Hi,
I'm having a little trouble getting my head around the idea of DKDMs and creating KDMs from encrypted DCPs.
Here is my scenario.
My office has 4 people who all have their own laptop and DCP-o-matic installed. My boss has created an encrypted dcp using said software. We want to be able to take this DCP into the field to test server certs before there's any KDM issues with content coming from other vendors. My understanding is that my boss's installation of DCP-o-matic will need to have the 'DCP decryption certificate' from each of the other laptops to create a DKDM for the respective machines. At this point I become fairly lost as to how to proceed. Basically we want whoever is in the field to be able to create a KDM to unlock the encrypted DCP using the cert from whichever playback server the cinema is using.
Thanks in advance for your help!
Scott
Help with DKDMs and such
-
- Posts: 2804
- Joined: Tue Apr 15, 2014 9:11 pm
- Location: Germany
Re: Help with DKDMs and such
Basically, you have it right.
You have two options - you create screens for every company machine ON every company machine. DKDMs for a specific feature then must be created for every machine in order to enable KDM creation FROM every machine. For 4 machines, that sounds like quite some work.
This all works through the DKDM/decryption certificate exchange mechanism. The best thing is to start with some data logistics. Every machine needs to get a unique name. Then, have a network share for exchange of data between all machines. You can export/backup all your machine certs and private keys to this share, within a useful folder structure. So, every machine is able to create screens by using certificates from that cert database.
You would have a folder 'mycompanycerts', and 4 subfolders 'machine1', 'machine2', 'machine3', 'machine4'. You would duplicate this structure in your screen database, cinema 'mycompany', screen 'machine1', 'machine2'...etc. Yes, KDM authorized machines are 'just' screens. You only need to setup this on one machine, then duplicate the cinemas.xml database to all machines.
The second option is, you share your settings/certificates and private keys between all your machines. As far as KDM creation is concerned, then all machines are able to create KDMs using the same certificates. Viewed backwards, the 4 machines act as a single machine, as their cert based identity is cloned from a master.
It needs some discipline to keep this all stable. This usually involves creating backups of your certificates, so, in case of reinstalls, you are able to recreate a working configuration. The good thing is, once it works, every single machine may serve as a backup of these certs in case another machine loses them.
You can test all this by creating KDMs for a specific encrypted DCP for all machines, then import that DCP into every DOM instance, assign the KDM, and check wether decryption works. Slowly, it will all come together.
- Carsten
You have two options - you create screens for every company machine ON every company machine. DKDMs for a specific feature then must be created for every machine in order to enable KDM creation FROM every machine. For 4 machines, that sounds like quite some work.
This all works through the DKDM/decryption certificate exchange mechanism. The best thing is to start with some data logistics. Every machine needs to get a unique name. Then, have a network share for exchange of data between all machines. You can export/backup all your machine certs and private keys to this share, within a useful folder structure. So, every machine is able to create screens by using certificates from that cert database.
You would have a folder 'mycompanycerts', and 4 subfolders 'machine1', 'machine2', 'machine3', 'machine4'. You would duplicate this structure in your screen database, cinema 'mycompany', screen 'machine1', 'machine2'...etc. Yes, KDM authorized machines are 'just' screens. You only need to setup this on one machine, then duplicate the cinemas.xml database to all machines.
The second option is, you share your settings/certificates and private keys between all your machines. As far as KDM creation is concerned, then all machines are able to create KDMs using the same certificates. Viewed backwards, the 4 machines act as a single machine, as their cert based identity is cloned from a master.
It needs some discipline to keep this all stable. This usually involves creating backups of your certificates, so, in case of reinstalls, you are able to recreate a working configuration. The good thing is, once it works, every single machine may serve as a backup of these certs in case another machine loses them.
You can test all this by creating KDMs for a specific encrypted DCP for all machines, then import that DCP into every DOM instance, assign the KDM, and check wether decryption works. Slowly, it will all come together.
- Carsten