Post on 13-Jul-2020

Page 1: Preparing to Configure VOD for the RCASTo support VOD, XOD Software Version 1.6.0.5 or later must be installed on the XOD server, and the server should be configured for VOD. 4039129

Preparing to Configure VOD for the RCAS

Overview

Introduction

This guide pertains to the Remote Conditional Access System (RCAS). The RCAS provides PowerKEY™ encryption services to remote VOD Session Manager (VSM) PowerKEY Open CAS Interface (OCAI) clients.

Purpose

This guide provides instructions for preparing to switch from using the Digital Network Control System (DNCS) for Video on Demand (VOD) to using the RCAS for VOD.

Audience

This document is written for system operators of the Digital Broadband Delivery System (DBDS). Headend operators and support engineers may also find the contents of this document to be useful.

Document Version

This is the first formal release of this document.

Overview of VOD with the RCAS

Review this section to familiarize yourself with the workings of the RCAS.

RCAS Components

The RCAS is made up of the following components:

RCAS and Transaction Encryption Device (TED) pair

VSM, with either an internal Edge Resource Manager (ERM) or an external ERM

VOD system

Video On Demand Delivery System Architecture

The RCAS provides PowerKEY encryption services to remote VSM PowerKEY OCAI clients through the OCAI V2 RPC interface. The RCAS clients use PowerKEY Interactive Session Key (ISK) entitlement management messages (EMMs), generated as a result of an OCAI request, to facilitate session-based VOD encryption. Encryption services are supplied to RCAS through a Transaction Encryption Device (TED) 3.X encryption appliance connected to RCAS by means of a private Ethernet connection.

RCAS operates on a DNCS running system release (SR) 4.2.x code. RCAS pulls a subset of the DNCS database into one of two local RCAS databases. This operation is known as database synchronization.

There are two instances of the RCAS database that contain identical tables. When one instance of the database is synchronizing with the DNCS, the other database instance is actively used by RCAS to service OCAI requests. A database synchronization operation occurs every 12 hours, by default. The synchronization schedule is controlled by an RCAS user cron job and may be adjusted. A dedicated Ethernet connection is required between the RCAS and its paired DNCS for database synchronization. The RCAS database tables are used to validate incoming OCAI requests and to provide public key material for set-tops.

For each OCAI V2 request, which comes from the associated VSM/ERM, the RCAS performs the following functions:

1 Confirms that the set-top client for the session is active and enabled for VOD services. To be eligible to receive OCAI services, a set-top must be active and have the following secure services enabled in the DNCS database: Digital Interactive Service (DIS) and Digital Multicast Service (DMS).

2 Confirms that the incoming request originates from a source that has been entered as a VASP on the DNCS. All originating VSM OCAI clients must be entered as VASPs in the DNCS connected to the RCAS.

3 Validates the set-top public key certificate in the RCAS database.

4 Validates the encryptor’s public key if one is supplied. Once validated, this key is cached by the RCAS for subsequent OCAI requests.

5 Sends a request to the TED to generate an ISK to be used for the encrypted VOD session.

Note: At this point, the TED generates two EMMs that contain the ISK. One EMM is used for the set-top client; the other EMM is used for the encryptor.

6 Generates an entitlement control skeleton that contains a unique entitlement ID (EID) for the session.

7 Sends an OCAI response back to the OCAI client (ERM/VSM) that contains the two ISK EMMs and the ECM skeleton generated in steps 5 and 6.

Refer to the following illustration for an overview of the RCAS network design.

The following diagram shows the RCAS process flow.

Requirements

This section lists the requirements your system must meet in order to switch from using the DNCS for VOD to using the RCAS for VOD. You should check your system against these requirements the day before you switch VOD services from the DNCS to the RCAS.

RCAS Requirements

The RCAS must meet the following requirements to support VOD:

RCAS software version 1.0.0.5 or later must be installed on the RCAS.

The rcas interface must exist. This interface represents a direct connection from the TED to the RCAS.

The rcasnet interface must exist. This interface represents the network connection between the RCAS and the DNCS. This connection is used for database synchronization and provides a connection to the VOD system (VSM/ERM). This is a mandatory network connection.

Optionally, the rcaseth interface may exist. This interface represents a network connection between the RCAS and the outside world.

USRM/VSM Requirements

The USRM/VSM must meet the following requirements to support VOD:

USRM/VSM software version 2.1.3-5 or later must be installed on the USRM/VSM.

The following logical interface names are required for the USRM and VSM:

- Mgmt - Management interface, typically used for the web server and SNMP, etc.

- Data - Data interface, typically used for carousels, etc.

- Service - Service interface, typically used for application services, e.g., VOD, SDV, edge resource devices, etc.

- Control - Control interface, reserved for future use.

DNCS Requirements

The DNCS must meet the following requirements to support VOD:

DNCS software version 4.2.0.50p3 or later must be installed on the DNCS.

Any QAM changes need to be made and tested prior to VSM deployment.

The DNCS must be configured for RCAS:

- The following VASP entries must exist on the DNCS.

Note: VASPs are added in the following manner on the DNCS: DNCS Administrative Console > Network Element Provisioning tab > VASP.

A VASP entry for the VSM

A VASP entry for the USRMs (the USRM is the OCAI client that connects to the RCAS)

- The /etc/hosts file contains an entry for the IP address of the interface on the RCAS with which the DNCS communicates.

- The third-party SRM option must be enabled for QPSKs by adding Option 23: SRM CAS PowerKey Interface to the license.

Multi-Stream CableCARD Requirements

To support Multi-Stream CableCARDs™ (M-Cards™), M-Card Software Version 1.5.2 3101 or later must be installed on the DNCS.

BMS Requirements

The BMS must meet the following requirements to support VOD:

Note: The ISA configuration file (isa.conf) is no longer on the BMS after the upgrade to BMS 4.0.

BMS Software Version 3.0 or later must be installed on the BMS.

The BMS should be configured for VOD.

QAMs should be configured on the BMS, for example, GigE IP addresses and service groups.

If new QAMs are added, or if SDV QAMs are to be shared with VOD QAMs, then all the Service Group IDs and QAM GigE IP addresses should be added to the BMS.

Add the VSM IP address to BMS configuration files, similar to the following example. These examples use a VSM IP address of 192.168.10.9 and are based on file locations in BMS Version 4.011.

Note: In this example, the sessiongateway/dncs_ip parameter is commented out. Commenting out the sessiongateway/dncs_ip address allows you to easily switch the SRM function to the DNCS in the event that this is needed.

Local Config File

# Comma-delimited list of SRM IPs
# BMS 3.1 property name and value
sessiongateway/dncs_ip=10.253.0.1
# BMS 4.0 property name and value

Add the SRM IP address to the sessiongateway/srmIps of the BMS configuration file (/usr/local/mystro/bms/conf/local.conf), similar to the following example. This example shows an SRM IP address of 192.168.10.9.

Local Config File

# Comma-delimited list of SRM IPs
# BMS 3.1 property name and value
sessiongateway/dncs_ip=10.253.0.1
# BMS 4.0 property name and value
sessiongateway/srmIps=192.168.10.9

MAS Server Requirements

The MAS server must meet the following requirements to support VOD:

MAS Software Version 5.2.8-323 or later must be installed on the MAS server.

The SRM IP address has been changed from the DNCS IP address to the VSM IP address.

Note: You can confirm this by viewing the IP address listed for sa_networkproperties.stbnetwork.dncs.ip on the https://<IP Address of MAS Server>/settings/ window, as shown in the following example. In this example, the IP address 192.168.10.9 is used.

XOD Server Requirements

To support VOD, XOD Software Version 1.6.0.5 or later must be installed on the XOD server, and the server should be configured for VOD.

Verify the RCAS Performance

This section contains the procedures you will use to monitor performance and ensure the RCAS is operating as needed to support VOD.

RCAS VOD Logs

The following VOD logs should be monitored to ensure appropriate system performance. We recommend that you monitor these logs immediately after switching from the DNCS to RCAS for VOD to ensure RCAS is functioning as expected. After you ensure that RCAS is functioning properly, you should only need to view these logs to assist with troubleshooting.

SSV logs are located in this directory: /arroyo/log/c2k.log.yyymmdd

BMS log is located in this directory: /data/twc_log/twc.log

Note: Use this directory for BMS Software Version 3.0. Later versions of BMS software may have the log in a different directory.

RCAS log is located in this directory: /dvs/rcas/tmp/camEx.###

Note: By default, this log is updated and deleted frequently.

CDSM log is located in this directory: /home/isa/Streaming/master/StreamServer.log

Note: You must log in as the isa superuser to access this directory.

VSM log: To access these logs, execute this command: vodsessquery -r <full session ID from VSM or USRM>

Example: vodsessquery -r 001ac326ded1/129665

Changing or Setting RCAS Logging Levels

You can control the level of detail that the system writes to process logfiles by setting the logging level of the process. The following procedure describes how this is done.

Important: When you increase the logging level, you must monitor the disk usage. The higher the logging level, the quicker the disk will fill up. To minimize the possibility that logs fill the file system and cause system outages, the variable that defines the number of days that files are saved to the log is set to 10. If you determine RCAS logs should be kept for a longer period, follow the instructions in Changing or Setting the DAYS_SAVEFILES_KEPT Variable (on page 10).

Note: This procedure pertains only to the camEx process. The camEx process executes all incoming OCAI session encryption requests. The camEx process accepts an incoming session request, validates the keys, and requests ISK EMMs from the TED so that the session can be encrypted.

Log levels can be modified at any time. Follow these instructions to set the logging level.

1 Log on to the RCAS as the administrator.

2 Type the following command and press Enter: su - rcas

3 Go to the /dvs/rcas/bin directory.

4 Type logLvl camEx and press Enter to see current levels. The RCAS provides a response, similar to the following example: camEx +EM +AL +CR +ER +WA -NO -IN -DE -PE -PI -ZIP

5 Choose one of the following options:

- To set levels for a full debug output, type logLvl camEx.cam +DE +NO +IN and press Enter.

NO = Notices, this shows the session setup with a MAC address and a timestamp.

PI = Picky, this is the ultra verbose setting.

IN = Indication

DE = Debug, this shows most of the data required for diagnostics.

ZIP = All logs are saved in /dvs/rcas/tmp/savelogs

Important: Cisco recommends that logLvl +ZIP be enabled only when attempting to capture logs for processes that are exhibiting a problem. After sufficient logs have been captured, disable this option with the command logLvl -ZIP.

- To view the session setup with time stamps only, use the +NO setting.

Changing or Setting the DAYS_SAVEFILES_KEPT Variable

Follow these instructions to change the number of days that files are kept.

1 Open an xterm window on the RCAS.

2 Use a text editor to open the /dvs/rcas/etc/manage_rcasLog file.

3 Locate the DAYS_SAVEFILES_KEPT=10 variable and change the value to the desired number of days to keep the files.

4 Save your changes and exit the file.

RCAS Performance Monitoring

By placing a file named camEx.time in the following directory, you can track the number of session requests and failures that occur.

/dvs/rcas/tmp/PerformanceMonitoring

After adding the camEx.time file to this directory, open the file, enter a number greater than 15, and save your change. The number you enter represents the interval (in seconds) at which RCAS session request data is captured.

The camEx.time file will use the following format:

date time, # of session requests processed, # of session requests that failed, # of session requests with a validation failure, and # of TED request failures

The following example shows entries in the /dvs/rcas/tmp/PerformanceMonitoring directory when 60 has been entered in the camEx.time file:

10-18-2010 13:55:22,46,0,0,0

10-18-2010 13:56:22,60,0,0,0

10-18-2010 13:57:22,13,0,0,0
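
A reader for the performance monitoring records described above, as an added example that is not part of the original guide: it parses each interval and flags TED request failures, validation failures and a high failure ratio. The last two sample rows, the function names and the 5% threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the first three rows are the page's example; the last
# two are invented here to show what failures look like.
SAMPLE = """\
10-18-2010 13:55:22,46,0,0,0
10-18-2010 13:56:22,60,0,0,0
10-18-2010 13:57:22,13,0,0,0
10-18-2010 13:58:22,40,12,12,0
10-18-2010 13:59:22,25,25,0,25
"""

@dataclass
class Interval:
    when: datetime
    requests: int             # session requests processed
    failed: int               # session requests that failed
    validation_failures: int  # requests with a validation failure
    ted_failures: int         # TED request failures

def parse_line(line):
    """Parse one record; raise ValueError if it does not match the format."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    when = datetime.strptime(fields[0], "%m-%d-%Y %H:%M:%S")
    counts = [int(f) for f in fields[1:]]
    if min(counts) < 0:
        raise ValueError(f"negative counter in {line!r}")
    return Interval(when, *counts)

def review(text, max_fail_ratio=0.05):
    """Return (timestamp, reason) pairs for intervals that need attention.

    max_fail_ratio is a hypothetical threshold, not a vendor value.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stamp = rec.when.isoformat(sep=" ")
        if rec.ted_failures:
            findings.append((stamp, f"{rec.ted_failures} TED request failures"))
        if rec.validation_failures:
            findings.append((stamp, f"{rec.validation_failures} validation failures"))
        if rec.requests and rec.failed / rec.requests > max_fail_ratio:
            findings.append((stamp, f"failure ratio {rec.failed / rec.requests:.0%}"))
    return findings

if __name__ == "__main__":
    for stamp, reason in review(SAMPLE):
        print(stamp, reason)
```

Intervals flagged for validation failures are worth comparing against the per-request checks listed in the overview (set-top eligibility, VASP origin, key validation), and TED failures against the private RCAS-to-TED connection.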

For Information

If You Have Questions

If you have technical questions, call Cisco Services for assistance. Follow the menu options to speak with a service engineer.

Cisco Systems, Inc. 5030 Sugarloaf Parkway, Box 465447 Lawrenceville, GA 30042

678 277-1120 800 722-2009

www.cisco.com

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1009R) Product and service availability are subject to change without notice.

© 2011 Cisco and/or its affiliates. All rights reserved. Printed in USA August 2011 Part Number 4039129 Rev A