Print this page as document

Recommendation: security backup for (D)KDMs

Affects all Users of easyDCP KDM Generator+

This page contains:

1 Licenses and Certificates

2 Threat of loss of all (D)KDMs caused by hardware change / fault

3 Create a Backup machine using a Complementary License

4 Workflow Description

4.1 Standard (D)KDM Generation Process

4.2 Recommended Workflow utilizing a Backup Unit (BU)

4.3 Using the Backup Unit to recover (D)KDMs

5 How to activate your complementary license for easyDCP KDM Generator+ Backup

1 Licenses and Certificates

In order to run properly, each installation of easyDCP KDM Generator+ needs three different sets of files issued separately for each installation:

1. License – enables all commercial features
2. Signer Certificates – required to digitally sign (D)KDMs issued with the software
3. Server Certificates – An identification of the particular hardware easyDCP KDM Generator+ is installed on. (D)KDMs are issued for certain Server Certificates

During the activation process all of those files are generated using appropriate functions in the easyDCP web shop at http://www.easyDCP.com. Licenses and Server Certificates are bound to the particular hardware easyDCP KDM Generator+ is running on. Signer certificates are not tied to the hardware.

2 Threat of loss of all (D)KDMs caused by hardware change / fault

Important: If some hardware components in the production machine are changed or the machine stops operating at all, the license and server certificates will not work anymore. Using the migration function in the easyDCP web shop, a license can be ported to another machine. However, a server certificate cannot be used on another hardware. Likewise, it is not possible to re-use the certificates if certain hardware components get replaced on the system. And once the server certificates cannot be used anymore.

ALL (D)KDMs ISSUED FOR THESE SERVER CERTIFICATES ARE LOST AND CANNOT BE RECOVERED.

3 Create a Backup machine using a Complementary License

We recommend our easyDCP KDM Generator+ customers to set-up a second computer serving as backup machine for their (D)KDMs. If used properly, existing (D)KDMs can be recovered and ported to a fresh installation, in case the production machine is not working anymore. The set-up is simple and your existing (D)KDM workflow requires only small changes.

1. Every easyDCP KDM Generator+ client gets a complementary license for a second installation of the software (called the Backup Unit - BU)
2. From now on, we recommend to issue a backup DKDM for the Backup Unit once you receive a (D)KDM for your production system. For this, it is important that the Backup Unit must be installed on another physical hardware.
3. Once the production machine stops working for some reason, all (D)KDMs can be recovered using the Backup Unit.

NOTE: You can use your existing easyDCP KDM Generator+ instance to issue backup-(D)KDMs of your existing (D)KDMs for your new backup easyDCP KDM Generator+ instance. This is a one-time-only job and should be performed as soon as possible.

4 Workflow Description

This chapter gives an overview over the recommended workflow when using two instances of easyDCP KDM Generator+ in parallel.

Figure 1 shows a block diagram comprising two activated instances of the software, both identified by their Server Certificate. As mentioned above, the Server Certificate is bound to a specific hardware and installation of the operating system and cannot be used on another installation.

Figure 1: Two activated instances of easyDCP KDM Generator+ running on different hardware

4.1 Standard (D)KDM Generation Process

Figure 2 shows one of the common applications using easyDCP KDM Generator+. Here, the Main Unit (MU) receives certain input data:

1. A (D)KDM or easyDCP Digest from either the previous DCP compiling step or from another facility (step 1). An input (D)KDM can only be processed if it has been issued to the Server Certificate of the MU (compare Figure 1).
2. Certificates from various Cinema Servers that serve to identify the output (D)KDM’s recipients (step 2).
   
   

Figure 2: Standard KDM generation process using one installation of easyDCP KDM Generator+

As result easyDCP KDM Generator+ generates a batch of KDMs for the selected Cinema Servers (step 3).

4.2 Recommended Workflow utilizing a Backup Unit (BU)

Based on the workflow described above, we recommend generating a Backup DKDM for the Backup Unit (BU) shown in Figure 1 whenever a new key is used as input format (step 1). Basically, the processing-steps are identical to the description given in 4.1, but instead of only ingesting certificates from the Cinema Servers we also point our Main Unit of easyDCP KDM Generator+ to the Server Certificate of our Backup Unit (Figure 3, step 2). By doing this, easyDCP KDM Generator+ issues a Backup DKDM that can be read from the Backup Unit later. In case the MU is not available anymore, the Backup KDM can be used to recover the original keys that were used to encrypt the DCP.

Figure 3: KDM Generation Process using the Backup Unit (BU)

4.3 Using the Backup Unit to recover (D)KDMs

In case of a hardware crash or when the system components used to assemble the Main Unit’s system hash change, it is possible that the Server Certificates of the Main Unit cannot be accessed anymore. In this case it is possible to move the main unit onto a new hardware or issue a new set of license and certificates for the new configuration of the main unit. In any case, the previous Main Unit’s Server Certificates must be replaced. Through the easyDCP-web shop it is possible to get new licenses and certificates on the fly. Indeed, none of the old (D)KDMs of the former Main Unit (MU) will work with the new installation, called New Main Unit (NMU) here, since the new Main Unit is identified by a new Server Certificate. In order to get (D)KDMs working on the NMU it is necessary to use the BU as shown in Figure 4. Please note that the BU of KDM Generator+ is used instead of the MU.

Figure 4: Issuing DKDMs for the New Main Unit (NMU) using the Backup Unit (BU)

By ingesting both, all Backup-KDMs (1) as well as the Server Certificate from the New Main Unit (NMU – step 2) new DKDMs for the New Main Unit are generated.

5 How to activate a complementary license of easyDCP KDM Generator+ Backup

Step 1. Download the easyDCP KDM Generator+ Installer for your target OS from your license status again and install it.

Step 2. Request a license and certificate and send it as usual to www.easyDCP.com (see also:How do I activate my easyDCP Product?.) 

Step 3. www.easydcp.com will offer you: "Activate your complementary license". Select it for activation.

Now your license status shows a new entry called: "easyDCP KDM Generator+ Backup"

Step 4: Download the license and certificate data set and import it into your easyDCP KDM Generator+ Backup system. 

NOTE: The complementary license is locked for migration. If you need to migrate your easyDCP KDM Generator+ Backup system please contact us at info@easyDCP.com. 

easyDCP applications require different kinds of certificates

Server Certificates:

Is required to be able to receive KDMs. If a partner wants to send you an encrypted DCP, they will need your public server certificate so that they can issue a DKDM for. 

Signer Certificate:

Will be used to digitally sign content of encrypted DCPs or KDMs. Generally, all DCPs should be digitally signed to ensure that they will be ingested without any problems into a digital cinema server. Only for unencryted DCPs with Interop conformity, a signature is optional.

Which easyDCP application needs which certificates?

How you get your Signer- and Server- certificate?

1. Subscription licenses will receive automatically online for every application on each hardware indiviudal certificates.  
   
   
2. From easyDCP Player(+) 2.0.X, easyDCP Creator(+) 2.2.X, easyDCP KDM Generator 1.4.15(+) and IMF Studio with permanent licenses and Offline License activation.
   

   During „License & Certificate Request“ and activation via webshop www.easydcp.com Signer- and Server Certificates will be provided in "License & Certificate".

   What kind of certificate are required, if at all, depends on the easyDCP application.

3. Older Standalone easyDCP versions
   
   Please use license status on www.easydcp.com: New server certificate/manage certificate
   
   

How I can access to my previous Signer- and Server Certificates?

Please use license status on www.easydcp.com: Manage certificates
This option is available for customers with valid service extension

Comments:

• If you update to a newer easyDCP version, previous certificates should be maintained. When filling in a new license & certificate request, you will be prompted to enter the password that protects your current certificate. If the password can be verified, the new request will contain information, that you don´t need a new certificate.
• Server certificates are bound to the hardware via the system hash. If you migrate to another system, you always need new server certificates.
• Signer certificates are bound to a person rather than to a system.  However, each " License and Certificate set" contains a new signer certificate for technical reasons.

Please note: Every "Certificate Request" will be secured with a password specified by you.

You select the password when you fill in the request and will be prompted to enter it again, whey you import the License & Certificate Set and whenever a KDM is accessed. 

The password cannot be recovered!

This instrucions informs you how to export your public server certificates for internal or external use e.g. for partners who want to create DKDMs for your application.

HINT: Every easyDCP Application uses different Server Certificates. DKDMs issued for one easyDCP application cannot be used in any other easyDCP application.  

The content decryption context menu is available in the

• easyDCP Creator+
• easyDCP Player+
• easyDCP KDM Generator+

The menu option File -> Content Decryption -> Export Public Server Certificate

will copy both the public leaf certificate (easydcpcreator_ _.cert.sha256.crt) and the signature chain (easydcpcreator _ _.chain.sha256.pem) to the selected folder. The signature chain contains the leaf certificate as well as intermediate certificates and the root certificate.
You may safely distribute these certificates to content providers who want to issue a Distribution KDM to your easyDCP + installation.

Note: When issuing (D)KDMs with easyDCP KDM Generator+, place only the leaf certificate file (*.crt) into the server certificate’s folder or just drag and drop it into the corresponding input form.

HINT: Every easyDCP Application uses different Server Certificates. KDMs issued for one easyDCP application cannot be used in any other easyDCP application.  

The generation of personalized signer certificates for certain easyDCP applications is a free service provided by Fraunhofer IIS.

New personalized signer certificates will be issued with every License & Certificate Request during new installation of after migration of the software.

Requirements to get personalized signer certificates issued by Fraunhofer IIS are:

• The email-domain used for your web-account at http://www.easyDCP.com and the requested domain within the License & Certificate Set-request must match.
• Requested domain for validation is not a public address like e. g. gmail.com, t-online.de etc. Blacklist is supported.
• If a comprehensible reason exist that email domain and requested domain cannot match please contact info@easydcp.com 

How do I activate the new online roaming services if I have already activated the new easyDCP version in the Offline mode?

• The affected easyDCP Plus / IMF Studio (Version ≥ 4.0.1) is already installed and activated as Offline License.

The reset to the online activation takes place in 2 steps. 

Step 1: Preparation of the easyDCP Plus / IMF Studio Program

• Navigate to Preferences/Options > Activation Status 
• Press the Button "Remove License & Certificates"
  (older versions use alternate "Remove from settings")

• Restart the affected easyDCP program and it will start again in online login mode.
  NOTE: You can't start the application with Online Activation without reset it also in your account settings 

Step 2: Re-activate the online activation in the webshop www.easyDCP.com

1. 1. Login in your account at www.easyDCP.com
   2. Select My Products
   3. Select the product you need to remove offline license 
   4. Select: "Remove Offline License"

Note:

• Since server certificates are tied to the system hash, they become inaccessible after a migration. New certificates will be automatically created, but all KDMs issued to the old cerificates will no longer be accessible. Please check our FAQ: Server- and Signer- Certificates.
• The offline license and legacy licenses you may have activated as parent to the offline license will be removed as well. 
• When may receive the message that migration ist not available. This will occure when you have migrated a offline license within the last 6 month before. 

Usually, on the cinema server manufacturers' FTP servers you can find both the public server certificates and the signature chain that were used to sign the certificates.

If you decide to trust the certificate by examining the signature chain, you only need the server certificate to create a KDM. The server certificate usually has either a *.pem or a *.crt suffix.

easyDCP KDM Generator will accept either, but do not use both.

Furthermore, there may be pairs of certificate and chain that state "mpeg", "sha1" and "sha256".
Like with DCPs, there are SMPTE ("sha256") and Interop ("sha1" / "mpeg") KDMs.

Almost all modern cinema servers prefer SMPTE KDMs - even for Interop DCPs. So mostly the "sha256" version is used.

Only if you surely know your recipient only accepts Interop KDMs, use the "sha1" certificate and remember to check the "Enable Interop mode" option in the easyDCP KDM Generator's options tab.

Please see also: Where can I get the server certificates needed to create the KDMs?

Licenses of easyDCP software prepared for offline mode can be installed only on one computer system.

Hint: Sometimes this method is required as well to solve license issues when the hashcode doesn't match to the previous license anymore or you have lost the password. 

However, if you need to move the easyDCP license to another computer or operating system you can do this easily using Migration function in the web shop:

1. Login in your account at www.easyDCP.com
2. Select license status
3. Select the product you need to migrate
4. Select: "migrate license"
   
   

easyDCP Resolve Plug-In customers can get additional important informations for migration here. 

After the migration is complete you can generate a new license for the new ware system. Please refer to the following FAQ on how to activate your product.

• How to activate my easyDCP product?
• How to activate my easyDCP Resolve Plugin?
• You find a video tutorial easyDCP from V3.6 - Software Activation Tutorial here.

Note:

• There is a limit of one automatic migration in six months. If you require a second migration within the six months period, please inform us via email why it´s necassary.
• Since server certificates are tied to the system hash, they become inaccessible after a migration. New certificates will be automatically created, but all KDMs issued to the old cerificates will no longer be accessible. Please check our FAQ: Server- and Signer- Certificates.

Migration with older Versions: For version easyDCP Creator(+)2.1.X and older, easyDCP Player(+)1.9.X and older, and easyDCP KDM Generator(+)1.47 and older, be prepared to use the new hashcode of your target hardware/software.

The procedure is different in every country. We can't send you the certificates.

• The best way is to ask the cinema owners directly. They should have current certificates of their projection systems in their screening rooms or tell you the model and serial number.
• Another option is to contact the server manufacturer directly.
• If you have the model and serial number, you can contact the server manufacturer and ask for access to their database.

easyDCP 3.6.0 and above will be activated within the application/preferences.

For macOS users: minimum macOS 10.12 is required for easyDCP ≤ 3.8.9 products. easyDCP Plus / IMF Studio ≥ 4.0 require macOS 10.14. 

Please watch our video tutorial or proceed as follows:

1. Download and install the latest installer from your account at www.easyDCP.com license status.
   
        
   
   
2. If Select "Preferences (OSX)" or "Options (WINDOWS)" in the installed easyDCP application option "Activation Status" and select "Request License&Certificates"
   If you have a version ≥ 4.0 start the program in demo mode to enable activation
   
        
   
   
3. Fill out the form according to the instructions displayed and select "Send request". Your license-and-certificate-request will be processed after you log in and have select the license you intend to activate.
   
   
         
   
   
4. Then you can download your "License & Certificate" Data Set from your license status and import it with the corresponding easyDCP option "Import License & Certificates"
   
        

Note: This way of activating your easyDCP Product is only available from easyDCP Version 3.6 or higher.

• If you use a easyDCP Creator(+) from 2.2.X, easyDCP Player(+) from 2.0.X and easyDCP KDM Generator(+) from 1.4.1X till easyDCP Version 3.5.8, you find help here.
• If you use an Version below easyDCP Creator(+) 2.2.X, easyDCP Player(+) 2.0.X and easyDCP KDM Generator(+) 1.4.1X, you find help here.
• If you use an easyDCP Resolve Plugin version, you find help here.
• If you use an easyDCP SAM Rio Plugin version, you find help here.

easyDCP Creator(+) from 2.2.X, easyDCP Player(+) from 2.0.X and easyDCP KDM Generator(+) from 1.4.1X and above can be directly activated from within the application.

Known limitations:
macOS: Only easyDCP 3.5.5 or higher can be run as of macOS 10.12 (Sierra)
Windows: Only easyDCP 3.4.10 ot higher can run on Windows 10

Please watch our video tutorial or proceed as follows:

1. Download and install the latest installer from your account at www.easyDCP.com license status.
   
        
   
   
2. Select in the installed easyDCP application at "Help" the function "Request License & Certificate" (or use F3)
   
        
   
   
3. Fill out the form according to the instructions displayed and select "Send request". Your license-and-certificate-request will be processed after you log in and have select the license you intend to activate.
   
        
   
        
   
   
4. Then you can download your "License & Certificate" Data Set in the license status pane and install them via Drag and Drop into your easyDCP application.
   Alternatively, you may store the license-and-certificate file (*.easydcp) to a disk and import it into the corresponding easyDCP application by using "Help" the function "Import License & Certificates" (or press F4).
   
        

Note: This way of activating your easyDCP Product is only available from easyDCP Creator(+) 2.2.X, easyDCP Player(+) 2.0.X and easyDCP KDM Generator(+) 1.4.1X or higher.

• If you use a easyDCP Verion 3.6 or higher, you find help here.
• If you use a Version lower as easyDCP Creator(+) 2.2.X, easyDCP Player(+) 2.0.X or easyDCP KDM Generator(+) from 1.4.1X, you find help here.
• If you use an easyDCP Resolve Plugin version, you find help here.
• If you use an easyDCP SAM Rio Plugin version, you find help here.

Different versions of easyDCP can be installed side-by-side

However be aware that the all share the same user application data folder, where state settings, KDMs, server and signer certificate and license are stored.  

DKDMs are used for the exchange of encrypted DCPs between postproduction houses. Processing DKDMs needs the same operation and security requirements that are used in the creation and operation of KDMs for the digital cinema.
easyDCP Creator+ enables to encrypt digital cinema content and the standard accessory easyDCP KDM Generator generates KDMs and DKDMs for the transfer of digital cinema content to postproduction houses or cinemas.

For further information please refer to:

• easyDCP Creator+
• easyDCP KDM Generator

For automatic generating and distribution of KDMs the online service KDM Studio is available at www.dcptools.com. 
KDM Studio is developed by the DCPtools Team based on easyDCP KDM Gnerator+.