Use Adobe Media Server 5 to serve protected content over
HTTP to devices that support Apple HTTP Live Streaming.
The Adobe Media Server installer generates the required certificates
and keys to the rootinstall/creds directory. To generate
new keys, use the scramble tool. See Scramble tool.
Overview
The content can be protected using three modes:
Vanilla
PHLS
Adobe Access 4.0
To enable a specific encryption scheme, use the HLSProtectionScheme
directive.
Vanilla
Vanilla mode is used for plain AES encryption.
PHLS
PHLS mode is a non-DRM solution. You do not need to set
up a license or key server. The key is always served in a local
mode.
Adobe Access
Adobe Access mode offers a complete DRM solution. It supports
all the Adobe Access 3.0 features, along with remote key serving
for HLS. Local key serving mode also works with Adobe Access 2.0
or higher license servers. The remote key serving mode works only
with an Adobe Access 4.0 compliant server.
Adobe Access SDK is a Digital Rights Management (DRM) platform
that makes it possible to protect and securely deliver video and
audio content for playback on consumer devices such as personal
computers. Adobe Access is a flexible platform that enables content
owners to protect their content and maintain control over distribution.
Content owners can protect and manage their rights by creating licenses
for each digital media file, ensuring that a wide variety of the highest-quality
content is made available to consumers.
Adobe Access supports a wide range of business models, including
video on demand, rental, and electronic sell-through. You can distribute
content protected with Adobe Access by streaming through Adobe Media
Server software, offering progressive download via HTTP using Adobe's
HTTP Dynamic Streaming technology, or permitting downloads to a
content library for local playback at the consumer's convenience.
To enable DRM support for HTTP Live Streaming, use Adobe Access
iOS library. The policy files generated for Adobe Access 2.0 and
Adobe Access 3.0 will also work in local key serving mode.
AMS supports different content encryption keys for content at
the different levels (server, application, stream, and event). The
keys are generated according to the location of the content and
the location of the Common Key.
Key rotation
You can periodically change the encryption key and specify
how often the content encryption key is to be changed.
Out-of-Band DRM metadata
The HLS module of AMS supports serving of BER-encoded DRM
metadata out-of-band. The requested URL format is the same as for a
playlist, except that the URL ends in .drmmeta instead of .m3u8.
The metadata embedded in the m3u8 file is
base64-encoded but the metadata served out-of-band in the .drmmeta
file is binary data.
Player binding
Adobe Media Server supports whitelist-based player binding
when the protection scheme is PHLS. This is similar to the HTTP
SWF Verification.
License chaining
Adobe Media Server will support embedding leaf licenses
in the DRM metadata from the policy generated using a chained license.
Adobe Media Server will need the license server credential and the
credential password configured so that the root license from the
policy can be used to encrypt the CEK contained in the embedded
leaf license.
Live use case
Getting started
To configure PHLS with basic settings, perform the following steps:
Navigate to the <root-install>/Apache2.2/conf/ directory.
Edit the httpd.conf file and add the following directives under <Location /hls-live>:
<Location /hls-live>
    HLSHttpStreamingEnabled true
    HttpStreamingLiveEventPath "../applications"
    HttpStreamingContentPath "../applications"
    HLSMediaFileDuration 8000
    HLSSlidingWindowLength 6
    HLSFmsDirPath ".."
    HttpStreamingUnavailableResponseCode 503
    HLSEncryptionScope server
    HLSProtectionScheme PHLS
</Location>
Note: This configuration will enable PHLS at the server level.
Publish a live stream called “livestream?adbe-live-event=liveevent”
to livepkgr.
Play back the stream using the URI http://<server-ip>:8134/hls-live/livepkgr/_definst_/liveevent/livestream.m3u8
Detailed configuration
The following sections provide detailed configurations.
Server level
You can configure HLS at the server level to apply content
protection across all deployed applications.
Vanilla
The following table contains the directives for the hlshttp_module
in the Apache httpd.conf file:
Directive | Default | Description
HLSEncryptionScope | Off | Defines the encryption scope. The following are possible values: server — Apache encryption settings are applied to all content. The server ignores content-specific encryption configurations in Event.xml and Application.xml (live) and jit.conf (on-demand). content — Apache encryption settings are ignored. The server uses encryption settings from Event.xml or Application.xml (live) or from jit.conf (on-demand). Off — Encryption is off for the whole server.
HLSEncryptCipherKeyFile | None | The path of the default cipher key used to encrypt the content.
HLSEncryptKeyURI | None | The URI that the client uses to fetch the encryption key.
Publishing and playback
Open the rootinstall/Apache2.2/conf/httpd.conf
file and locate the hlshttp_module:
<IfModule hlshttp_module>
...
<Location /hls-live>
...
Uncomment the following:
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope server
HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"
Substitute
the fully qualified domain name of your Adobe Media Server for the <ServerName> parameter.
Follow the steps in Serve encryption keys to the client to configure the server to
serve keys with or without SSL. These steps configure the /hls-key path in
the HLSEncryptKeyURI directive.
Open Flash Media Live Encoder and publish a stream with the
following settings:
Format—H.264
Keyframe Frequency—4 seconds
AMS URL—rtmp://<server-name>/livepkgr
Stream—encryption?adbe-live-event=encryption
Request the following URL from an iOS device:
http://<servername>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8
To verify that the stream is encrypted, run the Apple Media
Stream Validator Tool on the stream. See Technical Note TN2224.
PHLS and Adobe Access
The following table contains the directives for the hlshttp_module
in the Apache httpd.conf file:
Parameter | Required With | Default | Description
HLSProtectionScheme | Adobe Access 4.0, PHLS | Vanilla | Determines the protection scheme used for content. Protection scheme can be Vanilla, AdobeAccessV4 or PHLS. HLSProtectionScheme is effective if encryption is enabled. Use HLSEncryptionScope parameter to determine the status of encryption.
HLSEmbedMetadata | Adobe Access 4.0, PHLS | true for VOD and false for live | (Optional) Enables embedding of metadata in the playlist. The possible values are "true" or "false". Note that false will only work when HLSMetaPackagingEnabled is set to true.
HLSMetaPackagingEnabled | Adobe Access 4.0, PHLS | true | (Optional) Enables just in time packaging of metadata for this location. The possible values are "true" or "false". This configuration is not valid for the Vanilla protection scheme.
HLSMetaMaxAge | Adobe Access 4.0, PHLS | 60*60 secs (1 hour) | (Optional) Specifies the max-age to set in the Cache-Control header for M3U8 responses. Specified in secs. -1 means no Cache-Control header is set. If not specified, the default value will be assumed. This configuration is used only when the HLSMetaPackagingEnabled value is set to true.
PHLSCommonKeyFile | (Optional) PHLS | For PHLS ../creds/commonKey.bin | Contains the name of the Common key file in ../creds/common-key.bin.
PHLSContentID | (Optional) PHLS | eventId | Content ID for mapping the license.
HLSDrmLicenseServerURL | Adobe Access 4.0 | None | URL of License server used for protecting content
HLSDrmTransportCertFile | Adobe Access 4.0 | None | Transport certificate file used for protecting content
HLSDrmLicenseServerCertFile | Adobe Access 4.0 | None | File containing license server certificate used for protecting content
HLSDrmPackagerCredentialFile | Adobe Access 4.0 | None | File containing Packager credential used for protecting content
HLSDrmPackagerCredentialPassword | Adobe Access 4.0 | None | Packager credential password for the configured packager credential file
HLSDrmPolicyFile | Adobe Access 4.0 | None | Path and Name of the Policy File to be used for protecting content
HLSDrmKeyServerURL | Adobe Access 4.0 | None | Key server URL for embedding in the served playlist.
PHLSOutputProtection | (Optional) PHLS | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required.
PHLSPlaybackExpiration | (Optional) PHLS | 24 Hours | The duration of the time for which the content is available for playback. Possible values are 24Hours and Unlimited.
PHLS
Edit the httpd.conf file and add the following directives under <Location /hls-live>:
<Location /hls-live>
    HLSHttpStreamingEnabled true
    HttpStreamingLiveEventPath "../applications"
    HttpStreamingContentPath "../applications"
    HLSMediaFileDuration 10000
    HLSSlidingWindowLength 6
    HLSFmsDirPath ".."
    HttpStreamingUnavailableResponseCode 503
    HLSEncryptionScope server
    HLSProtectionScheme PHLS
    PHLSContentID httpd_conf
    PHLSCommonKeyFile "../creds/liveeventkey.bin"
    PHLSOutputProtection None
    PHLSPlaybackExpiration Unlimited
</Location>
For details on the configuration elements, see the table mentioned
above.
Adobe Access
Edit the httpd.conf file and add the following directives under <Location /hls-live>:
<Location /hls-live>
    HLSHttpStreamingEnabled true
    HttpStreamingLiveEventPath "../applications"
    HttpStreamingContentPath "../applications"
    HLSMediaFileDuration 10000
    HLSSlidingWindowLength 6
    HLSFmsDirPath ".."
    HttpStreamingUnavailableResponseCode 503
    HLSEncryptionScope server
    HLSProtectionScheme AdobeAccessV4
    HLSDrmContentID httpd_conf
    HLSDrmCommonKeyFile "<path to common key file>"
    HLSDrmLicenseServerURL "<url of license server>"
    HLSDrmTransportCertFile "<path to transport certificate file>"
    HLSDrmLicenseServerCertFile "<path to license server certificate file>"
    HLSDrmPackagerCredentialFile "<path to packager credential file>"
    HLSDrmPackagerCredentialPassword ??????
    HLSDrmPolicyFile "<path to policy file>"
    HLSDrmKeyServerURL "<key server url>"
</Location>
For details on the configuration elements, see the table mentioned
above.
Note: For local key delivery it is recommended that HLSDrmKeyServerURL
be set to the dummy URL http://faxs.adobe.com.
For information on publishing and playback, see Vanilla.
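The rules stated in the server-level directive tables above can be checked mechanically before the server is restarted. The following is an added example, not Adobe's code: a small Python linter for <Location> blocks. The finding names, the sample paths and host, and the https check on HLSEncryptKeyURI are assumptions of this example.

```python
import re

# Directives the page's table marks as required with Adobe Access 4.0.
ACCESS_REQUIRED = (
    "HLSDrmLicenseServerURL HLSDrmTransportCertFile HLSDrmLicenseServerCertFile "
    "HLSDrmPackagerCredentialFile HLSDrmPackagerCredentialPassword "
    "HLSDrmPolicyFile HLSDrmKeyServerURL"
).split()
SCHEMES = {"vanilla", "adobeaccessv4", "phls"}
PLACEHOLDER = re.compile(r"<[^>]*>?|\?+")  # "<path to ...>" or "??????" never filled in


def parse_locations(conf_text):
    """Return {location path: {lower-cased directive: value}}, skipping comments."""
    locations, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        opened = re.match(r"<Location\s+([^>]+)>$", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return locations


def lint_location(directives):
    """Apply the rules stated in the directive tables to one Location block."""
    def get(name, default=""):
        return directives.get(name.lower(), default)

    scope = get("HLSEncryptionScope", "Off").lower()
    if scope == "off":
        # HLSProtectionScheme is effective only if encryption is enabled.
        return ["encryption-off"] + (["scheme-has-no-effect"] if get("HLSProtectionScheme") else [])
    if scope == "content":
        # Apache encryption settings are ignored; Event.xml, Application.xml or jit.conf apply.
        ignored = sorted(k for k in directives if k != "hlsencryptionscope"
                         and k.startswith(("hlsencrypt", "hlsdrm", "phls")))
        return ["ignored-in-content-scope:" + k for k in ignored]
    if scope != "server":
        return ["unknown-scope"]
    scheme = get("HLSProtectionScheme", "Vanilla").lower()
    if scheme not in SCHEMES:
        return ["unknown-scheme"]
    findings = []
    if scheme == "vanilla":
        key_uri = get("HLSEncryptKeyURI")
        if not key_uri:
            findings.append("key-uri-missing")
        elif not key_uri.lower().startswith("https://"):
            findings.append("key-uri-not-https")  # AES key would travel in cleartext
        if "hlsmetapackagingenabled" in directives:
            findings.append("metapackaging-not-valid-for-vanilla")
    elif (get("HLSEmbedMetadata").lower() == "false"
          and get("HLSMetaPackagingEnabled", "true").lower() != "true"):
        findings.append("embed-false-needs-metapackaging")
    if scheme == "adobeaccessv4":
        for name in ACCESS_REQUIRED:
            value = get(name)
            if not value:
                findings.append("missing:" + name)
            elif PLACEHOLDER.fullmatch(value):
                findings.append("placeholder:" + name)
    return findings


def audit(conf_text):
    return {path: lint_location(d) for path, d in parse_locations(conf_text).items()}


# Constructed sample modelled on the Location blocks on this page; paths and host are made up.
SAMPLE_CONF = """
<IfModule hlshttp_module>
<Location /hls-live>
    HLSEncryptionScope server
    HLSProtectionScheme AdobeAccessV4
    HLSEmbedMetadata false
    HLSMetaPackagingEnabled false
    HLSDrmLicenseServerURL "<url of license server>"
    HLSDrmTransportCertFile "../creds/transport.der"
    HLSDrmLicenseServerCertFile "../creds/server.der"
    HLSDrmPackagerCredentialFile "../creds/production_packager.pfx"
    HLSDrmPackagerCredentialPassword ??????
    HLSDrmKeyServerURL "http://faxs.adobe.com"
</Location>
<Location /hls-vod>
    HLSEncryptionScope server
    HLSEncryptKeyURI "http://ams.example.com/hls-key/vodkey.bin"
</Location>
</IfModule>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty list for a location means none of the table rules were violated; it does not confirm that the referenced key and credential files exist.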
Application and Event level
You can also configure HLS at an application or event level.
Both the Application.xml file and the Event.xml file have an HLS container
that holds the live vanilla encryption configuration settings. In
Application.xml, the container is located under //Application/HDS/HLS.
In Event.xml, the container is located under //Event/HLS.
Application level
Vanilla
Element | Default | Description
/HLS | None | Container for content protection settings.
/HLS/Encryption | None | Set the enabled attribute to "allow" to allow vanilla encryption configurations in the Event.xml file to override settings in the Application.xml file. Set the enabled attribute to "true" to configure vanilla encryption in the Application.xml file. These configurations apply to all live events in the application. The default value of the enabled attribute in the Application.xml file is "allow". The default value in the Event.xml file is "false".
/HLS/Encryption/KeyFile | None | The path of the default cipher key used to encrypt the content.
/HLS/Encryption/KeyURI | None | The URI that the client uses to fetch the encryption key.
Configure live vanilla encryption at the application level
Open the rootinstall/Apache2.2/conf/httpd.conf
file and locate the hlshttp_module:
<IfModule hlshttp_module>
...
<Location /hls-live>
...
Uncomment the HLSEncryptionScope directive
and set it to content:
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope content
# HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
# HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"
Substitute
the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.
Edit the Application.xml file in the rootinstall/applications/livepkgr
folder to include the following:
<Application>
<HDS>
<HLS>
<Encryption enabled="true">
<KeyFile>C:\Program Files\Adobe\Adobe Media Server 5\creds\liveeventkey.bin</KeyFile>
<KeyURI>http://<server-ip>/hls-key/liveeventkey.bin</KeyURI>
</Encryption>
</HLS>
</HDS>
</Application>
Follow the steps in Serve encryption keys to the client to configure the server to serve
keys with or without SSL. These steps configure the /hls-key path in
the KeyURI directive.
Open Flash Media Live Encoder and publish a stream with the
following settings:
Format—H.264
Keyframe Frequency—4 seconds
AMS URL—rtmp://<server-name>/livepkgr
Stream—encryption?adbe-live-event=encryption
Request the following URL from an application developed using
the SDK on an iOS device:
http://<servername>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8
To verify that the stream is encrypted, run the Apple Media
Stream Validator Tool on the stream. See Technical Note TN2224.
Note: To
create a live event, create a copy of the livepkgr directory located
at rootinstall/applications/livepkgr/events/_definst_/liveevent.
The name of the copied directory must be the same as the name of
the event.
PHLS
Edit the Application.xml file in the rootinstall/applications/livepkgr
folder to include the following:
<Application>
<HDS>
<HLS>
<Encryption enabled="true" protection-scheme="PHLS" >
<PHLS>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<KeyServerURL>faxs://example.com</KeyServerURL>
<OutputProtection>None</OutputProtection>
<PlaybackExpiration>Unlimited</PlaybackExpiration>
</PHLS>
</Encryption >
</HLS>
</HDS>
</Application>
For more information about the elements, see the table in the
server level configuration.
For information on publishing and playback, see Vanilla.
Adobe Access
Edit the Application.xml file in the rootinstall/applications/livepkgr
folder to include the following:
<Application>
<HDS>
<HLS>
<Encryption enabled="true" protection-scheme="AdobeAccessV4" >
<AdobeAccessV4>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<LicenseServerURL>license server url </LicenseServerURL>
<TransportCertPath>transport.der</TransportCertPath>
<LicenseServerCertPath>server.der</LicenseServerCertPath>
<PackagerCredentialPath>
production_packager.pfx
</PackagerCredentialPath>
<PackagerCredentialPwd>??????</PackagerCredentialPwd>
<PolicyPath>policy.pol</PolicyPath>
<KeyServerURL>http://faxs.adobe.com</KeyServerURL>
</AdobeAccessV4>
</Encryption >
</HLS>
</HDS>
</Application>
For more information about the elements, see the table in the
server level configuration.
For information on publishing and playback, see Vanilla.
Event level
Vanilla
Open the rootinstall/Apache2.2/conf/httpd.conf
file and locate the hlshttp_module:
<IfModule hlshttp_module>
...
<Location /hls-live>
...
Uncomment the HLSEncryptionScope directive
and set it to content:
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope content
# HLSEncryptionCipherKeyFile "../creds/liveeventkey.bin"
# HLSEncryptKeyURI "https://<ServerName>/hls-key/liveeventkey.bin"
Substitute
the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption
folder to include the following:
<Event>
<HLS>
<Encryption enabled="true">
<KeyFile>C:\Program Files\Adobe\Adobe Media Server 5\creds\liveeventkey.bin</KeyFile>
<KeyURI>http://<server-ip>/hls-key/liveeventkey.bin</KeyURI>
</Encryption>
</HLS>
</Event>
Follow the steps in Serve encryption keys to the client to configure the server to
serve keys with or without SSL. These steps configure the /hls-key path in
the KeyURI directive.
Open Flash Media Live Encoder and publish a stream with the
following settings:
Format—H.264
Keyframe Frequency—4 seconds
AMS URL—rtmp://<server-name>/livepkgr
Stream—encryption?adbe-live-event=encryption
Request the following URL from an iOS device:
http://<ServerName>/hls-live/livepkgr/_definst_/encryption/encryption.m3u8
To verify that the stream is encrypted, run the Apple Media
Stream Validator Tool on the stream. See Technical Note TN2224.
PHLS
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption
folder to include the following:
<Event>
<HLS>
<Encryption enabled="true" protection-scheme="PHLS" >
<PHLS>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<KeyServerURL>faxs://example.com</KeyServerURL>
<OutputProtection>None</OutputProtection>
<PlaybackExpiration>Unlimited</PlaybackExpiration>
</PHLS>
</Encryption >
</HLS>
</Event>
For more information about the elements, see the table in the
server level configuration.
For more information on publishing and playback, see Vanilla.
Adobe Access
Edit the Event.xml file in the rootinstall/applications/livepkgr/_definst_/encryption
folder to include the following:
<Event>
<HLS>
<Encryption enabled="true" protection-scheme="AdobeAccessV4" >
<AdobeAccessV4>
<ContentID>app_event_xml</ContentID>
<CommonKeyPath>common.bin</CommonKeyPath>
<LicenseServerURL>license server url </LicenseServerURL>
<TransportCertPath>transport.der</TransportCertPath>
<LicenseServerCertPath>server.der</LicenseServerCertPath>
<PackagerCredentialPath>
production_packager.pfx
</PackagerCredentialPath>
<PackagerCredentialPwd>??????</PackagerCredentialPwd>
<PolicyPath>policy.pol</PolicyPath>
<KeyServerURL>http://faxs.adobe.com</KeyServerURL>
</AdobeAccessV4>
</Encryption >
</HLS>
</Event>
For more information about the elements, see the table in the
server level configuration.
For more information on publishing and playback, see Vanilla.
Live events
To generate unique content encryption keys (CEKs) for Adobe
Access, the URL path (relative to the configured content path) up
to the stream, but not including the stream name, is used as the
Content ID. For example, Content ID for path http://example.com/hls-live/livepkgr/definst/liveevent/livestream.m3u8
would be livepkgr/definst/liveevent.
VOD use case
Configure PHLS for on-demand streaming at the following
levels:
Server—rootinstall/Apache2.2/conf/httpd.conf
Stream—create a jit.conf file and copy it to the same directory
as the content.
Getting started
To configure PHLS with basic settings, perform the following steps:
Navigate to <root-install>/Apache2.2/conf/.
Edit the httpd.conf file and add the HLSEncryptionScope and HLSProtectionScheme directives under
the <Location /hls-vod> directive:
<Location /hls-vod>
    HLSHttpStreamingEnabled true
    HLSMediaFileDuration 8000
    HttpStreamingContentPath "../webroot/vod"
    HLSFmsDirPath ".."
    HLSJITConfAllowed true
    HLSEncryptionScope server
    HLSProtectionScheme PHLS
    Options -Indexes FollowSymLinks
</Location>
Note: This configuration will enable
PHLS at the server level with default configurations.
The sample1_1500kbps.f4v media file comes with the default installation
of AMS under <root-install>/webroot. You can play the
media file using the following URI: http://<server-ip>/hls-vod/sample1_1500kbps.f4v.m3u8
Detailed configuration
The following sections provide the detailed configurations.
Server level
You can configure HLS at the server level to apply content
protection at server level to all streams requested through the
location directives.
Vanilla
Configure the following directives for the hlshttp_module
in the Apache httpd.conf file:
Directive | Default | Description
HLSEncryptionScope | Off | Defines the encryption scope. The following are possible values: server — Apache encryption settings are applied to all content. The server ignores content-specific encryption configurations in Event.xml and Application.xml (live) and jit.conf (on-demand). content — Apache encryption settings are ignored. The server uses encryption settings from Event.xml or Application.xml (live) or from jit.conf (on-demand). Off — Encryption is off for the whole server.
HLSEncryptCipherKeyFile | None | The path of the default cipher key used to encrypt the content.
HLSEncryptKeyURI | None | The URI that the client uses to fetch the encryption key. See Serve encryption keys to the client.
To configure vanilla content protection at the server level,
set HLSEncryptionScope to server in
the httpd.conf file. This configuration tells the server to use
the settings in the httpd.conf file for all requests to this Location directive.
Open the rootinstall/Apache2.2/conf/httpd.conf file and
locate the hlshttp_module:
<IfModule hlshttp_module>
...
<Location /hls-vod>
...
Uncomment the following:
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope server
HLSEncryptionCipherKeyFile "../creds/vodkey.bin"
HLSEncryptKeyURI "https://<ServerName>/hls-key/vodkey.bin"
Substitute
the IP address or DNS of your Adobe Media Server for the <ServerName> parameter.
Follow the steps in Serve encryption keys to the client to configure the server to serve
keys with or without SSL. These steps configure the /hls-key path in
the HLSEncryptKeyURI directive.
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
To verify that the stream is encrypted, run the Apple Media
Stream Validator Tool on the stream. See Technical Note TN2224.
The following table contains the directives for the hlshttp_module
in the Apache httpd.conf file:
Parameter | Required With | Default | Description
HLSProtectionScheme | Adobe Access 4.0, PHLS | Vanilla | Determines the protection scheme used for content. Protection scheme can be Vanilla, AdobeAccessV4 or PHLS. HLSProtectionScheme is effective if encryption is enabled. Use HLSEncryptionScope parameter to determine the status of encryption.
HLSDrmCommonKeyFile | Adobe Access 4.0, (Optional) PHLS | For PHLS ../creds/commonKey.bin | Contains the name of the Common key file in ../creds/common-key.bin.
HLSDrmContentID | (Optional) Adobe Access 4.0, (Optional) PHLS | eventId | Content ID for mapping the license.
HLSDrmLicenseServerURL | Adobe Access 4.0 | None | URL of License server used for protecting content
HLSDrmTransportCertFile | Adobe Access 4.0 | None | Transport certificate file used for protecting content
HLSDrmLicenseServerCertFile | Adobe Access 4.0 | None | File containing license server certificate used for protecting content
HLSDrmPackagerCredentialFile | Adobe Access 4.0 | None | File containing Packager credential used for protecting content
HLSDrmPackagerCredentialPassword | Adobe Access 4.0 | None | Packager credential password for the configured packager credential file
HLSDrmPolicyFile | Adobe Access 4.0 | None | Path and Name of the Policy File to be used for protecting content
HLSDrmKeyServerURL | Adobe Access 4.0 | None | Key server URL for embedding in the served playlist.
HLSDrmOutputProtection | (Optional) PHLS | None | The required hardware Output Protection of media on the client. Possible values are None, BestEffort, and Required.
HLSDrmPlaybackExpiration | (Optional) PHLS | 24 Hours | The duration of the time for which the content is available for playback. Possible values are 24Hours and Unlimited.
PHLS
Edit the httpd.conf file and update the <Location /hls-vod> directive
as follows:
<Location /hls-vod>
    HLSHttpStreamingEnabled true
    HLSMediaFileDuration 8000
    HttpStreamingContentPath "../webroot/vod"
    HLSFmsDirPath ".."
    HLSJITConfAllowed true
    HLSEncryptionScope server
    HLSProtectionScheme PHLS
    HLSDrmContentID httpd_conf
    HLSDrmCommonKeyFile "../creds/liveeventkey.bin"
    HLSDrmKeyServerURL "faxs://example.com"
    HLSDrmOutputProtection None
    HLSDrmPlaybackExpiration Unlimited
</Location>
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
For more information on the elements, see Vanilla.
Adobe Access
Edit the httpd.conf file and update the <Location /hls-vod> directive
as follows:
<Location /hls-vod>
    HLSHttpStreamingEnabled true
    HLSMediaFileDuration 8000
    HttpStreamingContentPath "../webroot/vod"
    HLSFmsDirPath ".."
    HLSJITConfAllowed true
    HLSEncryptionScope server
    HLSProtectionScheme AdobeAccessV4
    HLSDrmContentID httpd_conf
    HLSDrmCommonKeyFile "<path to common key file>"
    HLSDrmLicenseServerURL "<url of license server>"
    HLSDrmTransportCertFile "<path to transport certificate file>"
    HLSDrmLicenseServerCertFile "<path to license server certificate file>"
    HLSDrmPackagerCredentialFile "<path to packager credential file>"
    HLSDrmPackagerCredentialPassword ??????
    HLSDrmPolicyFile "<path to policy file>"
    HLSDrmKeyServerURL "<key server url>"
</Location>
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
Note: For local key delivery, it is recommended that HLSDrmKeyServerURL be set
to the dummy URL http://faxs.adobe.com.
For more information on the elements, see Vanilla.
Stream level
To configure individual sets of media, in the httpd.conf
file, set HLSEncryptionScope to content.
This setting tells the server that configuration settings in the
jit.conf file override settings in the httpd.conf file.
Configure the following elements in a jit.conf file in the same
directory as the on-demand media:
Element | Default value | Description
//manifest/hds:encryption | None | The parent element for configuration. This element has an enabled attribute. To enable content for protection with PHLS, set the enabled attribute to "true". The value is "false" by default.
//manifest/hds:encryption/hds:keyfile | None | The path of the default cipher key used to encrypt the content.
//manifest/hds:encryption/hds:keyuri | None | The URI that the client uses to fetch the encryption key. See Serve encryption keys to the client.
Vanilla
To configure live PHLS at the stream level, open
the rootinstall/Apache2.2/conf/httpd.conf file and locate the hlshttp_module:
<IfModule hlshttp_module>
...
<Location /hls-vod>
...
Uncomment HLSEncryptionScope and set it
to content:
# Uncomment the following directives to enable encryption
# for this location:
HLSEncryptionScope content
# HLSEncryptCipherKeyFile
# HLSEncryptKeyURI
Create a jit.conf configuration file and copy it to the same
directory as the on-demand media files.
<hds:hls>
<hds:encryption enabled="true">
<hds:keyfile>../creds/content.key</hds:keyfile>
<hds:keyuri>https://<server-name>/hls-key/content.key</hds:keyuri>
</hds:encryption>
</hds:hls>
Follow the steps in Serve encryption keys to the client to configure the server to serve
keys with or without SSL. These steps configure the /hls-key path in
the /hds:keyuri element.
Copy the vodkey.bin file from rootinstall/creds to rootinstall/webroot/keys.
Request the following URL from an iOS device:
http://<servername>/hls-vod/sample2_1000kbps.f4v.m3u8
To verify that the stream is encrypted, run the Apple Media
Stream Validator Tool on the stream. See Technical Note TN2224.
PHLS
See the following sample configuration:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0"
xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:hls>
<hds:encryption enabled="true" protection-scheme="PHLS" >
<hds:PHLS>
<hds:content-id>jit_conf</hds:content-id>
<hds:common-key-file>
root_install/creds/vodkey.bin
</hds:common-key-file>
<hds:output-protection>None</hds:output-protection>
<hds:playback-expiration>Unlimited</hds:playback-expiration>
</hds:PHLS>
</hds:encryption>
</hds:hls>
</manifest>
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
For configuring the server with PHLS, see the steps mentioned
in the Vanilla section. For details on the configuration elements,
see the table above.
Adobe Access
See the following sample configuration:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0"
xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:hls>
<hds:encryption enabled="true" protection-scheme="AdobeAccessV4">
<hds:AdobeAccessV4>
<hds:content-id>jit_conf</hds:content-id>
<hds:common-key-file>
root_install/creds/vodkey.bin
</hds:common-key-file>
<hds:license-server-url>
http://mylicenseserver.myhost.com
</hds:license-server-url>
<hds:transport-cert-file>
production_transport.der
</hds:transport-cert-file>
<hds:license-server-cert-file>
production_license_server.der
</hds:license-server-cert-file>
<hds:packager-credential-file>
production_packager.pfx
</hds:packager-credential-file>
<hds:packager-credential-password>
??????
</hds:packager-credential-password>
<hds:policy-file>policy.pol</hds:policy-file>
<hds:key-server-url>http://faxs.adobe.com</hds:key-server-url>
</hds:AdobeAccessV4>
</hds:encryption>
</hds:hls>
</manifest>
For local key delivery, it is recommended that HLSDrmKeyServerURL
be set to the dummy URL http://faxs.adobe.com.
Request the following URL from an iOS device:
http://<ServerName>/hls-vod/sample2_1000kbps.f4v.m3u8
For configuring the server with PHLS, see the steps mentioned
in the Vanilla section. For details on the configuration elements,
see the table above.
VOD streams
To generate unique content encryption keys (CEKs) for Adobe
Access, the URL path (relative to the configured content path) including
the stream name is used as Content ID. For example, Content ID for
path http://example.com/hls-vod/mymedia/sample.f4v.m3u8 would be
mymedia/sample.f4v.
To change the default Content ID, specify the new Content ID
in the configuration files event.xml, application.xml or jit.conf.
Multiple renditions of the same content require the same CEK
for each rendition. To enable the same CEK across multiple renditions
of the same content, configure the content-id in:
You can protect the renditions using the Adobe Access configurations.
License chaining
If the configuration for embedding the leaf license is
turned off, Adobe Media Server will still support such a policy
except that the leaf license will not be embedded in the DRM metadata.
Note: The support will be limited to a single license server
credential and credential-password pair.
The following table provides the configuration details:
Parameter | Description | Required with | Default value
HLSDrmEmbedLeafLicense (Server level); HLS/Encryption/AdobeAccessV4/EmbedLeafLicense (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:embed-leaf-license (VOD use case, Stream level) | (Optional) Enables embedding of leaf licenses for policies generated using chained licenses. Possible values are "true" or "false". | AdobeAccessV4 | false
HLSDrmLicenseServerCredentialFile (Server level); HLS/Encryption/AdobeAccessV4/LicenseServerCredentialFile (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:license-server-credential-file (VOD use case, Stream level) | Required if HLSDrmEmbedLeafLicense is set to true. The license server credential used when protecting content at this location. | AdobeAccessV4 | NA
HLSDrmLicenseServerCredentialPassword (Server level); HLS/Encryption/AdobeAccessV4/LicenseServerCredentialPassword (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:license-server-credential-password (VOD use case, Stream level) | Required if HLSDrmEmbedLeafLicense is set to true. The license server credential password for the configured license server credential file. | AdobeAccessV4 | NA
Key rotation
To enable the feature, you must add the following configuration
directives in the corresponding configuration file:
Directive | Required with | Default Value | Description
HLSDrmEnableKeyRotation (Server level); EnableKeyRotation (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:enable-key-rotation (VOD use case, Stream level) | Optional with AdobeAccessV4 and PHLS | true | Enabled by default. To enable key rotation set the attribute to "false".
HLSDrmKeyRotationInterval (Server level); KeyRotationInterval (Application and Event level); hds:hls/hds:encryption/hds:AdobeAccessV4/hds:key-rotation-interval (VOD use case, Stream level) | Optional with AdobeAccessV4 and PHLS | 15 | If the value is "n", the key will be rotated after n ts entries in playlist.
For HDS streams, key rotation has no impact on client performance or on the scaling of the license server, because rotating the key is handled in-band.
In HLS, key rotation results in a key request from the key server when using remote key delivery. For local key delivery, the rotated key is in the updated M3U8 file.
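To confirm that a served media playlist actually rotates keys at the configured interval, the following added example (not Adobe's code) counts the ts entries covered by each key and flags clear segments and over-long key periods. It assumes the playlist signals keys with the standard HLS #EXT-X-KEY tag; the sample playlists, the key URLs and the interval of 3 (the page's default is 15) are constructed.

```python
import re

KEY_RE = re.compile(r"^#EXT-X-KEY:(.*)$")
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def key_runs(playlist):
    """Return [(method, key_uri, segment_count)] for each consecutive key period."""
    runs, current, count = [], ("NONE", None), 0
    for line in map(str.strip, playlist.splitlines()):
        tag = KEY_RE.match(line)
        if tag:
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(tag.group(1))}
            new = (attrs.get("METHOD", "NONE"), attrs.get("URI"))
            if new != current:          # a repeated tag with the same key is not a rotation
                if count:
                    runs.append((*current, count))
                current, count = new, 0
        elif line and not line.startswith("#"):
            count += 1                  # every non-tag line is a segment URI
    if count:
        runs.append((*current, count))
    return runs

def audit_rotation(playlist, interval):
    """Flag unencrypted segments and keys that cover more than `interval` segments."""
    findings = []
    for method, uri, n in key_runs(playlist):
        if method == "NONE":
            findings.append(f"{n} segment(s) not encrypted")
        elif n > interval:
            findings.append(f"key {uri} covers {n} segments, expected at most {interval}")
    return findings

def segments(first, n):                 # builds constructed playlist entries
    return "".join(f"#EXTINF:10,\nseg{i}.ts\n" for i in range(first, first + n))

def key_tag(name):                      # constructed key URL on a placeholder host
    return f'#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.test/hls-key/{name}"\n'

# Constructed samples: a key change every 3 entries, and a playlist that never rotates.
GOOD = "#EXTM3U\n" + "".join(key_tag(f"k{i}") + segments(3 * i + 1, 3) for i in range(3))
BAD = "#EXTM3U\n" + segments(1, 1) + key_tag("k0") + segments(2, 5)

if __name__ == "__main__":
    print(key_runs(GOOD))
    print(audit_rotation(BAD, 3))
```

A partial first or last key period, as in a sliding live window, passes the check because only periods longer than the interval are reported.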
Out-of-Band DRM metadata
To enable this feature, you must add the following configuration directives in the httpd.conf file:
| Directive | Required | Default Value | Description |
| --- | --- | --- | --- |
| HLSEmbedMetadata | No | For VOD, true. For Live, false. | Enables embedding of metadata in the playlist. The false value is applicable only when HLSMetaPackagingEnabled is set to true. |
| HLSMetaMaxAge | No | 3600 seconds | The maximum age in the Cache-Control header for m3u8 responses. A value of -1 specifies that no Cache-Control header is set. If no value is specified, the default value, 3600 seconds, is assumed. |
| HLSMetaPackagingEnabled | No | true | This configuration is applicable only when HLSMetaPackagingEnabled is set to true. |
Player binding
A whitelist file (with extension .airwhitelist) is a text file that contains multiple entries. Each entry corresponds to an application and identifies it by four fields (publisher-id, app-id, min-ver, max-ver). The publisher-id is mandatory and the rest of the fields are optional. The file can be generated by passing the certificate(s) used to sign the application(s) to the whitelist tool. Currently the whitelist tool only supports extracting the publisher-id, but the rest of the fields (if required) can be updated manually. Player binding is enabled by configuration, and a folder must be specified from which Adobe Media Server can locate the whitelist files (multiple whitelist files and multiple entries in a whitelist file are supported). Adobe Media Server adds the list of identifiers picked up from the whitelist files to the license it embeds in the metadata.
To enable the feature, you must add the following configuration
directives in the httpd.conf file:
| Directive | Required with | Default Value | Description |
| --- | --- | --- | --- |
| PHLSPlayerBindingEnabled (Server level); HLS/Encryption/PHLS/PlayerBindingEnabled (Application and Event level); hds:hls/hds:encryption/hds:phls/hds:player-binding (VOD use case, Stream level) | PHLS | false | Enables player binding using white-list. Possible values are "true" or "false". |
| PHLSWhitelistFolder (Server level); HLS/Encryption/PHLS/WhitelistFolder (Application and Event level); hds:hls/hds:encryption/hds:phls/hds:whitelist-folder (VOD use case, Stream level) | PHLS | NA | (Required if HLSDrmPlayerBindingEnabled is true) The directory location containing the white-list files. This will work only when HLSDrmPlayerBindingEnabled is set to true. |
Serve encryption keys to the client
The following PHLS configurations specify the path the client uses to fetch the encryption key:
HLSEncryptKeyURI
//manifest/hds:hls/hds:encryption/hds:keyuri
//Application/HDS/HLS/Encryption/KeyURI
//Event/HLS/Encryption/KeyURI
For both on-demand and live vanilla encryption, serve encryption keys to the client through the Apache HLS module. The module unscrambles the key before serving the request.
Note: The key files used for configuring encryption must always be scrambled.
You can enable client authentication over SSL to ensure that
key files are served securely. A reference configuration file and
the Apple CA bundle are installed to the following locations:
rootinstall/Apache2.2/conf/httpd-hls-secure.conf
rootinstall/creds/certs/ca
The httpd-hls-secure.conf file demonstrates how to configure
a virtual host at the default SSL port with client authentication
enabled for the location /hls-key with cipher key hosting enabled.
However, this is only a reference configuration. To guarantee authentication
for a production system, customize the configuration for your deployment.
Note: The SSL certificate presented by the iOS client must be current.
If the client presents an expired certificate, client authentication
fails and an error message displays to the user (on the client).
iOS clients with older iOS installations may encounter this problem.
Serve key files with SSL client authentication
1. Uncomment the following lines in the Apache httpd.conf file:
   "#LoadModule ssl_module"
   "#Include conf/httpd-hls-secure.conf"
2. Customize the SSL properties in the rootinstall/Apache2.2/conf/httpd-hls-secure.conf file based on the deployment. This customization includes getting an SSL certificate from a recognized CA.
   Important: The SSL certificate generated for the server must have a CN that is a FQDN (Fully Qualified Domain Name), even in a test environment. If not, the iOS client may not present its client certificate and client authentication fails. If client authentication fails, the key file is not served and the iOS client crashes. This is a known Apple bug.
3. Restart Apache.
Serve key files without SSL
1. Add the following to the Apache httpd.conf file under the line <IfModule hlshttp_module>:
   <Location /hls-key>
   HLSEncryptHostCipherKey true
   HLSFmsDirPath ".."
   HLSEncryptKeyRepository "../creds"
   </Location>
   The Location path can be any value. Point the HLSEncryptKeyRepository directive to the location of the keys. The keys are in the rootinstall/creds folder by default.
2. Restart Apache.
Use the following parameters in the Apache httpd.conf file to
configure key hosting:
| Parameter | Description | Default value |
| --- | --- | --- |
| HLSEncryptHostCipherKey | Enable (true) or disable (false) cipher key hosting from this location. | false |
| HLSEncryptKeyRepository | The path of the folder that contains the key file. | None |
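The two key-serving setups above differ only in where the key-hosting Location sits, so a configuration review can be automated. This added example (not Adobe's reference configuration or tooling) walks an httpd.conf and reports every Location that enables HLSEncryptHostCipherKey without a key repository, outside an SSL-enabled scope, or without client authentication. SSLEngine and SSLVerifyClient are the standard mod_ssl directives and are an assumption here, because the page does not show the contents of httpd-hls-secure.conf; the sample configuration is constructed.

```python
import re

# Constructed httpd.conf excerpt: one key location behind TLS client auth, one without.
SAMPLE_CONF = """
<VirtualHost _default_:443>
  SSLEngine on
  SSLVerifyClient require
  <Location /hls-key>
    HLSEncryptHostCipherKey true
    HLSEncryptKeyRepository "../creds"
  </Location>
</VirtualHost>
<IfModule hlshttp_module>
  <Location /open-key>
    HLSEncryptHostCipherKey true
  </Location>
</IfModule>
"""
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")

def audit_key_hosting(conf):
    """Return (location, issue) pairs for every <Location> that hosts cipher keys."""
    stack, findings = [["server", "", {}]], []   # [section, argument, directives]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            stack.append([opened.group(1), opened.group(2).strip('"'), {}])
        elif CLOSE.fullmatch(line):
            name, arg, own = stack.pop()
            if name == "Location" and own.get("hlsencrypthostcipherkey", "").lower() == "true":
                scope = {}                       # enclosing scopes first, innermost wins
                for _, _, directives in stack + [[name, arg, own]]:
                    scope.update(directives)
                if "hlsencryptkeyrepository" not in scope:
                    findings.append((arg, "HLSEncryptKeyRepository not set"))
                if scope.get("sslengine", "").lower() != "on":
                    findings.append((arg, "keys served without SSL"))
                if scope.get("sslverifyclient", "").lower() != "require":
                    findings.append((arg, "no SSL client authentication"))
        else:
            parts = line.split(None, 1)          # directive name, then its value
            stack[-1][2][parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return findings

if __name__ == "__main__":
    print(audit_key_hosting(SAMPLE_CONF))
```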
Dynamic Content Encryption Key
AMS supports different content encryption keys for content at the different levels (server, application, stream, and event). The keys are generated according to the location of the content and the location of the Common Key.
Delivering Content Encryption Keys
The Content Encryption Key delivery mode is specified in the policy file. For the Adobe Access 4.0 protection scheme, set the policy using the HLSDrmPolicyFile parameter. To select the policy file for the PHDS protection scheme, HLSDrmOutputProtection and HLSDrmPlaybackExpiration are used.
The key server URL is based on the key delivery mode specified in the policy file. For remote key serving, use the KeyServerURL parameter to specify the URL of the key server. The URL format for remote key serving is https://<customers-keyserver-uri>. For example, https://faxs.adobe.com. For local key serving, the value of KeyServerURL should always be faxs://faxs.adobe.com.
Note: PHLS supports only local key delivery and AMS cannot deliver CEKs as long as DRM is enabled.
Adaptive bitrate streaming
To support adaptive bitrate, HTTP Live Streaming requires a variant playlist file that refers to individual playlist files having different renditions of the same content. The Adobe Access for iOS SDK requires that each stream referred to in a variant playlist be encrypted using the same policy and the same content encryption key. Hence each encrypted stream has the same DRM metadata, referred to in the #EXT-X-FAXS-CM tag (embedded or served out of band).
The Adobe Access Server protected variant playlist also needs to include the #EXT-X-FAXS-CM tag. The value of the #EXT-X-FAXS-CM tag in the variant playlist is the relative URI referring to the DRM metadata of one of the individual streams. At the client, the #EXT-X-FAXS-CM tag in the variant playlist is used to create the DRM session. The same DRM session is used for all encrypted M3U8 files inside the variant playlist.
Here’s an example of an Adobe Access protected variant playlist:
#EXTM3U
#EXT-X-FAXS-CM:URI="hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.drmmeta"
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=212000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=307000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_307Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=512000, CODECS="avc1.77.31, mp4a.40.5"
http://my.server.com/hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_512Kbps_720_480_main_3_1.mp4.m3u8
Note: This variant playlist needs to be served in Adobe Access M3U8 format. For instance, you need to append ?faxs=1 to the URL, like http://my.server.com/variantPlaylist.m3u8?faxs=1.
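The variant playlist rules above can be checked before publishing. This added example (not part of Adobe Media Server) verifies that a variant playlist carries exactly one #EXT-X-FAXS-CM tag, that its URI is relative, that it points at the metadata of one of the listed renditions, and that the request URL carries ?faxs=1. The sample is the page's playlist with each rendition URI on its own line; matching a .drmmeta file to a rendition by file name is an assumption inferred from that example, and the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# The page's example playlist, with each rendition URI on the line after its tag.
VARIANT = """#EXTM3U
#EXT-X-FAXS-CM:URI="hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.drmmeta"
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=212000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_212Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=307000, CODECS="avc1.77.31, mp4a.40.5"
hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_307Kbps_720_480_main_3_1.mp4.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=41,BANDWIDTH=512000, CODECS="avc1.77.31, mp4a.40.5"
http://my.server.com/hls-vod-faxsv4/sample_mbr_mp4_main_3_1/8_mp4_AAC_512Kbps_720_480_main_3_1.mp4.m3u8
"""
FAXS_CM = re.compile(r'^#EXT-X-FAXS-CM:URI="([^"]+)"', re.M)

def stem(uri, suffix):
    """File name of `uri` without `suffix`, or None when the suffix is absent."""
    name = posixpath.basename(urlsplit(uri).path)
    return name[:-len(suffix)] if name.endswith(suffix) else None

def check_variant(text, request_url=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if request_url and parse_qs(urlsplit(request_url).query).get("faxs") != ["1"]:
        problems.append("request URL lacks ?faxs=1")
    meta = FAXS_CM.findall(text)
    if len(meta) != 1:
        return problems + [f"expected one #EXT-X-FAXS-CM tag, found {len(meta)}"]
    lines = [l.strip() for l in text.splitlines()]
    streams = [l for l in lines if l and not l.startswith("#")]
    parts = urlsplit(meta[0])
    if parts.scheme or parts.netloc:
        problems.append("#EXT-X-FAXS-CM URI is not relative")
    # Assumption from the page's example: <rendition>.m3u8 pairs with <rendition>.drmmeta.
    if stem(meta[0], ".drmmeta") not in {stem(s, ".m3u8") for s in streams} - {None}:
        problems.append("DRM metadata does not belong to any listed rendition")
    return problems

if __name__ == "__main__":
    print(check_variant(VARIANT, "http://my.server.com/variantPlaylist.m3u8?faxs=1"))
```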