Configuring content protection for HLS

Use Adobe Media Server 5 to serve protected content over HTTP to devices that support Apple HTTP Live Streaming.

The Adobe Media Server installer generates the required certificates and keys to the rootinstall/creds directory. To generate new keys, use the scramble tool. See Scramble tool.

Overview

The content can be protected using three modes:
  • Vanilla

  • PHLS

  • Adobe Access 4.0

To enable a specific encryption scheme, use the HLSProtectionScheme directive.

Vanilla

Vanilla mode is used for plain AES encryption.

PHLS

PHLS mode is a non-DRM solution. You do not need to set up a license or key server. The key is always served in a local mode.

Adobe Access

Adobe Access mode offers a complete DRM solution. It supports all the Adobe Access 3.0 features, along with remote key serving for HLS. Local key serving mode also works with Adobe Access 2.0 or higher license servers. The remote key serving mode works only with an Adobe Access 4.0 compliant server.

Adobe Access SDK is a Digital Rights Management (DRM) platform that makes it possible to protect and securely deliver video and audio content for playback on consumer devices such as personal computers. Adobe Access is a flexible platform that enables content owners to protect their content and maintain control over distribution. Content owners can protect and manage their rights by creating licenses for each digital media file, ensuring that a wide variety of the highest-quality content is made available to consumers.

Adobe Access supports a wide range of business models, including video on demand, rental, and electronic sell-through. You can distribute content protected with Adobe Access by streaming through Adobe Media Server software, offering progressive download via HTTP using Adobe's HTTP Dynamic Streaming technology, or permitting downloads to a content library for local playback at the consumer's convenience.

To enable DRM support for HTTP Live Streaming, use the Adobe Access iOS library. The policy files generated for Adobe Access 2.0 and Adobe Access 3.0 also work in local key serving mode.

AMS supports different content encryption keys for content at the different levels (server, application, stream, and event). The keys are generated according to the location of the content and the location of the Common Key.

Key rotation

You can periodically change the encryption key and specify how often the content encryption key is to be changed.

Out-of-Band DRM metadata

The HLS module of AMS supports serving BER-encoded DRM metadata out-of-band. The requested URL format is the same as for a playlist, except that the URL ends in .drmmeta instead of .m3u8. The metadata embedded in the m3u8 file is base64-encoded, but the metadata served out-of-band in the .drmmeta file is binary data.

Player binding

Adobe Media Server supports whitelist-based player binding when the protection scheme is PHLS. This is similar to the HTTP SWF Verification.

License chaining

Adobe Media Server will support embedding leaf licenses in the DRM metadata from the policy generated using a chained license. Adobe Media Server will need the license server credential and the credential password configured so that the root license from the policy can be used to encrypt the CEK contained in the embedded leaf license.

Live use case

Getting started

To configure PHLS with basic settings, perform the following steps:
  1. Navigate to the <root-install>/Apache 2.2/conf/ directory. Edit the httpd.conf file and add the following tags under <Location /hls-live>:
    <Location /hls-live> 
        HLSHttpStreamingEnabled true 
        HttpStreamingLiveEventPath "../applications" 
        HttpStreamingContentPath "../applications" 
        HLSMediaFileDuration 8000 
        HLSSlidingWindowLength 6 
        HLSFmsDirPath ".." 
        HttpStreamingUnavailableResponseCode 503 
        HLSEncryptionScope server 
        HLSProtectionScheme PHLS 
    </Location>
    Note: This configuration will enable PHLS at the server level.
  2. Publish a live stream called “livestream?adbe-live-event=liveevent” to livepkgr.

  3. Play back the stream using the URI http://<server-ip>:8134/hls-live/livepkgr/_definst_/liveevent/livestream.m3u8

Detailed configuration

The following sections provide detailed configurations.

Server level

You can configure HLS at the server level to apply content protection across all deployed applications.

Vanilla

The following table contains the directives for the hlshttp_module in the Apache httpd.conf file:

| Directive | Default | Description |
| --- | --- | --- |
| HLSEncryptionScope | Off | Defines the encryption scope. The following are possible values. server: Apache encryption settings are applied to all content. The server ignores content-specific encryption configurations in Event.xml and Application.xml (live) and jit.conf (on-demand). content: Apache encryption settings are ignored. The server uses encryption settings from Event.xml or Application.xml (live) or from jit.conf (on-demand). Off: Encryption is off for the whole server. |
| HLSEncryptCipherKeyFile | None | The path of the default cipher key used to encrypt the content. |
| HLSEncryptKeyURI | None | The URI that the client uses to fetch the encryption key. |

Publishing and playback

  1. Open the rootinstall/Apache2.2/conf/httpd.conf file and locate the hlshttp_module:

    <IfModule hlshttp_module> 
        ... 
    <Location /hls-live> 
        ...
  2. Uncomment the following:

    # Uncomment the following directives to enable encryption 
    # for this location: 
        HLSEncryptionScope server 
        HLSEncryptCipherKeyFile "../creds/liveeventkey.bin" 
        HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"

    Substitute the fully qualified domain name of your Adobe Media Server for the <ServerName> parameter.

  3. Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the HLSEncryptKeyURI directive.

  4. Open Flash Media Live Encoder and publish a stream with the following settings:

    • Format—H.264

    • Keyframe Frequency—4 seconds

    • AMS URL—rtmp://<server-name>/livepkgr

    • Stream—encryption?adbe-live-event=encryption

  5. Request the following URL from an iOS device:

    http://<servername>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8

  6. To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.
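
A scripted check to go with the validator step above, added here as an example and not taken from Adobe's documentation. It assumes a Vanilla-protected playlist carries standard HLS EXT-X-KEY tags (RFC 8216) whose URI is the configured HLSEncryptKeyURI, and it reports segments left in the clear and keys fetched without TLS; the playlist, host name and function names are constructed.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample playlist (host and segment names are made up). The last
# segment follows METHOD=NONE, which switches encryption off again.
SAMPLE_PLAYLIST = """\
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:8
#EXT-X-MEDIA-SEQUENCE:41
#EXT-X-KEY:METHOD=AES-128,URI="https://ams.example.com/hls-key/liveeventkey.bin"
#EXTINF:8.0,
encryption41.ts
#EXTINF:8.0,
encryption42.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:8.0,
encryption43.ts
"""

# NAME=value pairs separated by commas; quoted values may contain commas.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def parse_attrs(text):
    """Split an HLS attribute list into a dict, honouring quoted values."""
    return {name: value.strip('"') for name, value in ATTR_RE.findall(text)}


def audit_playlist(playlist_text, playlist_url):
    """Return (segments, findings) for one media playlist.

    Each EXT-X-KEY tag applies to every segment after it until the next key
    tag, so the key state is tracked while walking the playlist top to bottom.
    """
    key = {"METHOD": "NONE"}  # no key tag seen yet means no encryption
    segments, findings = [], []
    for raw in playlist_text.splitlines():
        line = raw.strip()
        if line.startswith("#EXT-X-KEY:"):
            key = parse_attrs(line.split(":", 1)[1])
            method = key.get("METHOD", "NONE")
            if method != "NONE":
                if "URI" not in key:
                    findings.append(f"{method} key tag has no URI")
                else:
                    # Key URIs may be relative to the playlist URL.
                    key["URI"] = urljoin(playlist_url, key["URI"])
                    if urlparse(key["URI"]).scheme != "https":
                        findings.append(f"key {key['URI']} is fetched without TLS")
        elif line and not line.startswith("#"):
            method = key.get("METHOD", "NONE")
            segments.append({"uri": line, "method": method, "key_uri": key.get("URI")})
            if method == "NONE":
                findings.append(f"segment {line} is not encrypted")
    return segments, findings


if __name__ == "__main__":
    url = "http://ams.example.com/hls-live/livepkgr/_definst_/encryption/encryption.m3u8"
    segs, problems = audit_playlist(SAMPLE_PLAYLIST, url)
    for seg in segs:
        print(seg["uri"], seg["method"], seg["key_uri"])
    for problem in problems:
        print("FINDING:", problem)
```

This complements the Apple validator rather than replacing it: it only reads the playlist and does not fetch or decrypt any segment.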

PHLS and Adobe Access

The following table contains the directives for the hlshttp_module in the Apache httpd.conf file:

| Parameter | Required With | Default | Description |
| --- | --- | --- | --- |
| HLSProtectionScheme | Adobe Access 4.0, PHLS | Vanilla | Determines the protection scheme used for content. Protection scheme can be Vanilla, AdobeAccessV4 or PHLS. HLSProtectionScheme is effective if encryption is enabled. Use HLSEncryptionScope parameter to determine the status of encryption. |
| HLSEmbedMetadata | Adobe Access 4.0, PHLS | true for VOD and false for live | (Optional) Enables embedding of metadata in the playlist. The possible values are "true" or "false". Note that false will only work when HLSMetaPackagingEnabled is set to true. |
| HLSMetaPackagingEnabled | Adobe Access 4.0, PHLS | true | (Optional) Enables just in time packaging of metadata for this location. The possible values are "true" or "false". This configuration is not valid for the Vanilla protection scheme. |
| HLSMetaMaxAge | Adobe Access 4.0, PHLS | 60*60 secs (1 hour) | (Optional) Specifies the max-age to set in the Cache-Control header for M3U8 responses. Specified in secs. -1 means no Cache-Control header is set. If not specified, the default value will be assumed. This configuration is used only when the HLSMetaPackagingEnabled value is set to true. |
| PHLSCommonKeyFile | (Optional) PHLS | For PHLS ../creds/commonKey.bin | Contains the name of the Common key file in ../creds/common-key.bin. |
| HLSDrmContentID / PHLSContentID | (Optional) PHLS | eventId | Content ID for mapping the license. |
| HLSDrmLicenseServerURL | Adobe Access 4.0 | None | URL of License server used for protecting content |
| HLSDrmTransportCertFile | Adobe Access 4.0 | None | Transport certificate file used for protecting content |
| HLSDrmLicenseServerCertFile | Adobe Access 4.0 | None | File containing license server certificate used for protecting content |
| HLSDrmPackagerCredentialFile | Adobe Access 4.0 | None | File containing Packager credential used for protecting content |
| HLSDrmPackagerCredentialPassword | Adobe Access 4.0 | None | Packager credential password for the configured packager credential file |
| HLSDrmPolicyFile | Adobe Access 4.0 | None | Path and Name of the Policy File to be used for protecting content |
| HLSDrmKeyServerURL | Adobe Access 4.0 | None | Key server URL for embedding in the served playlist. |
| PHLSOutputProtection | (Optional) PHLS | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
| PHLSPlaybackExpiration | (Optional) PHLS | 24Hours | The duration of the time for which the content is available for playback. Possible values are 24Hours and Unlimited. |

PHLS
Edit the httpd.conf file and add the following tags under <Location /hls-live>:
<Location /hls-live> 
    HLSHttpStreamingEnabled true 
    HttpStreamingLiveEventPath "../applications" 
    HttpStreamingContentPath "../applications" 
    HLSMediaFileDuration 10000 
    HLSSlidingWindowLength 6 
    HLSFmsDirPath ".." 
    HttpStreamingUnavailableResponseCode 503 
    HLSEncryptionScope  server 
    HLSProtectionScheme  PHLS 
    PHLSContentID httpd_conf 
    PHLSCommonKeyFile  "../creds/liveeventkey.bin" 
    PHLSOutputProtection  None 
    PHLSPlaybackExpiration  Unlimited 
</Location>

For details on the configuration elements, see the table mentioned above.

Adobe Access
Edit the httpd.conf file and add the following tags under <Location hls-live>:
<Location /hls-live> 
    HLSHttpStreamingEnabled true 
    HttpStreamingLiveEventPath "../applications" 
    HttpStreamingContentPath "../applications" 
    HLSMediaFileDuration 10000 
    HLSSlidingWindowLength 6 
    HLSFmsDirPath ".." 
    HttpStreamingUnavailableResponseCode 503 
    HLSEncryptionScope  server 
    HLSProtectionScheme  AdobeAccessV4 
    HLSDrmContentID httpd_conf 
    HLSDrmCommonKeyFile  "<path to common key file>" 
    HLSDrmLicenseServerURL  "<url of license server>" 
    HLSDrmTransportCertFile  "<path to transport certificate file>" 
    HLSDrmLicenseServerCertFile  "<path to license server certificate file>" 
    HLSDrmPackagerCredentialFile  "<path to packager credential file>" 
    HLSDrmPackagerCredentialPassword  ?????? 
    HLSDrmPolicyFile  "<path to policy file>" 
    HLSDrmKeyServerURL  "<key server url>" 
</Location>
For details on the configuration elements, see the table mentioned above.
Note: For local key delivery it is recommended that HLSDrmKeyServerURL be set to the dummy URL http://faxs.adobe.com.

For information on publishing and playback, see Vanilla.
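
The server-level rules above can be checked mechanically before a restart. The following audit is an added example, not part of Adobe Media Server or its documentation: it reads the <Location> blocks of an httpd.conf and applies the defaults and "Required With" columns from the directive tables. The sample configuration, host names and function names are constructed.

```python
from urllib.parse import urlparse

# Constructed sample modelled on the <Location> blocks shown on this page.
SAMPLE_CONF = """
<Location /hls-live>
    HLSHttpStreamingEnabled true
    HLSEncryptionScope server
    HLSEncryptCipherKeyFile "../creds/liveeventkey.bin"
    HLSEncryptKeyURI "http://ams.example.com/hls-key/liveeventkey.bin"
</Location>
<Location /hls-vod>
    HLSHttpStreamingEnabled true
    HLSEncryptionScope server
    HLSProtectionScheme AdobeAccessV4
    HLSDrmLicenseServerURL "https://license.example.com"
    HLSDrmPackagerCredentialFile "../creds/packager.pfx"
    HLSDrmPackagerCredentialPassword CONSTRUCTED-PASSWORD
</Location>
<Location /hls-open>
    HLSHttpStreamingEnabled true
#    HLSEncryptionScope server
</Location>
"""

# Rows of the directive table marked "Adobe Access 4.0" without "(Optional)".
REQUIRED_ADOBE_ACCESS = [
    "HLSDrmLicenseServerURL", "HLSDrmTransportCertFile",
    "HLSDrmLicenseServerCertFile", "HLSDrmPackagerCredentialFile",
    "HLSDrmPackagerCredentialPassword", "HLSDrmPolicyFile", "HLSDrmKeyServerURL",
]


def parse_locations(conf_text):
    """Map each <Location path> to a dict of its uncommented directives."""
    locations, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not in effect
        if line.startswith("<Location") and line.endswith(">"):
            current = locations.setdefault(line[len("<Location"):-1].strip(), {})
        elif line == "</Location>":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return locations


def audit_location(directives):
    """Return findings for one location, using the defaults from the tables."""
    scope = directives.get("HLSEncryptionScope", "Off").lower()
    scheme = directives.get("HLSProtectionScheme", "Vanilla")
    if scope == "off":
        return ["encryption is off: segments are served in the clear"]
    if scope == "content":
        return ["scope is content: Event.xml, Application.xml or jit.conf "
                "decide protection, review those files"]
    if scope != "server":
        return [f"unknown HLSEncryptionScope value: {scope}"]
    findings = []
    if scheme == "Vanilla":
        for name in ("HLSEncryptCipherKeyFile", "HLSEncryptKeyURI"):
            if name not in directives:
                findings.append(f"{name} is not set")
        key_uri = directives.get("HLSEncryptKeyURI", "")
        if key_uri and urlparse(key_uri).scheme != "https":
            findings.append("HLSEncryptKeyURI does not use https: "
                            "the content key crosses the network unencrypted")
    elif scheme == "AdobeAccessV4":
        missing = [n for n in REQUIRED_ADOBE_ACCESS if n not in directives]
        if missing:
            findings.append("missing Adobe Access directives: " + ", ".join(missing))
    if "HLSDrmPackagerCredentialPassword" in directives:
        findings.append("packager credential password is stored in httpd.conf: "
                        "restrict read access to the file")
    return findings


def audit_conf(conf_text):
    """Audit every <Location> block; returns {path: [findings]}."""
    return {path: audit_location(d) for path, d in parse_locations(conf_text).items()}


if __name__ == "__main__":
    for path, findings in audit_conf(SAMPLE_CONF).items():
        for finding in findings or ["no findings"]:
            print(f"{path}: {finding}")
```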

Application and Event level

You can also configure HLS at an application or event level.

Both the Application.xml file and the Event.xml file have an HLS container that holds the live vanilla encryption configuration settings. In Application.xml, the container is located under //Application/HDS/HLS. In Event.xml, the container is located under //Event/HLS.

Application level
Vanilla

| Element | Default | Description |
| --- | --- | --- |
| /HLS | None | Container for content protection settings. |
| /HLS/Encryption | None | Set the enabled attribute to "allow" to allow vanilla encryption configurations in the Event.xml file to override settings in the Application.xml file. Set the enabled attribute to "true" to configure vanilla encryption in the Application.xml file. These configurations apply to all live events in the application. The default value of the enabled attribute in the Application.xml file is "allow". The default value in the Event.xml file is "false". |
| /HLS/Encryption/KeyFile | None | The path of the default cipher key used to encrypt the content. |
| /HLS/Encryption/KeyURI | None | The URI that the client uses to fetch the encryption key. |

Configure live vanilla encryption at the application level
  1. Open the rootinstall/Apache2.2/conf/httpd.conf file and locate the hlshttp_module:

    <IfModule hlshttp_module> 
        ... 
    <Location /hls-live> 
        ...
  2. Uncomment the HLSEncryptionScope directive and set it to content:

    # Uncomment the following directives to enable encryption 
    # for this location: 
        HLSEncryptionScope content 
    #    HLSEncryptCipherKeyFile "../creds/liveeventkey.bin" 
    #    HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"

    Substitute the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.

  3. Edit the Application.xml file in the rootinstall/applications/livepkgr folder to include the following:

    <Application> 
        <HDS> 
            <HLS> 
                <Encryption enabled="true"> 
                    <KeyFile>C:\Program Files\Adobe\Adobe Media Server 5\creds\liveeventkey.bin</KeyFile> 
                    <KeyURI>http://<server-ip>/hls-key/liveeventkey.bin</KeyURI> 
                </Encryption> 
            </HLS> 
        </HDS> 
    </Application>
  4. Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the KeyURI directive.

  5. Open Flash Media Live Encoder and publish a stream with the following settings:

    • Format—H.264

    • Keyframe Frequency—4 seconds

    • AMS URL—rtmp://<server-name>/livepkgr

    • Stream—encryption?adbe-live-event=encryption

  6. Request the following URL from an application developed using the SDK on an iOS device:

    http://<servername>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8

  7. To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.

Note: To create a live event, create a copy of the livepkgr directory located at rootinstall/applications/livepkgr/events/_definst_/liveevent. The name of the copied directory must be the same as the name of the event.
PHLS
Edit the Application.xml file in the rootinstall/applications/livepkgr folder to include the following:
<Application> 
    <HDS> 
        <HLS> 
            <Encryption  enabled="true"  protection-scheme="PHLS" > 
                <PHLS> 
                    <ContentID>app_event_xml</ContentID> 
                    <CommonKeyPath>common.bin</CommonKeyPath> 
                    <KeyServerURL>faxs://example.com</KeyServerURL> 
                    <OutputProtection>None</OutputProtection> 
                    <PlaybackExpiration>Unlimited</PlaybackExpiration> 
                </PHLS> 
            </Encryption > 
        </HLS> 
    </HDS> 
</Application>

For more information about the elements, see the table in the server level configuration.

For information on publishing and playback, see Vanilla.

Adobe Access
Edit the Application.xml file in the rootinstall/applications/livepkgr folder to include the following:
<Application> 
    <HDS> 
        <HLS> 
            <Encryption  enabled="true"  protection-scheme="AdobeAccessV4" > 
                <AdobeAccessV4> 
                    <ContentID>app_event_xml</ContentID> 
                    <CommonKeyPath>common.bin</CommonKeyPath> 
                    <LicenseServerURL>license server url </LicenseServerURL> 
                    <TransportCertPath>transport.der</TransportCertPath> 
                    <LicenseServerCertPath>server.der</LicenseServerCertPath> 
                    <PackagerCredentialPath> 
                        production_packager.pfx 
                    </PackagerCredentialPath> 
                    <PackagerCredentialPwd>??????</PackagerCredentialPwd> 
                    <PolicyPath>policy.pol</PolicyPath> 
                    <KeyServerURL>http://faxs.adobe.com</KeyServerURL> 
                </AdobeAccessV4> 
            </Encryption > 
        </HLS> 
    </HDS> 
</Application>

For more information about the elements, see the table in the server level configuration.

For information on publishing and playback, see Vanilla.

Event level
Vanilla
  1. Open the rootinstall/Apache2.2/conf/httpd.conf file and locate the hlshttp_module:

    <IfModule hlshttp_module> 
        ... 
    <Location /hls-live> 
        ...
  2. Uncomment the HLSEncryptionScope directive and set it to content:

    # Uncomment the following directives to enable encryption 
    # for this location: 
        HLSEncryptionScope content 
    #    HLSEncryptCipherKeyFile "../creds/liveeventkey.bin" 
    #    HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"

    Substitute the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.

  3. Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption folder to include the following:

    <Event> 
            <HLS> 
                <Encryption enabled="true"> 
                    <KeyFile>C:\Program Files\Adobe\Adobe Media Server 5\creds\liveeventkey.bin</KeyFile> 
                    <KeyURI>http://<server-ip>/hls-key/liveeventkey.bin</KeyURI> 
                </Encryption> 
            </HLS> 
    </Event>
  4. Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the KeyURI directive.

  5. Open Flash Media Live Encoder and publish a stream with the following settings:

    • Format—H.264

    • Keyframe Frequency—4 seconds

    • AMS URL—rtmp://<server-name>/livepkgr

    • Stream—encryption?adbe-live-event=encryption

  6. Request the following URL from an iOS device:

    http://<ServerName>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8

  7. To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.

PHLS
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption folder to include the following:
<Event> 
    <HLS> 
        <Encryption  enabled="true"  protection-scheme="PHLS" > 
            <PHLS> 
                <ContentID>app_event_xml</ContentID> 
                <CommonKeyPath>common.bin</CommonKeyPath> 
                <KeyServerURL>faxs://example.com</KeyServerURL> 
                <OutputProtection>None</OutputProtection> 
                <PlaybackExpiration>Unlimited</PlaybackExpiration> 
            </PHLS> 
        </Encryption > 
    </HLS> 
</Event>

For more information about the elements, see the table in the server level configuration.

For more information on publishing and playback, see Vanilla.

Adobe Access
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption folder to include the following:
<Event> 
    <HLS> 
        <Encryption  enabled="true"  protection-scheme="AdobeAccessV4" > 
            <AdobeAccessV4> 
                <ContentID>app_event_xml</ContentID> 
                <CommonKeyPath>common.bin</CommonKeyPath> 
                <LicenseServerURL>license server url </LicenseServerURL> 
                <TransportCertPath>transport.der</TransportCertPath> 
                <LicenseServerCertPath>server.der</LicenseServerCertPath> 
                <PackagerCredentialPath> 
                    production_packager.pfx 
                </PackagerCredentialPath> 
                <PackagerCredentialPwd>??????</PackagerCredentialPwd> 
                <PolicyPath>policy.pol</PolicyPath> 
                <KeyServerURL>http://faxs.adobe.com</KeyServerURL> 
            </AdobeAccessV4> 
        </Encryption > 
    </HLS> 
</Event>

For more information about the elements, see the table in the server level configuration.

For more information on publishing and playback, see Vanilla.

Live events

To generate unique content encryption keys (CEKs) for Adobe Access, the URL path (relative to the configured content path) up to the stream, but not including the stream name, is used as the Content ID. For example, the Content ID for path http://example.com/hls-live/livepkgr/_definst_/liveevent/livestream.m3u8 would be livepkgr/_definst_/liveevent.

VOD use case

Configure PHLS for on-demand streaming at the following levels:

Server—rootinstall/Apache2.2/conf/httpd.conf

Stream—create a jit.conf file and copy it to the same directory as the content.

Getting started

To configure PHLS with basic settings, perform the following steps:
Navigate to <root-install>/Apache 2.2/conf/. Edit the file httpd.conf and add the tags HLSEncryptionScope and HLSProtectionScheme under the <Location /hls-vod> directive:
<Location /hls-vod> 
    HLSHttpStreamingEnabled true 
    HLSMediaFileDuration 8000 
    HttpStreamingContentPath "../webroot/vod" 
    HLSFmsDirPath ".." 
    HLSJITConfAllowed true 
    HLSEncryptionScope server 
    HLSProtectionScheme PHLS 
    Options -Indexes FollowSymLinks 
</Location>
Note: This configuration will enable PHLS at the server level with default configurations.

The sample1_1500kbps.f4v media file comes with the default installation of AMS under <root-install>/webroot. You can play the media file using the following URI: http://<server-ip>/hls-vod/sample1_1500kbps.f4v.m3u8

Detailed configuration

The following sections provide the detailed configurations.

Server level

You can configure HLS at the server level to apply content protection to all streams requested through the location directives.

Vanilla

Configure the following directives for the hlshttp_module in the Apache httpd.conf file:

| Directive | Default | Description |
| --- | --- | --- |
| HLSEncryptionScope | Off | Defines the encryption scope. The following are possible values. server: Apache encryption settings are applied to all content. The server ignores content-specific encryption configurations in Event.xml and Application.xml (live) and jit.conf (on-demand). content: Apache encryption settings are ignored. The server uses encryption settings from Event.xml or Application.xml (live) or from jit.conf (on-demand). Off: Encryption is off for the whole server. |
| HLSEncryptCipherKeyFile | None | The path of the default cipher key used to encrypt the content. |
| HLSEncryptKeyURI | None | The URI that the client uses to fetch the encryption key. See Serve encryption keys to the client. |

To configure vanilla content protection at the server level, set HLSEncryptionScope to server in the httpd.conf file. This configuration tells the server to use the settings in the httpd.conf file for all requests to this Location directive.

  1. Open the rootinstall/Apache2.2/conf/httpd.conf file and locate the hlshttp_module:

    <IfModule hlshttp_module> 
        ... 
    <Location /hls-vod> 
        ...
  2. Uncomment the following:

    # Uncomment the following directives to enable encryption 
    # for this location: 
        HLSEncryptionScope server 
        HLSEncryptCipherKeyFile "../creds/vodkey.bin" 
        HLSEncryptKeyURI "https://<ServerName>/hls-key/vodkey.bin"

    Substitute the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.

  3. Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the HLSEncryptKeyURI directive.

  4. Request the following URL from an iOS device:

    http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8

  5. To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.

The following table contains the directives for the hlshttp_module in the Apache httpd.conf file:

| Parameter | Required With | Default | Description |
| --- | --- | --- | --- |
| HLSProtectionScheme | Adobe Access 4.0, PHLS | Vanilla | Determines the protection scheme used for content. Protection scheme can be Vanilla, AdobeAccessV4 or PHLS. HLSProtectionScheme is effective if encryption is enabled. Use HLSEncryptionScope parameter to determine the status of encryption. |
| HLSDrmCommonKeyFile | Adobe Access 4.0, (Optional) PHLS | For PHLS ../creds/commonKey.bin | Contains the name of the Common key file in ../creds/common-key.bin. |
| HLSDrmContentID / PHLSContentID | (Optional) Adobe Access 4.0, (Optional) PHLS | eventId | Content ID for mapping the license. |
| HLSDrmLicenseServerURL | Adobe Access 4.0 | None | URL of License server used for protecting content |
| HLSDrmTransportCertFile | Adobe Access 4.0 | None | Transport certificate file used for protecting content |
| HLSDrmLicenseServerCertFile | Adobe Access 4.0 | None | File containing license server certificate used for protecting content |
| HLSDrmPackagerCredentialFile | Adobe Access 4.0 | None | File containing Packager credential used for protecting content |
| HLSDrmPackagerCredentialPassword | Adobe Access 4.0 | None | Packager credential password for the configured packager credential file |
| HLSDrmPolicyFile | Adobe Access 4.0 | None | Path and Name of the Policy File to be used for protecting content |
| HLSDrmKeyServerURL | Adobe Access 4.0 | None | Key server URL for embedding in the served playlist. |
| PHLSOutputProtection | (Optional) PHLS | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required. |
| PHLSPlaybackExpiration | (Optional) PHLS | 24Hours | The duration of the time for which the content is available for playback. Possible values are 24Hours and Unlimited. |

PHLS
Edit the file httpd.conf and update the <Location /hls-vod> directive as follows:
<Location /hls-vod> 
    HLSHttpStreamingEnabled true 
    HLSMediaFileDuration 8000 
    HttpStreamingContentPath "../webroot/vod" 
    HLSFmsDirPath ".." 
    HLSJITConfAllowed true 
    HLSEncryptionScope  server 
    HLSProtectionScheme  PHLS 
    PHLSContentID httpd_conf 
    PHLSCommonKeyFile  "../creds/liveeventkey.bin" 
    PHLSOutputProtection  None 
    PHLSPlaybackExpiration  Unlimited 
</Location>

Request the following URL from an iOS device:

http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8

For more information on the elements, see Vanilla.

Adobe Access
Edit the file httpd.conf and update the <Location /hls-vod> directive as follows:
<Location /hls-vod> 
    HLSHttpStreamingEnabled true 
    HLSMediaFileDuration 8000 
    HttpStreamingContentPath "../webroot/vod" 
    HLSFmsDirPath ".." 
    HLSJITConfAllowed true 
    HLSEncryptionScope server 
    HLSProtectionScheme AdobeAccessV4 
    HLSDrmContentID httpd_conf 
    HLSDrmCommonKeyFile  "<path to common key file>" 
    HLSDrmLicenseServerURL  "<url of license server>" 
    HLSDrmTransportCertFile  "<path to transport certificate file>" 
    HLSDrmLicenseServerCertFile  "<path to license server certificate file>" 
    HLSDrmPackagerCredentialFile  "<path to packager credential file>" 
    HLSDrmPackagerCredentialPassword  ?????? 
    HLSDrmPolicyFile  "<path to policy file>" 
    HLSDrmKeyServerURL  "<key server url>" 
</Location>

Request the following URL from an iOS device:

http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8

Note: For local key delivery, it is recommended that HLSDrmKeyServerURL be set to the dummy URL http://faxs.adobe.com.

For more information on the elements, see Vanilla.

Stream level

To configure individual sets of media, in the httpd.conf file, set HLSEncryptionScope to content. This setting tells the server that configuration settings in the jit.conf file override settings in the httpd.conf file.

Configure the following elements in a jit.conf file in the same directory as the on-demand media:

| Element | Default value | Description |
| --- | --- | --- |
| //manifest/hds:encryption | None | The parent element for configuration. This element has an enabled attribute. To enable content for protection with PHLS, set the enabled attribute to "true". The value is "false" by default. |
| //manifest/hds:encryption/hds:keyfile | None | The path of the default cipher key used to encrypt the content. |
| //manifest/hds:encryption/hds:keyuri | None | The URI that the client uses to fetch the encryption key. See Serve encryption keys to the client. |

Vanilla
  1. To configure live PHLS at the stream level, open the rootinstall/Apache2.2/conf/httpd.conf file and locate the hlshttp_module:

    <IfModule hlshttp_module> 
        ... 
    <Location /hls-vod> 
        ...
  2. Uncomment HLSEncryptionScope and set it to content:

    # Uncomment the following directives to enable encryption 
    # for this location: 
        HLSEncryptionScope content 
    #    HLSEncryptCipherKeyFile 
    #     HLSEncryptKeyURI
  3. Create a jit.conf configuration file and copy it to the same directory as the on-demand media files.

    <hds:hls> 
        <hds:encryption enabled="true"> 
        <hds:keyfile>../creds/content.key</hds:keyfile> 
        <hds:keyuri>https://<server-name>/hls-key/content.key</hds:keyuri> 
        </hds:encryption> 
    </hds:hls>
  4. Follow the steps in Serve encryption keys to the client to configure the server to serve keys with or without SSL. These steps configure the /hls-key path in the /hds:keyuri element.

  5. Copy the vodkey.bin file from rootinstall/creds to rootinstall/webroot/keys.

  6. Request the following URL from an iOS device:

    http://<servername>/hls-vod/sample2_1000kbps.f4v.m3u8

  7. To verify that the stream is encrypted, run the Apple Media Stream Validator Tool on the stream. See Technical Note TN2224.

PHLS
See the following sample configuration:
<?xml version="1.0" encoding="utf-8"?> 
    <manifest xmlns="http://ns.adobe.com/f4m/1.0" 
        xmlns:hds="http://ns.adobe.com/hds-package/1.0"> 
            <hds:hls> 
                <hds:encryption enabled="true"  protection-scheme="PHLS" > 
                    <hds:PHLS> 
                        <hds:content-id>jit_conf</hds:content-id> 
                        <hds:common-key-file> 
                            root_install/creds/vodkey.bin 
                        </hds:common-key-file> 
                        <hds:output-protection>None</hds:output-protection> 
                        <hds:playback-expiration>Unlimited</hds:playback-expiration> 
                    </hds:PHLS> 
                </hds:encryption> 
            </hds:hls> 
    </manifest>

Request the following URL from an iOS device:

http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8

For configuring the server with PHLS, see the steps mentioned in the Vanilla section. For details on the configuration elements, see the table above.

Adobe Access
See the following sample configuration:
<?xml version="1.0" encoding="utf-8"?> 
    <manifest xmlns="http://ns.adobe.com/f4m/1.0" 
        xmlns:hds="http://ns.adobe.com/hds-package/1.0"> 
    <hds:hls> 
        <hds:encryption enabled="true"  protection-scheme="AdobeAccessV4"> 
            <hds:AdobeAccessV4> 
                <hds:content-id>jit_conf</hds:content-id> 
                <hds:common-key-file> 
                    root_install/creds/vodkey.bin 
                </hds:common-key-file> 
                <hds:license-server-url> 
                    http://mylicenseserver.myhost.com 
                </hds:license-server-url> 
                <hds:transport-cert-file> 
                    production_transport.der 
                </hds:transport-cert-file> 
                <hds:license-server-cert-file> 
                    production_license_server.der 
                </hds:license-server-cert-file> 
                <hds:packager-credential-file> 
                    production_packager.pfx 
                </hds:packager-credential-file> 
                <hds:packager-credential-password> 
                    ?????? 
                </hds:packager-credential-password> 
                <hds:policy-file>policy.pol</hds:policy-file> 
                <hds:key-server-url>http://faxs.adobe.com</hds:key-server-url> 
            </hds:AdobeAccessV4> 
        </hds:encryption> 
    </hds:hls> 
</manifest>

For local key delivery, it is recommended that HLSDrmKeyServerURL be set to the dummy URL http://faxs.adobe.com.

Request the following URL from an iOS device:

http://<ServerName>/hl-vod/sample2_1000kbps.f4v.m3u8

For configuring the server with PHLS, see the steps mentioned in the Vanilla section. For details on the configuration elements, see the table above.

VOD streams

To generate unique content encryption keys (CEKs) for Adobe Access, the URL path (relative to the configured content path) including the stream name is used as Content ID. For example, Content ID for path http://example.com/hls-vod/mymedia/sample.f4v.m3u8 would be mymedia/sample.f4v.

To change the default Content ID, specify the new Content ID in the configuration files event.xml, application.xml or jit.conf.

Multiple renditions of the same content require the same CEK for each rendition. To enable the same CEK across multiple renditions of the same content, configure the content-id in:
  • application.xml

  • event.xml (for Live Events) or jit.conf (for VOD Events).

You can protect the renditions using the Adobe Access configurations.

License chaining

If the configuration for embedding the leaf license is turned off, Adobe Media Server will still support such a policy except that the leaf license will not be embedded in the DRM metadata.

Note: The support will be limited to a single license server credential and credential-password pair.
The following table provides the configuration details:

| Parameter | Description | Required with | Default value |
|---|---|---|---|
| HLSDrmEmbedLeafLicense (Server level); HLS/Encryption/AdobeAccessV4/EmbedLeafLicense (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:embed-leaf-license (VOD Use case - Stream level) | (Optional) Enables embedding of leaf licenses for policies generated using chained licenses. Possible values are "true" or "false". | AdobeAccessV4 | false |
| HLSDrmLicenseServerCredentialFile (Server level); HLS/Encryption/AdobeAccessV4/LicenseServerCredentialFile (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:license-server-credential-file (VOD Use case - Stream level) | Required if HLSDrmEmbedLeafLicense is set to true. The license server credential used when protecting content at this location. | AdobeAccessV4 | NA |
| HLSDrmLicenseServerCredentialPassword (Server level); HLS/Encryption/AdobeAccessV4/LicenseServerCredentialPassword (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:license-server-credential-password (VOD Use case - Stream level) | Required if HLSDrmEmbedLeafLicense is set to true. The license server credential password for the configured license server credential file. | AdobeAccessV4 | NA |

Key rotation

To enable the feature, you must add the following configuration directives in the httpd.conf file:

| Directive | Required with | Default Value | Description |
|---|---|---|---|
| HLSDrmEnableKeyRotation / PHLSEnableKeyRotation (Server level); EnableKeyRotation (Application and Event level); hds:hls/hds:encryption/hds:FlashAccessV4/hds:enable-key-rotation (VOD Use case - Stream level) | Optional with FlashAccessV4 and PHLS | true | Enabled by default. To disable key rotation, set the attribute to "false". |
| HLSDrmKeyRotationInterval / PHLSKeyRotationInterval (Server level); KeyRotationInterval (Application and Event level); hds:hls/hds:encryption/hds:FlashAccessV4/hds:key-rotation-interval (VOD Use case - Stream level) | Optional with FlashAccessV4 and PHLS | 15 | The key is changed after the specified number of seconds. |

For HDS streams, key rotation does not affect the performance of the client or the scaling of the license server, because rotating the key is handled in-band.

In HLS, key rotation results in a request for the key from the key server when using remote key delivery. For local key delivery, the rotated key is in the updated M3U8 file.

Out-of-Band DRM metadata

To enable this feature, you must add the following configuration directives in the httpd.conf file:

| Directive | Required | Default Value | Description |
|---|---|---|---|
| HLSEmbedMetadata | No | For VOD, true. For Live, false | Enables embedding of metadata in the playlist. The false value is applicable only when HLSMetaPackagingEnabled is set to true. |
| HLSMetaMaxAge | No | 3600 seconds | The maximum age in the Cache-Control header for m3u8 responses. A value of -1 specifies that no Cache-Control header is set. If no value is specified, the default value, 3600 seconds, is assumed. |
| HLSMetaPackagingEnabled | No | true | (Optional) Enables just in time packaging of metadata for this location. The possible values are "true" or "false". |

Player binding

A whitelist file (with the extension .airwhitelist) is a text file that contains multiple entries, where each entry identifies an application by four fields (publisher-id, app-id, min-ver, max-ver). The publisher-id is mandatory and the rest of the fields are optional. The file can be generated by passing the certificate(s) used to sign the application(s) to the whitelist tool. Currently, the whitelist tool only supports extracting the publisher-id, but the rest of the fields (if required) can be updated manually. To use player binding, enable it in the configuration and specify a folder where Adobe Media Server can locate the whitelist files (multiple whitelist files and multiple entries in a whitelist file are supported). Adobe Media Server adds the list of identifiers picked up from the whitelist files to the license it embeds in the metadata.

To enable the feature, you must add the following configuration directives in the httpd.conf file:

| Directive | Required with | Default Value | Description |
|---|---|---|---|
| PHLSPlayerBindingEnabled (Server level); HLS/Encryption/PHLS/PlayerBindingEnabled (Application and Event level); hds:hls/hds:encryption/hds:phls/hds:player-binding (VOD Use case - Stream level) | PHLS | false | Enables player binding using white-list. Possible values are "true" or "false". |
| PHLSWhitelistFolder (Server level); HLS/Encryption/PHLS/WhitelistFolder (Application and Event level); hds:hls/hds:encryption/hds:phls/hds:whitelist-folder (VOD Use case - Stream level) | PHLS | NA | (Required if HLSDrmPlayerBindingEnabled is true) The directory location containing the white-list files. This will work only when HLSDrmPlayerBindingEnabled is set to true. |

Serve encryption keys to the client

The following PHLS configurations specify the path the client uses to fetch the encryption key:

  • HLSEncryptKeyURI

  • //manifest/hds:hls/hds:encryption/hds:keyuri

  • //Application/HDS/HLS/Encryption/KeyURI

  • //Event/HLS/Encryption/KeyURI

For both on-demand and live vanilla encryption, serve encryption keys to the client through the Apache HLS module. The module unscrambles the key before serving the request.

Note: The key files used for configuring encryption must always be scrambled.

You can enable client authentication over SSL to ensure that key files are served securely. A reference configuration file and the Apple CA bundle are installed to the following locations:

rootinstall/Apache2.2/conf/httpd-hls-secure.conf

rootinstall/creds/certs/ca

The httpd-hls-secure.conf file demonstrates how to configure a virtual host at the default SSL port with client authentication enabled for the location /hls-key with cipher key hosting enabled. However, this is only a reference configuration. To guarantee authentication for a production system, customize the configuration for your deployment.

Note: The SSL certificate presented by the iOS client must be current. If the client presents an expired certificate, client authentication fails and an error message displays to the user (on the client). iOS clients with older iOS installations may encounter this problem.

Serve key files with SSL client authentication

  1. Uncomment the following lines in the Apache httpd.conf file:

    "#LoadModule ssl_module" 
    "#Include conf/httpd-hls-secure.conf"
  2. Customize the SSL properties in the rootinstall/Apache2.2/conf/httpd-hls-secure.conf file based on the deployment. This customization includes getting an SSL certificate from a recognized CA.

    Important: The SSL certificate generated for the server must have a CN that is a FQDN (Fully Qualified Domain Name), even in a test environment. If not, the iOS client may not present its client certificate and client authentication fails. If client authentication fails, the key file is not served and the iOS client crashes. This is a known Apple bug.
  3. Restart Apache.

Serve key files without SSL

  1. Add the following to the Apache httpd.conf file under the line <IfModule hlshttp_module>:

    <Location /hls-key> 
        HLSEncryptHostCipherKey true 
        HLSFmsDirPath ".." 
        HLSEncryptKeyRepository "../creds" 
    </Location>

    The Location path can be any value. Point the HLSEncryptKeyRepository directive to the location of the keys. The keys are in the rootinstall/creds folder by default.

  2. Restart Apache.

Use the following parameters in the Apache httpd.conf file to configure key hosting:

| Parameter | Description | Default value |
|---|---|---|
| HLSEncryptHostCipherKey | Enable (true) or disable (false) cipher key hosting from this location. | false |
| HLSEncryptKeyRepository | The path of the folder that contains the key file. | None |
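A configuration audit for the two key-serving procedures above, as an added example that is not part of the product or its reference configuration: it lists every Location that hosts cipher keys and reports whether it sits behind SSL with a required client certificate. The sample httpd.conf fragment is constructed, and SSLEngine and SSLVerifyClient are standard mod_ssl directives assumed here because the contents of httpd-hls-secure.conf are not shown on this page.

```python
import re

# Constructed httpd.conf fragment (not from the product): one key location on
# plain HTTP, one inside an SSL virtual host that demands a client certificate.
SAMPLE_CONF = """
<IfModule hlshttp_module>
<Location /hls-key>
    HLSEncryptHostCipherKey true
    HLSEncryptKeyRepository "../creds"
</Location>
</IfModule>
<VirtualHost *:443>
    <Location /hls-key-secure>
        HLSEncryptHostCipherKey true
    </Location>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

def audit_key_locations(conf):
    """Map each <Location> that hosts cipher keys to its list of findings."""
    main, hosted = {}, []
    scope, loc = main, None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>$", line)
        if tag:
            closing, name, arg = tag.group(1), tag.group(2).lower(), tag.group(3)
            if name == "virtualhost":   # simplification: vhosts inherit nothing
                scope = main if closing else {}
            elif name == "location" and closing:
                loc = None
            elif name == "location":
                loc = (arg.strip('"'), {}, scope)
                hosted.append(loc)
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        (loc[1] if loc else scope)[key.lower()] = value.strip('" ').lower()
    report = {}
    for path, own, outer in hosted:
        eff = {**outer, **own}   # merged after parsing, so directive order is free
        if eff.get("hlsencrypthostcipherkey") != "true":
            continue
        report[path] = [msg for key, want, msg in (
            ("sslengine", "on", "keys served without SSL"),
            ("sslverifyclient", "require", "no client certificate required"),
        ) if eff.get(key) != want]
    return report
```

An empty findings list means the location matches the SSL client authentication setup; any other result identifies a location where the unscrambled key is reachable without it.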

Dynamic Content Encryption Key

AMS supports different content encryption keys for content at the different levels (server, application, stream, and event). The keys are generated according to the location of the content and the location of the Common Key.

Delivering Content Encryption Keys

The Content Encryption Key delivery mode is specified in the policy file. For the Adobe Access 4.0 protection scheme, set the policy using the HLSDrmPolicyFile parameter. To select the policy file for the PHDS protection scheme, HLSDrmOutputProtection and HLSDrmPlaybackExpiration are used.

The key server URL is based on the key delivery mode specified in the policy file. For remote key serving, use the KeyServerURL parameter to specify the URL of key server. The URL format for remote key serving is https://<customers-keyserver-uri>. For example, https://faxs.adobe.com. For local key serving, the value of KeyServerURL should always be faxs://faxs.adobe.com.
Note: PHLS supports only local key delivery and AMS cannot deliver CEKs as long as DRM is enabled.

Adaptive bitrate streaming

In order to support adaptive bitrate, HTTP Live Streaming requires a variant playlist file that refers to individual playlist files having different renditions of the same content. The Adobe Access for iOS SDK requires that each stream referred to in a variant playlist must be encrypted using the same policy and the same content encryption key. Hence each encrypted stream will have the same DRM metadata referred to in the #EXT-X-FAXS-CM tag (embedded or served out of band).

The Adobe Access Server protected variant playlist also needs to include the #EXT-X-FAXS-CM tag. The value of the #EXT-X-FAXS-CM tag in the variant playlist is the relative URI referring to the DRM metadata of one of the individual streams. At the client, the #EXT-X-FAXS-CM tag in the variant playlist is used to create the DRM session. The same DRM session is used for all encrypted M3U8 files inside the variant playlist.

Here’s an example of Adobe Access protected variant playlist:
#EXTM3U
#EXT-X-FAXS-CM:URI="hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.drmmeta"
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=212000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=307000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_307Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=512000, CODECS="avc1.77.31, mp4a.40.5"
http://my.server.com/hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_512Kbps_720_480_main_3_1.mp4.m3u8
Note: This variant playlist needs to be served in Adobe Access M3U8 format. For instance, you need to append ?faxs=1 to the URL like http://my.server.com/variantPlaylist.m3u8?faxs=1.
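A pre-publish check for the variant playlist rules described above, as an added example that is not Adobe's code: it resolves every URI against the playlist URL and confirms that a #EXT-X-FAXS-CM tag is present and points at the DRM metadata of one of the listed streams. The pairing of .drmmeta and .m3u8 names is an assumption inferred from the sample playlist, and the sample input and function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Playlist URL from the note above; relative URIs are resolved against it.
BASE = "http://my.server.com/variantPlaylist.m3u8?faxs=1"

# Constructed sample modelled on the playlist above, with shortened names.
SAMPLE = """#EXTM3U
#EXT-X-FAXS-CM:URI="vod/clip/low.mp4.drmmeta"
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=212000,CODECS="avc1.77.31, mp4a.40.5"
vod/clip/low.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=512000,CODECS="avc1.77.31, mp4a.40.5"
http://my.server.com/vod/clip/high.mp4.m3u8
"""

def parse_variant(text):
    """Return (#EXT-X-FAXS-CM URIs, variant stream URIs)."""
    cm, variants, expect_uri = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#EXT-X-FAXS-CM:"):
            m = re.search(r'URI="([^"]*)"', line)
            cm.append(m.group(1) if m else "")
        elif line.startswith("#EXT-X-STREAM-INF:"):
            expect_uri = True          # the next non-tag line is the stream URI
        elif line and not line.startswith("#") and expect_uri:
            variants.append(line)
            expect_uri = False
    return cm, variants

def stream_key(uri, base):
    """(host, path) of a stream minus .m3u8/.drmmeta (assumed naming pairing)."""
    parts = urlsplit(urljoin(base, uri))
    return parts.netloc, re.sub(r"\.(m3u8|drmmeta)$", "", parts.path)

def check_variant(text, base=BASE):
    """List problems that would keep a client from creating one DRM session."""
    cm, variants = parse_variant(text)
    streams = {stream_key(v, base) for v in variants}
    problems = []
    if not text.lstrip().startswith("#EXTM3U"):
        problems.append("missing #EXTM3U header")
    if not variants:
        problems.append("no #EXT-X-STREAM-INF entries")
    if not cm:
        problems.append("missing #EXT-X-FAXS-CM tag")
    for uri in cm:
        if not uri or stream_key(uri, base) not in streams:
            problems.append(f"#EXT-X-FAXS-CM URI {uri!r} matches no listed stream")
    return problems
```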