Configure protected RTMP for the VOD application.
Last updated on
Apr 27, 2021
Use protected RTMP (pRTMP) to encrypt and deliver on-demand content to Flash Player and AIR.
Note:
Protected RTMP isn’t a protocol. It delivers encrypted content over the RTMP protocol.
System requirements
Protected RTMP is supported in origin-only configurations. Unlike RTMPE, pRTMP does not work in an edge-origin configuration.
Applications that share media files must use the same protected RTMP configuration settings for the shared files.
Flash Player 11.0 and AIR 3.0 are required to play protected RTMP content. Protected RTMP supports all the on-demand file formats and codecs that RTMP supports except F4M, RAW, and F4F.
Note:
In Adobe Media Server 5, protected RTMP is supported for VOD streaming, it is not supported for live streaming.
About protected RTMP
Adobe Media Server encrypts on-demand media files and embeds a Adobe Access 3.0 license in the DRM metadata of the content. Flash Player and AIR clients communicate with Adobe Media Server to play the media. Protected RTMP does not require a license server; the license is embedded in the content metadata and a client receives it along with the media.
Protected RTMP is more secure than RTMPE because it uses Adobe Access 3.0 DRM content protection. Protected RTMP encrypts the content whereas RTMPE protects the communication channel.
Because the content is encrypted, unauthorized replay is impossible. Protected RTMP content can be decrypted only by Flash Player and AIR clients that have the Protected Streaming private key.
There is no way to use an RTMPE connection between servers and decrypt the content on Adobe Media Server. Different applications that access common media files must have consistent setup with respect to Protected RTMP. That is, you should not access the same media file over both protected and unprotected RTMP.
Separate applications that include common media files must have consistent settings with respect to Protected RTMP. When AMS receives requests for media file playback (VOD) it applies the application-specified protection to the media and then caches it in memory. Each time the server receives a new request for an already cached media file it compares the protection settings of the cached media with the settings of the application in the new request. If those settings are inconsistent AMS replaces the cached media with content processed according to the settings of the application of the current request and then sends the media to the client. AMS generates an error log entry every time it identifies inconsistency between cached media settings and requested media settings.
Protected RTMP simplifies deployment and increases security because:
Adobe Media Server is the only server required.
No license server is required.
No domain server is required.
All media can be packaged with the same common key.
Content is encrypted with Adobe Access 3.0 DRM protection.
Protected RTMP uses 128-bit AES encryption. RTMPE uses 128-bit RC4.
Configure protected RTMP at the vhost, application, or application instance level. Use the Application.xml file, Server-Side ActionScript, and the Authorization Plug-in to configure protected RTMP.
Note:
The DRM used for Protected RTMP is the same DRM used for Protected HTTP streaming..
Quick start: Use protected RTMP to play on-demand media
To complete this tutorial, install the following software:
For information about installing the server, see Installing the server.
This tutorial requires Flash Player 11.
Configure protected RTMP on Adobe Media Server
-
-
Open amsrootinstall/applications/vod/Application.xml in a text editor.
-
Add the <ProtectedRTMP enabled="true"></ProtectedRTMP> element. The Application.xml file looks like this:
<Application> <ProtectedRTMP enabled="true"></ProtectedRTMP> ... </Application> -
Save and close the file.
-
If the VOD application is running, close it to reload the Application.xml file. If the Adobe Media Server Start Screen is open, the VOD application is running. Closing the Start Screen closes the VOD application (unless another client is also connected to the VOD application).
Play on-demand media
-
Double-click the Adobe Media Server Sample Video Player to open it in a browser: amsrootinstall/samples/videoPlayer/videoplayer.html.
-
Click any link in the /applications/vod/media list. Every file that the VOD application streams uses protected RTMP.
Configure protected RTMP
You can configure protected RTMP in the following locations:
Application.xml file:
Configure the Application.xml file in an application folder to configure pRTMP for a single application.
Configure the Application.xml file in a vhost folder to configure pRTMP for all applications in a virtual host.
Server-Side ActionScript:
Set properties on the application object.
Authorization plug-in:
Set fields in the in the E_APPSTART event of the Authorization plug-in.
Use the Application.xml file to configure protected RTMP
To configure protected RTMP, add a <ProtectedRTMP> section to the Application.xml file at the application level or at the vhost level and set the enabled attribute to "true". The other pRTMP parameters have default values. You can use the default values or set the parameters to new values. The following is a sample <ProtectedRTMP> section:
<Application>
<ProtectedRTMP enabled="true">
<CommonKeyFile>creds/common-key.bin</CommonKeyFile>
<UpdateInterval>60</UpdateInterval>
<SWFVerification enabled="true">
<WhiteListFolder>whitelists</WhiteListFolder>
</SWFVerification>
</ProtectedRTMP>
</Application>
Use the following parameters in an Application.xml file to configure protected RTMP:
|
Parameter |
Description |
Default |
|
CommonKeyFile |
A relative path to a file containing a base key. The path is relative to the folder that contains the Application.xml file. The server generates the base key file during installation. The server uses the base key (along with the content ID) to generate the final content encryption key. The key data is scrambled and Base64 encoded using the scramble tool. The server generates the content ID automatically. |
rootinstall/creds/common-key.bin |
|
UpdateInterval |
Optional configuration that specifies how often (in minutes) the server updates the DRM metadata. |
60 |
|
SWFVerification |
Container for SWFVerification. To enable SWF verification, set the enabled attribute to “true”. |
“false” |
|
WhiteListFolder |
The folder that contains the SWF whitelist for SWF verification. The folder can contain more than one whitelist file. Relative paths are relative to the application folder. |
The folder containing the application folder. |
Use the Authorization plug-in to configure protected RTMP
To configure protected RTMP at the plug-in level, write code in the E_APPSTART event to set the F_APP_PRTMP field to true. The other pRTMP fields have default values. You can use the default values or set the fields to new values. Protected RTMP settings in the Application.xml file are overridden in the Authorization plug-in.
The E_APPSTART event is an application-level event that supports reading all application-level fields, including the following:
|
Field |
Description |
Read/Write |
|
F_APP_URI |
The URI of the application to which the client connected. The value does not include the server name or port information. |
Read-only |
|
F_APP_NAME |
The application name. |
Read-only |
|
F_APP_NAME |
The application instance name. |
Read-only |
The E_APPSTART event supports the following new fields for protected RTMP:
|
Field |
Description |
Read/Write |
|
F_APP_PRTMP |
A Boolean value indicating whether RTMP streaming is protected. |
Read/Write |
|
F_APP_PRTMP_COMMON_KEY_FILE |
A string to specify the path to the common key file. The path can be absolute or relative. Relative paths are relative to the location of the application folder. |
Read/Write |
|
F_APP_PRTMP_UPDATE_INTERVAL |
A number to specify how often (in minutes) the DRM metadata will be updated. |
Read/Write |
|
F_APP_PRTMP_SWF_VERIFICATION |
A Boolean value indicating whether SWF Verification is enabled. |
Read/Write |
|
F_APP_PRTMP_SWF_WHITELIST_FOLDER |
A string to specify the path to the whitelist folder for SWF verification. The path can be absolute or relative. Relative paths are relative to the location of the application folder. |
Read/Write |
|
F_APP_PRTMP_SWF_WHITELIST |
A string containing one or more SWF digests, separated by '\n'. SWF digests are sha256 hashes of the SWF, base64 encoded. You generate a whitelist using the whitelist tool that ships with AMS. This string can also contain the comments and empty lines that are in the whitelist generated by the tool, which are ignored. |
Read/Write |
|
F_APP_PRTMP_AIR_WHITELIST |
A string containing one or more AIR identifiers, separated by '\n'. AIR identifiers are derived from the signature.xml file that is used to sign an AIR app. You generate a whitelist using the whitelist tool that ships with AMS. This string can also contain the comments and empty lines that are in the whitelist generated by the tool, which are ignored. |
Read/Write |
The E_PRTMP_WHITELIST event is an application-level event that AMS calls every n minutes (according to the update interval), enabling you to update the SWF/AIR whitelists through the F_APP_PRTMP_SWF_WHITELIST and F_APP_PRTMP_AIR_WHITELIST fields.
Use Server-side ActionScript to configure protected RTMP
Use the following Server-side ActionScript properties to configure protected RTMP:
|
Property |
Data type |
|
application.prtmpEnabled |
Boolean |
|
application.prtmpCommonKeyFile |
String |
|
application.prtmpUpdateInterval |
Int |
|
application.prtmpSWFVEnabled |
Boolean |
|
application.prtmpSwfWhitelistFolder |
String |
Note:
The prtmpCommonKeyFile and prtmpSwfWhitelistFolder properties specify a path to a file or folder. The server resolves relative paths to an application directory.
These properties are filled in by values retrieved from configuration files during the application.onAppStart() event. You can also set values in this event, as follows:
application.onAppStart = function()
{
trace ("----------prtmp on start----------");
trac e("prtmp " + application.prtmpEnabled);
trace("prtmpCommonKeyFile " + application.prtmpCommonKeyFile);
trace("prtmpUpdateInterval " + application.prtmpUpdateInterval);
trace("prtmpSwfVerification " + application.prtmpSWFVEnabled);
trace("prtmpSwfWhitelist " + application.prtmpSwfWhitelistFolder);
trace ("------------prtmp on start------- -");
application.prtmpEnabled = false;
application.prtmpCommonKeyFile = "TEST ";
application.prtmpUpdateInterval = 12000 ;
application.prtmpSWFVEnabled = true;
application.prtmpSwfWhitelistFolder = "";
}
Trace the new values in the application.onConnect() event:
{
trace("----------prtmp on connect----------");
trace("prtmp " + application.prtmpEnabled);
trace("prtmpCommonKeyFile " + application.prtmpCommonKeyFile);
trace("prtmpUpdateInterval " + application.prtmpUpdateInterval);
trace("prtmpSwfVerification " + application.prtmpSWFVEnabled);
trace("prtmpSwfWhitelist " + application.prtmpSwfWhitelistFolder);
trace("------------prtmp on connect--------");
}
The previous code prints an application.log file similar to the following:
#Version: 1.0 #Start-Date: 2011-10-19 12:20:41 #Software: Adobe Media Server 5 d430 x64 #Date: 2011-10-19 #Fields: date time x-pid x-status x-ctx x-comment 2011-10-19 12:20:41 7832 (s)2641173 ----------prtmp on start---------- - 2011-10-19 12:20:41 7832 (s)2641173 prtmp true - 2011-10-19 12:20:41 7832 (s)2641173 prtmpCommonKeyFile c:\Program Files\Adobe\Adobe Media Server 5\conf\_defaultRoot_\_defaultVHost_\streamtest\creds\common-key.bin - 2011-10-19 12:20:41 7832 (s)2641173 prtmpUpdateInterval 3600000 - 2011-10-19 12:20:41 7832 (s)2641173 prtmpSwfVerification false - 2011-10-19 12:20:41 7832 (s)2641173 prtmpSwfWhitelist c:\Program Files\Adobe\Adobe Media Server 5\conf\_defaultRoot_\_defaultVHost_\streamtest - 2011-10-19 12:20:41 7832 (s)2641173 ------------prtmp on start-------- - 2011-10-19 12:20:41 7832 (s)2641173 ----------prtmp on connect---------- - 2011-10-19 12:20:41 7832 (s)2641173 prtmp false - 2011-10-19 12:20:42 7832 (s)2641173 prtmpCommonKeyFile c: \Program Files\Adobe\Adobe Media Server 5\conf\_defaultRoot_\_defaultVHost_\streamtest\TEST - 2011-10-19 12:20:42 7832 (s)2641173 prtmpUpdateInterval 12000 - 2011-10-19 12:20:42 7832 (s)2641173 prtmpSwfVerification true - 2011-10-19 12:20:42 7832 (s)2641173 prtmpSwfWhitelist c:\Program Files\Adobe\Adobe Media Server 5\WhiteListFolder - 2011-10-19 12:20:42 7832 (s)2641173 ------------prtmp on connect-------- -
Tune server performance
The pRTMP operations that use the most CPU power are generating the DRM metadata and generating a license. Adobe Media Server generates DRM metadata the first time a client requests a media file. The server caches the metadata and reuses it for subsequent request for the same media file.
The media license in the DRM metadata imposes a 24-hour time limit on media playback from the point at which the license was generated. Therefore, the server refreshes the license periodically and generates new DRM metadata with a new time-stamp. Configure the <UpdateInterval> parameter to control how often the server generates DRM metadata. The default value is 60 minutes. To use less CPU power, generate the license less frequently.
Certificates and policy files
All certificates and the policy file for protected RTMP are installed to the Adobe Media Server rootinstall/creds folder.
Add Protected Streaming certificates
Adobe Media Server uses Protected Streaming certificates (.cer files) for protected RTMP. The server installs with three Protected Streaming certificates. It uses different certificates for desktop, mobile, and set-top.
In the event of a security breach, Adobe will release a security alert telling you to download new Protected Streaming certificates.
To add a Protected Streaming certificate, copy it to the rootinstall/creds/sd folder.
Understand static security files
The following files are installed with Adobe Media Server to the rootinstall/creds/static folder. Do not replace or modify these files.
Policy file
Adobe Media Server installs with the policy file rootinstall/creds/static/creds_24hr_policy.pol. The policy is set as:
anonymous; not use license chaining; 24 hours limited license caching; and Protected Streaming is permitted.
This policy file lets clients start playing content within 24 hours from when the server generated the DRM metadata. Users can continue watching the content until the end, even if that time is beyond the 24 hour window. The 24 hour window starts when the server generates the DRM metadata and stores it in a cache. The <UpdateInterval> parameter in the Application.xml file determines the frequency at which the server generates DRM metadata. The default value is 60 minutes.
License server certificate
An Adobe-issued DER-encoded license server certificate. The license server certificate specifies the private key used to sign the license.
Transport certificate
An Adobe-issued DER-encoded X.509 transport certificate file. The transport certificate file is used when the client communicates with a server (for example, an authentication server). This feature is not supported in Adobe Media Server 5 but the certificate is still required.
Packager credential
An Adobe-issued packager server credential (a certificate and its associated key) PFX file. The server uses this file to apply a signature to the metadata while encrypting content files.
Certificate expiry
A month before a DRM certificate expires, the server generates a relevant message in the Apache error logs and on the console. The message is generated only when content is requested by a client and the frequency of this message is only once per hour.
