KDM rejected for SMPTE content and Barco ICMP / ALCHEMY servers

Question

KDM rejected for SMPTE content and Barco ICMP / ALCHEMY servers

Closed this issue a year ago · 3 comments

With MT1 or DCI specific KDM, content can not play with error following.
The integrator talks about KDM signature error. Easy DCP KDM works fine.
Enclosed DOM & Easy DCP KDM.
SMPTE_KDM.zip

Aug 12 08:10:20 icmp-17261b user.err SM: SM- uploadKdm error: valdidity window outside signer range
Aug 12 08:10:20 icmp-17261b user.err SMS: Player- KDM [a43888fc-bdd6-42fb-9364-fde7701275ff] Security validation error: player - invalid key signer chain - key rejected
Aug 12 08:10:20 icmp-17261b user.err SMS: Player- CPL [SejourMtFuchun_FTR_F-178_CMN-FR_FR_51_2K_GAL_20200611_LJM_SMPTE_OV] Security validation error: no valid key found
Aug 12 08:10:20 icmp-17261b user.err SMS: Player- CPL [SejourMtFuchun_FTR_F-178_CMN-FR_FR_51_2K_GAL_20200611_LJM_SMPTE_OV] validation error: player - no valid key found - cannot play - aborting validation
Aug 12 08:10:20 icmp-17261b user.err SMS: Player- Player error: player - no valid key found - cannot play
Aug 12 08:10:20 icmp-17261b user.err SMS: SMS- Playlist Security validation failed: no valid key found

Answer 1 · 2020-08-12T22:52:39.000Z

Hi Lilian,

That's strange. The error suggests that the KDM validity period is outside the signer cert validity period, but on your DoM KDM the certs are valid from 04/01/2019 - 11/12/2118 and the KDM validity is from 10/08/2020 to 17/08/2021.

Is the DoM KDM you attached the same one mentioned in the error? I can find the KDM ID that the error mentions (a43888fc-bdd6-42fb-9364-fde7701275ff).

Did you create DoM's signer certificate chain yourself, and import it into DCP-o-matic?

Answer 2 · 2020-08-17T22:17:13.000Z

Hi Carl,

Yes it's strange.
Only this server complains for now.
Here is the right KDM the log is referring to.
KDM_SejourMtFuchun_FTR_F-178_CMN-FR_FR_51_2K_GAL_20200611_LJM_SMPTE_OV_GRIGNOUX_Cameo_2-2020-08-10_23-31.xml.zip
It concerns 8 KDM for 8 different servers.
Yes I did create the signer certificate myself with the make-dc-certificate-chain.rb tool.
I use this cert and chain with easyDCP tools without issues.

Lilian

Answer 3 · 2020-09-07T07:36:28.000Z

Hi Lilian,

So this error is specific to this one server, and in general you are finding that DCP-o-matic KDMs work?
Is it possible to do more tests with that server?

You say you use this (signer) cert and chain in easyDCP - but you didn't in this case, is that right?

Thank you,
Carl