Frequently Asked Questions

Recommendation: security backup for (D)KDMs

Affects all Users of easyDCP KDM Generator+

 

This page contains:

1 Licenses and Certificates

2 Threat of loss of all (D)KDMs caused by hardware change / fault

3 Create a Backup machine using a Complimentary License

4 Workflow Description

4.1 Standard (D)KDM Generation Process

4.2 Recommended Workflow utilizing a Backup Unit (BU)

4.3 Using the Backup Unit to recover (D)KDMs

5 How to activate your complimentary license for easyDCP KDM Generator+ Backup

 

1 Licenses and Certificates

In order to run properly, each installation of easyDCP KDM Generator+ needs three different sets of files issued separately for each installation:

  1. License – enables all commercial features
  2. Signer Certificates – required to digitally sign (D)KDMs issued with the software
  3. Server Certificates – identify the particular hardware easyDCP KDM Generator+ is installed on. (D)KDMs are issued to specific Server Certificates.

During the activation process all of those files are generated using appropriate functions in the easyDCP web shop at http://www.easyDCP.com. Licenses and Server Certificates are bound to the particular hardware easyDCP KDM Generator+ is running on. Signer certificates are not tied to the hardware.

 

2 Threat of loss of all (D)KDMs caused by hardware change / fault

Important: If some hardware components in the production machine are changed, or the machine stops operating altogether, the license and server certificates will no longer work. Using the migration function in the easyDCP web shop, a license can be ported to another machine. However, a server certificate cannot be used on other hardware. Likewise, it is not possible to re-use the certificates if certain hardware components are replaced on the system. Once the server certificates can no longer be used,

ALL (D)KDMs ISSUED FOR THESE SERVER CERTIFICATES ARE LOST AND CANNOT BE RECOVERED.

 

3 Create a Backup machine using a Complimentary License

We recommend that easyDCP KDM Generator+ customers set up a second computer to serve as a backup machine for their (D)KDMs. If used properly, existing (D)KDMs can be recovered and ported to a fresh installation if the production machine stops working. The setup is simple and your existing (D)KDM workflow requires only small changes.

  1. Every easyDCP KDM Generator+ client gets a complimentary license for a second installation of the software (called the Backup Unit, BU).
  2. From now on, we recommend issuing a backup DKDM for the Backup Unit whenever you receive a (D)KDM for your production system. For this to work, the Backup Unit must be installed on separate physical hardware.
  3. Once the production machine stops working for some reason, all (D)KDMs can be recovered using the Backup Unit.

NOTE: You can use your existing easyDCP KDM Generator+ instance to issue backup-(D)KDMs of your existing (D)KDMs for your new backup easyDCP KDM Generator+ instance. This is a one-time-only job and should be performed as soon as possible.

 

4 Workflow Description

This chapter gives an overview of the recommended workflow when using two instances of easyDCP KDM Generator+ in parallel.

Figure 1 shows a block diagram comprising two activated instances of the software, each identified by its Server Certificate. As mentioned above, the Server Certificate is bound to specific hardware and a specific installation of the operating system and cannot be used on another installation.

Figure 1: Two activated instances of easyDCP KDM Generator+ running on different hardware

 

4.1 Standard (D)KDM Generation Process

Figure 2 shows one of the common applications using easyDCP KDM Generator+. Here, the Main Unit (MU) receives certain input data:

  1. A (D)KDM or easyDCP Digest from either the previous DCP compiling step or from another facility (step 1). An input (D)KDM can only be processed if it has been issued to the Server Certificate of the MU (compare Figure 1).
  2. Certificates from various Cinema Servers that serve to identify the output (D)KDM’s recipients (step 2).

Figure 2: Standard KDM generation process using one installation of easyDCP KDM Generator+

As a result, easyDCP KDM Generator+ generates a batch of KDMs for the selected Cinema Servers (step 3).

 

4.2 Recommended Workflow utilizing a Backup Unit (BU)

Based on the workflow described above, we recommend generating a Backup DKDM for the Backup Unit (BU) shown in Figure 1 whenever a new key is used as input (step 1). The processing steps are identical to those described in 4.1, but instead of ingesting only the certificates from the Cinema Servers, we also point the Main Unit of easyDCP KDM Generator+ to the Server Certificate of the Backup Unit (Figure 3, step 2). easyDCP KDM Generator+ then issues a Backup DKDM that the Backup Unit can read later. If the MU is no longer available, the Backup KDM can be used to recover the original keys that were used to encrypt the DCP.

Figure 3: KDM Generation Process using the Backup Unit (BU)
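
An audit for the workflow above, as an added example that is not part of the original page or of easyDCP: it lists every composition (CPL) for which a (D)KDM addressed to the Main Unit exists but no Backup DKDM addressed to the Backup Unit. It assumes the files follow the SMPTE ST 430-1 KDM XML layout (`Recipient`/`X509SubjectName`, `CompositionPlaylistId`), which this page does not describe, and that each unit is identified by its certificate subject name; all function names, subjects and UUIDs are hypothetical, and the sample documents are constructed skeletons.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _find(root, name):
    """First descendant whose tag matches `name`, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None

def kdm_recipient(xml_text):
    """Return (CPL id, recipient subject name) of one (D)KDM document."""
    root = ET.fromstring(xml_text)
    cpl = _find(root, "CompositionPlaylistId")
    recipient = _find(root, "Recipient")
    subject = _find(recipient, "X509SubjectName") if recipient is not None else None
    if cpl is None or subject is None or not (cpl.text and subject.text):
        raise ValueError("not a (D)KDM: CPL id or recipient missing")
    return cpl.text.strip(), subject.text.strip()

def missing_backups(kdm_docs, mu_subject, bu_subject):
    """CPL ids that have a (D)KDM for the Main Unit but none for the Backup Unit."""
    recipients = defaultdict(set)
    for doc in kdm_docs:
        cpl, subject = kdm_recipient(doc)
        recipients[cpl].add(subject)
    return sorted(c for c, s in recipients.items()
                  if mu_subject in s and bu_subject not in s)

# Constructed sample data: heavily trimmed KDM skeletons, no real keys.
def sample_kdm(cpl, subject):
    return (
        '<DCinemaSecurityMessage xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM">'
        '<AuthenticatedPublic><RequiredExtensions>'
        '<KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">'
        f'<Recipient><X509SubjectName>{subject}</X509SubjectName></Recipient>'
        f'<CompositionPlaylistId>{cpl}</CompositionPlaylistId>'
        '</KDMRequiredExtensions></RequiredExtensions></AuthenticatedPublic>'
        '</DCinemaSecurityMessage>')

MU = "CN=main-unit.example,O=Example Post,dnQualifier=AAAA"    # hypothetical subject
BU = "CN=backup-unit.example,O=Example Post,dnQualifier=BBBB"  # hypothetical subject
CPL_A = "urn:uuid:11111111-1111-1111-1111-111111111111"
CPL_B = "urn:uuid:22222222-2222-2222-2222-222222222222"
DOCS = [sample_kdm(CPL_A, MU), sample_kdm(CPL_A, BU), sample_kdm(CPL_B, MU)]

if __name__ == "__main__":
    for cpl in missing_backups(DOCS, MU, BU):
        print("no backup DKDM for", cpl)
```

Run against the folder of stored (D)KDMs on a schedule, a non-empty result means a composition would be lost together with the Main Unit's Server Certificate.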

 

4.3 Using the Backup Unit to recover (D)KDMs

After a hardware crash, or when the system components used to assemble the Main Unit's system hash change, the Server Certificates of the Main Unit may no longer be accessible. In this case it is possible to move the Main Unit onto new hardware or to issue a new set of license and certificates for the new configuration of the Main Unit. In either case, the previous Main Unit's Server Certificates must be replaced. New licenses and certificates can be obtained on the fly through the easyDCP web shop. However, none of the old (D)KDMs of the former Main Unit (MU) will work with the new installation, called the New Main Unit (NMU) here, since the New Main Unit is identified by a new Server Certificate. To get (D)KDMs working on the NMU, it is necessary to use the BU as shown in Figure 4. Please note that the BU of KDM Generator+ is used instead of the MU.

Figure 4: Issuing DKDMs for the New Main Unit (NMU) using the Backup Unit (BU)

By ingesting both all Backup-KDMs (step 1) and the Server Certificate from the New Main Unit (NMU, step 2), new DKDMs for the New Main Unit are generated.

 

5 How to activate your complimentary license for easyDCP KDM Generator+ Backup

Step 1. Download the easyDCP KDM Generator+ Installer for your target OS from your license status again and install it.

Step 2. Request a license and certificate and send it as usual to www.easyDCP.com (see also: How do I activate my easyDCP Product?).

Step 3. www.easydcp.com will offer you: "Activate your complementary license". Select it for activation.

Now your license status shows a new entry called: "easyDCP KDM Generator+ Backup"

Step 4. Download the license and certificate data set and import it into your easyDCP KDM Generator+ Backup system.

NOTE: The complimentary license is locked for migration. If you need to migrate your easyDCP KDM Generator+ Backup system, please contact us at info@easyDCP.com.