You can use Protected HTTP Dynamic Streaming (PHDS) or Adobe Access to protect content delivered over HDS.
Overview
Configure PHDS/Adobe Access for live streaming at the following levels:
Server—rootinstall/Apache2.4/conf/httpd.conf
Application—rootinstall/applications/livepkgr/Application.xml
Event—rootinstall/applications/livepkgr/events/_definst_/liveevent/Event.xml
PHDS
Use Adobe Media Server 5 to serve live and on-demand protected content to Flash Player and AIR over HTTP without using a DRM License Server. When Adobe Media Server packages the content, it generates the license and embeds it into the DRM metadata of the content stream. This feature is called Protected HTTP Dynamic Streaming (PHDS). In addition to encrypting content, PHDS also supports SWF verification for HTTP Dynamic Streaming.
The F4F packaging process for on-demand and live PHDS generates a license, embeds it in the DRM metadata, and delivers it with the media. Flash Player 11 and AIR 3 clients can retrieve the license from the content stream, which eliminates communication between the client and a License Server.
The Adobe Media Server installer writes credentials, certificates, and policy files into the rootinstall/creds directory. The installer also creates a common-key.bin file in the /creds directory. You can change the content of this file or create a new common key file. To create a common key file (common-key.bin), which is used to derive the Content Encryption Key, use the Scramble tool. See the Scramble tool.
Use the following policy files to generate licenses for on-demand and live PHDS.
| Policy name | Description |
|---|---|
| phds_24hr_policy.pol | 24 Hour limited policy, anonymous; 24 hours limited license caching. This is the default policy. Users can start playback within 24 hours of the time the content was packaged and can continue watching until the end of the content (users may pause). The 24-hour window starts when the DRM metadata is generated. |
| phds_policy.pol | Unlimited policy, anonymous; unlimited license caching; binding to Protected Streaming is permitted. This policy allows playback at any time. |
| phds-24hr-OPBestEffort.pol | (AMS 5) 24 Hours Limited / Best Effort Output Protection policy. Set in the same way as the 24 Hours Limited / No Output Protection policy, with the additional restriction to use hardware content protection if it is available. Users can still play media if the client hardware does not support Output Protection. If the client hardware supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
| phds-OPBestEffort.pol | (AMS 5) Unlimited / Best Effort Output Protection policy. Set in the same way as the Unlimited / No Output Protection policy, with the additional restriction to use hardware content protection if it is available. Users can still play media if the client hardware does not support Output Protection. If the client hardware supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
| phds-24hr-OPRequired.pol | (AMS 5) 24 Hours Limited / Required Output Protection policy. Set in the same way as the 24 Hours Limited / No Output Protection policy, with the additional restriction to use hardware content protection. Users cannot play media if the client hardware does not support Output Protection. If the client hardware does not support Output Protection, or supports it but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
| phds-OPRequired.pol | (AMS 5) Unlimited / Required Output Protection policy. Set in the same way as the Unlimited / No Output Protection policy, with the additional restriction to use hardware content protection. Users cannot play media if the client hardware does not support Output Protection. If the client hardware does not support Output Protection, or supports it but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
The unlimited policy is not intended for regular use. It is provided as a temporary workaround for network problems. When media is cached on network devices between Adobe Media Server and Flash Player, clients may receive expired policy data from the cache instead of the current media from the server. If media generated with the 24-hour policy is cached for more than 24 hours, the player refuses playback. Switch to the unlimited PHDS policy as a temporary measure until the network configuration is fixed and the caches are flushed; this lets you distribute media with weaker protection rather than not distribute it at all. After switching to the unlimited policy, flush the caches so that the unlimited license propagates to clients.
Adobe Access
To deliver live or on-demand content with HDS, you can enable HDS with Adobe Access for protected streaming. The Adobe Access server for protected streaming is a license server implementation optimized for use with HDS. See the Adobe Access documentation for more details.
Important: Use the HDS packagers to both encrypt and fragment content. Do not use the Adobe Access packaging tools to encrypt content. The HDS packagers cannot fragment encrypted content.
Note: The Adobe Access SDK and the Adobe Access license server reference implementation can issue licenses for HDS.
After you have deployed Adobe Access Server for protected streaming, configure Adobe Media Server to package and encrypt the content in real-time.
Live use case
In httpd.conf, the protection directives are placed in the <Location /hds-live> block. Application.xml and Event.xml each have a ContentProtection container that holds the live PHDS configuration settings: in Application.xml the container is located at //Application/HDS/Recording/ContentProtection, and in Event.xml at //Event/Recording/ContentProtection.
Getting Started
To quickly get started with PHDS, you need to understand the following directives:
| Directive | Default value | Description |
|---|---|---|
| HttpStreamingEncryptionScope | content | Possible values are off, content, and server. When the value is off, content remains in the unprotected format. When the value is content, the configuration settings in Application.xml or Event.xml are used to protect the content. When the value is server, the configuration settings in httpd.conf are used to protect the content. |
| HttpStreamingProtectionScheme | PHDS | Encryption type for the content. It can be FlashAccessV3, FlashAccessV2, or PHDS. HttpStreamingProtectionScheme applies only when encryption is enabled; HttpStreamingEncryptionScope determines the scope of the encryption. |
To configure PHDS with basic settings, perform the following steps:
1. After installing Adobe Media Server, open rootinstall/Apache2.4/conf/httpd.conf and add the following directives under <Location /hds-live>. This change enables PHDS at the server level.
```apache
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme PHDS
</Location>
```
2. Publish a live stream called "livestream?adbe-live-event=liveevent" to livepkgr.
3. Play back the stream using the URI http://<server-ip>:8134/hds-live/livepkgr/_definst_/liveevent/livestream.f4m.
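As a check that the stream is actually protected once the steps above are done, here is an added example (not part of Adobe's documentation or product) that parses the F4M manifest served at the playback URI and reports, per media entry, whether it references a drmAdditionalHeader element (the F4M element that carries the PHDS or Adobe Access DRM metadata) or is served in the clear. The sample manifest is constructed; the check_url helper and the stream names are assumptions.

```python
"""Report which media entries in an HDS F4M manifest carry DRM metadata.

Added example: walks the manifest returned for livestream.f4m and classifies
each <media> entry as protected, unprotected, or broken (dangling or empty
drmAdditionalHeader reference).
"""
import base64
import binascii
import sys
import urllib.request
import xml.etree.ElementTree as ET

F4M_NS = "{http://ns.adobe.com/f4m/1.0}"

# Constructed sample manifest (not captured from a real server): the first
# media entry references a drmAdditionalHeader, the second one does not.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0">
  <id>livestream</id>
  <streamType>live</streamType>
  <drmAdditionalHeader id="drmMetadata1">AAECAwQFBgc=</drmAdditionalHeader>
  <bootstrapInfo profile="named" id="bootstrap1" url="livestream.bootstrap"/>
  <media streamId="livestream" url="livestream" bootstrapInfoId="bootstrap1"
         drmAdditionalHeaderId="drmMetadata1"/>
  <media streamId="livestream_clear" url="livestream_clear" bootstrapInfoId="bootstrap1"/>
</manifest>
"""


def check_manifest(manifest_xml):
    """Return {streamId: 'protected' | 'unprotected' | 'broken'} for each <media>."""
    root = ET.fromstring(manifest_xml)
    # Decode each DRM header once; an empty or undecodable header counts as broken.
    header_sizes = {}
    for header in root.findall(F4M_NS + "drmAdditionalHeader"):
        try:
            raw = base64.b64decode((header.text or "").strip(), validate=True)
        except binascii.Error:
            raw = b""
        header_sizes[header.get("id")] = len(raw)
    results = {}
    for media in root.findall(F4M_NS + "media"):
        stream = media.get("streamId") or media.get("url")
        header_id = media.get("drmAdditionalHeaderId")
        if header_id is None:
            results[stream] = "unprotected"
        elif header_sizes.get(header_id, 0) == 0:
            results[stream] = "broken"  # reference to a missing or empty header
        else:
            results[stream] = "protected"
    return results


def check_url(manifest_url, timeout=10):
    """Fetch a manifest over HTTP and run the same check against a live server."""
    with urllib.request.urlopen(manifest_url, timeout=timeout) as resp:
        return check_manifest(resp.read())


if __name__ == "__main__":
    report = check_url(sys.argv[1]) if len(sys.argv) > 1 else check_manifest(SAMPLE_MANIFEST)
    for stream, status in report.items():
        print(f"{stream}: {status}")
```

Run it with the playback URI from step 3 as the only argument; any entry reported as unprotected or broken means the scope or scheme directives are not taking effect for that stream.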
Detailed configuration
The following sections provide detailed configurations for both the PHDS and the Adobe Access schemes.
Server level
Server-level configurations for live PHDS/Adobe Access
When HttpStreamingEncryptionScope is set to server, the protection parameters in httpd.conf apply server-wide, and any encryption parameters specified at the Application or Event level are ignored.
Flash Media Server 4.5.3 and higher allow the encryption configuration to be set at the server level. These settings apply to live events recorded on the server. To enable or disable encryption, configure the following directives for the f4fhttp_module in the Apache httpd.conf file:
Common configuration:
| Directive | Default value | Description |
|---|---|---|
| HdsFmsDirPath | None | Relative path of the Adobe Media Server root directory. Use ".." as the relative path. |
| HttpStreamingEncryptionScope | content | Possible values are off, content, and server. When the value is off, content remains in the unprotected format. When the value is content, the configuration settings in Application.xml or Event.xml are used to protect the content. When the value is server, the configuration settings in httpd.conf are used to protect the content. |
| HttpStreamingProtectionScheme | PHDS | Encryption type for the content. It can be FlashAccessV3, FlashAccessV2, or PHDS. HttpStreamingProtectionScheme applies only when encryption is enabled; HttpStreamingEncryptionScope determines the scope of the encryption. |
PHDS configuration
| Directive | Default value | Description |
|---|---|---|
| PHDSCommonKeyFile | <AMSInstallDir>/creds/common-key.bin | A common key used to protect content at this location. The PHDSCommonKeyFile path is relative to rootinstall/Apache2.4. |
| PHDSVideoEncryptionLevel | 2 | The level of encryption for the content (0 low, 1 medium, 2 high). Lower settings provide partial encryption: only a subset of the samples (such as video keyframes) is encrypted. Partial encryption can improve playback performance on the client, because there are fewer frames to decrypt. |
| PHDSPlaybackExpiration | 24Hours | The duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| PHDSOutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
| HdsDrmContentID | Logical path to jit.conf | You can manually specify the content ID, which is used for all the files. |
Adobe Access configuration
| Directive | Default value | Description |
|---|---|---|
| HdsDrmCommonKeyFile | None | A common key used to protect content at this location. The HdsDrmCommonKeyFile path is relative to rootinstall/Apache2.4. |
| HdsDrmLicenseServerURL | None | The URL of the license server used for protecting content. |
| HdsDrmTransportCertFile | None | The transport certificate used for protecting content. |
| HdsDrmLicenseServerCertFile | None | The license server certificate used for protecting content. |
| HdsDrmPackagerCredentialFile | None | The packager credential used for protecting content. |
| HdsDrmPackagerCredentialPassword | None | The packager credential password for the configured packager credential file. |
| HdsDrmPolicyFile | None | Policy for protecting content. |
| HdsDrmContentID | None | You can manually specify the content ID, which is used for all the files. |
The following example enables and configures PHDS in the httpd.conf file. These settings apply to every live event configured for this server.
```apache
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
Options -Indexes FollowSymLinks
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme PHDS
PHDSCommonKeyFile "../creds/common-key.bin"
PHDSPlaybackExpiration 24Hours
PHDSOutputProtection None
</Location>
```
The following example enables and configures Adobe Access (FlashAccessV2) in the httpd.conf file. These settings apply to every live event configured for this server.
```apache
<Location /hds-live-faxs>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme FlashAccessV2
HdsDrmCommonKeyFile "../creds/common-key.bin"
HdsDrmLicenseServerURL http://<aaxs-test-server>/
HdsDrmTransportCertFile "aaxs-test-server-trnsCert.der"
HdsDrmLicenseServerCertFile "aaxs-test-server-licCert.der"
HdsDrmPackagerCredentialFile "aaxs-test-server-pkgrCert.pfx"
HdsDrmPackagerCredentialPassword pwd=
HdsDrmPolicyFile "sample_policy.pol"
Options -Indexes FollowSymLinks
</Location>
```
The following example enables and configures Adobe Access (FlashAccessV3) in the httpd.conf file. These settings apply to every live event configured for this server.
```apache
<Location /hds-live-faxs>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme FlashAccessV3
HdsDrmCommonKeyFile "../creds/common-key.bin"
HdsDrmLicenseServerURL http://<aaxs-test-server>/
HdsDrmTransportCertFile "aaxs-test-server-trnsCert.der"
HdsDrmLicenseServerCertFile "aaxs-test-server-licCert.der"
HdsDrmPackagerCredentialFile "aaxs-test-server-pkgrCert.pfx"
HdsDrmPackagerCredentialPassword pwd=
HdsDrmPolicyFile "sample_policy.pol"
Options -Indexes FollowSymLinks
</Location>
```
Application level
When the configuration is specified at the Application level, the protection parameters apply to that application (to all the events under it). Encryption parameters specified at the Event or Server level are ignored.
Common configuration
| Element | Default | Description |
|---|---|---|
| HDS/Recording/ContentProtection | "allow" in Application.xml; "false" in Event.xml | Container element for content protection configurations. In Application.xml, set the enabled attribute to "true" to enable content protection, "false" to disable it, or "allow" to let the settings in Event.xml override the ContentProtection section of Application.xml. When enabled="allow", the server uses none of the settings in the ContentProtection section of Application.xml. If no ContentProtection section is specified in Event.xml, content protection is disabled, because the default value in Event.xml is "false". In Event.xml, set the enabled attribute to "true" or "false". |
| HDS/Recording/ContentProtection/ProtectionScheme | None | Possible values are PHDS, FlashAccessV2, and FlashAccessV3. |
PHDS configuration
| Element | Default | Description |
|---|---|---|
| HDS/Recording/ContentProtection/PHDS | None | Container for PHDS encryption settings. |
| HDS/Recording/ContentProtection/PHDS/CommonKeyFile | None | A relative path to the common-key.bin file containing a base key used (along with the content ID) to generate the final content encryption key. This file is generated during installation to rootinstall/creds/common-key.bin. If you define CommonKeyFile in Application.xml, the server looks for the file relative to the application directory. If you define CommonKeyFile in Event.xml, the server looks for the file relative to the event folder. |
| HDS/Recording/ContentProtection/PHDS/PlaybackExpiration | 24Hours | The protection policy. The policy determines the duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| HDS/Recording/ContentProtection/PHDS/VideoEncryptionLevel | 2 | The level of encryption for the content (0 low, 1 medium, 2 high). Lower settings mean partial encryption, where only a subset of the samples (such as video keyframes) is encrypted. This can improve playback performance on the client, since there are fewer frames to decrypt. |
| HDS/Recording/ContentProtection/PHDS/UpdateInterval | 60 | The frequency at which the server generates the DRM metadata, in minutes. |
| HDS/Recording/ContentProtection/PHDS/OutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
Adobe Access configuration
| Element | Default | Description |
|---|---|---|
| HDS/Recording/ContentProtection/FlashAccessV2 | None | Container for FlashAccessV2 encryption settings. |
| HDS/Recording/ContentProtection/FlashAccessV3 | None | Container for FlashAccessV3 encryption settings. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/ContentID | None | The content ID used when protecting the streams in the live event. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/CommonKeyFile | None | The file containing the common key. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerURL | None | The URL of the license server that provides licensing services for the protected content. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/TransportCertFile | None | The file containing the transport certificate, in DER format. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerCertFile | None | The file containing the license server certificate, in DER format. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialFile | None | The file containing the packager credentials, in PFX format. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialPassword | None | The password for the packager credentials. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PolicyFile | None | The file containing the content protection policy. |
Configure the httpd.conf as given below to allow protection configurations at the application level.
```apache
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
Options -Indexes FollowSymLinks
HttpStreamingEncryptionScope content
</Location>
```
The following example enables and configures PHDS in the Application.xml file. These settings apply to every live event configured for this application.
```xml
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
      <PublishTimeout>0</PublishTimeout>
      <AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
      <AdjustForRecordingRollover>false</AdjustForRecordingRollover>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>PHDS</ProtectionScheme>
        <PHDS>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <VideoEncryptionLevel>2</VideoEncryptionLevel>
          <PlaybackExpiration>24Hours</PlaybackExpiration>
          <OutputProtection>None</OutputProtection>
        </PHDS>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
```
The following example enables and configures Adobe Access V2 in the Application.xml file. These settings apply to every live event configured for this application.
```xml
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
      <PublishTimeout>0</PublishTimeout>
      <AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
      <AdjustForRecordingRollover>false</AdjustForRecordingRollover>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV2</ProtectionScheme>
        <FlashAccessV2>
          <ContentID>liveevent</ContentID>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
          <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
          <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
          <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
          <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
          <PolicyFile>sample_policy.pol</PolicyFile>
        </FlashAccessV2>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
```
The following example enables and configures Adobe Access V3 in the Application.xml file. These settings apply to every live event configured for this application.
```xml
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
      <PublishTimeout>0</PublishTimeout>
      <AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
      <AdjustForRecordingRollover>false</AdjustForRecordingRollover>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV3</ProtectionScheme>
        <FlashAccessV3>
          <ContentID>liveevent</ContentID>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
          <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
          <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
          <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
          <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
          <PolicyFile>sample_policy.pol</PolicyFile>
        </FlashAccessV3>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
```
In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/ directory, because a CommonKeyFile path in Application.xml is resolved relative to the application directory.
Event level
When the configuration is specified at the Event level, the protection parameters apply to that event only. Encryption parameters specified at the Application or Server level are ignored.
Common configuration
| Element | Default | Description |
|---|---|---|
| Recording/ContentProtection | "allow" in Application.xml; "false" in Event.xml | Container element for content protection configurations. In Application.xml, set the enabled attribute to "true" to enable content protection, "false" to disable it, or "allow" to let the settings in Event.xml override the ContentProtection section of Application.xml. When enabled="allow", the server uses none of the settings in the ContentProtection section of Application.xml. If no ContentProtection section is specified in Event.xml, content protection is disabled, because the default value in Event.xml is "false". In Event.xml, set the enabled attribute to "true" or "false". |
| Recording/ContentProtection/ProtectionScheme | None | Possible values are PHDS, FlashAccessV2, and FlashAccessV3. |
PHDS configuration
| Element | Default | Description |
|---|---|---|
| Recording/ContentProtection/PHDS | None | Container for PHDS encryption settings. |
| Recording/ContentProtection/PHDS/CommonKeyFile | None | A relative path to the common-key.bin file containing a base key used (along with the content ID) to generate the final content encryption key. This file is generated during installation to rootinstall/creds/common-key.bin. If you define CommonKeyFile in Application.xml, the server looks for the file relative to the application directory. If you define CommonKeyFile in Event.xml, the server looks for the file relative to the event folder. |
| Recording/ContentProtection/PHDS/PlaybackExpiration | 24Hours | The protection policy. The policy determines the duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| Recording/ContentProtection/PHDS/VideoEncryptionLevel | 2 | The level of encryption for the content (0 low, 1 medium, 2 high). Lower settings mean partial encryption, where only a subset of the samples (such as video keyframes) is encrypted. This can improve playback performance on the client, since there are fewer frames to decrypt. |
| Recording/ContentProtection/PHDS/UpdateInterval | 60 | The frequency at which the server generates the DRM metadata, in minutes. |
| Recording/ContentProtection/PHDS/OutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
Adobe Access configuration
| Element | Default | Description |
|---|---|---|
| Recording/ContentProtection/FlashAccessV2 | None | Container for FlashAccessV2 encryption settings. |
| Recording/ContentProtection/FlashAccessV3 | None | Container for FlashAccessV3 encryption settings. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/ContentID | None | The content ID used when protecting the streams in the live event. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/CommonKeyFile | None | The file containing the common key. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerURL | None | The URL of the license server that provides licensing services for the protected content. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/TransportCertFile | None | The file containing the transport certificate, in DER format. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerCertFile | None | The file containing the license server certificate, in DER format. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialFile | None | The file containing the packager credentials, in PFX format. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialPassword | None | The password for the packager credentials. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PolicyFile | None | The file containing the content protection policy. |
Configure the httpd.conf as given below to allow protection configurations at the event level:
```apache
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
Options -Indexes FollowSymLinks
HttpStreamingEncryptionScope content
</Location>
```
The following is an example of an Application.xml file that allows protection configurations at the event level and tells the server to look for configurations in the Event.xml file for each live event:
```xml
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="allow">
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
```
The following Event.xml file configures PHDS for a single live event:
```xml
<Event>
  <EventID>liveevent</EventID>
  <Recording>
    <FragmentDuration>4000</FragmentDuration>
    <SegmentDuration>400000</SegmentDuration>
    <DiskManagementDuration>3</DiskManagementDuration>
    <ContentProtection enabled="true">
      <ProtectionScheme>PHDS</ProtectionScheme>
      <PHDS>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <VideoEncryptionLevel>2</VideoEncryptionLevel>
        <PlaybackExpiration>24Hours</PlaybackExpiration>
        <OutputProtection>None</OutputProtection>
      </PHDS>
    </ContentProtection>
  </Recording>
</Event>
```
In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/events/_definst_/liveevent directory.
The following Event.xml file configures Adobe Access V2 for a single live event:
```xml
<Event>
  <EventID>liveevent</EventID>
  <Recording>
    <FragmentDuration>4000</FragmentDuration>
    <SegmentDuration>400000</SegmentDuration>
    <DiskManagementDuration>3</DiskManagementDuration>
    <ContentProtection enabled="true">
      <ProtectionScheme>FlashAccessV2</ProtectionScheme>
      <FlashAccessV2>
        <ContentID>liveevent</ContentID>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
        <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
        <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
        <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
        <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
        <PolicyFile>sample_policy.pol</PolicyFile>
      </FlashAccessV2>
    </ContentProtection>
  </Recording>
</Event>
```
The following Event.xml file configures Adobe Access V3 for a single live event:
```xml
<Event>
  <EventID>liveevent</EventID>
  <Recording>
    <FragmentDuration>4000</FragmentDuration>
    <SegmentDuration>400000</SegmentDuration>
    <DiskManagementDuration>3</DiskManagementDuration>
    <ContentProtection enabled="true">
      <ProtectionScheme>FlashAccessV3</ProtectionScheme>
      <FlashAccessV3>
        <ContentID>liveevent</ContentID>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
        <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
        <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
        <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
        <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
        <PolicyFile>sample_policy.pol</PolicyFile>
      </FlashAccessV3>
    </ContentProtection>
  </Recording>
</Event>
```
In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/events/_definst_/liveevent directory.
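To make the precedence between the server, application and event levels concrete, the following added example (not Adobe's code) resolves which ContentProtection settings actually apply to a live event, given an httpd.conf Location block, an Application.xml and an Event.xml, following the rules stated in the three sections above: HttpStreamingEncryptionScope decides first; with scope content, the enabled attribute of ContentProtection in Application.xml is consulted (default "allow"), and only with "allow" is Event.xml consulted (default "false"). It then flags a few settings a reviewer would question. The sample files, the host name, the credential file names, and the hardening checks other than the one about the Unlimited policy are assumptions, not statements from this page.

```python
"""Resolve the effective content-protection settings for a live HDS event.

Added example: applies the server > application > event precedence described
in the Adobe Media Server docs and reports weak settings. Not Adobe's code.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the page's examples; the host name and
# credential names are placeholders, not a real deployment.
SAMPLE_HTTPD_CONF = """
<Location /hds-live>
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme FlashAccessV3
HdsDrmCommonKeyFile "../creds/common-key.bin"
HdsDrmLicenseServerURL http://aaxs-test-server/
HdsDrmPackagerCredentialFile "aaxs-test-server-pkgrCert.pfx"
HdsDrmPackagerCredentialPassword pwd=
HdsDrmPolicyFile "sample_policy.pol"
</Location>
"""
SAMPLE_APPLICATION_XML = """<Application><HDS><Recording>
<ContentProtection enabled="allow"></ContentProtection>
</Recording></HDS></Application>"""
SAMPLE_EVENT_XML = """<Event><EventID>liveevent</EventID><Recording>
<ContentProtection enabled="true">
  <ProtectionScheme>PHDS</ProtectionScheme>
  <PHDS>
    <CommonKeyFile>common-key.bin</CommonKeyFile>
    <VideoEncryptionLevel>2</VideoEncryptionLevel>
    <PlaybackExpiration>24Hours</PlaybackExpiration>
    <OutputProtection>None</OutputProtection>
  </PHDS>
</ContentProtection>
</Recording></Event>"""

UNPROTECTED = {"level": None, "scheme": None, "settings": {}}


def parse_location(httpd_conf, path="/hds-live"):
    """Return {directive: value} for one <Location> block; surrounding quotes are stripped."""
    match = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path), httpd_conf, re.S)
    directives = {}
    if match:
        for line in match.group(1).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                parts = re.split(r"\s+", line, maxsplit=1)
                directives[parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
    return directives


def xml_protection(xml_text, container_path):
    """Return (enabled attribute, scheme, settings) from ContentProtection, or None if absent."""
    section = ET.fromstring(xml_text).find(container_path + "/ContentProtection")
    if section is None:
        return None
    scheme_el = section.find("ProtectionScheme")
    scheme = scheme_el.text.strip() if scheme_el is not None and scheme_el.text else None
    settings = {}
    if scheme is not None and section.find(scheme) is not None:
        settings = {child.tag: (child.text or "").strip() for child in section.find(scheme)}
    return section.get("enabled"), scheme, settings


def effective_protection(httpd_conf, application_xml=None, event_xml=None):
    """Walk the precedence chain and return the level, scheme and settings that apply."""
    conf = parse_location(httpd_conf)
    scope = conf.get("HttpStreamingEncryptionScope", "content").lower()
    if scope == "off":
        return dict(UNPROTECTED)
    if scope == "server":
        scheme = conf.get("HttpStreamingProtectionScheme", "PHDS")
        prefix = "PHDS" if scheme.upper() == "PHDS" else "HdsDrm"
        return {"level": "server", "scheme": scheme,
                "settings": {k: v for k, v in conf.items() if k.startswith(prefix)}}
    # scope == "content": Application.xml decides, and may delegate to Event.xml.
    app = xml_protection(application_xml, "HDS/Recording") if application_xml else None
    app_enabled = (app[0] if app and app[0] else "allow").lower()
    if app_enabled == "true":
        return {"level": "application", "scheme": app[1], "settings": app[2]}
    if app_enabled != "allow":
        return dict(UNPROTECTED)
    event = xml_protection(event_xml, "Recording") if event_xml else None
    event_enabled = (event[0] if event and event[0] else "false").lower()
    if event_enabled == "true":
        return {"level": "event", "scheme": event[1], "settings": event[2]}
    return dict(UNPROTECTED)


def hardening_warnings(result):
    """Reviewer checks added here; only the Unlimited-policy one is stated by the Adobe docs."""
    s, findings = result["settings"], []
    if result["level"] is None:
        findings.append("stream is served unprotected")
    if (s.get("PlaybackExpiration") or s.get("PHDSPlaybackExpiration", "")).lower() == "unlimited":
        findings.append("Unlimited PHDS policy in use; the docs describe it as a temporary workaround only")
    if (s.get("LicenseServerURL") or s.get("HdsDrmLicenseServerURL", "")).lower().startswith("http://"):
        findings.append("license server URL is plain http; prefer https (assumes the server offers TLS)")
    if "PackagerCredentialPassword" in s or "HdsDrmPackagerCredentialPassword" in s:
        findings.append("packager credential password is stored in clear text; restrict file permissions")
    return findings


if __name__ == "__main__":
    result = effective_protection(SAMPLE_HTTPD_CONF, SAMPLE_APPLICATION_XML, SAMPLE_EVENT_XML)
    print(result["level"], result["scheme"], hardening_warnings(result))
```

Feed it the real httpd.conf, Application.xml and Event.xml contents to see which file a given event is actually governed by; a frequent surprise is a carefully written Event.xml that is ignored because Application.xml still says enabled="true" or httpd.conf still says scope server.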
License chaining
Adobe Media Server supports embedding leaf licenses in the DRM metadata for a policy generated with a chained license. The license server credential and its password must be configured so that the root license from the policy can be used to encrypt the CEK contained in the embedded leaf license.
If embedding of the leaf license is turned off, Adobe Media Server still accepts such a policy; the leaf license is simply not embedded in the DRM metadata.
Support is limited to a single license server credential and credential-password pair.
The following table provides the required configuration:
| Parameter | Description | Default value |
|---|---|---|
| HdsDrmEmbedLeafLicense (server level); EmbedLeafLicense (application and event level) | Enables embedding of leaf licenses in DRM metadata. Possible values are "true" or "false". Note: the policy file must be created using a chained license. | false |
| HdsDrmLicenseServerCredentialFile (server level); LicenseServerCredentialFile (application and event level) | Required if HdsDrmEmbedLeafLicense is set to true. The license server credential used when protecting content at this location. | NA |
| HdsDrmLicenseServerCredentialPassword (server level); LicenseServerCredentialPassword (application and event level) | Required if HdsDrmEmbedLeafLicense is set to true. The license server credential password for the configured license server credential file. | NA |
The following example shows the license chaining configuration at the application level:
```xml
<Application>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV3</ProtectionScheme>
        <FlashAccessV3>
          <ContentID>liveevent</ContentID>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
          <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
          <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
          <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
          <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
          <PolicyFile>sample_policy.pol</PolicyFile>
          <EmbedLeafLicense>true</EmbedLeafLicense>
          <LicenseServerCredentialFile>aaxs-test-server-pkgrCertLic.pfx</LicenseServerCredentialFile>
          <LicenseServerCredentialPassword>pwd_lic=</LicenseServerCredentialPassword>
        </FlashAccessV3>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
```
The following example shows the license chaining configuration at the event level:
```xml
<Event>
  <Recording>
    <ContentProtection enabled="true">
      <ProtectionScheme>FlashAccessV3</ProtectionScheme>
      <FlashAccessV3>
        <ContentID>liveevent</ContentID>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
        <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
        <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
        <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
        <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
        <PolicyFile>sample_policy.pol</PolicyFile>
        <EmbedLeafLicense>true</EmbedLeafLicense>
        <LicenseServerCredentialFile>aaxs-test-server-pkgrCertLic.pfx</LicenseServerCredentialFile>
        <LicenseServerCredentialPassword>pwd_lic=</LicenseServerCredentialPassword>
      </FlashAccessV3>
    </ContentProtection>
  </Recording>
</Event>
```
Key rotation
Adobe Media Server 5 supports Key Rotation for protected HTTP Dynamic Streaming when used with Adobe Access and PHDS. You can encrypt content packaged with AMS 5 using a set of keys. You can periodically change the encryption key and specify how often the content encryption key is to be changed.
Server level - Adobe Access
Parameter | Description | Default value
HdsDrmEnableKeyRotation | Whether to use Key Rotation with the AAXS protection scheme | false
HdsDrmKeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
The following httpd.conf configuration enables key rotation at the server level:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
Options -Indexes FollowSymLinks
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme FlashAccessV3
HdsDrmCommonKeyFile "../creds/common-key.bin"
HdsDrmLicenseServerURL http://<aaxs-test-server>/
HdsDrmTransportCertFile aaxs-test-server-trnsCert.der
HdsDrmLicenseServerCertFile aaxs-test-server-licCert.der
HdsDrmPackagerCredentialFile aaxs-test-server-pkgrCert.pfx
HdsDrmPackagerCredentialPassword pwd=
HdsDrmPolicyFile sample_policy.pol
HdsDrmEnableKeyRotation true
HdsDrmKeyRotationInterval 500
</Location>
Application level - Adobe Access
Parameter | Description | Default value
HDS/Recording/ContentProtection/FlashAccessV3/EnableKeyRotation | Whether to use Key Rotation with the AAXS protection scheme | false
HDS/Recording/ContentProtection/FlashAccessV3/KeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
HDS/Recording/ContentProtection/FlashAccessV3/KeyRotationFilePath | The file containing the rotation keys to be used. This file contains a sequence of rotated keys used to encrypt content. If no file is specified, randomly generated keys are used. The keys must be 16 bytes in length and specified as hex values. | Randomly generated keys are used (as described below)
The following Application.xml enables key rotation at the application level:
<Application>
<StreamManager>
<Live>
<AssumeAbsoluteTime>true</AssumeAbsoluteTime>
<PublishTimeout>0</PublishTimeout>
<AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
<AdjustForRecordingRollover>false</AdjustForRecordingRollover>
</Live>
</StreamManager>
<HDS>
<Recording>
<ContentProtection enabled="true">
<ProtectionScheme>FlashAccessV3</ProtectionScheme>
<FlashAccessV3>
<ContentID>liveevent</ContentID>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
<TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
<LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
<PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
<PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
<PolicyFile>sample_policy.pol</PolicyFile>
<EnableKeyRotation>true</EnableKeyRotation>
<KeyRotationInterval>500</KeyRotationInterval>
<KeyRotationFilePath>sample_keys.txt</KeyRotationFilePath>
</FlashAccessV3>
</ContentProtection>
</Recording>
</HDS>
</Application>
Event level - Adobe Access
Parameter | Description | Default value
Recording/ContentProtection/FlashAccessV3/EnableKeyRotation | Whether to use Key Rotation with the AAXS protection scheme | false
Recording/ContentProtection/FlashAccessV3/KeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
Recording/ContentProtection/FlashAccessV3/KeyRotationFilePath | The file containing the rotation keys to be used. This file contains a sequence of rotated keys used to encrypt content. If no file is specified, randomly generated keys are used. The keys must be 16 bytes in length and specified as hex values. | Randomly generated keys are used (as described below)
The following Event.xml enables key rotation at the event level:
<Event>
<EventID>liveevent</EventID>
<Recording>
<FragmentDuration>4000</FragmentDuration>
<SegmentDuration>400000</SegmentDuration>
<DiskManagementDuration>3</DiskManagementDuration>
<ContentProtection enabled="true">
<ProtectionScheme>FlashAccessV3</ProtectionScheme>
<FlashAccessV3>
<ContentID>liveevent</ContentID>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
<TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
<LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
<PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
<PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
<PolicyFile>sample_policy.pol</PolicyFile>
<EnableKeyRotation>true</EnableKeyRotation>
<KeyRotationInterval>500</KeyRotationInterval>
<KeyRotationFilePath>sample_keys.txt</KeyRotationFilePath>
</FlashAccessV3>
</ContentProtection>
</Recording>
</Event>
HdsDrmKeyRotationFilePath takes a path relative to <AMS-Install>/applications/<application-name>/.
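The page states only that the rotation keys are 16 bytes written as hex. The following Python script, added here and not part of Adobe's documentation, generates such a key file from the operating system's random source and validates an existing one (malformed, all-zero and duplicate keys are reported). It assumes one hex key per line, which the page does not state; the file name sample_keys.txt is the one used in the KeyRotationFilePath examples above.

```python
"""Generate and validate a key-rotation file for Adobe Media Server.

Added example, not Adobe's code. Assumed (not stated on the page): one key
per line, each key as 32 hex characters (16 bytes); blank lines are ignored.
"""
from __future__ import annotations

import re
import secrets
from pathlib import Path

KEY_BYTES = 16                                  # the page requires 16-byte keys
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")   # 16 bytes = 32 hex digits


def generate_rotation_keys(count: int) -> list[str]:
    """Return `count` distinct random 16-byte keys as lowercase hex strings."""
    keys: list[str] = []
    seen: set[str] = set()
    while len(keys) < count:
        key = secrets.token_hex(KEY_BYTES)      # CSPRNG-backed (os.urandom)
        if key not in seen:                     # a collision is astronomically
            seen.add(key)                       # unlikely, but keys must be distinct
            keys.append(key)
    return keys


def write_rotation_file(path: Path, keys: list[str]) -> None:
    """Write one hex key per line and restrict the file to its owner."""
    path.write_text("\n".join(keys) + "\n", encoding="ascii")
    path.chmod(0o600)                           # key material: owner read/write only


def validate_rotation_file(text: str) -> list[str]:
    """Return the problems found in a key file's contents (empty list = OK)."""
    problems: list[str] = []
    seen: dict[str, int] = {}
    lines = [line.strip() for line in text.splitlines()]
    if not any(lines):
        problems.append("file contains no keys")
    for lineno, raw in enumerate(lines, start=1):
        if not raw:
            continue                            # blank line, ignored
        if not HEX_KEY_RE.match(raw):
            problems.append(f"line {lineno}: not a 16-byte hex key ({raw!r})")
            continue
        key = raw.lower()
        if key == "0" * 32:
            problems.append(f"line {lineno}: all-zero key")
        if key in seen:
            problems.append(f"line {lineno}: duplicate of line {seen[key]}")
        else:
            seen[key] = lineno
    return problems


if __name__ == "__main__":
    # sample_keys.txt is the path the page's KeyRotationFilePath examples use
    out = Path("sample_keys.txt")
    write_rotation_file(out, generate_rotation_keys(8))
    found = validate_rotation_file(out.read_text(encoding="ascii"))
    print("OK" if not found else "\n".join(found))
```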
Server level - PHDS
Parameter | Description | Default value
PHDSEnableKeyRotation | Whether to use Key Rotation with the PHDS protection scheme | false
PHDSKeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
The following httpd.conf configuration enables key rotation at the server level:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
Options -Indexes FollowSymLinks
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme PHDS
PHDSVideoEncryptionLevel 2
PHDSPlaybackExpiration 24Hours
PHDSOutputProtection None
PHDSEnableKeyRotation true
PHDSKeyRotationInterval 500
</Location>
Application level - PHDS
Parameter | Description | Default value
HDS/Recording/ContentProtection/PHDS/EnableKeyRotation | Whether to use Key Rotation with the PHDS protection scheme | false
HDS/Recording/ContentProtection/PHDS/KeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
The following Application.xml enables key rotation at the application level:
<Application>
<StreamManager>
<Live>
<AssumeAbsoluteTime>true</AssumeAbsoluteTime>
<PublishTimeout>0</PublishTimeout>
<AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
<AdjustForRecordingRollover>false</AdjustForRecordingRollover>
</Live>
</StreamManager>
<HDS>
<Recording>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
<PHDS>
<VideoEncryptionLevel>2</VideoEncryptionLevel>
<OutputProtection>None</OutputProtection>
<PlaybackExpiration>24Hours</PlaybackExpiration>
<EnableKeyRotation>true</EnableKeyRotation>
<KeyRotationInterval>500</KeyRotationInterval>
</PHDS>
</ContentProtection>
</Recording>
</HDS>
</Application>
Event level - PHDS
Parameter | Description | Default value
Recording/ContentProtection/PHDS/EnableKeyRotation | Whether to use Key Rotation with the PHDS protection scheme | false
Recording/ContentProtection/PHDS/KeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
The following Event.xml enables key rotation at the event level:
<Event>
<EventID>liveevent</EventID>
<Recording>
<FragmentDuration>4000</FragmentDuration>
<SegmentDuration>400000</SegmentDuration>
<DiskManagementDuration>3</DiskManagementDuration>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
<PHDS>
<VideoEncryptionLevel>2</VideoEncryptionLevel>
<OutputProtection>None</OutputProtection>
<PlaybackExpiration>24Hours</PlaybackExpiration>
<EnableKeyRotation>true</EnableKeyRotation>
<KeyRotationInterval>500</KeyRotationInterval>
</PHDS>
</ContentProtection>
</Recording>
</Event>
Disable JIT encryption for F4F content
When PHDS/Adobe Access protection is enabled, the server ingests a stream and packages it into F4F stream data. By default the unencrypted F4F data is taken as the source and encrypted just in time, using the PHDS/Adobe Access configuration. To force the server to store the ingested stream as encrypted F4F data instead, and so disable just-in-time (JIT) encryption of the F4F data, a special configuration is required.
The following table contains the configuration directive for enabling and disabling JIT encryption at server level:
httpd.conf tags:
Directive | Description | Default value
HttpStreamingJITEncryption | To disable just-in-time encryption, set the value to "false". | true
<AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml tags:
Directive | Description | Default value
HDS/Recording/JITEncryption | To disable just-in-time encryption, set the value to "false". | false
The tags HttpStreamingJITEncryption and JITEncryption both must be set to false to disable JIT encryption.
When JITEncryption is set to false:
Specify server-level encryption settings (PHDS/Adobe Access) in <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml.
The ingested stream is stored as encrypted F4F content, so the DRM metadata (DRMmeta) file is stored on the server inside the F4F content.
The following configurations in httpd.conf will disable JIT encryption server wide:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingJITEncryption false
Options -Indexes FollowSymLinks
</Location>
The following configuration for <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml enables PHDS protection:
<Application>
<!-- This section provides the means to control the behavior of -->
<!-- application-specific HTTP dynamic streaming functionality. -->
<HDS>
<!-- This section controls the behavior of HTTP live recording -->
<Recording>
<!-- The enabled attribute can be set to "true", "false" or "allow". -->
<!-- Content protection is enabled when the attribute is set to "true", -->
<!-- and disabled when set to "false". -->
<!-- If enabled is set to "allow", then Event.xml will -->
<!-- override the ContentProtection tag completely. And none of the -->
<!-- settings inside the ContentProtection will be used. And if -->
<!-- ContentProtection is not specified in Event.xml, then content -->
<!-- protection will be disabled by default. -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
<PHDS>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<VideoEncryptionLevel>2</VideoEncryptionLevel>
<PlaybackExpiration>24Hours</PlaybackExpiration>
<OutputProtection>None</OutputProtection>
</PHDS>
</ContentProtection>
</Recording>
</HDS>
</Application>
The following configuration for <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml enables Adobe Access protection:
<Application>
<!-- This section provides the means to control the behavior of -->
<!-- application-specific HTTP dynamic streaming functionality. -->
<HDS>
<!-- This section controls the behavior of HTTP live recording -->
<Recording>
<!-- The enabled attribute can be set to "true", "false" or "allow". -->
<!-- Content protection is enabled when the attribute is set to "true", -->
<!-- and disabled when set to "false". -->
<!-- If enabled is set to "allow", then Event.xml will -->
<!-- override the ContentProtection tag completely. And none of the -->
<!-- settings inside the ContentProtection will be used. And if -->
<!-- ContentProtection is not specified in Event.xml, then content -->
<!-- protection will be disabled by default. -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="true">
<ProtectionScheme>FlashAccessV2</ProtectionScheme>
<FlashAccessV2>
<ContentID>liveevent</ContentID>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
<TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
<LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
<PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
<PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
<PolicyFile>sample_policy.pol</PolicyFile>
</FlashAccessV2>
</ContentProtection>
</Recording>
</HDS>
</Application>
Configure system for encrypted live stream in HLS and HDS
You do not need two different recording applications for HDS and HLS if JIT encryption is on. The live content is stored unencrypted on disk and later encrypted dynamically by the HDS or HLS modules of Apache. By default JIT encryption is on unless the HttpStreamingJITEncryption and JITEncryption tags are set to false.
Publishing one set of streams to Adobe Media Server for delivery with live PHLS and PHDS requires special configuration when JIT encryption is off. When PHDS is enabled and JIT encryption is off, the server ingests a stream and packages it into encrypted F4F data. However, PHLS requires unencrypted data as its source; it is not possible to take the encrypted F4F data and encrypt it again for PHLS. To deliver protected content to Flash Player/AIR and iOS devices, configure your encoder to publish to two different applications, one for HDS and one for HLS.
Create two copies of the livepkgr application. Name them “livepkgr_hds” and “livepkgr_hls”.
Configure the <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml as following:
<Application>
<!-- This section provides the ways to control the behavior of -->
<!-- application-specific HTTP dynamic streaming functionality. -->
<HDS>
<!-- This section controls the behavior of HTTP live recording -->
<Recording>
<!-- The enabled attribute can be set to "true", "false" or "allow". -->
<!-- Content protection is enabled when the attribute is set to "true", -->
<!-- and disabled when set to "false". -->
<!-- If enabled is set to "allow", then Event.xml will -->
<!-- override the ContentProtection tag completely. And none of the -->
<!-- settings inside the ContentProtection will be used. And if -->
<!-- ContentProtection is not specified in Event.xml, then content -->
<!-- protection will be disabled by default. -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="allow">
</ContentProtection>
</Recording>
</HDS>
</Application>
Configure the <AMS-Install>/applications/livepkgr_hds/Application.xml as follows:
<Application>
<StreamManager>
<Live>
<AssumeAbsoluteTime>true</AssumeAbsoluteTime>
<PublishTimeout>0</PublishTimeout>
<AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
<AdjustForRecordingRollover>false</AdjustForRecordingRollover>
</Live>
</StreamManager>
<HDS>
<Recording>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
<PHDS>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<VideoEncryptionLevel>2</VideoEncryptionLevel>
<PlaybackExpiration>24Hours</PlaybackExpiration>
<OutputProtection>None</OutputProtection>
</PHDS>
</ContentProtection>
</Recording>
</HDS>
</Application>
Configure the httpd.conf files as follows:
For PHDS, use the following Location directive:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications/livepkgr_hds"
HttpStreamingContentPath "../applications/livepkgr_hds"
HttpStreamingURLSandboxLevel "App"
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingJITEncryption false
Options -Indexes FollowSymLinks
</Location>
For PHLS, use the following Location directive:
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications/livepkgr_hls"
HttpStreamingContentPath "../applications/livepkgr_hls"
HttpStreamingURLSandboxLevel "App"
HLSMediaFileDuration 8000
HLSSlidingWindowLength 6
HLSFmsDirPath ".."
HttpStreamingUnavailableResponseCode 503
HLSEncryptionScope server
HLSProtectionScheme PHLS
</Location>
Restart Apache.
Publish streams from Flash Media Live Encoder to the livepkgr_hds and livepkgr_hls applications. Use the stream name livestream%i?adbe-live-event=liveevent.
The request URL for PHDS is http://<serveruri>/hds-live/_definst_/<liveevent>.f4m and the request URL for PHLS is http://<serveruri>/hls-live/_definst_/<liveevent>.m3u8. Because the directive HttpStreamingURLSandboxLevel is set to "App", the request URL doesn’t use the application name.
note: In this case, copy the common-key.bin from <AMS Install>/creds directory to <AMS Install>/applications/livepkgr_hds/.
Similarly, by following the above mentioned steps, Adobe Access configurations can also be used with HDS and HLS.
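As an added example (not Adobe's code), the following Python script applies the two rules of this section to a pair of constructed configuration texts: it reports whether JIT encryption is effectively off for each HDS Location, which requires both HttpStreamingJITEncryption in httpd.conf and the vhost JITEncryption tag to be false, and it warns when an HDS Location and an HLS Location with JIT off read the same application directory, since PHLS cannot re-encrypt already encrypted F4F data. The regex-based httpd.conf parsing assumes one directive per line.

```python
"""Report the effective JIT-encryption state of an Adobe Media Server setup.

Added example, not Adobe's code. It encodes two rules from the page:
JIT encryption is off only when HttpStreamingJITEncryption (httpd.conf) AND
HDS/Recording/JITEncryption (vhost Application.xml) are both false; and
with JIT off, an HDS Location and an HLS Location must not read the same
application. Both configuration texts below are constructed samples.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S)
# one directive per line: NAME VALUE, with optional surrounding double quotes
DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+"?([^"\n]*?)"?\s*$', re.M)


def parse_locations(httpd_conf: str) -> dict[str, dict[str, str]]:
    """Map each <Location> path to its {directive: value} pairs."""
    return {path: dict(DIRECTIVE_RE.findall(body))
            for path, body in LOCATION_RE.findall(httpd_conf)}


def vhost_jit_enabled(application_xml: str) -> bool:
    """True unless HDS/Recording/JITEncryption is explicitly 'false'.

    The page's prose says JIT encryption is on by default, so an absent
    tag is treated as 'true' here.
    """
    node = ET.fromstring(application_xml).find("HDS/Recording/JITEncryption")
    return node is None or (node.text or "").strip().lower() != "false"


def jit_disabled_for(location: dict[str, str], vhost_jit_on: bool) -> bool:
    """Both switches must be false for JIT encryption to be off."""
    flag = location.get("HttpStreamingJITEncryption", "true").strip().lower()
    return flag == "false" and not vhost_jit_on


def run_check(httpd_conf: str, vhost_xml: str) -> dict:
    """Return {'jit_disabled': {hds_path: bool}, 'warnings': [str, ...]}."""
    locations = parse_locations(httpd_conf)
    vhost_on = vhost_jit_enabled(vhost_xml)
    hls = {p: d for p, d in locations.items()
           if d.get("HLSHttpStreamingEnabled", "").lower() == "true"}
    report: dict = {"jit_disabled": {}, "warnings": []}
    for path, d in locations.items():
        if d.get("HttpStreamingEnabled", "").lower() != "true":
            continue                    # not an HDS location
        disabled = jit_disabled_for(d, vhost_on)
        report["jit_disabled"][path] = disabled
        if not disabled:
            continue                    # JIT on: one application may feed both
        src = d.get("HttpStreamingLiveEventPath")
        for hls_path, hd in hls.items():
            if hd.get("HttpStreamingLiveEventPath") == src:
                report["warnings"].append(
                    f"{path} and {hls_path} both read {src}: with JIT "
                    "encryption off PHLS cannot re-encrypt encrypted F4F; "
                    "publish to separate livepkgr_hds/livepkgr_hls apps")
    return report


# Constructed sample: JIT off in both places, but HDS and HLS share one application.
SAMPLE_HTTPD_CONF = """
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications/livepkgr"
HttpStreamingContentPath "../applications/livepkgr"
HttpStreamingJITEncryption false
Options -Indexes FollowSymLinks
</Location>
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications/livepkgr"
HttpStreamingContentPath "../applications/livepkgr"
HLSEncryptionScope server
HLSProtectionScheme PHLS
</Location>
"""

SAMPLE_VHOST_XML = """<Application>
<HDS>
<Recording>
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="allow"></ContentProtection>
</Recording>
</HDS>
</Application>"""

if __name__ == "__main__":
    result = run_check(SAMPLE_HTTPD_CONF, SAMPLE_VHOST_XML)
    print(result["jit_disabled"])       # {'/hds-live': True}
    for warning in result["warnings"]:
        print("WARNING:", warning)
```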
VOD use case
Configure PHDS for on-demand streaming at the following levels:
Server—rootinstall/Apache2.4/conf/httpd.conf
Stream—create a jit.conf file and copy it to the same directory as the content.
Getting started
To quickly get started with PHDS, you need to understand the following directives:
Directive | Default value | Description
EncryptionScope | None | Possible values are content and server. When the value is content, PHDS configuration settings in the jit.conf file override settings in the httpd.conf file. When the value is server, the server uses configuration settings in the httpd.conf file.
ProtectionScheme | None | A string determining the type of protection. For PHDS, use PHDS.
The simplest way to configure on-demand PHDS is to uncomment two lines in the Apache httpd.conf file:
<IfModule jithttp_module>
<Location /hds-vod>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
# Uncomment the following directives to enable encryption
# for this location.
EncryptionScope server
ProtectionScheme phds
</Location>
</IfModule>
This configuration will enable PHDS at the server level.
The sample1_1500kbps.f4v media file comes with the default installation of AMS under <root-install>/webroot. Play back the media file sample1_1500kbps.f4v using the following URI: http://<server-ip>/hds-vod/sample1_1500kbps.f4v.f4m
Detailed configuration
The following sections provide detailed configurations for both PHDS and Adobe Access.
Server level
The following sections explain how content protection can be applied across the server:
Common configurations
Directive | Default value | Description
EncryptionScope | content | Server-wide configuration that sets the encryption policy. Possible values are server, content, and off. server: ALL content is protected according to the Apache configuration (jit.conf is ignored). content: content is protected or unprotected according to the jit.conf file, whose PHDS settings override settings in the httpd.conf file. off: ALL content is unprotected (jit.conf is ignored).
ProtectionScheme | PHDS | A string determining the type of protection. Possible values are PHDS and FlashAccessV2.
PHDS configurations
Configure the following directives for the jithttp_module in the Apache httpd.conf file:
Directive | Default value | Description
PHDSCommonKeyFile | creds/common-key.bin (this file is generated during installation) | A common key used to protect content at this location.
PHDSPlaybackExpiration | 24Hours | The duration within which content playback is available. Possible values are 24Hours and Unlimited.
PHDSOutputProtection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required.
PHDSVideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings provide partial encryption: only a subset of the samples (such as video keyframes) is encrypted. Partial encryption can improve playback performance on the client, because there are fewer frames to decrypt.
HdsDrmContentID | Logical path to jit.conf | You can manually specify the content ID, which is used for all the files.
Adobe Access configurations
Directive | Default Value | Description
JitDrmCommonKeyFile | None | A common key used to protect content at this location. The JitDrmCommonKeyFile path is relative to rootinstall/Apache2.4.
JitDrmLicenseServerURL | None | The URL of the license server used for protecting content.
JitDrmTransportCertFile | None | The transport certificate used for protecting content.
JitDrmPackagerCredentialFile | None | The Packager credential used for protecting content.
JitDrmPackagerCredentialPassword | None | The Packager credential password for the configured packager credential file.
JitDrmPolicyFile | None | Policy for protecting content.
The following example adds a new Location directive. Requests that include /phds serve protected content. This configuration does not define PHDSPlaybackExpiration, PHDSVideoEncryptionLevel, or PHDSCommonKeyFile, but relies on their default values:
LoadModule jithttp_module modules/mod_jithttp.so
<IfModule jithttp_module>
<Location /phds>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope server
ProtectionScheme phds
</Location>
</IfModule>
When a media player requests content from the /webroot/vod folder, it is protected. For example, request the following URL from the sample video player:
http://localhost:8134/phds/sample1_1500kbps.f4v.f4m
To verify that the content is protected, enter the same URL into the address bar of a web browser. The XML response contains a <drmAdditionalHeader> element like the following. The drmAdditionalHeader shows the path of the file without the file name.
<?xml version="1.0" encoding="UTF-8" ?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0">
<id>sample1_1500kbps.f4v</id>
<streamType>recorded</streamType>
<duration>114.61450000000001</duration>
<bootstrapInfo profile="named" id="bootstrap776">AAABq2Fic3QAAAAAAAA</bootstrapInfo>
<drmAdditionalHeader drmContentId="/hds-vod" id="drmMetadata867">AgARfEFkZGl0aW9uYWxIZWFkZXIDAAp</drmAdditionalHeader>
<media streamId="sample1_1500kbps.f4v" url="sample1_1500kbps.f4v" bootstrapInfoId="bootstrap776" drmAdditionalHeaderId="drmMetadata867">
<metadata>AgAKb25NZXRhRGF0</metadata>
</media>
</manifest>
The <bootstrapInfo>, <drmAdditionalHeader>, and <metadata> information has been abridged for readability.
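Reading the manifest by eye scales poorly once there are several bitrates. The following Python script, added here and not part of Adobe's documentation, parses an F4M manifest in the f4m namespace and reports per <media> entry whether its drmAdditionalHeaderId resolves to a <drmAdditionalHeader>, which is the check the paragraph above describes. The first sample is the page's abridged response re-typed inline; the second is a constructed multi-bitrate manifest in which one entry points at a header id that does not exist.

```python
"""Verify from its F4M manifest that on-demand HDS content is protected.

Added example, not Adobe's code. A <media> element counts as protected
only when its drmAdditionalHeaderId resolves to a <drmAdditionalHeader>
present in the same manifest. Both manifests below are constructed samples
(the first re-types the page's abridged server response).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

F4M_NS = {"f4m": "http://ns.adobe.com/f4m/1.0"}

PROTECTED_MANIFEST = """<?xml version="1.0" encoding="UTF-8" ?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0">
<id>sample1_1500kbps.f4v</id>
<streamType>recorded</streamType>
<duration>114.61450000000001</duration>
<bootstrapInfo profile="named" id="bootstrap776">AAABq2Fic3QAAAAAAAA</bootstrapInfo>
<drmAdditionalHeader drmContentId="/hds-vod" id="drmMetadata867">AgARfEFkZGl0aW9uYWxIZWFkZXIDAAp</drmAdditionalHeader>
<media streamId="sample1_1500kbps.f4v" url="sample1_1500kbps.f4v" bootstrapInfoId="bootstrap776" drmAdditionalHeaderId="drmMetadata867">
<metadata>AgAKb25NZXRhRGF0</metadata>
</media>
</manifest>"""

# Constructed: two bitrates, the second referencing a header id that is absent.
BROKEN_MANIFEST = """<manifest xmlns="http://ns.adobe.com/f4m/1.0">
<id>sample1</id>
<drmAdditionalHeader drmContentId="/hds-vod" id="drm1">AgAR</drmAdditionalHeader>
<media streamId="lo" url="sample1_500kbps.f4v" bitrate="500" drmAdditionalHeaderId="drm1"/>
<media streamId="hi" url="sample1_1500kbps.f4v" bitrate="1500" drmAdditionalHeaderId="drm9"/>
</manifest>"""


def protection_report(manifest_xml: str) -> dict:
    """Return header ids, per-media protection status and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    # id -> drmContentId for every DRM header the manifest carries
    headers = {h.get("id"): h.get("drmContentId")
               for h in root.findall("f4m:drmAdditionalHeader", F4M_NS)}
    media = []
    for m in root.findall("f4m:media", F4M_NS):
        header_id = m.get("drmAdditionalHeaderId")
        media.append({
            "url": m.get("url"),
            "headerId": header_id,
            # a missing or dangling reference means the rendition is served in the clear
            "protected": header_id is not None and header_id in headers,
            "drmContentId": headers.get(header_id),
        })
    return {
        "headers": headers,
        "media": media,
        # an empty manifest is not "all protected"
        "allProtected": bool(media) and all(x["protected"] for x in media),
    }


if __name__ == "__main__":
    for name, xml in (("protected", PROTECTED_MANIFEST), ("broken", BROKEN_MANIFEST)):
        report = protection_report(xml)
        print(name, "all protected:", report["allProtected"])
        for entry in report["media"]:
            state = "protected" if entry["protected"] else "NOT protected"
            print("  ", entry["url"], state, entry["drmContentId"])
```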
The following example adds a new Location directive. Requests that include /hds-vod-fax serve protected content through Adobe Access:
<Location /hds-vod-fax>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
HttpStreamingJITConfAllowed true
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope server
ProtectionScheme FlashAccessV2
# Common key to be used to protect content at this location. No default.
JitDrmCommonKeyFile common-key.bin
# License server URL used when protecting content at this location. No default.
JitDrmLicenseServerURL http://<aaxs-test-server>/
# Transport certificate used when protecting content at this location. No default.
JitDrmTransportCertFile aaxs-test-server-trnsCert.der
# License server certificate used when protecting content at this location. No default.
JitDrmLicenseServerCertFile aaxs-test-server-licCert.der
# Packager credential used when protecting content at this location. No default.
JitDrmPackagerCredentialFile aaxs-test-server-pkgrCert.pfx
# Packager credential password for the configured packager credential file. No default.
JitDrmPackagerCredentialPassword pwd=
# Policy to be used when protecting content at this location. No default.
JitDrmPolicyFile sample_policy.pol
</Location>
JitDrmCommonKeyFile takes a path relative to <AMS-Install>/Apache2.4.
Stream level
To configure encryption parameters for individual sets of media, follow the configurations mentioned below.
Common configurations
Element | Default value | Description
//manifest/hds:content-protection enabled | false | To enable content protection with Adobe Access or PHDS, set the enabled attribute to "true".
//manifest/hds:content-protection/hds:protection-scheme | PHDS | The type of protection. The possible values are PHDS and FlashAccessV2 only. For PHDS, use PHDS.
PHDS configurations
Element | Default value | Description
//manifest/hds:content-protection/hds:phds/hds:common-key-file | creds/common-key.bin | Path to a common key file generated when the server installs. The file contains a 16-byte/128-bit random key. This path can be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:phds/hds:video-encryption-level | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings provide partial encryption: only a subset of the samples (such as video keyframes) is encrypted. Partial encryption can improve playback performance on the client because there are fewer frames to decrypt.
//manifest/hds:content-protection/hds:phds/hds:playback-expiration | 24Hours | The protection policy. The policy determines the duration within which content playback is available. Possible values are 24Hours and Unlimited.
//manifest/hds:content-protection/hds:phds/hds:output-protection | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required.
Adobe Access configurations
Element | Default value | Description
//manifest/hds:content-protection/hds:flash-access/hds:common-key-file | None | The path to the common key file. The file contains a 16-byte/128-bit random key. The path must be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:content-id | None | The Content ID to be used for content protection. If not specified, the salt is the filename. If specified, the salt is shared with all content in the directory.
//manifest/hds:content-protection/hds:flash-access/hds:license-server-url | None | The License Server URL.
//manifest/hds:content-protection/hds:flash-access/hds:transport-cert-file | None | The path to the transport cert file. The file is in DER format. The path should be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:license-server-cert-file | None | The path to the license cert file. The file is in DER format. The path should be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:packager-credential-file | None | The path to the packager credential cert file. The file is in PFX format. The path should be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:packager-credential-password | None | The packager credential password.
//manifest/hds:content-protection/hds:flash-access/hds:policy-file | None | The path to a policy file. The file is in Adobe Access policy format. The path should be absolute or relative to the jit.conf file.
The following httpd.conf file sets EncryptionScope to content. This setting tells the server that configuration settings in the jit.conf file override settings in the httpd.conf file. Use this setting to configure PHDS/Adobe Access for individual sets of media.
LoadModule jithttp_module modules/mod_jithttp.so
<IfModule jithttp_module>
<Location /hds-vod>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope content
</Location>
</IfModule>
The following accompanying jit.conf file, placed in the same directory as the on-demand media files (/webroot/vod), enables PHDS:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<frame-rate>29.97</frame-rate>
<frames-per-keyframe-interval>60</frames-per-keyframe-interval>
<hds:content-protection enabled="true">
<hds:protection-scheme>phds</hds:protection-scheme>
<hds:phds>
<hds:common-key-file>C:\Program Files\Adobe\Adobe Media Server 5\creds\common-key.bin</hds:common-key-file>
<hds:video-encryption-level>0</hds:video-encryption-level>
<hds:playback-expiration>unlimited</hds:playback-expiration>
</hds:phds>
</hds:content-protection>
</manifest>
The following accompanying jit.conf file, placed in the same directory as the on-demand media files (/webroot/vod), enables Adobe Access:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:content-protection enabled="true">
<hds:protection-scheme>FlashAccessV2</hds:protection-scheme>
<hds:FlashAccessV2>
<hds:content-id>jit_fax2</hds:content-id>
<hds:common-key-file>common-key.bin</hds:common-key-file>
<hds:license-server-url>http://<aaxs-test-server></hds:license-server-url>
<hds:transport-cert-file>aaxs-test-server-trnsCert.der</hds:transport-cert-file>
<hds:license-server-cert-file>aaxs-test-server-licCert.der</hds:license-server-cert-file>
<hds:packager-credential-file>aaxs-test-server-pkgrCert.pfx</hds:packager-credential-file>
<hds:packager-credential-password>pwd=</hds:packager-credential-password>
<hds:policy-file>sample_policy.pol</hds:policy-file>
</hds:FlashAccessV2>
</hds:content-protection>
</manifest>
common-key-file takes a path relative to <AMS-Install>/webroot/vod.
Key rotation
Adobe Media Server 5 supports Key Rotation for protected HTTP Dynamic Streaming when used with Adobe Access and PHDS. You can encrypt content packaged with AMS 5 using a set of keys. You can periodically change the encryption key and specify how often the content encryption key is to be changed.
Adobe Access Settings
Parameter | Description | Default value
JitDrmEnableKeyRotation | Whether to use Key Rotation with the FAXS protection scheme. In this case, randomly generated keys are used. | false
JitDrmKeyRotationInterval | Key rotation interval to be used (in seconds), when enabling key rotation. | 900 seconds
The following httpd.conf configuration enables key rotation at the server level:
<Location /hds-vod>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
HttpStreamingJITConfAllowed true
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope server
ProtectionScheme FlashAccessV3
JitDrmCommonKeyFile ../creds/common-key.bin
JitDrmLicenseServerURL http://ip-address:8090
JitDrmTransportCertFile dme/transport-cert-file.der
JitDrmLicenseServerCertFile dme/transport-cert-file.der
JitDrmPackagerCredentialFile dme/transport-cert-file.pfx
JitDrmPackagerCredentialPassword kY2IUPnQuG0=
JitDrmPolicyFile dme/local_chain.pol
JitDrmEnableKeyRotation true
JitDrmKeyRotationInterval 16
</Location>
Jit.conf
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:content-protection enabled="true">
<hds:protection-scheme>FlashAccessV3</hds:protection-scheme>
<hds:Flashaccessv3>
<hds:content-id>jit_fax3</hds:content-id>
<hds:common-key-file>../../creds/common-key.bin</hds:common-key-file>
<hds:license-server-url>http://10.192.37.195:8090/</hds:license-server-url>
<hds:transport-cert-file>../dme/transport-cert-file.der</hds:transport-cert-file>
<hds:license-server-cert-file>../dme/transport-cert-file.der</hds:license-server-cert-file>
<hds:packager-credential-file>../dme/transport-cert-file.pfx</hds:packager-credential-file>
<hds:packager-credential-password>kY2IUPnQuG0=</hds:packager-credential-password>
<hds:policy-file>../dme/local_chain.pol</hds:policy-file>
<hds:enable-key-rotation>true</hds:enable-key-rotation>
<hds:key-rotation-interval>900</hds:key-rotation-interval>
</hds:Flashaccessv3>
</hds:content-protection>
</manifest>
PHDS - Settings
This section explains key rotation settings for PHDS.
Parameter | Description | Default value |
---|---|---|
PHDSEnableKeyRotation | Whether to use Key Rotation with the PHDS protection scheme. In this case, randomly generated keys are used. | false |
PHDSKeyRotationInterval | Key rotation interval to be used (in seconds) when key rotation is enabled. | 900 seconds |
The following httpd.conf enables key rotation at the server level:

<Location /hds-vod>
    HttpStreamingJITPEnabled true
    HttpStreamingContentPath "../webroot/vod"
    HttpStreamingJITConfAllowed true
    JitFmsDirPath ".."
    Options -Indexes FollowSymLinks
    EncryptionScope server
    ProtectionScheme PHDS
    PHDSCommonKeyFile ../creds/common-key.bin
    PHDSEnableKeyRotation true
    PHDSKeyRotationInterval 16
</Location>
Jit.conf

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
    <hds:content-protection enabled="true">
        <hds:protection-scheme>PHDS</hds:protection-scheme>
        <hds:PHDS>
            <hds:content-id>jit_phds</hds:content-id>
            <hds:common-key-file>../../creds/common-key.bin</hds:common-key-file>
            <hds:enable-key-rotation>true</hds:enable-key-rotation>
            <hds:key-rotation-interval>900</hds:key-rotation-interval>
        </hds:PHDS>
    </hds:content-protection>
</manifest>
License chaining
Adobe Media Server will support embedding leaf licenses in the DRM metadata from the policy generated using a chained license. Adobe Media Server will need the license server credential and the credential password configured so that the root license from the policy can be used to encrypt the CEK contained in the embedded leaf license.
If the configuration for embedding the leaf license is turned off, Adobe Media Server will still support such a policy except that the leaf license will not be embedded in the DRM metadata.
The support will be limited to a single license server credential and credential-password pair.
The following table provides the required configuration:
Parameter | Description | Default value |
---|---|---|
JitDrmEmbedLeafLicense | Enables embedding of leaf licenses in DRM metadata. Possible values are "true" or "false". Note: the policy file must be created using a chained license. | false |
JitDrmLicenseServerCredentialFile | Required if HdsDrmEmbedLeafLicense is set to true. The license server credential used when protecting content at this location. | NA |
JitDrmLicenseServerCredentialPassword | Required if HdsDrmEmbedLeafLicense is set to true. The license server credential password for the configured license server credential file. | NA |
The following httpd.conf enables embedding of leaf licenses at the server level:

<Location /hds-vod>
    HttpStreamingJITPEnabled true
    HttpStreamingContentPath "../webroot/vod"
    HttpStreamingJITConfAllowed true
    JitFmsDirPath ".."
    Options -Indexes FollowSymLinks
    EncryptionScope server
    ProtectionScheme FlashAccessV3
    JitDrmCommonKeyFile ../creds/common-key.bin
    JitDrmLicenseServerURL http://ip-address:8090
    JitDrmTransportCertFile dme/transport-cert-file.der
    JitDrmLicenseServerCertFile dme/transport-cert-file.der
    JitDrmPackagerCredentialFile dme/transport-cert-file.pfx
    JitDrmPackagerCredentialPassword kY2IUPnQuG0=
    JitDrmPolicyFile dme/local_chain.pol
    JitDrmEmbedLeafLicense true
    JitDrmLicenseServerCredentialFile dme/transport-cert-file.pfx
    JitDrmLicenseServerCredentialPassword kY2IUPnQuG0=
</Location>
Jit.conf

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
    <hds:content-protection enabled="true">
        <hds:protection-scheme>FlashAccessV3</hds:protection-scheme>
        <hds:Flashaccessv3>
            <hds:content-id>jit_fax3</hds:content-id>
            <hds:common-key-file>../../creds/common-key.bin</hds:common-key-file>
            <hds:license-server-url>http://localhost:8090/</hds:license-server-url>
            <hds:transport-cert-file>../dme/transport-cert-file.der</hds:transport-cert-file>
            <hds:license-server-cert-file>../dme/transport-cert-file.der</hds:license-server-cert-file>
            <hds:packager-credential-file>../dme/transport-cert-file.pfx</hds:packager-credential-file>
            <hds:packager-credential-password>kY2IUPnQuG0=</hds:packager-credential-password>
            <hds:policy-file>../dme/local_chain.pol</hds:policy-file>
            <hds:embed-leaf-license>true</hds:embed-leaf-license>
            <hds:license-server-credential-file>../dme/transport-cert-file.pfx</hds:license-server-credential-file>
            <hds:license-server-credential-password>kY2IUPnQuG0=</hds:license-server-credential-password>
        </hds:Flashaccessv3>
    </hds:content-protection>
</manifest>
SWF verification for Protected HTTP Dynamic Streaming
SWF verification prevents unauthorized SWF files from accessing content. To use SWF verification, you must enable Protected HTTP Dynamic Streaming (PHDS).
Create a list of authorized SWF files, called a whitelist. These files are specified in the embedded license and sent to the client inside the DRM metadata. On the client, SWF verification is enforced by Adobe Access inside of Flash Player and AIR.
To create the whitelist, use the Whitelist tool (rootinstall/tools/Whitelist).
Workflow
- Enable PHDS.
- Use the whitelist tool to generate a whitelist of authorized SWF files. The whitelist file can have any name. It must have the .whitelist or .airwhitelist extension.
- Copy the whitelist to the server.
- Enable SWF verification and indicate the location of the whitelist in the following locations:
  - (Live)—Application.xml or Event.xml
  - (On-demand)—httpd.conf or jit.conf
- Publish a stream to the livepkgr application on Adobe Media Server.
- Request a stream from an OSMF media player. The syntax of the request URL does not change for SWF verification.
  The server embeds the SWF hashes from the whitelist into the .drmmeta file. Flash Player attempts to verify the SWF hash during DRM authentication.
  - (Live) The server looks for the whitelist in the following order:
    - The application folder. (The default application for live HTTP streaming is rootinstall/applications/livepkgr.)
    - A path in the /SWFVerification/WhitelistFolder element of Application.xml
    - A path in the /SWFVerification/WhitelistFolder element of Event.xml
  - (On-demand) The server looks for the whitelist in the httpd.conf/jit.conf file in the same folder as the on-demand content.
  If the hashes don't match, Flash Player throws a runtime error (3310) and the OSMF media player stops requesting fragments.
SWF verification configurations for live PHDS
To enable SWF verification for live PHDS, enable PHDS at the server level (httpd.conf), the application level (Application.xml) or the event level (Event.xml).
Configure SWF verification for live HDS at the server level (httpd.conf)
Add the following elements to the hds-live directive to enable SWF verification:
Element | Description | Default |
---|---|---|
PHDSSWFVerification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false" |
PHDSSWFWhiteListFolder | Specifies the location of the SWF whitelist. | The application folder of the live event. |
Configure SWF verification for live HDS at the application level (Application.xml) or at the event level (Event.xml).
In Application.xml, SWFVerification is located at //Application/HDS/Recording/ContentProtection/PHDS/SWFVerification. In Event.xml, SWFVerification is located at //Event/Recording/ContentProtection/PHDS/SWFVerification.

Element | Description | Default |
---|---|---|
/SWFVerification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false" |
/SWFVerification/WhiteListFolder | A path to the folder containing the whitelist. The folder can contain more than one whitelist file. The path can be absolute or relative. A relative path in the Application.xml file is relative to the application folder. A relative path in the Event.xml file is relative to the event folder. Backwards relative paths are not supported for security reasons. This configuration is optional. If no value is given, the server looks in the application folder of the live event. | The application folder of the live event. |
Configure the following settings in the Apache httpd.conf file to configure cache control for the bootstrap, fragment, manifest and drmmeta responses:
HttpStreamingBootstrapMaxAge
HttpStreamingFragMaxAge
HttpStreamingF4MMaxAge
HttpStreamingDrmmetaMaxAge
For detailed information about each configuration, see Configure live and on-demand HTTP Streaming at the server level (httpd.conf).
SWF verification configurations for on-demand PHDS
SWF verification is configured under PHDS. To enable SWF verification, enable PHDS. You can enable on-demand PHDS at the server level (httpd.conf) or at the stream level (jit.conf).
Configure SWF verification for on-demand PHDS at the server level (httpd.conf) or at the stream level (jit.conf).
Use the following elements to enable and configure SWF verification in the httpd.conf file:
Element | Description | Default |
---|---|---|
PHDSSWFVerification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false" |
PHDSSWFWhiteListFolder | Optional setting that specifies where the SWF whitelist can be found. The folder can contain more than one whitelist file. This can be overridden by jit.conf if the Apache configuration is overridable. If no value is given, the server looks in the folder containing the jit.conf file. | The folder containing the media. |
Use the following elements to enable and configure SWF verification in the jit.conf file. Copy the jit.conf file to the same directory as the on-demand media.
Element | Description | Default |
---|---|---|
//manifest/hds:content-protection/hds:phds/hds:swf-verification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false" |
//manifest/hds:content-protection/hds:phds/hds:swf-verification/hds:white-list-folder | A path to the folder containing the whitelist. The folder can contain more than one whitelist file. The path can be absolute or relative. A relative path is relative to the folder containing the jit.conf file. Backwards relative paths are not supported for security reasons. This configuration is optional. If no value is given, the server looks in the folder containing the jit.conf file. | The folder containing the media. |
Whitelist tool
Use the whitelist tool to generate a list of verified SWF and AIR files. The server uses the whitelist to perform SWF verification for Flash Player and AIR applications.
The whitelist tool takes SWF files, AIR certificate files, and AIR signature files and creates a SHA256 hash for each file. The tool writes the hashes as Base64 encoded text to one or more text files and outputs the text files. The text files use the filename extensions .whitelist and .airwhitelist.
The whitelist tool is located in the following directory:
rootinstall/tools/Whitelist
Use the following command line syntax to run the whitelist tool:
whitelist --in <file|dir> [--outDir <output dir>] [--out <output file>] [--version]
The following table lists the command line options and arguments for the whitelist tool:
Option | Optional | Description |
---|---|---|
--in <file|dir> | No | A SWF file, an AIR signature file, or an AIR certificate file, or a directory containing SWF files. The dir parameter does not support AIR files. To specify multiple files or directories, use multiple --in options. For SWF files, the tool outputs a file with the extension .whitelist. For AIR signature and certificate files, the tool outputs a file with the extension .airwhitelist. |
--log <file|dir> | Yes | An existing directory path where the default whitelist.properties file is present, or the full path name to the properties file. Customize logging in the .properties file. The whitelist tool supports log4j Apache logging. By default, logging messages are routed to the console. To reroute them, use the --log option. |
--out <output file> | Yes | The name for the .whitelist file and the .airwhitelist file. If --out is not specified, the tool creates .whitelist and .airwhitelist files for each .swf file and .xml file. If --out is specified, --outDir is ignored and the file is saved to the directory the tool is being run from. |
--outDir <outputdir> | Yes | Creates an output directory and saves the .whitelist file to the directory. If --outDir is not specified, the .whitelist files and .airwhitelist files are created in the directory the tool is being run from. If --outDir is a relative path, it is relative to the directory the tool is being run from. |
--version | Yes | Prints the SWF verification version number in the .whitelist file. |
The following table lists examples of running the whitelist tool:
Example | Result |
---|---|
whitelist --in foo.swf --in bar.swf | Creates a foo.swf.whitelist and a bar.swf.whitelist in the current directory. |
whitelist --in signature.xml --in bar.swf | Creates signature.xml.airwhitelist and bar.swf.whitelist in the current directory. |
whitelist --in foo.swf --in mydir (In this example, mydir is a directory containing bar.swf.) | Creates a foo.swf.whitelist and a bar.swf.whitelist in the current directory. |
whitelist --in signature.xml --in mydir (In this example, mydir is a directory containing bar.swf.) | Creates a signature.xml.airwhitelist and a bar.swf.whitelist in the current directory. |
whitelist --in foo.swf --in bar.swf --outDir outputdir | Creates an outputdir/foo.swf.whitelist file and an outputdir/bar.swf.whitelist file. |
whitelist --in signature.xml --in bar.swf --outDir outputdir | Creates an outputdir/signature.xml.airwhitelist file and an outputdir/bar.swf.whitelist file. |
whitelist --in foo.swf --in mydir --out outputfile (In this example, mydir is a directory containing bar.swf.) | Creates an outputfile.whitelist file in the current directory containing hashes for foo.swf and mydir/bar.swf. |
whitelist --in signature.xml --in mydir --out outputfile (In this example, mydir is a directory containing bar.swf.) | Creates an outputfile.airwhitelist file containing hashes for signature.xml. Creates an outputfile.whitelist file containing hashes for bar.swf. Both files are created in the current directory. |
whitelist --in foo.swf --in mydir --out outputfile --outDir outputdir (In this example, mydir is a directory containing bar.swf.) | Creates an outputfile.whitelist in the current directory containing a hash for foo.swf and mydir/bar.swf. Warning: When the --out option is specified, the tool ignores the --outDir option. |
whitelist --in signature.xml --in mydir --out outputfile --outDir outputdir (In this example, mydir is a directory containing bar.swf.) | Creates an outputfile.airwhitelist file that contains the hashes for signature.xml. Creates an outputfile.whitelist file that contains hashes for mydir/bar.swf. Both files are created in the current directory. Warning: When the --out option is specified, the tool ignores the --outDir option. |
whitelist --version | Displays "version 1.0". |
If an input file has the same name as a previously input file, both files are added to the whitelist:
whitelist --in c:\myfolder\signature.xml --in c:\yourfolder\signature.xml --outDir c:\out\signature.xml
The following is the output:
# c:\myfolder\signature.xml
XXXXXXXXXXXXXXXXXXXXXX
# c:\yourfolder\signature.xml
XXXXXXXXXXXXXXXXXXXXXXXXXXX
The following is the whitelist format for an individual hash:
# foo.swf
PGfcEwgUKWScivIRucIwG5jT
The following is the whitelist format for an AIR file:
# C:\air\signatures.xml
A167FBF93528C87BBCDAC2B8CD0829479DDA6912.2
The following is the whitelist format for multiple hashes when using the --out option:
# foo.swf
PGfcEwgUKWScivIRucIwG5jT
# bar.swf
TcsQWLLi7h7WNjHqcLzzl0J15Srvdzkz2inCTKQLOHw=
# mydir/bar.swf
TcsQWLLi7h7WNjHqcLzzl0J15Srvdzkz2inCTKQLOHw=
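As an added example (not the Whitelist tool's own code), the Python below reproduces the SWF .whitelist format described above, a SHA-256 of each file, Base64 encoded, under a "# name" line per entry, and applies the membership check that the embedded hashes amount to on the client, so an administrator can confirm before publishing that a given SWF is covered by a whitelist. It assumes the hash is taken over the complete file contents, uses constructed byte strings in place of real SWF files, and does not cover the AIR .airwhitelist format.

```python
import base64
import hashlib
from typing import List, Optional, Tuple

# Constructed sample inputs (not real SWF files); only the bytes being hashed matter here.
SAMPLE_SWFS: List[Tuple[str, bytes]] = [
    ("foo.swf", b"FWS\x0a" + b"\x00" * 16),
    ("mydir/bar.swf", b"CWS\x0a" + b"\x01" * 16),
]


def swf_whitelist_hash(swf_bytes: bytes) -> str:
    """SHA-256 of the file, Base64 encoded, as the Whitelist tool records it for SWFs.
    Assumption: the hash covers the complete file contents."""
    return base64.b64encode(hashlib.sha256(swf_bytes).digest()).decode("ascii")


def build_whitelist(files: List[Tuple[str, bytes]]) -> str:
    """Emit the '# <name>' / '<hash>' pairs of a combined .whitelist (the --out layout).
    Inputs that share a name are kept as separate entries, as the tool does."""
    lines: List[str] = []
    for name, data in files:
        lines.append(f"# {name}")
        lines.append(swf_whitelist_hash(data))
    return "\n".join(lines) + "\n"


def parse_whitelist(text: str) -> List[Tuple[str, str]]:
    """Read (name, hash) pairs back: a '#' line names the file, the next line holds its hash."""
    entries: List[Tuple[str, str]] = []
    name: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name = line[1:].strip()
        elif name is not None:
            entries.append((name, line))
            name = None
    return entries


def is_authorized(swf_bytes: bytes, whitelist_text: str) -> bool:
    """Pre-publication check mirroring the client rule: the SWF's hash must be listed.
    A SWF that is not listed is the case that ends in Flash Player runtime error 3310."""
    wanted = swf_whitelist_hash(swf_bytes)
    return any(h == wanted for _, h in parse_whitelist(whitelist_text))


if __name__ == "__main__":
    text = build_whitelist(SAMPLE_SWFS)
    print(text, end="")
    print("foo.swf authorized:", is_authorized(SAMPLE_SWFS[0][1], text))
    print("modified foo.swf authorized:", is_authorized(SAMPLE_SWFS[0][1] + b"x", text))
```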