Nagra SSP backend by sending the CONTENT_TOKEN to NAGRA_SSM_SETUP_URL. Upon successful setup, you receive an SSM_TOKEN.
  4. Secure Session Teardown
    Once playback finishes or you switch to another piece of content, your application terminates the secure session by calling NAGRA_SSM_TEARDOWN_URL. If you plan to play a different piece of DRM-protected content, you must first repeat the Content Token Retrieval and Secure Session Setup steps to obtain a new content token and SSM_TOKEN.

2. Bitmovin Player Configuration

Once the contentToken as well as the ssmToken are fetched, they can be used with the other required properties to create a NagraConnectConfig and load it into the player.

val contentToken: String = TODO("fetch content token")
val ssmToken: String = TODO("fetch ssm token")

val sourceConfig = SourceConfig(
    url = TODO("CONTENT_MANIFEST_URL"),
    type = SourceType.Dash,
    title = "Nagra Connect Protected Source",
    drmConfig = NagraConnectConfig.Builder()
      .build(
        licenseUrl = TODO("NAGRA_CONNECT_LICENSE_URL"),
        operatorVault = TODO("NAGRA_OPERATOR_VAULT"),
      ).apply {
        httpHeaders = mutableMapOf(
          "nv-authorizations" to "$contentToken,$ssmToken",
          "x-nagra-property" to "nagraOpVault",
          "Content-Type" to "application/json",
          "Accept" to "application/json",
      	)
    },
)

player.load(sourceConfig)

Note: the TODOs represent placeholder for the actual values, which you should have as per the Prerequisites list.

🦉
Player Android: Basic Nagra Connect setup
Open Recipe

3. Extend setup with fallback to Widevine

As Nagra CONNECT relies on specific hardware, it might be necessary to handle the missing hardware support by falling back to an alternative DRM system like Widevine.

This can be done with the Bitmovin Player by conditionally configuring different DRM systems, and should be done on the configuration side.

val drmConfig = if (isNagraConnectSupported()) {
    createNagraConnectConfig(authorizationHeader)
} else {
    createWidevineConfig(authorizationHeader)
}

val sourceConfig = SourceConfig(
    url = TODO("CONTENT_MANIFEST_URL"),
    type = SourceType.Dash,
    drmConfig = drmConfig,
    title = "Nagra Protected Source",
)

The authorization header consisting of the contentToken and the ssmToken stays the same for both DRM systems, however, the configuration is slightly different (see the full code example for more details).

The full extended setup can be explored here:

🔐
Player Android: Extended Nagra Connect Setup
Open Recipe

And that's it. If you have any issues implementing this please reach out to your Bitmovin and Nagra representatives.

Updated 1 day ago

What’s Next