Watermarking: Integrate Your Irdeto Service

Forensic watermarking is an anti-piracy solution to prevent and trace illegal content redistribution and security breaches. This article describes how to integrate your Irdeto watermarking service with AoC. After integration, Packages app users can apply watermarking when sending digital packages.

It's important that you work with your Irdeto representative to set up proper access between your Irdeto service and your AoC nodes. Aspera cannot validate that you have configured your Irdeto service correctly.

Once that access is properly configured, there are three tasks to complete within the AoC Admin app:
  1. Create a watermarking profile.
    The profile maps your Irdeto service to AoC.
  2. Associate a watermarking profile with a node attached to your organization.
    You can attach any profile to one or more nodes. (A node is your cloud storage bucket that you've attached to your AoC org.)
  3. Enable watermarking for the AoC Packages application in each workspace where you want watermarking available.
    Once enabled, you can make watermarking required for every package sent from that workspace, or you can allow workspace members to choose whether to apply watermarking to individual packages they send. For the Packages app user procedure showing how senders can apply watermarking, see Sending Files and Folders.

For step-by-step instructions, see the"Configure Watermarking in Aspera on Cloud" later in this article.

Watermarking with Irdeto in AoC

Watermarking combats piracy by applying an invisible yet traceable 'signature' on digital files. The watermark allows you to track that asset through the development and distribution process.

Each time an AoC user downloads a watermarked file, Irdeto updates the watermark to indicate the specific user who downloaded it. If a user who downloads a watermarked file then forwards the file using some mechanism other than AoC, the file retains the watermark identifying the user who downloaded it.

The following drawing is a schematic representation of the package upload workflow for your integration of Irdeto with AoC.

This drawing shows the Aspera, Irdeto, customer, and user components. It includes arrows showing the information flows between these components during an upload.

The following drawing is a schematic representation of the package download workflow for your integration of Irdeto with AoC.

This drawing shows the Aspera, Irdeto, customer, and user components. It includes arrows showing the information flows between these components during a download.


Work with your Irdeto representative to establish the following:
  • The DWM (distributed watermarking) service API endpoint address(es) that are local to your cloud storage location(s).
  • The tenant ID for your organization.
  • Read-only access permissions from Irdeto to your storage.
Important: AoC cannot validate that your Irdeto service is configured correctly. You must work with Irdeto to validate your Irdeto implementation.

Cloud and Node Support

This section details support and constraints for Irdeto watermarking in Aspera on Cloud.
  • Supported cloud platforms
    • AWS S3
      • N. Virginia (us-east-1); Oregon (us-west-2); N. California (us-west-1)
      • Sao Paolo (sa-east-1)
      • Ireland (eu-west-1); London (eu-west-2); Frankfurt (eu-central-1)
      • Tokyo (ap-northeast-1); Singapore (ap-southeast-1); Sydney (ap-southeast-2)
    • GCS
      • us-central1
    Note: Your Irdeto account and your associated cloud storage must be in same provider region. See Irdeto documentation for more information.
  • Supported Aspera node type: Aspera-managed auto-scale clusters (ATS).
  • You can enable watermarking only on nodes that do not have encryption at rest (EAR) applied.

Using Watermarking in AoC

This section describes how Packages app users can work with the watermarking capabilities you configure.

Watermarking applies to content in the AoC Packages app only. A watermarked package shows an identifying icon on the row of the packages listing:

Receiving a Watermarking Package

Recipients of watermarked packages must log in to retrieve the package. Traceability using forensic watermarking requires that users in the content workflow be authenticated. Therefore, recipients cannot download a watermarked package from a public link.

Recipients must download watermarked packages using the Aspera on Cloud Packages app with IBM Aspera Connect.

File Types and Profiles Supported

A watermarked package must contain only these file supported types: .ts; .ps; .mpg; .mpeg; .mov; .mxf; .mp4; .m4v.

Further, these files must conform to specific profiles; see the Irdeto documentation for supported profiles. Since watermarking applies to every file in a digital package, recipients cannot download watermarked packages that contain files with unsupported profiles.

GCS Caveat

Ensure that watermarked packages do not contain files from Google Cloud Storage (GCS) that have special characters in file names.

Package Actions

  • Recalled packages: You cannot recall a watermarked package.
  • Draft packages: If a transfer fails to start, AoC moves the package to the Drafts folder. You cannot change the watermarking setting for a package in the Drafts folder.
  • Forwarded packages: When you forward a watermarked package, you may be able to turn watermarking off (depending on admin settings). However, Aspera recommends that you leave watermarking on. If you turn watermarking off, the package you forward retains your watermark when your recipients download it. If you leave watermarking on, the watermark on the forwarded package is updated for each recipient who downloads it. Note that the additional pre-processing required to forward a watermarked package causes a delay in notifying recipients of the forwarded package.
  • Adding recipients to a package: When you add recipients to a watermarked package, the new recipients receive packages with their watermark. Adding recipients generates an immediate notification to the new recipients.

Configure Watermarking in Aspera on Cloud

To complete this procedure, you need the following:
  • The node secret for the node that contains the workspaces in which you want members to send watermarked packages.
  • These parameters from your Irdeto account:
    • Storage provider
    • Storage provider region
    • DWM API endpoint
    • Tenant ID
  1. Create a watermarking profile.
    1. In the Admin app, go to Integrations > Third-party > Watermarking > Create new.
    2. Give this profile a name, add a description if you wish, then enter the required data from your Irdeto account into the relevant fields.
    3. Click Save.
      AoC displays a list of nodes available to use with the Irdeto account you specified in the profile.
  2. Associate the profile with a node.
    1. Select the node; do one of the following:
      In the list of nodes that appears when you save the profile, click the intended node.
      Go to Nodes > nodeName > Integrations
    2. Enter the node secret, then click Integrations.
    3. In the list of integrations, click the row for Watermarking.
    4. Select the watermarking profile to associate with this node. Click Save. AoC displays a list of workspaces on this node that have the Packages app enabled.
  3. Enable watermarking for Packages in a workspace.
    1. In the list of workspaces that appears when you save the integration, click the intended workspace.
      Or go to Workspaces > workspaceName >  Applications > Packages > Integrations.
    2. Check Enable watermarking.
    3. Select Optional or Required.
      Select Optional to allow workspace members to apply watermarking to a package when then send it.
      Select Required to make watermarking automatic for every package sent from this workspace.
      Note: As noted previously in this article, recipients of a watermarked packages must log in to AoC to download the package. Does this workspace allow members to send to external users? If yes, and you select Required, you must also check the Packages app setting Require external users to log in when receiving packages. An external user who does not log in cannot download watermarked package contents.
    4. Click Save.
if your Irdeto configuration is valid, Packages app users in the workspace can send watermarked packages.


Errors that may occur for the transfer of watermarked packages appear in the AoC transfer monitor, on the individual transfer record.

The table below lists watermarking-related errors that may occur. For troubleshooting procedures, see the Irdeto documentation.
Error code Error message
106 Service: Could not embed enough watermarks for proper detection
130 Service: Failed bits per sample validity check
131 Service: Failed Resolution validity check
132 Service: Failed Framerate validity check
133 Service: Failed Bitrate validity check
134 Service: Unsupported input file codec
165 Service: Task processing retries attempted but still failed
1001 Watermark: Invalid parameter value received
1002 Watermark: Embedder was forcefully interrupted
1003 Watermark: Not implemented
1007 Watermark: Input file not found
1008 Watermark: General IO error
1009 Watermark: Unsupported input format
1011 Watermark: No permissions to read input file
1013 Watermark: Corrupted stream
1014 Watermark: Cannot write variant file
3000 Unknown system error