This document details the steps required to become a Readium LCP license provider, i.e. install an LCP license server as part of an EPUB distribution service.
Step 1 : Choose an LCP license server
An organisation may choose to develop its own LCP license server, from the public specifications found on the Readium Foundation website under the name “Licensed Content Protection” (LCP) and “License Status Document “ (LSD).
To ease deployments of LCP solutions, EDRLab has developed an open-source license server, using the Golang language. The software is multi-platform; it has been successfully tested on MacOS, Linux and Windows.
You’Il find it on https://github.com/readium/readium-lcp-server, distributed with a BSD-3 license. A major evolution will be released during the summer 2018, with the user of an ORM for handling more database solutions and a better administrative GUI. The currently supported databases are SQLite, MySQL and SQLServer.
In the next section, we’ll detail the use of this open-source solution. Alternative commercial solutions, with a professional support, have also been developed by EDRLab partners (members of our association); the are listed in the annex of this document.
Organisations having developed their own server solution will jump to step 5.
Step 2 : install the license server in “test” mode
Please study the project Wiki as a first step, on https://github.com/readium/readium-lcp-server/wiki.
This software suite is made of one utility and three server deamons :
- The content encryption utility can a integrated in any distribution workflow. It takes a few parameters and outputs an EPUB file with encrypted content, plus the corresponding encryption key. Optionally, it can send a notification to the license server. The encrypted content can be put online securely on the Web, if the encryption key is correctly protected.
- The license server (aka LCP server) is positioned in the local network of the company, and should not be directly accessible from the Web. Its role is to generate licenses on demand. It keeps no information about license users, but it stores the content encryption keys: that is why its database must be properly protected.
- The status document server (aka LSD server) is positioned in the DMZ and visible to the Web: client applications will exchange messages with him. This server must be able to communicate with the LCP server via a REST API.
- The “frontend” server mimics a library or bookseller platform and provides some administrative functionalities. It is not intended to be used in production, but to test the LCP and LSD servers. It can serve as a base for the development of an internal administration tool.
It is possible to deploy these servers on different machines, possibly via Docker containers (EDRLab has prepared such a deployment, but needs to update it). For testing, it is also possible to install all servers on the same machine.
By default, the downloaded LCP server runs in “test” mode: the LCP specification defines it as a “basic” profile. The server will be switched to “production” mode later, after confidential information has been set.
Step 3 : integrate the license server into the distribution platform
The Readium LCP server project wiki contains a description of the REST API of the different servers and the overall architecture of a complete solution.
When a user is acquiring a publication, the provider’s platform must generate a license request and pass the necessary information to the LCP server, retrieve the license, and return it to the calling system. Encrypted content may be fetched directly from the provider’s storage or throught a reverse-proxy server depending the architecture of the provider’s platform. Events related to the evolution of the license (register, renew, return) will be directly handled by the LSD server.
Step 4 : test the integration
Readium open-source reader software support the Readium LCP DRM in “test” mode. It is possible to compile them from the Readium Github and use them to test a newly installed license server.
R2 Reader software for iOS and Android and Readium Desktop also support this type of license, which makes testing even easier. Just load them from:
Readium Desktop : the Readium Github / Readium Desktop offers pre-compiled releases [here].
EDRLab is responsible for managing the “Readium LCP network”, i.e. all the interoperable nodes of this distributed solution. EDRLab therefore manages the certificates of the LCP PKI, and must check all reading applications and license servers of this network for compliance with the specifications.
Signing the LCP ToUs also requires license providers to allow EDRLab to verify each year the conformity of their solution, and to pay each year to EDRLab a certain amount for this task.
Step 6 : move the license server to “production” mode
Once the ToUs are signed, EDRLab securely delivers to the license provider:
- an X509 certificate that identifies the provider, to be integrated in the LCP server;
- the corresponding private key, to be integrated in the LCP server;
- a small software library to integrate into the LCP server code;
- a script that makes it easy to patch the LCP server code.
This information is confidential and must be protected by the license provider.
Step 7 : test the “production” integration
R2 Reader software for iOS and Android, Readium Desktop, Lisa reader, Baobab reader, all support “production” grade LCP licenses. Simply load them from their respective stores to test the final integration.
Step 8 : ask EDRLab to certify the solution
Once the system has been properly tested by the integrator, the license provider will have to provide EDRLab with somelicense samples:
3 licences of type “buy” (no start/end date)
- b1 = ready state, any print or copy constraints
- b2 = cancelled state
- b3 = revoked state.
2 licences of type “loan” (with start/end dates)
- l1 = ready state, loan duration between one week and one month
- l2 = expired state.
If the platform provides EPUB files embedding their LCP license:
- e1 = protected EPUB file with a “buy” license.
The supplier must provide the passphrase associated with each license.
Once all tests have passed positively, EDRLab will return a test report and an “LCP Certified” logo to the supplier which can be displayed on a website for example.
One of the main advantages of Readium LCP is that its users avoid any vendor lock-in. But what is vendor lock-in?