Use Adobe Media Server 5 to serve protected content over HTTP to devices that support Apple HTTP Live Streaming.
The Adobe Media Server installer generates the required certificates and keys to the rootinstall/creds directory. To generate new keys, use the scramble tool. See Scramble tool.
The content can be protected using three modes:
Vanilla
PHLS
Adobe Access 4.0
To enable a specific encryption scheme, use the HLSProtectionScheme directive.
PHLS mode is a non-DRM solution. You do not need to set up a license or key server. The key is always served in a local mode.
Adobe Access mode offers a complete DRM solution. It supports all the Adobe Access 3.0 features, along with remote key serving for HLS. Local key serving mode also works with Adobe Access 2.0 or higher license servers. The remote key serving mode works only with an Adobe Access 4.0 compliant server.
Adobe Access SDK is a Digital Rights Management (DRM) platform that makes it possible to protect and securely deliver video and audio content for playback on consumer devices such as personal computers. Adobe Access is a flexible platform that enables content owners to protect their content and maintain control over distribution. Content owners can protect and manage their rights by creating licenses for each digital media file, ensuring that a wide variety of the highest-quality content is made available to consumers.
Adobe Access supports a wide range of business models, including video on demand, rental, and electronic sell-through. You can distribute content protected with Adobe Access by streaming through Adobe Media Server software, offering progressive download via HTTP using Adobe's HTTP Dynamic Streaming technology, or permitting downloads to a content library for local playback at the consumer's convenience.
To enable DRM support for HTTP Live Streaming, use Adobe Access iOS library. The policy files generated for Adobe Access 2.0 and Adobe Access 3.0 will also work in local key serving mode.
AMS supports different content encryption keys for content at the different levels (server, application, stream, and event). The keys are generated according to the location of the content and the location of the Common Key.
You can periodically change the encryption key and specify how often the content encryption key is to be changed.
The HLS module of AMS supports serving BER-encoded DRM metadata out-of-band. The request URL format is the same as for a playlist, except that the URL ends in .drmmeta instead of .m3u8. The metadata embedded in the m3u8 file is base64-encoded, but the metadata served out-of-band in the .drmmeta file is binary data.
Adobe Media Server supports whitelist-based player binding when the protection scheme is PHLS. This is similar to the HTTP SWF Verification.
Adobe Media Server will support embedding leaf licenses in the DRM metadata from the policy generated using a chained license. Adobe Media Server will need the license server credential and the credential password configured so that the root license from the policy can be used to encrypt the CEK contained in the embedded leaf license.
- Navigate to the /Apache 2.4/conf/ directory. Edit the httpd.conf file and add the following tags under <Location hls-live>:
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HLSMediaFileDuration 8000
HLSSlidingWindowLength 6
HLSFmsDirPath ".."
HttpStreamingUnavailableResponseCode 503
HLSEncryptionScope server
HLSProtectionScheme PHLS
</Location>
Note:
This configuration enables PHLS at the server level.
You can configure HLS at the server level to apply content protection across all deployed applications.
Directive | Default | Description |
---|---|---|
HLSEncryptionScope | Off | Defines the encryption scope. The following are possible values: server —Apache encryption settings are applied to all content. The server ignores content-specific encryption configurations in Event.xml and Application.xml (live) and jit.conf (on-demand). content —Apache encryption settings are ignored. The server uses encryption settings from Event.xml or Application.xml (live) or from jit.conf (on-demand). Off —Encryption is off for the whole server. |
HLSEncryptCipherKeyFile | None | The path of the default cipher key used to encrypt the content. |
HLSEncryptKeyURI | None | The URI that the client uses to fetch the encryption key. |
-
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope server
HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"
- Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the HLSEncryptKeyURI directive.
- To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.
Parameter | Required With | Default | Description |
---|---|---|---|
HLSProtectionScheme | Adobe Access 4.0, PHLS | Vanilla | Determines the protection scheme used for content. Protection scheme can be Vanilla, AdobeAccessV4 or PHLS. HLSProtectionScheme is effective if encryption is enabled. Use HLSEncryptionScope parameter to determine the status of encryption. |
HLSEmbedMetadata | Adobe Access 4.0, PHLS | true for VOD and false for live | (Optional) Enables embedding of metadata in the playlist. The possible values are "true" or "false". Note that false will only work when HLSMetaPackagingEnabled is set to true. |
HLSMetaPackagingEnabled | Adobe Access 4.0, PHLS | true | (Optional) Enables just in time packaging of metadata for this location. The possible values are "true" or "false". This configuration is not valid for the Vanilla protection scheme. |
HLSMetaMaxAge | Adobe Access 4.0, PHLS | 60*60 secs (1 hour) | (Optional) Specifies the max-age to set in the Cache-Control header for M3U8 responses. Specified in secs. -1 means no Cache-Control header is set. If not specified, the default value will be assumed. This configuration is used only when the HLSMetaPackagingEnabled value is set to true. |
PHLSCommonKeyFile | (Optional) PHLS | For PHLS ../creds/commonKey.bin | Contains the name of the Common key file in ../creds/common-key.bin. |
HLSDrmContentID/ PHLSContentID | (Optional) PHLS | eventId | Content ID for mapping the license. |
HLSDrmLicenseServerURL | Adobe Access 4.0 | None | URL of License server used for protecting content |
HLSDrmTransportCertFile | Adobe Access 4.0 | None | Transport certificate file used for protecting content |
HLSDrmLicenseServerCertFile | Adobe Access 4.0 | None | File containing license server certificate used for protecting content |
HLSDrmPackagerCredentialFile | Adobe Access 4.0 | None | File containing Packager credential used for protecting content |
HLSDrmPackagerCredentialPassword | Adobe Access 4.0 | None | Packager credential password for the configured packager credential file |
HLSDrmPolicyFile | Adobe Access 4.0 | None | Path and Name of the Policy File to be used for protecting content |
HLSDrmKeyServerURL | Adobe Access 4.0 | None | Key server URL for embedding in the served playlist. |
PHLSOutputProtection | (Optional) PHLS | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
PHLSPlaybackExpiration | (Optional) PHLS | 24Hours | The duration of the time for which the content is available for playback. Possible values are 24Hours and Unlimited. |
Edit the httpd.conf file and add the following tags under <Location hls-live>:
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HLSMediaFileDuration 10000
HLSSlidingWindowLength 6
HLSFmsDirPath ".."
HttpStreamingUnavailableResponseCode 503
HLSEncryptionScope server
HLSProtectionScheme PHLS
PHLSContentID httpd_conf
PHLSCommonKeyFile "../creds/liveeventkey.bin"
PHLSOutputProtection None
PHLSPlaybackExpiration Unlimited
</Location>
For details on the configuration elements, see the table mentioned above.
Edit the httpd.conf file and add the following tags under <Location hls-live>:
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HLSMediaFileDuration 10000
HLSSlidingWindowLength 6
HLSFmsDirPath ".."
HttpStreamingUnavailableResponseCode 503
HLSEncryptionScope server
HLSProtectionScheme AdobeAccessV4
HLSDrmContentID httpd_conf
HLSDrmCommonKeyFile "<path to common key file>"
HLSDrmLicenseServerURL "<url of license server>"
HLSDrmTransportCertFile "<path to transport certificate file>"
HLSDrmLicenseServerCertFile "<path to license server certificate file>"
HLSDrmPackagerCredentialFile "<path to packager credential file>"
HLSDrmPackagerCredentialPassword ??????
HLSDrmPolicyFile "<path to policy file>"
HLSDrmKeyServerURL "<key server url>"
</Location>
For details on the configuration elements, see the table mentioned above.
Note: For local key delivery, it is recommended that HLSDrmKeyServerURL be set to the dummy URL http://faxs.adobe.com.
For information on publishing and playback, see Vanilla.
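The server-level directives described above can be checked mechanically before a deployment. The following Python audit is an added example, not part of the Adobe documentation: it parses <Location> blocks from httpd.conf text and reports settings that leave content unprotected or incomplete. The sample configuration, host names and finding texts are constructed for illustration, and both spellings of the cipher key directive that appear on this page are accepted.

```python
import re

# Directives the parameter table lists as required with Adobe Access 4.0.
ACCESS_V4_REQUIRED = (
    "HLSDrmLicenseServerURL", "HLSDrmTransportCertFile",
    "HLSDrmLicenseServerCertFile", "HLSDrmPackagerCredentialFile",
    "HLSDrmPackagerCredentialPassword", "HLSDrmPolicyFile",
    "HLSDrmKeyServerURL",
)
# The page spells the cipher key directive both ways; accept either.
CIPHER_KEY_NAMES = ("HLSEncryptCipherKeyFile", "HLSEncryptionCipherKeyFile")
LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)


def parse_locations(conf_text):
    """Return {location_path: {directive: value}} for each <Location> block."""
    locations = {}
    for path, body in LOCATION_RE.findall(conf_text):
        directives = {}
        for raw in body.splitlines():
            parts = raw.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue  # blank line or commented-out directive
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            directives[parts[0]] = value
        locations[path.strip()] = directives
    return locations


def audit_location(d):
    """Return a list of findings for one Location's directives."""
    scope = d.get("HLSEncryptionScope", "Off").lower()   # default is Off
    scheme = d.get("HLSProtectionScheme", "Vanilla")     # default is Vanilla
    if scope == "off":
        if "HLSProtectionScheme" in d:
            return ["HLSProtectionScheme %s has no effect: "
                    "HLSEncryptionScope is Off" % scheme]
        return ["encryption is off"]
    if scope == "content":
        return ["Apache encryption settings are ignored; "
                "audit Event.xml, Application.xml or jit.conf instead"]
    findings = []
    if scheme == "Vanilla":
        if not any(name in d for name in CIPHER_KEY_NAMES):
            findings.append("no cipher key file configured")
        uri = d.get("HLSEncryptKeyURI")
        if uri is None:
            findings.append("HLSEncryptKeyURI missing")
        elif not uri.lower().startswith("https://"):
            findings.append("key URI is not https: " + uri)
    elif scheme == "AdobeAccessV4":
        for name in ACCESS_V4_REQUIRED:
            if not d.get(name):
                findings.append("missing " + name)
        if d.get("HLSDrmPackagerCredentialPassword"):
            findings.append("packager credential password is stored in "
                            "this file; restrict read access to it")
    elif scheme == "PHLS":
        if d.get("PHLSPlaybackExpiration") == "Unlimited":
            findings.append("PHLSPlaybackExpiration Unlimited overrides "
                            "the 24Hours default")
    else:
        findings.append("unknown HLSProtectionScheme " + scheme)
    return findings


def audit(conf_text):
    """Audit every Location block in the given httpd.conf text."""
    return {path: audit_location(d)
            for path, d in parse_locations(conf_text).items()}


# Constructed sample input (not a real deployment).
SAMPLE_CONF = """
<Location /hls-live>
HLSHttpStreamingEnabled true
HLSEncryptionScope server
HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
HLSEncryptKeyURI "http://media.example.test/hls-key/liveeventkey.bin"
</Location>
<Location /hls-vod>
HLSHttpStreamingEnabled true
HLSEncryptionScope server
HLSProtectionScheme AdobeAccessV4
HLSDrmLicenseServerURL "https://license.example.test"
HLSDrmTransportCertFile "../creds/transport.der"
HLSDrmLicenseServerCertFile "../creds/server.der"
HLSDrmPackagerCredentialFile "../creds/packager.pfx"
HLSDrmPackagerCredentialPassword placeholder-password
HLSDrmKeyServerURL "http://faxs.adobe.com"
</Location>
<Location /hls-open>
HLSHttpStreamingEnabled true
HLSProtectionScheme PHLS
</Location>
"""

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONF).items():
        for finding in findings:
            print(path + ": " + finding)
```
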
You can also configure HLS at an application or event level.
Both the Application.xml file and the Event.xml file have an HLS container that holds the live vanilla encryption configuration settings. In Application.xml, the container is located under //Application/HDS/HLS. In Event.xml, the container is located under //Event/HLS.
Element | Default | Description |
---|---|---|
/HLS | None | Container for content protection settings. |
/HLS/Encryption | None | Set the enabled attribute to "allow" to allow vanilla encryption configurations in the Event.xml file to override settings in the Application.xml file. Set the enabled attribute to "true" to configure vanilla encryption in the Application.xml file. These configurations apply to all live events in the application. The default value of the enabled attribute in the Application.xml file is "allow". The default value in the Event.xml file is "false". |
/HLS/Encryption/KeyFile | None | The path of the default cipher key used to encrypt the content. |
/HLS/Encryption/KeyURI | None | The URI that the client uses to fetch the encryption key. |
Configure live vanilla encryption at the application level
Open the rootinstall/Apache2.4/conf/httpd.conf file and locate the hlshttp_module:
<IfModule hlshttp_module>
...
<Location /hls-live>
...
Uncomment the HLSEncryptionScope directive and set it to content:
#Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope content
#HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
#HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"
Substitute the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.
Edit the Application.xml file in the rootinstall/applications/livepkgr folder to include the following:
<Application>
<HDS>
<HLS>
<Encryption enabled="true">
<KeyFile>C:\Program Files\Adobe\Adobe Media Server 5\creds\liveeventkey.bin</KeyFile>
<KeyURI>http://<server-ip>/hls-key/liveeventkey.bin</KeyURI>
</Encryption>
</HLS>
</HDS>
</Application>
Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the KeyURI directive.
Open Flash Media Live Encoder and publish a stream with the following settings:
Format—H.264
Keyframe Frequency—4 seconds
AMS URL—rtmp://<server-name>/livepkgr
Stream—encryption?adbe-live-event=encryption
Request the following URL from an application developed using the SDK on an iOS device:
http://<servername>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8
To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.
Note: To create a live event, create a copy of the livepkgr directory located at rootinstall/applications/livepkgr/events/_definst_/liveevent. The name of the copied directory must be the same as the name of the event.
Edit the Application.xml file in the rootinstall/applications/livepkgr folder to include the following:
<Application>
<HDS>
<HLS>
<Encryption enabled="true" protection-scheme="PHLS" >
<PHLS>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<KeyServerURL>faxs://example.com</KeyServerURL>
<OutputProtection>None</OutputProtection>
<PlaybackExpiration>Unlimited</PlaybackExpiration>
</PHLS>
</Encryption >
</HLS>
</HDS>
</Application>
For more information about the elements, see the table in the server level configuration.
For information on publishing and playback, see Vanilla.
Edit the Application.xml file in the rootinstall/applications/livepkgr folder to include the following:
<Application>
<HDS>
<HLS>
<Encryption enabled="true" protection-scheme="AdobeAccessV4" >
<AdobeAccessV4>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<LicenseServerURL>license server url </LicenseServerURL>
<TransportCertPath>transport.der</TransportCertPath>
<LicenseServerCertPath>server.der</LicenseServerCertPath>
<PackagerCredentialPath>
production_packager.pfx
</PackagerCredentialPath>
<PackagerCredentialPwd>??????</PackagerCredentialPwd>
<PolicyPath>policy.pol</PolicyPath>
<KeyServerURL>http://faxs.adobe.com</KeyServerURL>
</AdobeAccessV4>
</Encryption >
</HLS>
</HDS>
</Application>
For more information about the elements, see the table in the server level configuration.
For information on publishing and playback, see Vanilla.
-
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope content
# HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
# HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"
- Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption folder to include the following:
<Event>
<HLS>
<Encryption enabled="true">
<KeyFile>C:\Program Files\Adobe\Adobe Media Server 5\creds\liveeventkey.bin</KeyFile>
<KeyURI>http://<server-ip>/hls-key/liveeventkey.bin</KeyURI>
</Encryption>
</HLS>
</Event>
- Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the KeyURI directive.
- To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption folder to include the following:
<Event>
<HLS>
<Encryption enabled="true" protection-scheme="PHLS" >
<PHLS>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<KeyServerURL>faxs://example.com</KeyServerURL>
<OutputProtection>None</OutputProtection>
<PlaybackExpiration>Unlimited</PlaybackExpiration>
</PHLS>
</Encryption >
</HLS>
</Event>
For more information about the elements, see the table in the server level configuration.
For more information on publishing and playback, see Vanilla.
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption folder to include the following:
<Event>
<HLS>
<Encryption enabled="true" protection-scheme="AdobeAccessV4" >
<AdobeAccessV4>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<LicenseServerURL>license server url </LicenseServerURL>
<TransportCertPath>transport.der</TransportCertPath>
<LicenseServerCertPath>server.der</LicenseServerCertPath>
<PackagerCredentialPath>
production_packager.pfx
</PackagerCredentialPath>
<PackagerCredentialPwd>??????</PackagerCredentialPwd>
<PolicyPath>policy.pol</PolicyPath>
<KeyServerURL>http://faxs.adobe.com</KeyServerURL>
</AdobeAccessV4>
</Encryption >
</HLS>
</Event>
For more information about the elements, see the table in the server level configuration.
For more information on publishing and playback, see Vanilla.
To generate unique content encryption keys (CEKs) for Adobe Access, the URL path (relative to the configured content path) up to the stream, but not including the stream name, is used as the Content ID. For example, Content ID for path http://example.com/hls-live/livepkgr/definst/liveevent/livestream.m3u8 would be livepkgr/definst/liveevent.
Configure PHLS for on-demand streaming at the following levels:
Server—rootinstall/Apache2.4/conf/httpd.conf
Stream—create a jit.conf file and copy it to the same directory as the content.
To configure PHLS with basic settings, perform the following steps:
Navigate to <root-install>/Apache 2.4/conf/. Edit the file httpd.conf and add the tags HLSEncryptionScope and HLSProtectionScheme under the <Location /hls-vod> directive:
<Location /hls-vod>
HLSHttpStreamingEnabled true
HLSMediaFileDuration 8000
HttpStreamingContentPath "../webroot/vod"
HLSFmsDirPath ".."
HLSJITConfAllowed true
HLSEncryptionScope server
HLSProtectionScheme PHLS
Options -Indexes FollowSymLinks
</Location>
Note: This configuration will enable PHLS at the server level with default configurations.
The sample1_1500kbps.f4v media file comes with the default installation of AMS under <root-install>/webroot. You can play the media file using the following URI: http://<server-ip>/hls-vod/sample1_1500kbps.f4v.m3u8
You can configure HLS at the server level to apply content protection at server level to all streams requested through the location directives.
Configure the following directives for the hlshttp_module in the Apache httpd.conf file:
Directive | Default | Description |
---|---|---|
HLSEncryptionScope | Off | Defines the encryption scope. The following are possible values: server —Apache encryption settings are applied to all content. The server ignores content-specific encryption configurations in Event.xml and Application.xml (live) and jit.conf (on-demand). content —Apache encryption settings are ignored. The server uses encryption settings from Event.xml or Application.xml (live) or from jit.conf (on-demand). Off —Encryption is off for the whole server. |
HLSEncryptCipherKeyFile | None | The path of the default cipher key used to encrypt the content. |
HLSEncryptKeyURI | None | The URI that the client uses to fetch the encryption key. See Serve encryption keys to the client. |
To configure vanilla content protection at the server level, set HLSEncryptionScope to server in the httpd.conf file. This configuration tells the server to use the settings in the httpd.conf file for all requests to this Location directive.
-
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope server
HLSEncryptionCipherKeyFile "../creds/vodkey.bin"
HLSEncryptKeyURI "https://<ServerName>/hls-key/vodkey.bin"
- Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the HLSEncryptKeyURI directive.
- To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.
Parameter | Required With | Default | Description |
---|---|---|---|
HLSProtectionScheme | Adobe Access 4.0, PHLS | Vanilla | Determines the protection scheme used for content. Protection scheme can be Vanilla, AdobeAccessV4 or PHLS. HLSProtectionScheme is effective if encryption is enabled. Use HLSEncryptionScope parameter to determine the status of encryption. |
HLSDrmCommonKeyFile | Adobe Access 4.0, (Optional) PHLS | For PHLS ../creds/commonKey.bin | Contains the name of the Common key file in ../creds/common-key.bin. |
HLSDrmContentID / PHLSContentID | (Optional) Adobe Access 4.0, (Optional) PHLS | eventId | Content ID for mapping the license. |
HLSDrmLicenseServerURL | Adobe Access 4.0 | None | URL of License server used for protecting content |
HLSDrmTransportCertFile | Adobe Access 4.0 | None | Transport certificate file used for protecting content |
HLSDrmLicenseServerCertFile | Adobe Access 4.0 | None | File containing license server certificate used for protecting content |
HLSDrmPackagerCredentialFile | Adobe Access 4.0 | None | File containing Packager credential used for protecting content |
HLSDrmPackagerCredentialPassword | Adobe Access 4.0 | None | Packager credential password for the configured packager credential file |
HLSDrmPolicyFile | Adobe Access 4.0 | None | Path and Name of the Policy File to be used for protecting content |
HLSDrmKeyServerURL | Adobe Access 4.0 | None | Key server URL for embedding in the served playlist. |
PHLSOutputProtection | (Optional) PHLS | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
PHLSPlaybackExpiration | (Optional) PHLS | 24 Hours | The duration of the time for which the content is available for playback. Possible values are 24Hours and Unlimited. |
Edit the file httpd.conf and update the <Location /hls-vod> directive as follows:
<Location /hls-vod>
HLSHttpStreamingEnabled true
HLSMediaFileDuration 8000
HttpStreamingContentPath "../webroot/vod"
HLSFmsDirPath ".."
HLSJITConfAllowed true
HLSEncryptionScope server
HLSProtectionScheme PHLS
PHLSContentID httpd_conf
PHLSCommonKeyFile "../creds/liveeventkey.bin"
PHLSOutputProtection None
PHLSPlaybackExpiration Unlimited
</Location>
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
For more information on the elements, see Vanilla.
Edit the file httpd.conf and update the <Location /hls-vod> directive as follows:
<Location /hls-vod>
HLSHttpStreamingEnabled true
HLSMediaFileDuration 8000
HttpStreamingContentPath "../webroot/vod"
HLSFmsDirPath ".."
HLSJITConfAllowed true
HLSEncryptionScope server
HLSProtectionScheme AdobeAccessV4
HLSDrmContentID httpd_conf
HLSDrmCommonKeyFile "<path to common key file>"
HLSDrmLicenseServerURL "<url of license server>"
HLSDrmTransportCertFile "<path to transport certificate file>"
HLSDrmLicenseServerCertFile "<path to license server certificate file>"
HLSDrmPackagerCredentialFile "<path to packager credential file>"
HLSDrmPackagerCredentialPassword ??????
HLSDrmPolicyFile "<path to policy file>"
HLSDrmKeyServerURL "<key server url>"
</Location>
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
Note:
For local key delivery, it is recommended that HLSDrmKeyServerURL be set to the dummy URL http://faxs.adobe.com.
For more information on the elements, see Vanilla.
To configure individual sets of media, in the httpd.conf file, set HLSEncryptionScope to content. This setting tells the server that configuration settings in the jit.conf file override settings in the httpd.conf file.
Configure the following elements in a jit.conf file in the same directory as the on-demand media:
Element | Default value | Description |
---|---|---|
//manifest/hds:encryption | None | The parent element for configuration. This element has an enabled attribute. To enable content for protection with PHLS, set the enabled attribute to "true". The value is "false" by default. |
//manifest/hds:encryption/hds:keyfile | None | The path of the default cipher key used to encrypt the content. |
//manifest/hds:encryption/hds:keyuri | None | The URI that the client uses to fetch the encryption key. See Serve encryption keys to the client. |
- Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the /hds:keyuri element.
- To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.
See the following sample configuration:
<manifest xmlns="http://ns.adobe.com/f4m/1.0"
xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:hls>
<hds:encryption enabled="true" protection-scheme="PHLS" >
<hds:PHLS>
<hds:content-id>jit_conf</hds:content-id>
<hds:common-key-file>
root_install/creds/vodkey.bin
</hds:common-key-file>
<hds:output-protection>None</hds:output-protection>
<hds:playback-expiration>Unlimited</hds:playback-expiration>
</hds:PHLS>
</hds:encryption>
</hds:hls>
</manifest>
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
For configuring the server with PHLS, see the steps mentioned in the Vanilla section. For details on the configuration elements, see the table above.
See the following sample configuration:
<manifest xmlns="http://ns.adobe.com/f4m/1.0"
xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:hls>
<hds:encryption enabled="true" protection-scheme="AdobeAccessV4">
<hds:AdobeAccessV4>
<hds:content-id>jit_conf</hds:content-id>
<hds:common-key-file>
root_install/creds/vodkey.bin
</hds:common-key-file>
<hds:license-server-url>
http://mylicenseserver.myhost.com
</hds:license-server-url>
<hds:transport-cert-file>
production_transport.der
</hds:transport-cert-file>
<hds:license-server-cert-file>
production_license_server.der
</hds:license-server-cert-file>
<hds:packager-credential-file>
production_packager.pfx
</hds:packager-credential-file>
<hds:packager-credential-password>
??????
</hds:packager-credential-password>
<hds:policy-file>policy.pol</hds:policy-file>
<hds:key-server-url>http://faxs.adobe.com</hds:key-server-url>
</hds:AdobeAccessV4>
</hds:encryption>
</hds:hls>
</manifest>
Note:
For local key delivery, it is recommended that HLSDrmKeyServerURL be set to the dummy URL http://faxs.adobe.com.
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
For configuring the server with PHLS, see the steps mentioned in the Vanilla section. For details on the configuration elements, see the table above.
To generate unique content encryption keys (CEKs) for Adobe Access, the URL path (relative to the configured content path) including the stream name is used as Content ID. For example, Content ID for path http://example.com/hls-vod/mymedia/sample.f4v.m3u8 would be mymedia/sample.f4v.
To change the default Content ID, specify the new Content ID in the configuration files event.xml, application.xml or jit.conf.
Multiple renditions of the same content require the same CEK for each rendition. To enable the same CEK across multiple renditions of the same content, configure the content-id in:
application.xml
event.xml (for Live Events) or jit.conf (for VOD Events).
You can protect the renditions using the Adobe Access configurations.
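The default Content ID rules for live and on-demand content, and why renditions need a configured content-id to share a CEK, can be seen in a short sketch. This is an added example, not Adobe code: it assumes the URL path after the location prefix maps directly onto the path relative to the configured content path, and it treats an equal Content ID as standing for a shared CEK. The rendition file names are constructed.

```python
from urllib.parse import urlparse


def default_content_id(url, location, live):
    """Default Content ID for a playlist URL, following the rules on this page.

    live=True  -> path up to, but not including, the stream name
    live=False -> path including the stream name (on-demand)
    """
    path = urlparse(url).path
    prefix = "/" + location.strip("/") + "/"
    if not path.startswith(prefix):
        raise ValueError("URL is not under " + prefix)
    if not path.endswith(".m3u8"):
        raise ValueError("not a playlist URL: " + url)
    relative = path[len(prefix):-len(".m3u8")]
    if live:
        # Drop the final segment (the stream name).
        relative = relative.rpartition("/")[0]
    return relative


def group_by_content_id(urls, location, live, configured_id=None):
    """Group playlist URLs by the Content ID they would be protected under.

    configured_id models a content-id set in application.xml, event.xml
    or jit.conf, which replaces the default for every URL it covers.
    """
    groups = {}
    for url in urls:
        cid = configured_id or default_content_id(url, location, live)
        groups.setdefault(cid, []).append(url)
    return groups


# Constructed rendition URLs for illustration.
VOD_RENDITIONS = [
    "http://example.com/hls-vod/mymedia/sample_500kbps.f4v.m3u8",
    "http://example.com/hls-vod/mymedia/sample_1000kbps.f4v.m3u8",
]
LIVE_RENDITIONS = [
    "http://example.com/hls-live/livepkgr/definst/liveevent/livestream1.m3u8",
    "http://example.com/hls-live/livepkgr/definst/liveevent/livestream2.m3u8",
]

if __name__ == "__main__":
    # On-demand renditions get one Content ID each by default ...
    print(group_by_content_id(VOD_RENDITIONS, "/hls-vod", live=False))
    # ... and a single one once a content-id is configured.
    print(group_by_content_id(VOD_RENDITIONS, "/hls-vod", live=False,
                              configured_id="mymedia/sample"))
    # Live renditions of one event already share the default Content ID.
    print(group_by_content_id(LIVE_RENDITIONS, "/hls-live", live=True))
```
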
If the configuration for embedding the leaf license is turned off, Adobe Media Server will still support such a policy except that the leaf license will not be embedded in the DRM metadata.
Note:
The support will be limited to a single license server credential and credential-password pair.
The following table provides the configuration details:
Parameter | Description | Required with | Default value |
---|---|---|---|
HLSDrmEmbedLeafLicense (Server level) HLS/Encryption/AdobeAccessV4/EmbedLeafLicense (Application and Event level) hds:hls/hds:encryption/hds:AdobeAccessV4/hds:embed-leaf-license (VOD use case, Stream level) | (Optional) Enables embedding of leaf licenses for policies generated using chained licenses. Possible values are "true" or "false". | AdobeAccessV4 | false |
HLSDrmLicenseServerCredentialFile (Server level) HLS/Encryption/AdobeAccessV4/LicenseServerCredentialFile (Application and Event level) hds:hls/hds:encryption/hds:AdobeAccessV4/hds:license-server-credential-file (VOD use case, Stream level) | Required if HLSDrmEmbedLeafLicense is set to true. The license server credential used when protecting content at this location. | AdobeAccessV4 | NA |
HLSDrmLicenseServerCredentialPassword (Server level) HLS/Encryption/AdobeAccessV4/LicenseServerCredentialPassword (Application and Event level) hds:hls/hds:encryption/hds:AdobeAccessV4/hds:license-server-credential-password (VOD use case, Stream level) | Required if HLSDrmEmbedLeafLicense is set to true. The license server credential password for the configured license server credential file. | AdobeAccessV4 | NA |
Directive | Required with | Default Value | Description |
---|---|---|---|
HLSDrmEnableKeyRotation / PHLSEnableKeyRotation (Server level) EnableKeyRotation (Application and Event level) hds:hls/hds:encryption/hds:FlashAccessV4/hds:enable-key-rotation (VOD use case, Stream level) | Optional with FlashAccessV4 and PHLS | true | Enabled by default. To enable key rotation set the attribute to "false". |
HLSDrmKeyRotationInterval / PHLSKeyRotationInterval (Server level) KeyRotationInterval (Application and Event level) hds:hls/hds:encryption/hds:FlashAccessV4/hds:key-rotation-interval (VOD use case, Stream level) | Optional with FlashAccessV4 and PHLS | 15 | The key is changed after the specified number of seconds. |
For HDS streams, key rotation does not affect the performance of the client or the scaling of the license server, because rotating the key is handled in-band.
In HLS, key rotation results in a key request from the key server when using remote key delivery. For local key delivery, the rotated key is in the updated M3U8 file.
Directive | Required | Default Value | Description |
---|---|---|---|
HLSEmbedMetadata | No | For VOD, true. For Live, false | Enables embedding of metadata in the playlist. The false value is applicable only when HLSMetaPackagingEnabled is set to true. |
HLSMetaMaxAge | No | 3600 seconds | The maximum age in the Cache-Control header for m3u8 responses. A value of -1 specifies that no Cache-Control header is set. If no value is specified, the default value, 3600 seconds, is assumed. |
HLSMetaPackagingEnabled | No | true | (Optional) Enables just in time packaging of metadata for this location. The possible values are "true" or "false". |
A whitelist file (with extension .airwhitelist) is a text file that contains multiple entries, where each entry corresponds to an application and identifies four fields (publisher-id, app-id, min-ver, max-ver). The publisher-id is mandatory and the rest of the fields are optional. The file can be generated by passing the certificate(s) used to sign the application(s) to the whitelist tool. Currently the whitelist tool only supports extracting the publisher-id, but the rest of the fields (if required) can be updated manually.
Player binding can be enabled by configuration, and a folder needs to be specified from which Adobe Media Server can locate the whitelist files (multiple whitelist files and multiple entries in a whitelist file are supported). Adobe Media Server will add the list of identifiers picked up from the whitelist files to the license it embeds in the metadata.
To enable the feature, you must add the following configuration directives in the httpd.conf file:
Directive | Required with | Default Value | Description |
---|---|---|---|
PHLSPlayerBindingEnabled (Server level) HLS/Encryption/PHLS/PlayerBindingEnabled (Application and Event level) hds:hls/hds:encryption/hds:phls/hds:player-binding (VOD use case, Stream level) | PHLS | false | Enables player binding using white-list. Possible values are "true" or "false". |
PHLSWhitelistFolder (Server level) HLS/Encryption/PHLS/WhitelistFolder (Application and Event level) hds:hls/hds:encryption/hds:phls/hds:whitelist-folder (VOD use case, Stream level) | PHLS | NA | (Required if HLSDrmPlayerBindingEnabled is true) The directory location containing the white-list files. This will work only when HLSDrmPlayerBindingEnabled is set to true. |
HLSEncryptKeyURI
//manifest/hds:hls/hds:encryption/hds:keyuri
//Application/HDS/HLS/Encryption/KeyURI
//Event/HLS/Encryption/KeyURI
For both on-demand and live vanilla encryption, serve encryption keys to the client through the Apache HLS module. The module unscrambles the key before serving the request.
Note:
Note that the key files used for configuring encryption always need to be scrambled.
You can enable client authentication over SSL to ensure that key files are served securely. A reference configuration file and the Apple CA bundle are installed to the following locations:
rootinstall/Apache2.4/conf/httpd-hls-secure.conf
rootinstall/creds/certs/ca
The httpd-hls-secure.conf file demonstrates how to configure a virtual host at the default SSL port with client authentication enabled for the location /hls-key with cipher key hosting enabled. However, this is only a reference configuration. To guarantee authentication for a production system, customize the configuration for your deployment.
Note:
The SSL certificate presented by the iOS client must be current. If the client presents an expired certificate, client authentication fails and an error message displays to the user (on the client). iOS clients with older iOS installations may encounter this problem.
Customize the SSL properties in the rootinstall/Apache2.4/conf/httpd-hls-secure.conf file based on the deployment. This customization includes getting an SSL certificate from a recognized CA.
Note:
The SSL certificate generated for the server must have a CN that is a FQDN (Fully Qualified Domain Name), even in a test environment. If not, the iOS client may not present its client certificate and client authentication fails. If client authentication fails, the key file is not served and the iOS client crashes. This is a known Apple bug.
```
<Location /hls-key>
    HLSEncryptHostCipherKey true
    HLSFmsDirPath ".."
    HLSEncryptKeyRepository "../creds"
</Location>
```
Parameter | Description | Default value |
---|---|---|
HLSEncryptHostCipherKey | Enable (true) or disable (false) cipher key hosting from this location. | false |
HLSEncryptKeyRepository | The path of the folder that contains the key file. | None |
AMS supports different content encryption keys for content at the different levels (server, application, stream, and event). The keys are generated according to the location of the content and the location of the Common Key.
The Content Encryption Key delivery mode is specified in the policy file. For the Adobe Access 4.0 protection scheme, set the policy using the HLSDrmPolicyFile parameter. To select the policy file for the PHDS protection scheme, HLSDrmOutputProtection and HLSDrmPlaybackExpiration are used.
The key server URL is based on the key delivery mode specified in the policy file. For remote key serving, use the KeyServerURL parameter to specify the URL of the key server. The URL format for remote key serving is https://<customers-keyserver-uri>. For example, https://faxs.adobe.com. For local key serving, the value of KeyServerURL should always be faxs://faxs.adobe.com.
Note:
PHLS supports only local key delivery and AMS cannot deliver CEKs as long as DRM is enabled.
To support adaptive bitrate, HTTP Live Streaming requires a variant playlist file that refers to individual playlist files containing different renditions of the same content. The Adobe Access for iOS SDK requires that each stream referred to in a variant playlist be encrypted using the same policy and the same content encryption key. Hence each encrypted stream has the same DRM metadata, referred to in the #EXT-X-FAXS-CM tag (embedded or served out of band).
The Adobe Access Server protected variant playlist also needs to include the #EXT-X-FAXS-CM tag. The value of the #EXT-X-FAXS-CM tag in the variant playlist is the relative URI referring to the DRM metadata of one of the individual streams. At the client, the #EXT-X-FAXS-CM tag in the variant playlist is used to create the DRM session. The same DRM session is used for all encrypted M3U8 files inside the variant playlist.
Here’s an example of an Adobe Access protected variant playlist:
```
#EXTM3U
#EXT-X-FAXS-CM:URI="hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.drmmeta"
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=212000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=307000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_307Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=512000, CODECS="avc1.77.31, mp4a.40.5"
http://my.server.com/hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_512Kbps_720_480_main_3_1.mp4.m3u8
```
Note:
This variant playlist needs to be served in Adobe Access M3U8 format. For instance, you need to append ?faxs=1 to the URL like http://my.server.com/variantPlaylist.m3u8?faxs=1.
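The following pre-publication check for a protected variant playlist is an added example, not Adobe's code. It verifies the three requirements stated above: the #EXT-X-FAXS-CM tag is present, its URI is relative and points at the DRM metadata of one of the listed streams, and the playlist is requested with ?faxs=1. The function names, the shortened sample file names, and the rule that metadata sits beside its stream as `<name>.drmmeta` next to `<name>.m3u8` (inferred from the playlist shown above) are assumptions.

```python
import re
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed sample input, modelled on the playlist shown above (shortened names).
SAMPLE = '''#EXTM3U
#EXT-X-FAXS-CM:URI="vod/sample/212Kbps.mp4.drmmeta"
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=212000,CODECS="avc1.77.31, mp4a.40.5"
vod/sample/212Kbps.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=512000,CODECS="avc1.77.31, mp4a.40.5"
http://my.server.com/vod/sample/512Kbps.mp4.m3u8
'''

def parse_variant(text):
    """Return (FAXS-CM URIs, rendition URIs) found in a variant playlist."""
    cm_uris, renditions, want_uri = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#EXT-X-FAXS-CM:"):
            value = line.split(":", 1)[1].strip()
            # Only the URI="..." form shown on the page is recognised.
            ok = value.startswith('URI="') and value.endswith('"')
            cm_uris.append(value[5:-1] if ok else "")
        elif line.startswith("#EXT-X-STREAM-INF:"):
            want_uri = True   # the next non-comment line is the rendition URI
        elif line and not line.startswith("#") and want_uri:
            renditions.append(line)
            want_uri = False
    return cm_uris, renditions

def check_variant(text, playlist_url):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    cm_uris, renditions = parse_variant(text)
    if parse_qs(urlsplit(playlist_url).query).get("faxs") != ["1"]:
        problems.append("playlist URL lacks ?faxs=1")
    if not renditions:
        problems.append("no #EXT-X-STREAM-INF renditions found")
    if not cm_uris:
        problems.append("missing #EXT-X-FAXS-CM tag")
        return problems
    # Assumption: metadata sits beside its stream as <name>.drmmeta / <name>.m3u8.
    expected = {re.sub(r"\.m3u8$", ".drmmeta", urlsplit(urljoin(playlist_url, r)).path)
                for r in renditions}
    for uri in cm_uris:
        parts = urlsplit(uri)
        if not uri or parts.scheme or parts.netloc:
            problems.append("#EXT-X-FAXS-CM URI is not a relative URI: %r" % uri)
        elif urlsplit(urljoin(playlist_url, uri)).path not in expected:
            problems.append("#EXT-X-FAXS-CM URI matches no listed stream: %r" % uri)
    return problems
```

Because every rendition must share one policy and one content encryption key, a tag that points at metadata for a stream outside the playlist is worth treating as a packaging error rather than a warning.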