Watermarking: Integrate Your Irdeto Service
Forensic watermarking is an anti-piracy solution to prevent and trace illegal content redistribution and security breaches. This article describes how to integrate your Irdeto watermarking service with AoC. After integration, Packages app users can apply watermarking when sending digital packages.
It's important that you work with your Irdeto representative to set up proper access between your Irdeto service and your AoC nodes. Aspera cannot validate that you have configured your Irdeto service correctly.
- Create a watermarking profile. The profile maps your Irdeto service to AoC.
- Associate a watermarking profile with a node attached to your
You can attach any profile to one or more nodes. (A node is your cloud storage bucket that you've attached to your AoC org.)
- Enable watermarking for the AoC Packages application in each workspace where you want
Once enabled, you can make watermarking required for every package sent from that workspace, or you can allow workspace members to choose whether to apply watermarking to individual packages they send. For the Packages app user procedure showing how senders can apply watermarking, see Sending Files and Folders.
For step-by-step instructions, see "Configure Watermarking in Aspera on Cloud" later in this article.
Watermarking with Irdeto in AoC
Watermarking combats piracy by applying an invisible yet traceable 'signature' on digital files. The watermark allows you to track that asset through the development and distribution process.
Each time an AoC user downloads a watermarked file, Irdeto updates the watermark to indicate the specific user who downloaded it. If a user who downloads a watermarked file then forwards the file using some mechanism other than AoC, the file retains the watermark identifying the user who downloaded it.
The following drawing is a schematic representation of the package upload workflow for your integration of Irdeto with AoC.
The following drawing is a schematic representation of the package download workflow for your integration of Irdeto with AoC.
- The DWM (distributed watermarking) service API endpoint address(es) that are local to your cloud storage location(s).
- The tenant ID for your organization.
- Read-only access permissions from Irdeto to your storage.
Cloud and Node Support
- Supported cloud platforms
Note: Your Irdeto account and your associated cloud storage must be in the same provider region. See Irdeto documentation for more information.
- AWS S3
- N. Virginia (us-east-1); Oregon (us-west-2); N. California (us-west-1)
- São Paulo (sa-east-1)
- Ireland (eu-west-1); London (eu-west-2); Frankfurt (eu-central-1)
- Tokyo (ap-northeast-1); Singapore (ap-southeast-1); Sydney (ap-southeast-2)
- Supported Aspera node type: Aspera-managed auto-scale clusters (ATS).
- You can enable watermarking only on nodes that do not have encryption at rest (EAR) applied.
- This EAR constraint includes both cloud-provider server-side encryption and Aspera-provided encryption at rest (whether Aspera or your own KMS manages the root key).
- If you are unsure whether a node is enabled for encryption at rest, Aspera recommends creating one or more new nodes to support your organization's watermarking needs.
- For supporting documentation, see Attaching Cloud Storage to Your AoC Organization; Attaching an AWS S3 Bucket; Use Aspera-Managed Keys for Server-Side Encryption at Rest; Bring Your Own Key for Server-Side Encryption at Rest.
Using Watermarking in AoC
This section describes how Packages app users can work with the watermarking capabilities you configure.
Receiving a Watermarking Package
Recipients of watermarked packages must log in to retrieve the package. Traceability using forensic watermarking requires that users in the content workflow be authenticated. Therefore, recipients cannot download a watermarked package from a public link.
Recipients must download watermarked packages using the Aspera on Cloud Packages app with IBM Aspera Connect.
File Types and Profiles Supported
A watermarked package must contain only these supported file types: .ts; .ps; .mpg; .mpeg; .mov; .mxf; .mp4; .m4v.
Further, these files must conform to specific profiles; see the Irdeto documentation for supported profiles. Since watermarking applies to every file in a digital package, recipients cannot download watermarked packages that contain files with unsupported profiles.
Ensure that watermarked packages do not contain files from Google Cloud Storage (GCS) that have special characters in file names.
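A sender-side pre-flight check for the file-type rule above, as an added example that is not Aspera or Irdeto code. The function names are hypothetical, matching extensions case-insensitively is an assumption, and an extension match does not prove that a file conforms to a supported Irdeto profile.

```python
from pathlib import PurePosixPath

# File types this article lists as supported in a watermarked package.
SUPPORTED_EXTENSIONS = {".ts", ".ps", ".mpg", ".mpeg", ".mov", ".mxf", ".mp4", ".m4v"}


def preflight(paths):
    """Split package entries into (accepted, rejected).

    rejected holds (path, reason) tuples. Folder entries (trailing "/")
    are skipped because only files are watermarked.
    """
    accepted, rejected = [], []
    for raw in paths:
        if raw.endswith("/"):
            continue
        # Assumption: extension case does not matter (".MXF" == ".mxf").
        ext = PurePosixPath(raw).suffix.lower()
        if ext in SUPPORTED_EXTENSIONS:
            accepted.append(raw)
        elif ext == "":
            rejected.append((raw, "no file extension"))
        else:
            rejected.append((raw, f"unsupported extension {ext}"))
    return accepted, rejected


def package_is_sendable(paths):
    """True only if the package has at least one file and none is rejected.

    Watermarking applies to every file, so a single sidecar or temp file
    is enough to block the whole package.
    """
    accepted, rejected = preflight(paths)
    return bool(accepted) and not rejected


if __name__ == "__main__":
    # Constructed sample manifest: two media files plus typical strays.
    sample = [
        "reel/",
        "reel/clip01.mov",
        "reel/CLIP02.MXF",
        "reel/subs_en.srt",        # subtitle sidecar
        "reel/.DS_Store",          # OS metadata, no extension
        "reel/trailer.mp4.part",   # partial download
    ]
    ok, bad = preflight(sample)
    print("accepted:", ok)
    for path, reason in bad:
        print(f"rejected: {path} ({reason})")
    print("sendable:", package_is_sendable(sample))
```
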
- Recalled packages: You cannot recall a watermarked package.
- Draft packages: If a transfer fails to start, AoC moves the package to the Drafts folder. You cannot change the watermarking setting for a package in the Drafts folder.
- Forwarded packages: When you forward a watermarked package, you may be able to turn watermarking off (depending on admin settings). However, Aspera recommends that you leave watermarking on. If you turn watermarking off, the package you forward retains your watermark when your recipients download it. If you leave watermarking on, the watermark on the forwarded package is updated for each recipient who downloads it. Note that the additional pre-processing required to forward a watermarked package causes a delay in notifying recipients of the forwarded package.
- Adding recipients to a package: When you add recipients to a watermarked package, the new recipients receive packages with their watermark. Adding recipients generates an immediate notification to the new recipients.
Configure Watermarking in Aspera on Cloud
- The node secret for the node that contains the workspaces in which you want members to send watermarked packages.
- These parameters from your Irdeto account:
- Storage provider
- Storage provider region
- DWM API endpoint
- Tenant ID
- Create a watermarking profile.
- In the Admin app, go to Integrations > Third-party > Watermarking > Create new.
- Give this profile a name, add a description if you wish, then enter the required data from your Irdeto account into the relevant fields.
- Click Save. AoC displays a list of nodes available to use with the Irdeto account you specified in the profile.
- Associate the profile with a node.
- Select the node; do one of the following: In the list of nodes that appears when you save the profile, click the intended node. Or go to Nodes > nodeName > Integrations.
- Enter the node secret, then click Integrations.
- In the list of integrations, click the row for Watermarking.
- Select the watermarking profile to associate with this node. Click Save. AoC displays a list of workspaces on this node that have the Packages app enabled.
- Enable watermarking for Packages in a workspace.
- In the list of workspaces that appears when you save the integration, click the intended workspace. Or go to Workspaces > workspaceName > Applications > Packages > Integrations.
- Check Enable watermarking.
- Select Optional or Required. Select Optional to allow workspace members to apply watermarking to a package when they send it. Select Required to make watermarking automatic for every package sent from this workspace. Note: As noted previously in this article, recipients of a watermarked package must log in to AoC to download the package. Does this workspace allow members to send to external users? If yes, and you select Required, you must also check the Packages app setting Require external users to log in when receiving packages. An external user who does not log in cannot download watermarked package contents.
- Click Save.
Errors that may occur for the transfer of watermarked packages appear in the AoC transfer monitor, on the individual transfer record.
| Error code | Error message |
|---|---|
| 106 | Service: Could not embed enough watermarks for proper detection |
| 130 | Service: Failed bits per sample validity check |
| 131 | Service: Failed Resolution validity check |
| 132 | Service: Failed Framerate validity check |
| 133 | Service: Failed Bitrate validity check |
| 134 | Service: Unsupported input file codec |
| 165 | Service: Task processing retries attempted but still failed |
| 1001 | Watermark: Invalid parameter value received |
| 1002 | Watermark: Embedder was forcefully interrupted |
| 1003 | Watermark: Not implemented |
| 1007 | Watermark: Input file not found |
| 1008 | Watermark: General IO error |
| 1009 | Watermark: Unsupported input format |
| 1011 | Watermark: No permissions to read input file |
| 1013 | Watermark: Corrupted stream |
| 1014 | Watermark: Cannot write variant file |
| 3000 | Unknown system error |