You can use Protected HTTP Dynamic Streaming (PHDS) or Adobe Access to protect content delivered over HDS.
Overview
Configure PHDS/Adobe Access for live streaming at the following levels:
Server: rootinstall/Apache2.2/conf/httpd.conf
Application: rootinstall/applications/livepkgr/Application.xml
Event: rootinstall/applications/livepkgr/events/_definst_/liveevent/Event.xml
PHDS
Use Adobe Media Server 5 to serve live and on-demand protected content to Flash Player and AIR over HTTP without a DRM License Server. When Adobe Media Server packages the content, it generates the license and embeds it in the DRM metadata of the content stream. This feature is called Protected HTTP Dynamic Streaming (PHDS). In addition to encrypting content, PHDS also supports SWF verification for HTTP Dynamic Streaming.
The F4F packaging process for on-demand and live PHDS generates a license, embeds it in the DRM metadata, and delivers it with the media. Flash Player 11 and AIR 3 clients retrieve the license from the content stream, which eliminates communication between the client and a License Server.
The Adobe Media Server installer writes credentials, certificates, and policy files to the rootinstall/creds directory. The installer also creates a common-key.bin file in the creds directory. The common key is the secret from which the Content Encryption Key is derived (together with the content ID), so treat the file like a private key and restrict read access to it to the server account. You can change the content of this file or create a new common key file with the Scramble tool. See the Scramble tool.
Use the following policy files to generate licenses for on-demand and live PHDS (AMS 5 includes four new policy files to support output protection):

| Policy name | Description |
| --- | --- |
| phds_24hr_policy.pol | 24 Hour limited policy: anonymous; 24 hours limited license caching. This is the default policy. Users can start playback within 24 hours of the time the content was packaged and can continue watching until the end of the content (users may pause content). The 24 hour window starts when the DRM metadata is generated. |
| phds_policy.pol | Unlimited policy: anonymous; unlimited license caching; binding to Protected Streaming is permitted. This policy allows playback at any time. |
| phds-24hr-OPBestEffort.pol | (AMS 5) 24 Hours Limited / Best Effort Output Protection Policy. Same as the 24 Hours Limited / No Output Protection policy, with an additional restriction to use hardware content protection if available. Users can still play back media if the client hardware does not support Output Protection. If the client hardware supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
| phds-OPBestEffort.pol | (AMS 5) Unlimited / Best Effort Output Protection Policy. Same as the Unlimited / No Output Protection policy, with an additional restriction to use hardware content protection if available. Users can still play back media if the client hardware does not support Output Protection. If the client hardware supports Output Protection but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
| phds-24hr-OPRequired.pol | (AMS 5) 24 Hours Limited / Required Output Protection Policy. Same as the 24 Hours Limited / No Output Protection policy, with an additional requirement to use hardware content protection. Users cannot play back media if the client hardware does not support Output Protection. If the client hardware does not support Output Protection, or supports it but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
| phds-OPRequired.pol | (AMS 5) Unlimited / Required Output Protection Policy. Same as the Unlimited / No Output Protection policy, with an additional requirement to use hardware content protection. Users cannot play back media if the client hardware does not support Output Protection. If the client hardware does not support Output Protection, or supports it but it is disabled, Flash Player returns DRM Run Time Error 3342 (NoDigitalProtectionAvail). |
The simple unlimited policy is not intended for regular use. It is provided as a temporary workaround for network problems. When media is cached on network devices between Adobe Media Server and Flash Player, clients may receive expired policy data from the cache instead of the current media from the server. If media that was generated with the 24 hours policy is cached for more than 24 hours, the player does not allow playback. Switch to the unlimited PHDS policy as a temporary measure until the network configuration is fixed and the caches are flushed. This lets you distribute media with lower protection instead of not distributing it at all. After switching to the Unlimited policy, flush the caches so that the unlimited license propagates to clients. Because the unlimited license never expires, return to the 24 hours policy once the caching problem is fixed.
Adobe Access
To deliver live or on-demand content with HDS, you can enable HDS with Adobe Access for protected streaming. The Adobe Access server for protected streaming is a license server implementation optimized for use with HDS. See the Adobe Access documentation for more details.
Important: Use the HDS packagers to both encrypt and fragment content. Do not use the Adobe Access packaging tools to encrypt content, because the HDS packagers cannot fragment content that is already encrypted.
Note: The Adobe Access SDK and the Adobe Access license server reference implementation can issue licenses for HDS.
After you have deployed Adobe Access Server for protected streaming, configure Adobe Media Server to package and encrypt the content in real time.
Live use case
In httpd.conf, the content protection directives are specified under <Location /hds-live>. Both the Application.xml file and the Event.xml file have a ContentProtection container that holds the live PHDS configuration settings. In Application.xml, the container is located at //Application/HDS/Recording/ContentProtection. In Event.xml, it is located at //Event/Recording/ContentProtection.
Getting Started
To quickly get started with PHDS, you need to understand the following directives:

| Directive | Default Value | Description |
| --- | --- | --- |
| HttpStreamingEncryptionScope | content | Possible values are off, content, and server. When the value is off, content remains unprotected. When the value is content, the configuration settings in the Application.xml or Event.xml files are used to protect the content. When the value is server, the configuration settings in httpd.conf are used to protect the content. |
| HttpStreamingProtectionScheme | PHDS | Encryption type for the content: FlashAccessV3, FlashAccessV2, or PHDS. HttpStreamingProtectionScheme applies only if encryption is enabled; use HttpStreamingEncryptionScope to determine the scope of the encryption. |
To configure PHDS with basic settings, perform the following steps:
1. After installing Adobe Media Server, navigate to the <root-install>/Apache2.2/conf/ directory.
2. Edit the httpd.conf file and add the following directives under <Location /hds-live>:
    <Location /hds-live>
        HttpStreamingEnabled true
        HttpStreamingLiveEventPath "../applications"
        HttpStreamingContentPath "../applications"
        HdsFmsDirPath ".."
        HttpStreamingF4MMaxAge 2
        HttpStreamingBootstrapMaxAge 2
        HttpStreamingDrmmetaMaxAge 3600
        HttpStreamingFragMaxAge -1
        HttpStreamingEncryptionScope server
        HttpStreamingProtectionScheme PHDS
    </Location>
Note: This configuration change enables PHDS at the server level, so it applies to every live event on the server and any ContentProtection settings in Application.xml or Event.xml are ignored.
3. Publish a live stream called “livestream?adbe-live-event=liveevent” to livepkgr.
4. Play back the stream using the URI http://<server-ip>:8134/hds-live/livepkgr/_definst_/liveevent/livestream.f4m.
Detailed configuration
The following sections provide detailed configurations for both the PHDS and Adobe Access schemes.
Server level
Server-level configurations for live PHDS/Adobe Access
When a server-level configuration is specified, the protection parameters apply server wide. Encryption parameters specified at the Application or Event level are ignored.
Flash Media Server 4.5.3 and higher allow setting the encryption configuration at the server level. These settings apply to live events recorded on the server. To enable or disable encryption, configure the following directives for the f4fhttp_module in the Apache httpd.conf file:
Common configuration:

| Directive | Default Value | Description |
| --- | --- | --- |
| HdsFmsDirPath | None | Relative path of the Adobe Media Server root directory. Use ".." as the relative path. |
| HttpStreamingEncryptionScope | content | Possible values are off, content, and server. When the value is off, content remains unprotected. When the value is content, the configuration settings in the Application.xml or Event.xml files are used to protect the content. When the value is server, the configuration settings in httpd.conf are used to protect the content. |
| HttpStreamingProtectionScheme | PHDS | Encryption type for the content: FlashAccessV3, FlashAccessV2, or PHDS. HttpStreamingProtectionScheme applies only if encryption is enabled; use HttpStreamingEncryptionScope to determine the scope of the encryption. |
PHDS configuration

| Directive | Default Value | Description |
| --- | --- | --- |
| PHDSCommonKeyFile | <AMSInstallDir>/creds/common-key.bin | The common key used to protect content at this location. The PHDSCommonKeyFile path is relative to rootinstall/Apache2.2. |
| PHDSVideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings provide partial encryption: only a subset of the samples (such as video keyframes) is encrypted and the remaining samples are left in the clear. Partial encryption can improve playback performance on the client, because there are fewer frames to decrypt. |
| PHDSPlaybackExpiration | 24Hours | The duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| PHDSOutputProtection | None | The hardware Output Protection required of media on the client. Possible values are None, BestEffort, and Required. |
Adobe Access configuration

| Directive | Default Value | Description |
| --- | --- | --- |
| HdsDrmCommonKeyFile | None | The common key used to protect content at this location. The HdsDrmCommonKeyFile path is relative to rootinstall/Apache2.2. |
| HdsDrmLicenseServerURL | None | The URL of the license server used for protecting content. |
| HdsDrmTransportCertFile | None | The transport certificate used for protecting content. |
| HdsDrmLicenseServerCertFile | None | The license server certificate used for protecting content. |
| HdsDrmPackagerCredentialFile | None | The packager credential used for protecting content. |
| HdsDrmPackagerCredentialPassword | None | The password for the configured packager credential file. |
| HdsDrmPolicyFile | None | The policy for protecting content. |
| HdsDrmUseUniqueContentID | false | By default, Adobe Media Server uses a non-unique content ID when a protection scheme is set: the file path is used as the content ID, so all files in the same directory share one content ID. This allows a multi-bitrate stream, whose files at different bit rates are kept in the same directory, to be encrypted under one content ID. Set this directive to true to use a unique content ID for each file. |
| HdsDrmContentID | None | A manually specified content ID that is used for all files. This directive must not be used when HdsDrmUseUniqueContentID is set to true. |
The following example enables and configures PHDS in the httpd.conf file. These settings apply to every live event configured for this server.
    <Location /hds-live>
        HttpStreamingEnabled true
        HttpStreamingLiveEventPath "../applications"
        HttpStreamingContentPath "../applications"
        HdsFmsDirPath ".."
        HttpStreamingF4MMaxAge 2
        HttpStreamingBootstrapMaxAge 2
        HttpStreamingDrmmetaMaxAge 3600
        HttpStreamingFragMaxAge -1
        Options -Indexes FollowSymLinks
        HttpStreamingEncryptionScope server
        HttpStreamingProtectionScheme PHDS
        PHDSCommonKeyFile "../creds/common-key.bin"
        PHDSPlaybackExpiration 24Hours
        PHDSOutputProtection None
    </Location>
The following example enables and configures Adobe Access (FlashAccessV2) in the httpd.conf file. These settings apply to every live event configured for this server.
    <Location /hds-live-faxs>
        HttpStreamingEnabled true
        HttpStreamingLiveEventPath "../applications"
        HttpStreamingContentPath "../applications"
        HdsFmsDirPath ".."
        HttpStreamingF4MMaxAge 2
        HttpStreamingBootstrapMaxAge 2
        HttpStreamingDrmmetaMaxAge 3600
        HttpStreamingFragMaxAge -1
        HttpStreamingEncryptionScope server
        HttpStreamingProtectionScheme FlashAccessV2
        HdsDrmCommonKeyFile "../creds/common-key.bin"
        HdsDrmLicenseServerURL http://<aaxs-test-server>/
        HdsDrmTransportCertFile "aaxs-test-server-trnsCert.der"
        HdsDrmLicenseServerCertFile "aaxs-test-server-licCert.der"
        HdsDrmPackagerCredentialFile "aaxs-test-server-pkgrCert.pfx"
        HdsDrmPackagerCredentialPassword pwd=
        HdsDrmPolicyFile "sample_policy.pol"
        Options -Indexes FollowSymLinks
    </Location>
The packager credential password is stored in clear text in httpd.conf, so restrict read access to httpd.conf to the server account.
The following example enables and configures Adobe Access (FlashAccessV3) in the httpd.conf file. These settings apply to every live event configured for this server.
    <Location /hds-live-faxs>
        HttpStreamingEnabled true
        HttpStreamingLiveEventPath "../applications"
        HttpStreamingContentPath "../applications"
        HdsFmsDirPath ".."
        HttpStreamingF4MMaxAge 2
        HttpStreamingBootstrapMaxAge 2
        HttpStreamingDrmmetaMaxAge 3600
        HttpStreamingFragMaxAge -1
        HttpStreamingEncryptionScope server
        HttpStreamingProtectionScheme FlashAccessV3
        HdsDrmCommonKeyFile "../creds/common-key.bin"
        HdsDrmLicenseServerURL http://<aaxs-test-server>/
        HdsDrmTransportCertFile "aaxs-test-server-trnsCert.der"
        HdsDrmLicenseServerCertFile "aaxs-test-server-licCert.der"
        HdsDrmPackagerCredentialFile "aaxs-test-server-pkgrCert.pfx"
        HdsDrmPackagerCredentialPassword pwd=
        HdsDrmPolicyFile "sample_policy.pol"
        Options -Indexes FollowSymLinks
    </Location>
Application level
When an Application-level configuration is specified, the protection parameters apply to the particular application (to all the events under the application). Encryption parameters specified at the Event or Server level are ignored (this requires HttpStreamingEncryptionScope to be set to content in httpd.conf).
Common configuration

| Element | Default | Description |
| --- | --- | --- |
| HDS/Recording/ContentProtection | "allow" in Application.xml; "false" in Event.xml | Container element for content protection configurations. In Application.xml, set the enabled attribute to "true" to enable content protection, "false" to disable it, or "allow" to let the ContentProtection section in Event.xml override the one in Application.xml. When enabled="allow", the server uses none of the settings in the ContentProtection section of Application.xml; if Event.xml has no ContentProtection section, content protection is disabled because the default in Event.xml is "false". In Event.xml, set the enabled attribute to "true" or "false". |
| HDS/Recording/ContentProtection/ProtectionScheme | None | Possible values are PHDS, FlashAccessV2, and FlashAccessV3. |
PHDS configuration

| Element | Default | Description |
| --- | --- | --- |
| HDS/Recording/ContentProtection/PHDS | None | Container for PHDS encryption settings. |
| HDS/Recording/ContentProtection/PHDS/CommonKeyFile | None | A relative path to the common-key.bin file containing the base key that is used, together with the content ID, to generate the final content encryption key. This file is generated during installation at rootinstall/creds/common-key.bin. If you define CommonKeyFile in Application.xml, the server looks for the file relative to the application directory. If you define it in Event.xml, the server looks for the file relative to the event folder. |
| HDS/Recording/ContentProtection/PHDS/PlaybackExpiration | 24Hours | The protection policy, which determines the duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| HDS/Recording/ContentProtection/PHDS/VideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings mean partial encryption, where only a subset of the samples (such as video keyframes) is encrypted. This can improve playback performance on the client, since there are fewer frames to decrypt. |
| HDS/Recording/ContentProtection/PHDS/UpdateInterval | 60 | The interval, in minutes, at which the server regenerates the DRM metadata. |
| HDS/Recording/ContentProtection/PHDS/OutputProtection | None | The hardware Output Protection required of media on the client. Possible values are None, BestEffort, and Required. |
Adobe Access configuration

| Element | Default | Description |
| --- | --- | --- |
| HDS/Recording/ContentProtection/FlashAccessV2 | None | Container for FlashAccessV2 encryption settings. |
| HDS/Recording/ContentProtection/FlashAccessV3 | None | Container for FlashAccessV3 encryption settings. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/ContentID | None | The content ID used when protecting the streams in the live event. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/CommonKeyFile | None | The file containing the common key. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerURL | None | The URL of the license server that provides licensing services for the protected content. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/TransportCertFile | None | The file containing the transport certificate, in DER format. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerCertFile | None | The file containing the license server certificate, in DER format. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialFile | None | The file containing the packager credentials, in PFX format. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialPassword | None | The password for the packager credentials. |
| HDS/Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PolicyFile | None | The file containing the content protection policy. |
Configure the httpd.conf as given below to allow protection configurations at the application level.
    <Location /hds-live>
        HttpStreamingEnabled true
        HttpStreamingLiveEventPath "../applications"
        HttpStreamingContentPath "../applications"
        HdsFmsDirPath ".."
        HttpStreamingF4MMaxAge 2
        HttpStreamingBootstrapMaxAge 2
        HttpStreamingDrmmetaMaxAge 3600
        HttpStreamingFragMaxAge -1
        Options -Indexes FollowSymLinks
        HttpStreamingEncryptionScope content
    </Location>
The following example enables and configures PHDS in the Application.xml file. These settings apply to every live event configured for this application.
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
      <PublishTimeout>0</PublishTimeout>
      <AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
      <AdjustForRecordingRollover>false</AdjustForRecordingRollover>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>PHDS</ProtectionScheme>
        <PHDS>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <VideoEncryptionLevel>2</VideoEncryptionLevel>
          <PlaybackExpiration>24Hours</PlaybackExpiration>
          <OutputProtection>None</OutputProtection>
        </PHDS>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
The following example enables and configures Adobe Access V2 in the Application.xml file. These settings apply to every live event configured for this application.
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
      <PublishTimeout>0</PublishTimeout>
      <AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
      <AdjustForRecordingRollover>false</AdjustForRecordingRollover>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV2</ProtectionScheme>
        <FlashAccessV2>
          <ContentID>liveevent</ContentID>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
          <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
          <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
          <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
          <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
          <PolicyFile>sample_policy.pol</PolicyFile>
        </FlashAccessV2>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
The following example enables and configures Adobe Access V3 in the Application.xml file. These settings apply to every live event configured for this application.
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
      <PublishTimeout>0</PublishTimeout>
      <AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
      <AdjustForRecordingRollover>false</AdjustForRecordingRollover>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV3</ProtectionScheme>
        <FlashAccessV3>
          <ContentID>liveevent</ContentID>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
          <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
          <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
          <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
          <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
          <PolicyFile>sample_policy.pol</PolicyFile>
        </FlashAccessV3>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
Note: In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/ directory, because an application-level CommonKeyFile path is resolved relative to the application directory.
Event level
When an Event-level configuration is specified, the protection parameters apply to that event only. Encryption parameters specified at the Application or Server level are ignored (this requires HttpStreamingEncryptionScope set to content in httpd.conf and enabled="allow" in Application.xml).
Common configuration

| Element | Default | Description |
| --- | --- | --- |
| Recording/ContentProtection | "allow" in Application.xml; "false" in Event.xml | Container element for content protection configurations. In Application.xml, set the enabled attribute to "true" to enable content protection, "false" to disable it, or "allow" to let the ContentProtection section in Event.xml override the one in Application.xml. When enabled="allow", the server uses none of the settings in the ContentProtection section of Application.xml; if Event.xml has no ContentProtection section, content protection is disabled because the default in Event.xml is "false". In Event.xml, set the enabled attribute to "true" or "false". |
| Recording/ContentProtection/ProtectionScheme | None | Possible values are PHDS, FlashAccessV2, and FlashAccessV3. |
PHDS configuration

| Element | Default | Description |
| --- | --- | --- |
| Recording/ContentProtection/PHDS | None | Container for PHDS encryption settings. |
| Recording/ContentProtection/PHDS/CommonKeyFile | None | A relative path to the common-key.bin file containing the base key that is used, together with the content ID, to generate the final content encryption key. This file is generated during installation at rootinstall/creds/common-key.bin. If you define CommonKeyFile in Application.xml, the server looks for the file relative to the application directory. If you define it in Event.xml, the server looks for the file relative to the event folder. |
| Recording/ContentProtection/PHDS/PlaybackExpiration | 24Hours | The protection policy, which determines the duration within which content playback is available. Possible values are 24Hours and Unlimited. |
| Recording/ContentProtection/PHDS/VideoEncryptionLevel | 2 | The level of encryption for the content (0-low, 1-medium, 2-high). Lower settings mean partial encryption, where only a subset of the samples (such as video keyframes) is encrypted. This can improve playback performance on the client, since there are fewer frames to decrypt. |
| Recording/ContentProtection/PHDS/UpdateInterval | 60 | The interval, in minutes, at which the server regenerates the DRM metadata. |
| Recording/ContentProtection/PHDS/OutputProtection | None | The hardware Output Protection required of media on the client. Possible values are None, BestEffort, and Required. |
Adobe Access configuration

| Element | Default | Description |
| --- | --- | --- |
| Recording/ContentProtection/FlashAccessV2 | None | Container for FlashAccessV2 encryption settings. |
| Recording/ContentProtection/FlashAccessV3 | None | Container for FlashAccessV3 encryption settings. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/ContentID | None | The content ID used when protecting the streams in the live event. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/CommonKeyFile | None | The file containing the common key. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerURL | None | The URL of the license server that provides licensing services for the protected content. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/TransportCertFile | None | The file containing the transport certificate, in DER format. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/LicenseServerCertFile | None | The file containing the license server certificate, in DER format. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialFile | None | The file containing the packager credentials, in PFX format. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PackagerCredentialPassword | None | The password for the packager credentials. |
| Recording/ContentProtection/FlashAccessV3 (or FlashAccessV2)/PolicyFile | None | The file containing the content protection policy. |
Configure the httpd.conf as given below to allow protection configurations at the event level:
    <Location /hds-live>
        HttpStreamingEnabled true
        HttpStreamingLiveEventPath "../applications"
        HttpStreamingContentPath "../applications"
        HdsFmsDirPath ".."
        HttpStreamingF4MMaxAge 2
        HttpStreamingBootstrapMaxAge 2
        HttpStreamingDrmmetaMaxAge 3600
        HttpStreamingFragMaxAge -1
        Options -Indexes FollowSymLinks
        HttpStreamingEncryptionScope content
    </Location>
The following is an example of an Application.xml file that allows protection configurations at the event level and tells the server to look for configurations in the Event.xml file for each live event:
<Application>
  <StreamManager>
    <Live>
      <AssumeAbsoluteTime>true</AssumeAbsoluteTime>
    </Live>
  </StreamManager>
  <HDS>
    <Recording>
      <ContentProtection enabled="allow">
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
The following Event.xml file configures PHDS for a single live event:
<Event>
  <EventID>liveevent</EventID>
  <Recording>
    <FragmentDuration>4000</FragmentDuration>
    <SegmentDuration>400000</SegmentDuration>
    <DiskManagementDuration>3</DiskManagementDuration>
    <ContentProtection enabled="true">
      <ProtectionScheme>PHDS</ProtectionScheme>
      <PHDS>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <VideoEncryptionLevel>2</VideoEncryptionLevel>
        <PlaybackExpiration>24Hours</PlaybackExpiration>
        <OutputProtection>None</OutputProtection>
      </PHDS>
    </ContentProtection>
  </Recording>
</Event>
In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/events/_definst_/liveevent directory.
The following Event.xml file configures Adobe Access V2 for a single live event:
<Event>
  <EventID>liveevent</EventID>
  <Recording>
    <FragmentDuration>4000</FragmentDuration>
    <SegmentDuration>400000</SegmentDuration>
    <DiskManagementDuration>3</DiskManagementDuration>
    <ContentProtection enabled="true">
      <ProtectionScheme>FlashAccessV2</ProtectionScheme>
      <FlashAccessV2>
        <ContentID>liveevent</ContentID>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
        <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
        <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
        <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
        <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
        <PolicyFile>sample_policy.pol</PolicyFile>
      </FlashAccessV2>
    </ContentProtection>
  </Recording>
</Event>
The following Event.xml file configures Adobe Access V3 for a single live event:
<Event>
  <EventID>liveevent</EventID>
  <Recording>
    <FragmentDuration>4000</FragmentDuration>
    <SegmentDuration>400000</SegmentDuration>
    <DiskManagementDuration>3</DiskManagementDuration>
    <ContentProtection enabled="true">
      <ProtectionScheme>FlashAccessV3</ProtectionScheme>
      <FlashAccessV3>
        <ContentID>liveevent</ContentID>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
        <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
        <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
        <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
        <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
        <PolicyFile>sample_policy.pol</PolicyFile>
      </FlashAccessV3>
    </ContentProtection>
  </Recording>
</Event>
Note: In this case, copy the common-key.bin file from the rootinstall/creds directory to the rootinstall/applications/livepkgr/events/_definst_/liveevent directory.
License chaining
Adobe Media Server supports embedding leaf licenses in the DRM metadata from a policy generated using a chained license. Adobe Media Server needs the license server credential and the credential password configured so that the root license from the policy can be used to encrypt the CEK contained in the embedded leaf license.
If the configuration for embedding the leaf license is turned off, Adobe Media Server still supports such a policy, except that the leaf license is not embedded in the DRM metadata.
Note: Support is limited to a single license server credential and credential-password pair.
The following table provides the required configuration:

| Parameter | Description | Default value |
| --- | --- | --- |
| HdsDrmEmbedLeafLicense (Server level); EmbedLeafLicense (Application and event level) | Enables embedding of leaf licenses in DRM metadata. Possible values are "true" or "false". Note: The policy file must be created using a chained license. | false |
| HdsDrmsLicenseServerCredentialFile (Server level); LicenseServerCredentialFile (Application and event level) | Required if HdsDrmEmbedLeafLicense is set to true. The license server credential used when protecting content at this location. | NA |
| HdsDrmLicenseServerCredentialPassword (Server level); LicenseServerCredentialPassword (Application and event level) | Required if HdsDrmEmbedLeafLicense is set to true. The password for the configured license server credential file. | NA |
The following example shows the license chaining configuration at the application level:
<Application>
  <HDS>
    <Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV3</ProtectionScheme>
        <FlashAccessV3>
          <ContentID>liveevent</ContentID>
          <CommonKeyFile>common-key.bin</CommonKeyFile>
          <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
          <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
          <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
          <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
          <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
          <PolicyFile>sample_policy.pol</PolicyFile>
          <EmbedLeafLicense>true</EmbedLeafLicense>
          <LicenseServerCredentialFile>aaxs-test-server-pkgrCertLic.pfx</LicenseServerCredentialFile>
          <LicenseServerCredentialPassword>pwd_lic=</LicenseServerCredentialPassword>
        </FlashAccessV3>
      </ContentProtection>
    </Recording>
  </HDS>
</Application>
The following example shows the license chaining configuration at the event level:
<Event>
  <Recording>
    <ContentProtection enabled="true">
      <ProtectionScheme>FlashAccessV3</ProtectionScheme>
      <FlashAccessV3>
        <ContentID>liveevent</ContentID>
        <CommonKeyFile>common-key.bin</CommonKeyFile>
        <LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
        <TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
        <LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
        <PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
        <PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
        <PolicyFile>sample_policy.pol</PolicyFile>
        <EmbedLeafLicense>true</EmbedLeafLicense>
        <LicenseServerCredentialFile>aaxs-test-server-pkgrCertLic.pfx</LicenseServerCredentialFile>
        <LicenseServerCredentialPassword>pwd_lic=</LicenseServerCredentialPassword>
      </FlashAccessV3>
    </ContentProtection>
  </Recording>
</Event>
Note: License chaining is not supported for the VOD use case.
Key rotation
Adobe Media Server 5 supports key rotation for protected HTTP Dynamic Streaming when used with Adobe Access. Content packaged with AMS 5 can be encrypted with a set of keys rather than a single key: you specify how often the content encryption key changes and, optionally, the list of keys to rotate through.
Server level
Parameter | Description | Default value
HdsDrmEnableKeyRotation | Whether to use key rotation with the Adobe Access (AAXS) protection scheme. | false
HdsDrmKeyRotationInterval | Key rotation interval, in seconds, used when key rotation is enabled. | 900 seconds
HdsDrmKeyRotationFilePath | The file containing the sequence of keys used to encrypt content. If no file is specified, randomly generated keys are used. Each key must be 16 bytes long and specified as hex values. | Randomly generated keys
The following httpd.conf Location block enables key rotation at the server level:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
Options -Indexes FollowSymLinks
HttpStreamingEncryptionScope server
HttpStreamingProtectionScheme FlashAccessV3
HdsDrmCommonKeyFile "../creds/common-key.bin"
HdsDrmLicenseServerURL http://<aaxs-test-server>/
HdsDrmTransportCertFile aaxs-test-server-trnsCert.der
HdsDrmLicenseServerCertFile aaxs-test-server-licCert.der
HdsDrmPackagerCredentialFile aaxs-test-server-pkgrCert.pfx
HdsDrmPackagerCredentialPassword pwd=
HdsDrmPolicyFile sample_policy.pol
HdsDrmEnableKeyRotation true
HdsDrmKeyRotationInterval 500
HdsDrmKeyRotationFilePath sample_keys.txt
</Location>
Application level
Parameter | Description | Default value
HDS/Recording/ContentProtection/FlashAccessV3/EnableKeyRotation | Whether to use key rotation with the Adobe Access (AAXS) protection scheme. | false
HDS/Recording/ContentProtection/FlashAccessV3/KeyRotationInterval | Key rotation interval, in seconds, used when key rotation is enabled. | 900 seconds
HDS/Recording/ContentProtection/FlashAccessV3/KeyRotationFilePath | The file containing the sequence of keys used to encrypt content. If no file is specified, randomly generated keys are used. Each key must be 16 bytes long and specified as hex values. | Randomly generated keys
The following Application.xml enables key rotation at the application level:
<Application>
<StreamManager>
<Live>
<AssumeAbsoluteTime>true</AssumeAbsoluteTime>
<PublishTimeout>0</PublishTimeout>
<AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
<AdjustForRecordingRollover>false</AdjustForRecordingRollover>
</Live>
</StreamManager>
<HDS>
<Recording>
<ContentProtection enabled="true">
<ProtectionScheme>FlashAccessV3</ProtectionScheme>
<FlashAccessV3>
<ContentID>liveevent</ContentID>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
<TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
<LicenseServerCertFile>aaxs-test-server-licCert.der</LicenseServerCertFile>
<PackagerCredentialFile>aaxs-test-server-pkgrCert.pfx</PackagerCredentialFile>
<PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
<PolicyFile>sample_policy.pol</PolicyFile>
<EnableKeyRotation>true</EnableKeyRotation>
<KeyRotationInterval>500</KeyRotationInterval>
<KeyRotationFilePath>sample_keys.txt</KeyRotationFilePath>
</FlashAccessV3>
</ContentProtection>
</Recording>
</HDS>
</Application>
Event level
Parameter | Description | Default value
Recording/ContentProtection/FlashAccessV3/EnableKeyRotation | Whether to use key rotation with the Adobe Access (AAXS) protection scheme. | false
Recording/ContentProtection/FlashAccessV3/KeyRotationInterval | Key rotation interval, in seconds, used when key rotation is enabled. | 900 seconds
Recording/ContentProtection/FlashAccessV3/KeyRotationFilePath | The file containing the sequence of keys used to encrypt content. If no file is specified, randomly generated keys are used. Each key must be 16 bytes long and specified as hex values. | Randomly generated keys
The following Event.xml enables key rotation at the event level:
<Event>
<EventID>liveevent</EventID>
<Recording>
<FragmentDuration>4000</FragmentDuration>
<SegmentDuration>400000</SegmentDuration>
<DiskManagementDuration>3</DiskManagementDuration>
<ContentProtection enabled="true">
<ProtectionScheme>FlashAccessV3</ProtectionScheme>
<FlashAccessV3>
<ContentID>liveevent</ContentID>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<LicenseServerURL>http://<aaxs-test-server>/</LicenseServerURL>
<TransportCertFile>aaxs-test-server-trnsCert.der</TransportCertFile>
<LicenseServerCertFile>
aaxs-test-server-licCert.der
</LicenseServerCertFile>
<PackagerCredentialFile>
aaxs-test-server-pkgrCert.pfx
</PackagerCredentialFile>
<PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
<PolicyFile>sample_policy.pol</PolicyFile>
<EnableKeyRotation>true</EnableKeyRotation>
<KeyRotationInterval>500</KeyRotationInterval>
<KeyRotationFilePath>sample_keys.txt</KeyRotationFilePath>
</FlashAccessV3>
</ContentProtection>
</Recording>
</Event>
Note: HdsDrmKeyRotationFilePath takes a path relative to <AMS-Install>/applications/<application-name>/. The file holds the content encryption keys in cleartext, so restrict read access to it (as to the credential files and passwords configured above) to the server process.
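The rotation key file has to satisfy the constraint stated in the tables above (each key exactly 16 bytes, written as hex). The following script is an added example and is not part of Adobe Media Server or its documentation: it generates a key file with one fresh key per rotation interval for an event of a given length, validates an existing file against the size constraint and against duplicate keys, and writes the file with owner-only permissions. The one-key-per-line layout is an assumption (the page says only that the file holds a sequence of hex keys), as are the function names.

```python
import os
import re
import secrets
from pathlib import Path

KEY_BYTES = 16  # each rotation key is 16 bytes (AES-128), as the page requires
HEX_KEY_RE = re.compile(r"^[0-9a-f]{32}$")


def generate_rotation_keys(count: int) -> list[str]:
    """Return `count` fresh random keys, each as 32 lowercase hex characters."""
    if count < 1:
        raise ValueError("need at least one key")
    return [secrets.token_hex(KEY_BYTES) for _ in range(count)]


def keys_needed(event_seconds: int, interval_seconds: int) -> int:
    """Distinct keys a live event of `event_seconds` consumes when the key
    changes every `interval_seconds` (page default: 900). Ceiling division."""
    if event_seconds <= 0 or interval_seconds <= 0:
        raise ValueError("event length and rotation interval must be positive")
    return -(-event_seconds // interval_seconds)


def validate_rotation_file(text: str) -> list[str]:
    """Parse rotation key file contents and return the keys in order.

    Layout assumption (not stated on the page): one hex key per line, blank
    lines ignored. Rejects keys that are not exactly 16 bytes of hex, and
    duplicate keys, since a repeated key silently shortens the rotation."""
    keys: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lower()
        if not line:
            continue
        if not HEX_KEY_RE.match(line):
            raise ValueError(
                f"line {lineno}: expected 32 hex characters (16 bytes), got {raw.strip()!r}")
        keys.append(line)
    if not keys:
        raise ValueError("rotation key file contains no keys")
    if len(set(keys)) != len(keys):
        raise ValueError("rotation key file contains duplicate keys")
    return keys


def write_rotation_file(path: Path, keys: list[str]) -> Path:
    """Write keys one per line with owner-only permissions: the file holds the
    content encryption keys in cleartext (the mode bits are ignored on Windows)."""
    validate_rotation_file("\n".join(keys))  # never write a malformed file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write("\n".join(keys) + "\n")
    return path


if __name__ == "__main__":
    # A two-hour event at the 500-second interval used in the page's examples.
    n = keys_needed(2 * 3600, 500)
    out = write_rotation_file(Path("sample_keys.txt"), generate_rotation_keys(n))
    print(f"wrote {n} keys to {out}")
```

Run it from the application directory named in the KeyRotationFilePath setting; the page does not say what the server does if an event outlives the list, so size the file for the longest event you expect.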
Disable JIT encryption for F4F content
When PHDS/Adobe Access protection is enabled, the server ingests a stream and packages it into F4F stream data. By default that F4F data is stored unencrypted and is encrypted just in time, using the PHDS/Adobe Access configuration, when a client requests it. To make the server store the ingested stream as encrypted F4F data instead, and so disable just-in-time (JIT) encryption, a special configuration is required.
The following table contains the configuration directive for enabling and disabling JIT encryption at the server level (httpd.conf):
Directive | Description | Default value
HttpStreamingJITEncryption | To disable just-in-time encryption, set the value to "false". | true
<AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml tags:
Directive | Description | Default value
HDS/Recording/JITEncryption | To disable just-in-time encryption, set the value to "false". | false
Note: Both HttpStreamingJITEncryption (httpd.conf) and JITEncryption (Application.xml) must be set to false to disable JIT encryption; if either remains true, the server keeps encrypting just in time.
When JITEncryption is set to false, specify the server-level encryption settings (PHDS/Adobe Access) in <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml. The ingested stream is then stored as encrypted F4F content, so the DRM metadata (the .drmmeta data) is stored on the server inside the F4F content.
The following httpd.conf configuration disables JIT encryption server wide:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HdsFmsDirPath ".."
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingJITEncryption false
Options -Indexes FollowSymLinks
</Location>
The following configuration in <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml enables PHDS protection:
<Application>
<!-- This section provides the means to control the behavior of -->
<!-- application-specific HTTP dynamic streaming functionality. -->
<HDS>
<!-- This section controls the behavior of HTTP live recording -->
<Recording>
<!-- The enabled attribute can be set to "true", "false" or "allow". -->
<!-- Content protection is enabled when the attribute is set to "true", -->
<!-- and disabled when set to "false". -->
<!-- If enabled is set to "allow", only then does Event.xml have the right to -->
<!-- override the ContentProtection tag completely, and none of the -->
<!-- settings inside the ContentProtection here will be used. If -->
<!-- ContentProtection is also not specified in Event.xml, content -->
<!-- protection will be disabled by default. -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
<PHDS>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<VideoEncryptionLevel>2</VideoEncryptionLevel>
<PlaybackExpiration>24Hours</PlaybackExpiration>
<OutputProtection>None</OutputProtection>
</PHDS>
</ContentProtection>
</Recording>
</HDS>
</Application>
The following configuration in <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml enables Adobe Access protection:
<Application>
<!-- This section provides the means to control the behavior of -->
<!-- application-specific HTTP dynamic streaming functionality. -->
<HDS>
<!-- This section controls the behavior of HTTP live recording -->
<Recording>
<!-- The enabled attribute can be set to "true", "false" or "allow". -->
<!-- Content protection is enabled when the attribute is set to "true", -->
<!-- and disabled when set to "false". -->
<!-- If enabled is set to "allow", then Event.xml will -->
<!-- override the ContentProtection tag completely, and none of the -->
<!-- settings inside the ContentProtection will be used. If -->
<!-- ContentProtection is not specified in Event.xml, then content -->
<!-- protection will be disabled by default. -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="true">
<ProtectionScheme>FlashAccessV2</ProtectionScheme>
<FlashAccessV2>
<ContentID>liveevent</ContentID>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<LicenseServerURL>
http://<aaxs-test-server>/
</LicenseServerURL>
<TransportCertFile>
aaxs-test-server-trnsCert.der
</TransportCertFile>
<LicenseServerCertFile>
aaxs-test-server-licCert.der</LicenseServerCertFile>
<PackagerCredentialFile>
aaxs-test-server-pkgrCert.pfx
</PackagerCredentialFile>
<PackagerCredentialPassword>pwd=</PackagerCredentialPassword>
<PolicyFile>sample_policy.pol</PolicyFile>
</FlashAccessV2>
</ContentProtection>
</Recording>
</HDS>
</Application>
Configure system for encrypted live stream in HLS and HDS
You do not need two different recording applications for HDS and HLS if JIT encryption is on: the live content is stored unencrypted on disk and encrypted dynamically by the HDS or HLS module of Apache. JIT encryption is on by default, and stays on unless both the HttpStreamingJITEncryption and JITEncryption tags are set to false.
Publishing one set of streams to Adobe Media Server for delivery with both live PHLS and PHDS requires special configuration when JIT encryption is off. When PHDS is enabled and JIT encryption is off, the server ingests a stream and packages it into encrypted F4F data. PHLS, however, requires unencrypted data as its source; it is not possible to take the encrypted F4F data and encrypt it again for PHLS.
To deliver protected content to both Flash Player/AIR and iOS devices in this mode, configure your encoder to publish to two different applications, one for HDS and one for HLS. Create two copies of the livepkgr application and name them "livepkgr_hds" and "livepkgr_hls".
Configure <AMS-Install>/conf/_defaultRoot_/_defaultVHost_/Application.xml as follows:
<Application>
<!-- This section provides the means to control the behavior of -->
<!-- application-specific HTTP dynamic streaming functionality. -->
<HDS>
<!-- This section controls the behavior of HTTP live recording -->
<Recording>
<!-- The enabled attribute can be set to "true", "false" or "allow". -->
<!-- Content protection is enabled when the attribute is set to "true", -->
<!-- and disabled when set to "false". -->
<!-- If enabled is set to "allow", only then does Event.xml have the right to -->
<!-- override the ContentProtection tag completely, and none of the -->
<!-- settings inside the ContentProtection here will be used. If -->
<!-- ContentProtection is also not specified in Event.xml, content -->
<!-- protection will be disabled by default. -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="allow">
</ContentProtection>
</Recording>
</HDS>
</Application>
Configure <AMS-Install>/applications/livepkgr_hds/Application.xml as follows:
<Application>
<StreamManager>
<Live>
<AssumeAbsoluteTime>true</AssumeAbsoluteTime>
<PublishTimeout>0</PublishTimeout>
<AdjustForZeroTimeStampMessages>2</AdjustForZeroTimeStampMessages>
<AdjustForRecordingRollover>false</AdjustForRecordingRollover>
</Live>
</StreamManager>
<HDS>
<Recording>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
<PHDS>
<CommonKeyFile>common-key.bin</CommonKeyFile>
<VideoEncryptionLevel>2</VideoEncryptionLevel>
<PlaybackExpiration>24Hours</PlaybackExpiration>
<OutputProtection>None</OutputProtection>
</PHDS>
</ContentProtection>
</Recording>
</HDS>
</Application>
Configure the httpd.conf file as follows.
For PHDS, use the following Location directive:
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications/livepkgr_hds"
HttpStreamingContentPath "../applications/livepkgr_hds"
HttpStreamingURLSandboxLevel "App"
HttpStreamingF4MMaxAge 2
HttpStreamingBootstrapMaxAge 2
HttpStreamingDrmmetaMaxAge 3600
HttpStreamingFragMaxAge -1
HttpStreamingJITEncryption false
Options -Indexes FollowSymLinks
</Location>
For PHLS, use the following Location directive:
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications/livepkgr_hls"
HttpStreamingContentPath "../applications/livepkgr_hls"
HttpStreamingURLSandboxLevel "App"
HLSMediaFileDuration 8000
HLSSlidingWindowLength 6
HLSFmsDirPath ".."
HttpStreamingUnavailableResponseCode 503
HLSEncryptionScope server
HLSProtectionScheme PHLS
</Location>
Restart Apache.
Publish streams from Flash Media Live Encoder to the livepkgr_hds
and livepkgr_hls applications. Use the stream name livestream%i?adbe-live-event=liveevent.
The request URL for PHDS is http://<serveruri>/hds-live/_definst_/<liveevent>.f4m
and the request URL for PHLS is http://<serveruri>/hls-live/_definst_/<liveevent>.m3u8.
Because the directive HttpStreamingURLSandboxLevel is
set to "App", the request URL doesn’t use the application name.
Note: In
this case, copy the common-key.bin from <AMS Install>/creds
directory to <AMS Install>/applications/livepkgr_hds/.
Similarly, by following the above mentioned steps, Adobe Access
configurations can also be used with HDS and HLS.
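The two-flag rule (both HttpStreamingJITEncryption and JITEncryption must be false to disable JIT encryption) and the PHDS/PHLS conflict described in this section are easy to get wrong in a large httpd.conf. The following checker is an added example and is not part of Adobe Media Server: it reads the two settings from an httpd.conf Location block and from the vhost Application.xml, reports whether JIT encryption is effectively on, and flags the case where JIT is off while /hds-live and /hls-live read the same application directory. The embedded configuration strings are constructed for the example and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the page's files): a trimmed httpd.conf with
# both live Location blocks, and a trimmed vhost Application.xml.
SAMPLE_HTTPD_CONF = """
<Location /hds-live>
HttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HttpStreamingJITEncryption false
Options -Indexes FollowSymLinks
</Location>
<Location /hls-live>
HLSHttpStreamingEnabled true
HttpStreamingLiveEventPath "../applications"
HttpStreamingContentPath "../applications"
HLSEncryptionScope server
HLSProtectionScheme PHLS
</Location>
"""
SAMPLE_APPLICATION_XML = """<Application>
<HDS>
<Recording>
<!-- both flags false: the live event is stored as encrypted F4F -->
<JITEncryption>false</JITEncryption>
<ContentProtection enabled="true">
<ProtectionScheme>PHDS</ProtectionScheme>
</ContentProtection>
</Recording>
</HDS>
</Application>"""


def _location_block(httpd_conf: str, location: str) -> str:
    """Body of the <Location LOCATION> ... </Location> block, or ValueError."""
    pattern = r"<Location\s+" + re.escape(location) + r"\s*>(.*?)</Location>"
    m = re.search(pattern, httpd_conf, re.S | re.I)
    if m is None:
        raise ValueError(f"no <Location {location}> block found")
    return m.group(1)


def _directive(block: str, name: str):
    """Value of an Apache directive inside a block (quotes stripped), or None.
    Anchored at line start so HLSHttpStreamingEnabled never matches HttpStreamingEnabled."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]+(\S+)", block, re.M | re.I)
    return None if m is None else m.group(1).strip('"')


def jit_in_httpd_conf(httpd_conf: str, location: str = "/hds-live") -> bool:
    """HttpStreamingJITEncryption for the location; the page's default is true."""
    value = _directive(_location_block(httpd_conf, location), "HttpStreamingJITEncryption")
    return True if value is None else value.lower() == "true"


def jit_in_application_xml(application_xml: str) -> bool:
    """HDS/Recording/JITEncryption from Application.xml; the page lists the
    default as false. XML comments are ignored by the parser."""
    el = ET.fromstring(application_xml).find("./HDS/Recording/JITEncryption")
    if el is None or el.text is None:
        return False
    return el.text.strip().lower() == "true"


def jit_encryption_effective(httpd_conf: str, application_xml: str,
                             location: str = "/hds-live") -> bool:
    """JIT encryption stays on unless BOTH settings are false (the page's rule)."""
    return jit_in_httpd_conf(httpd_conf, location) or jit_in_application_xml(application_xml)


def dual_delivery_findings(httpd_conf: str, application_xml: str) -> list[str]:
    """Flag the PHDS+PHLS conflict: with JIT off the live event is stored as
    encrypted F4F, which the HLS module cannot encrypt again, so /hds-live and
    /hls-live must not serve the same application directory."""
    findings: list[str] = []
    if jit_encryption_effective(httpd_conf, application_xml):
        return findings  # JIT on: one application can serve both HDS and HLS
    hds_path = _directive(_location_block(httpd_conf, "/hds-live"), "HttpStreamingLiveEventPath")
    try:
        hls_block = _location_block(httpd_conf, "/hls-live")
    except ValueError:
        return findings  # no HLS location, nothing to conflict with
    hls_path = _directive(hls_block, "HttpStreamingLiveEventPath")
    if hds_path and hds_path == hls_path:
        findings.append(
            f"JIT encryption is off and both /hds-live and /hls-live read {hds_path!r}; "
            "use separate applications (for example livepkgr_hds and livepkgr_hls)")
    return findings


if __name__ == "__main__":
    print("JIT encryption effective:",
          jit_encryption_effective(SAMPLE_HTTPD_CONF, SAMPLE_APPLICATION_XML))
    for finding in dual_delivery_findings(SAMPLE_HTTPD_CONF, SAMPLE_APPLICATION_XML):
        print("finding:", finding)
```

Point the two sample strings at your real httpd.conf and vhost Application.xml contents; a missing Location block is reported as an error rather than silently treated as the default, since that is usually a sign the checker is looking at the wrong file.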
VOD use case
Configure PHDS for on-demand streaming at the following levels:
Server—rootinstall/Apache2.2/conf/httpd.conf
Stream—create a jit.conf file and copy it to the same directory as the content.
Getting started
To quickly get started with PHDS, you need to understand the following directives:
Directive | Default value | Description
EncryptionScope | None | Possible values are content and server. When the value is content, PHDS configuration settings in the jit.conf file override settings in the httpd.conf file. When the value is server, the server uses the configuration settings in the httpd.conf file.
ProtectionScheme | None | A string determining the type of protection. For PHDS, use PHDS.
The simplest way to configure on-demand PHDS is to uncomment
two lines in the Apache httpd.conf file:
<IfModule jithttp_module>
<Location /hds-vod>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
# Uncomment the following directives to enable encryption
# for this location.
EncryptionScope server
ProtectionScheme phds
</Location>
</IfModule>
Note: This configuration enables PHDS at the server level.
The sample1_1500kbps.f4v media file comes with the default installation of AMS under <root-install>/webroot/vod (the HttpStreamingContentPath above). Play back the media file using the following URI:
http://<server-ip>/hds-vod/sample1_1500kbps.f4v.f4m
Detailed configuration
The following sections provide detailed configurations for both PHDS and Adobe Access.
Server level
The following sections explain how content protection can be applied across the server:
Common configurations
Directive | Default value | Description
EncryptionScope | content | Serverwide setting that selects the encryption policy. Possible values are content, server and off. server: all content is protected according to the Apache configuration (jit.conf is ignored). content: content is protected or unprotected according to the jit.conf file in its directory, whose settings override those in httpd.conf. off: all content is unprotected (jit.conf is ignored).
ProtectionScheme | PHDS | A string determining the type of protection. Possible values are PHDS and FlashAccessV2.
PHDS configurations
Configure the following directives for the jithttp_module in the Apache httpd.conf file:
Directive | Default value | Description
PHDSCommonKeyFile | creds/common-key.bin (generated during installation) | A common key used to protect content at this location.
PHDSPlaybackExpiration | 24Hours | The duration within which content playback is available. Possible values are 24Hours and Unlimited.
PHDSOutputProtection | None | The hardware output protection required of media on the client. Possible values are None, BestEffort, and Required.
PHDSVideoEncryptionLevel | 2 | The level of encryption for the content (0: low, 1: medium, 2: high). Lower settings provide partial encryption: only a subset of the samples (such as video keyframes) is encrypted, and the remaining samples are left in the clear. Partial encryption can improve playback performance on the client because there are fewer frames to decrypt.
Adobe Access configurations
Directive | Default value | Description
JitDrmCommonKeyFile | None | A common key used to protect content at this location. The path is relative to rootinstall/Apache2.2.
JitDrmLicenseServerURL | None | The URL of the license server used for protecting content.
JitDrmTransportCertFile | None | The transport certificate used for protecting content.
JitDrmLicenseServerCertFile | None | The license server certificate used for protecting content.
JitDrmPackagerCredentialFile | None | The packager credential used for protecting content.
JitDrmPackagerCredentialPassword | None | The packager credential password for the configured packager credential file.
JitDrmPolicyFile | None | The policy used for protecting content.
The following example adds a new Location directive. Requests that include /phds serve protected content. This configuration doesn't define PHDSPlaybackExpiration, PHDSVideoEncryptionLevel, or PHDSCommonKeyFile, but relies on their default values:
LoadModule jithttp_module modules/mod_jithttp.so
<IfModule jithttp_module>
<Location /phds>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope server
ProtectionScheme phds
</Location>
</IfModule>
When a media player requests content from the /webroot/vod folder through this location, the content is protected. For example, request the following URL from the sample video player:
http://localhost:8134/phds/sample1_1500kbps.f4v.f4m
To verify that the content is protected, enter the same URL into the address bar of a web browser. The XML response contains a <drmAdditionalHeader> element, and each <media> element references it through its drmAdditionalHeaderId attribute, like the following:
<?xml version="1.0" encoding="UTF-8" ?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0">
<id>sample1_1500kbps.f4v</id>
<streamType>recorded</streamType>
<duration>114.61450000000001</duration>
<bootstrapInfo profile="named" id="bootstrap3628">AAABq2Fic3QAAAAAAAA</bootstrapInfo>
<drmAdditionalHeader drmContentId="sample1_1500kbps.f4v" id="drmMetadata9839">AgARfEFkZGl0aW9uYWxIZWFkZXIDAAp</drmAdditionalHeader>
<media streamId="sample1_1500kbps.f4v" url="sample1_1500kbps.f4v" bootstrapInfoId="bootstrap3628" drmAdditionalHeaderId="drmMetadata9839">
<metadata>AgAKb25NZXRhRGF0</metadata>
</media>
</manifest>
Note: The <bootstrapInfo>, <drmAdditionalHeader>,
and <metadata> information has been abridged
for readability.
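The browser check above can be automated. The following is an added example, not code from the Adobe documentation: it parses an F4M manifest and confirms that every <media> element references an existing, non-empty <drmAdditionalHeader>, which is the condition under which a client is handed DRM metadata rather than clear fragments. The embedded manifest is constructed from the page's abridged response (the Base64 payloads are truncated placeholders), and the function names and the URL helper are my own.

```python
import urllib.request
import xml.etree.ElementTree as ET

F4M = "{http://ns.adobe.com/f4m/1.0}"

# Constructed sample: the page's abridged manifest, reduced to the elements the
# check inspects. The Base64 payloads are truncated placeholders, not real data.
SAMPLE_MANIFEST = """<manifest xmlns="http://ns.adobe.com/f4m/1.0">
<id>sample1_1500kbps.f4v</id>
<streamType>recorded</streamType>
<bootstrapInfo profile="named" id="bootstrap3628">AAABq2Fic3QAAAAAAAA</bootstrapInfo>
<drmAdditionalHeader drmContentId="sample1_1500kbps.f4v" id="drmMetadata9839">AgARfEFkZGl0aW9uYWxIZWFkZXIDAAp</drmAdditionalHeader>
<media streamId="sample1_1500kbps.f4v" url="sample1_1500kbps.f4v" bootstrapInfoId="bootstrap3628" drmAdditionalHeaderId="drmMetadata9839">
<metadata>AgAKb25NZXRhRGF0</metadata>
</media>
</manifest>"""


def manifest_protection_report(f4m_xml: str) -> dict:
    """Report which <media> entries of an F4M manifest carry DRM metadata.

    A stream counts as protected only if its drmAdditionalHeaderId resolves to
    a non-empty <drmAdditionalHeader> in the same manifest; a missing attribute,
    a dangling id, or an empty header all count as unprotected."""
    root = ET.fromstring(f4m_xml)
    if root.tag != F4M + "manifest":
        raise ValueError(f"not an F4M manifest: {root.tag}")
    headers = {
        h.get("id"): (h.text or "").strip()
        for h in root.findall(F4M + "drmAdditionalHeader")
        if h.get("id")
    }
    media = {}
    for m in root.findall(F4M + "media"):
        name = m.get("streamId") or m.get("url") or "?"
        ref = m.get("drmAdditionalHeaderId")
        media[name] = bool(ref) and bool(headers.get(ref))
    return {
        "drm_headers": sorted(headers),
        "media": media,
        "all_protected": bool(media) and all(media.values()),
    }


def unprotected_streams(f4m_xml: str) -> list[str]:
    """Names of streams a client could fetch in the clear (empty when all are protected)."""
    report = manifest_protection_report(f4m_xml)
    return sorted(name for name, ok in report["media"].items() if not ok)


def check_manifest_url(url: str, timeout: float = 10.0) -> dict:
    """Fetch a manifest from a running server and report on it
    (e.g. http://localhost:8134/phds/sample1_1500kbps.f4v.f4m)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return manifest_protection_report(resp.read().decode("utf-8"))


if __name__ == "__main__":
    report = manifest_protection_report(SAMPLE_MANIFEST)
    print("DRM headers:", report["drm_headers"])
    print("all streams protected:", report["all_protected"])
    print("unprotected:", unprotected_streams(SAMPLE_MANIFEST))
```

Run it against each Location you expect to be protected, including multi-bitrate manifests with several <media> entries, since an EncryptionScope of content protects only the directories that carry a jit.conf.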
The following example adds a new Location directive. Requests that include /hds-vod-fax serve content protected through Adobe Access. Apache comments begin with #; none of the JitDrm* directives has a default value:
<Location /hds-vod-fax>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
HttpStreamingJITConfAllowed true
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope server
ProtectionScheme FlashAccessV2
# Common key used to protect content at this location. No default.
JitDrmCommonKeyFile common-key.bin
# License server URL used when protecting content at this location. No default.
JitDrmLicenseServerURL http://<aaxs-test-server>/
# Transport certificate used when protecting content at this location. No default.
JitDrmTransportCertFile aaxs-test-server-trnsCert.der
# License server certificate used when protecting content at this location. No default.
JitDrmLicenseServerCertFile aaxs-test-server-licCert.der
# Packager credential used when protecting content at this location. No default.
JitDrmPackagerCredentialFile aaxs-test-server-pkgrCert.pfx
# Packager credential password for the configured packager credential file. No default.
JitDrmPackagerCredentialPassword pwd=
# Policy used when protecting content at this location. No default.
JitDrmPolicyFile sample_policy.pol
</Location>
Note: JitDrmCommonKeyFile takes a path relative to <AMS-Install>/Apache2.2.
Stream level
To configure encryption parameters for individual sets of media, use the configurations described below.
Common configurations
Element | Default value | Description
//manifest/hds:content-protection enabled | false | To enable content protection with Adobe Access or PHDS, set the enabled attribute to "true".
//manifest/hds:content-protection/hds:protection-scheme | PHDS | The type of protection. The only possible values are PHDS and FlashAccessV2. For PHDS, use PHDS.
PHDS configurations
Element | Default value | Description
//manifest/hds:content-protection/hds:phds/hds:common-key-file | creds/common-key.bin | Path to the common key file generated when the server is installed. The file contains a 16-byte (128-bit) random key. The path can be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:phds/hds:video-encryption-level | 2 | The level of encryption for the content (0: low, 1: medium, 2: high). Lower settings provide partial encryption: only a subset of the samples (such as video keyframes) is encrypted. Partial encryption can improve playback performance on the client because there are fewer frames to decrypt.
//manifest/hds:content-protection/hds:phds/hds:playback-expiration | 24Hours | The protection policy, which determines the duration within which content playback is available. Possible values are 24Hours and Unlimited.
//manifest/hds:content-protection/hds:phds/hds:output-protection | None | The hardware output protection required of media on the client. Possible values are None, BestEffort, and Required.
Adobe Access configurations
Element | Default value | Description
//manifest/hds:content-protection/hds:flash-access/hds:common-key-file | None | The path to the common key file, which contains a 16-byte (128-bit) random key. The path must be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:content-id | None | The content ID used for content protection. If not specified, the salt is the filename; if specified, the salt is shared with all content in the directory.
//manifest/hds:content-protection/hds:flash-access/hds:license-server-url | None | The license server URL.
//manifest/hds:content-protection/hds:flash-access/hds:transport-cert-file | None | The path to the transport certificate file, in DER format. The path should be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:license-server-cert-file | None | The path to the license server certificate file, in DER format. The path should be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:packager-credential-file | None | The path to the packager credential file, in PFX format. The path should be absolute or relative to the jit.conf file.
//manifest/hds:content-protection/hds:flash-access/hds:packager-credential-password | None | The packager credential password.
//manifest/hds:content-protection/hds:flash-access/hds:policy-file | None | The path to a policy file in Adobe Access policy format. The path should be absolute or relative to the jit.conf file.
The following httpd.conf file sets EncryptionScope to content. This setting tells the server that configuration settings in the jit.conf file override settings in the httpd.conf file. Use this setting to configure PHDS/Adobe Access for individual sets of media.
LoadModule jithttp_module modules/mod_jithttp.so
<IfModule jithttp_module>
<Location /hds-vod>
HttpStreamingJITPEnabled true
HttpStreamingContentPath "../webroot/vod"
JitFmsDirPath ".."
Options -Indexes FollowSymLinks
EncryptionScope content
</Location>
</IfModule>
The following is the accompanying jit.conf file, in the same directory as the on-demand media files (/webroot/vod), which enables PHDS:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<frame-rate>29.97</frame-rate>
<frames-per-keyframe-interval>60</frames-per-keyframe-interval>
<hds:content-protection enabled="true">
<hds:protection-scheme>phds</hds:protection-scheme>
<hds:phds>
<hds:common-key-file>C:\Program Files\Adobe\Adobe Media Server 5\creds\common-key.bin</hds:common-key-file>
<hds:video-encryption-level>0</hds:video-encryption-level>
<hds:playback-expiration>unlimited</hds:playback-expiration>
</hds:phds>
</hds:content-protection>
</manifest>
The following is the accompanying jit.conf file, in the same directory as the on-demand media files (/webroot/vod), which enables Adobe Access (the element paths are those listed in the Adobe Access table above):
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://ns.adobe.com/f4m/1.0" xmlns:hds="http://ns.adobe.com/hds-package/1.0">
<hds:content-protection enabled="true">
<hds:protection-scheme>FlashAccessV2</hds:protection-scheme>
<hds:flash-access>
<hds:content-id>jit_fax2</hds:content-id>
<hds:common-key-file>common-key.bin</hds:common-key-file>
<hds:license-server-url>http://<aaxs-test-server></hds:license-server-url>
<hds:transport-cert-file>aaxs-test-server-trnsCert.der</hds:transport-cert-file>
<hds:license-server-cert-file>aaxs-test-server-licCert.der</hds:license-server-cert-file>
<hds:packager-credential-file>aaxs-test-server-pkgrCert.pfx</hds:packager-credential-file>
<hds:packager-credential-password>pwd=</hds:packager-credential-password>
<hds:policy-file>sample_policy.pol</hds:policy-file>
</hds:flash-access>
</hds:content-protection>
</manifest>
Note: In this case, hds:common-key-file takes a path relative to <AMS-Install>/webroot/vod, the directory containing the jit.conf file.
SWF verification for Protected HTTP Dynamic Streaming
SWF verification prevents unauthorized SWF files from accessing content. To use SWF verification, you must enable Protected HTTP Dynamic Streaming (PHDS).
Create a list of authorized SWF files, called a whitelist. The hashes in this list are specified in the embedded license and sent to the client inside the DRM metadata. On the client, SWF verification is enforced by Adobe Access inside Flash Player and AIR.
To create the whitelist, use the Whitelist tool (rootinstall/tools/Whitelist).
Workflow
Enable PHDS.
Use the Whitelist tool to generate a whitelist of authorized SWF files. The whitelist file can have any name, but it must have the .whitelist or .airwhitelist extension.
Copy the whitelist to the server.
Enable SWF verification and indicate the location of the whitelist in httpd.conf (server level), in Application.xml or Event.xml (live), or in jit.conf (on-demand), as described in the following sections.
Publish a stream to the livepkgr application on Adobe Media Server.
Request a stream from an OSMF media player. The syntax of the request URL does not change for SWF verification.
The server embeds the SWF hashes from the whitelist into the .drmmeta file. Flash Player attempts to verify the SWF hash during DRM authentication.
(Live) The server looks for the whitelist in the following order:
The application folder. (The default application for live HTTP streaming is rootinstall/applications/livepkgr.)
A path in the /SWFVerification/WhitelistFolder element of Application.xml
A path in the /SWFVerification/WhitelistFolder element of Event.xml
(On-demand) The server looks for the whitelist in the folder configured in httpd.conf or in the jit.conf file in the same folder as the on-demand content.
If the hashes don't match, Flash Player throws a runtime error (3310) and the OSMF media player stops requesting fragments.
SWF verification configurations for live PHDS
To enable SWF verification for live PHDS, enable PHDS at the server level (httpd.conf), the application level (Application.xml) or the event level (Event.xml).
Configure SWF verification for live HDS at the server level (httpd.conf)
Add the following directives to the hds-live Location block to enable SWF verification:
Element | Description | Default
PHDSSWFVerification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false"
PHDSSWFWhiteListFolder | Specifies the location of the SWF whitelist. | The application folder of the live event.
Configure SWF verification for live HDS at the application level (Application.xml) or at the event level (Event.xml)
In Application.xml, SWFVerification is located at //Application/HDS/Recording/ContentProtection/PHDS/SWFVerification. In Event.xml, SWFVerification is located at //Event/Recording/ContentProtection/PHDS/SWFVerification.
Element | Description | Default
/SWFVerification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false"
/SWFVerification/WhiteListFolder | A path to the folder containing the whitelist. The folder can contain more than one whitelist file. The path can be absolute or relative: a relative path in Application.xml is relative to the application folder, and a relative path in Event.xml is relative to the event folder. Backwards relative paths are not supported for security reasons. This setting is optional; if no value is given, the server looks in the application folder of the live event. | The application folder of the live event.
Configure the following settings in the Apache httpd.conf file to control cache control for the bootstrap, fragment, manifest and drmmeta responses: HttpStreamingBootstrapMaxAge, HttpStreamingFragMaxAge, HttpStreamingF4MMaxAge and HttpStreamingDrmmetaMaxAge (they appear in the hds-live Location examples above).
For detailed information about each configuration, see Configure live and on-demand HTTP Streaming at the server level (httpd.conf).
SWF verification configurations for on-demand PHDS
SWF verification is configured under PHDS. To enable SWF verification, enable PHDS. You can enable on-demand PHDS at the server level (httpd.conf) or at the stream level (jit.conf).
Configure SWF verification for on-demand PHDS at the server level (httpd.conf) or at the stream level (jit.conf).
Use the following directives to enable and configure SWF verification in the httpd.conf file:
Element | Description | Default
PHDSSWFVerification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false"
PHDSSWFWhiteListFolder | Optional setting that specifies where the SWF whitelist can be found. The folder can contain more than one whitelist file. This can be overridden by jit.conf if the Apache configuration is overridable. If no value is given, the server looks in the folder containing the jit.conf file. | The folder containing the media.
Use the following elements to enable and configure SWF verification in the jit.conf file. Copy the jit.conf file to the same directory as the on-demand media.

| Element | Description | Default |
|---|---|---|
| //manifest/hds:content-protection/hds:phds/hds:swf-verification | The container for SWF verification configuration. To enable SWF verification, set the enabled attribute to "true". | "false" |
| //manifest/hds:content-protection/hds:phds/hds:swf-verification/hds:white-list-folder | A path to the folder containing the whitelist. The folder can contain more than one whitelist file. The path can be absolute or relative; a relative path is relative to the folder containing the jit.conf file. Backwards relative paths (paths that climb out of that folder with "..") are not supported, for security reasons. This setting is optional; if no value is given, the server looks in the folder containing the jit.conf file. | The folder containing the media. |
Whitelist tool
Use the whitelist tool to generate a list of verified SWF and AIR files. The server uses the whitelist to perform SWF verification for Flash Player and AIR applications.
The whitelist tool takes SWF files, AIR certificate files, and AIR signature files and computes a SHA-256 hash of each file. The tool writes the hashes, Base64-encoded, to one or more text files with the filename extensions .whitelist and .airwhitelist. Because each entry is a hash of the file's bytes, any rebuild of a client SWF changes its hash, and the whitelist must be regenerated for the new build before that client can play protected content.
The whitelist tool is located in the following directory:
rootinstall/tools/Whitelist
Use the following command line syntax to run the whitelist tool (repeat --in to specify more than one file or directory):
whitelist --in <file|dir> [--in <file|dir> ...] [--log <file|dir>] [--outDir <output dir>] [--out <output file>] [--version]
The following table lists the command line options and arguments for the whitelist tool:
| Option | Optional | Description |
|---|---|---|
| --in <file\|dir> | No | A SWF file, an AIR signature file, or an AIR certificate file, or a directory containing SWF files (the directory form does not support AIR files). To specify multiple files or directories, use multiple --in options. For SWF files, the tool outputs a file with the extension .whitelist. For AIR signature and certificate files, the tool outputs a file with the extension .airwhitelist. |
| --log <file\|dir> | Yes | An existing directory path that contains the default whitelist.properties file, or the full path name of a properties file. Customize logging in the .properties file. The whitelist tool uses Apache log4j logging. By default, log messages are routed to the console; to reroute them, use the --log option. |
| --out <output file> | Yes | The name for the .whitelist file and the .airwhitelist file. If --out is not specified, the tool creates a .whitelist or .airwhitelist file for each input .swf file and .xml file. If --out is specified, --outDir is ignored and the file is saved to the directory the tool is being run from. |
| --outDir <outputdir> | Yes | Creates an output directory and saves the .whitelist and .airwhitelist files to that directory. If --outDir is not specified, the files are created in the directory the tool is being run from. If --outDir is a relative path, it is relative to the directory the tool is being run from. |
| --version | Yes | Prints the SWF verification version number that is written in the .whitelist file. |
The following table lists examples of running the whitelist tool. In the examples that use mydir, mydir is a directory containing bar.swf.

| Example | Result |
|---|---|
| whitelist --in foo.swf --in bar.swf | Creates foo.swf.whitelist and bar.swf.whitelist in the current directory. |
| whitelist --in signature.xml --in bar.swf | Creates signature.xml.airwhitelist and bar.swf.whitelist in the current directory. |
| whitelist --in foo.swf --in mydir | Creates foo.swf.whitelist and bar.swf.whitelist in the current directory. |
| whitelist --in signature.xml --in mydir | Creates signature.xml.airwhitelist and bar.swf.whitelist in the current directory. |
| whitelist --in foo.swf --in bar.swf --outDir outputdir | Creates outputdir/foo.swf.whitelist and outputdir/bar.swf.whitelist. |
| whitelist --in signature.xml --in bar.swf --outDir outputdir | Creates outputdir/signature.xml.airwhitelist and outputdir/bar.swf.whitelist. |
| whitelist --in foo.swf --in mydir --out outputfile | Creates outputfile.whitelist in the current directory, containing the hashes for foo.swf and mydir/bar.swf. |
| whitelist --in signature.xml --in mydir --out outputfile | Creates outputfile.airwhitelist, containing the hash for signature.xml, and outputfile.whitelist, containing the hash for bar.swf. Both files are created in the current directory. |
| whitelist --in foo.swf --in mydir --out outputfile --outDir outputdir | Creates outputfile.whitelist in the current directory, containing the hashes for foo.swf and mydir/bar.swf. Warning: when --out is specified, the tool ignores --outDir, so nothing is written to outputdir. |
| whitelist --in signature.xml --in mydir --out outputfile --outDir outputdir | Creates outputfile.airwhitelist, containing the hash for signature.xml, and outputfile.whitelist, containing the hash for mydir/bar.swf. Both files are created in the current directory. Warning: when --out is specified, the tool ignores --outDir, so nothing is written to outputdir. |
| whitelist --version | Displays "version 1.0". |
If an input file has the same name as a previously input file, both files are added to the whitelist. For example:
whitelist --in c:\myfolder\signature.xml --in c:\yourfolder\signature.xml --outDir c:\out\signature.xml
The following is the output:
# c:\myfolder\signature.xml
XXXXXXXXXXXXXXXXXXXXXX
# c:\yourfolder\signature.xml
XXXXXXXXXXXXXXXXXXXXXXXXXXX
The following is the whitelist format for an individual hash:
# foo.swf
PGfcEwgUKWScivIRucIwG5jT
The following is the whitelist format for an AIR file:
# C:\air\signatures.xml
A167FBF93528C87BBCDAC2B8CD0829479DDA6912.2
The following is the whitelist format for multiple hashes when
using the --out option:
# foo.swf
PGfcEwgUKWScivIRucIwG5jT
# bar.swf
TcsQWLLi7h7WNjHqcLzzl0J15Srvdzkz2inCTKQLOHw=
# mydir/bar.swf
TcsQWLLi7h7WNjHqcLzzl0J15Srvdzkz2inCTKQLOHw=
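As an added example (not Adobe's whitelist tool and not server code), the following Python builds a .whitelist file in the format shown above (a "# name" label line followed by the Base64-encoded SHA-256 digest), merges every .whitelist file found in a folder, which is what the whitelist-folder settings above allow, and checks a SWF against the merged set. The SWF payloads are constructed stand-ins rather than real SWF files, the file names are made up, and the .airwhitelist format for AIR signatures and certificates is not modelled.

```python
# Added example, not Adobe's whitelist tool: build, merge and check
# .whitelist files in the documented "# name / Base64(SHA-256)" format.
import base64
import hashlib
import tempfile
from pathlib import Path


def swf_digest_b64(data: bytes) -> str:
    """SHA-256 of the file bytes, Base64-encoded (44 chars, one '=' pad)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_whitelist(entries) -> str:
    """entries: iterable of (name, file_bytes).

    Writes one '# name' label line and one digest line per file. Names
    are not de-duplicated: two inputs with the same name both get entries,
    matching the tool's documented behaviour.
    """
    lines = []
    for name, data in entries:
        lines.append(f"# {name}")
        lines.append(swf_digest_b64(data))
    return "\n".join(lines) + "\n"


def parse_whitelist(text: str) -> set:
    """Collect digests; '# ...' lines are labels only, blank lines are skipped."""
    digests = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digests.add(line)
    return digests


def load_whitelist_folder(folder: Path) -> set:
    """A whitelist folder may hold more than one .whitelist file: union them."""
    digests = set()
    for path in sorted(folder.glob("*.whitelist")):
        digests |= parse_whitelist(path.read_text(encoding="ascii"))
    return digests


def is_whitelisted(swf_bytes: bytes, digests: set) -> bool:
    """Verification is by hash only: the label beside the hash is ignored."""
    return swf_digest_b64(swf_bytes) in digests


# Constructed stand-in payloads (not real SWF files): 'FWS' is the
# uncompressed-SWF magic, the rest is filler.
PLAYER_SWF = b"FWS\x0a" + b"player-bytes" * 8
TAMPERED_SWF = PLAYER_SWF[:-1] + b"!"   # a single changed byte


def demo() -> dict:
    """Two whitelist files in one folder, as two separate tool runs would leave."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "player.swf.whitelist").write_text(
            build_whitelist([("player.swf", PLAYER_SWF)]), encoding="ascii")
        (folder / "other.whitelist").write_text(
            build_whitelist([("mydir/other.swf", b"FWS\x0aother")]), encoding="ascii")
        digests = load_whitelist_folder(folder)
        return {
            "entries": len(digests),
            "player_ok": is_whitelisted(PLAYER_SWF, digests),
            "tampered_ok": is_whitelisted(TAMPERED_SWF, digests),
        }


if __name__ == "__main__":
    print(build_whitelist([("player.swf", PLAYER_SWF)]), end="")
    print(demo())
```

The tampered check is the point of the format: a one-byte change to the client SWF, whether an attacker's modification or an ordinary rebuild, produces a different digest, so the whitelist has to be regenerated for every release of the client.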