- DRM Overview
- Certificate Enrollment Guide
- Adobe Primetime DRM SDK 5.3.1
- DRM Quick-Start Guide
- Adobe Primetime Cloud DRM Quick-Start Guide
- What is included with Primetime Cloud DRM
- What is NOT supported by Primetime Cloud DRM
- Prerequisites
- Packaging options
- Test the packaged content
- Triaging errors
- Custom authentication/entitlement
- Adobe Primetime authentication (Optional)
- Creating custom DRM policies (Optional)
- Update existing DRM content to use Cloud DRM (Optional)
- Streaming to Xbox360 (Optional)
- Using the Adobe Primetime DRM Key Server
- Adobe Primetime DRM Secure Deployment Guidelines
- Multi-DRM Workflows
- Multi-DRM Workflows
- Primetime DRM Cloud Quick-start
- Workflows: Package, License, and Play
- Multi-DRM Workflow for FairPlay
- Multi-DRM Workflow for Widevine and PlayReady
- Package your content with Bento4
- Package your content with Adobe Offline Packager
- Using Output Protection Policies
- Client Key Request workflow overview
- Expressplay tokens
- Key request workflow on Android PSDK
- Key request workflow on HTML5 TVSDK
- Device Binding
- Generic Workflows
- Feature Topics
- ExpressPlay license token request / response reference
- Migrating from Access to Multi-DRM
- Glossary
- Adobe Primetime DRM On Premises Individualization Server Guide
- Primetime DRM Server for Protected Streaming 5.3.1
- About Adobe Primetime DRM Server for Protected Streaming
- About usage rules
- Requirements
- Understanding Deployment
- Deploying the Adobe Primetime DRM Server for Protected Streaming
- Java system properties
- About Adobe Primetime DRM credentials
- HSM configuration
- Setting up the License server configuration files
- Crossdomain DRM policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Primetime DRM Server for Protected Streaming
- Running the DRM Server for Protected Streaming
- Packaging content
- DRM Server for Protected Streaming utilities
- Using the Adobe Primetime DRM SDK for Protecting Content - 5.3.1
- What is new in Adobe Primetime DRM
- Usage rules and Authentication
- Runtime and application restrictions
- Allow list for Primetime DRM applications allowed to play protected content…
- Allow list for Adobe® Flash® Player SWFs
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak enforcement (requires Adobe Primetime DRM)
- Other DRM policy options
- Device Group Domain Registration
- Output protection controls
- Packaging Options
- Setting up the SDK
- Work with DRM policies
- Package media files
- Pre-generating and embedding licenses
- Implement a License Server
- Overview
- License Server deployment options
- Process Adobe Primetime DRM requests
- Handle Get Server Version requests
- Handle Domain Registration requests
- Handle Domain De-Registration requests
- Handle License Return requests
- Handle authentication requests
- Handle license requests
- License chaining
- Handle synchronization requests
- Handle FMRMS compatibility
- Handling certificate updates when Adobe-issued certificates expire
- Performance tuning
- Revoke client credentials
- Create video players
- Resolution-Based Output Protection 5.3.1
- Adobe Primetime DRM Reference Implementations 5.3.1
- About the reference implementations
- Typical workflow
- Command-line tools
- Configure and run the command-line tools
- DRM Media Packager
- DRM Policy Update List Manager
- DRM Revocation List Manager
- DRM License Generator
- DRM License Embedder
- AIR Publisher ID utility
- License server
- Configuration
- Deploy the license server
- Troubleshooting
- Check whether the license server started properly
- Determining if Reference Implementation License Server runs properly
- Implementing the usage models
- Domain registration
- Migrate from FMRMS 1.0 or 1.5 to Adobe Primetime DRM 2.0 or later
- Upgrade existing deployments
- Adobe Primetime TVSDK-DRM Workflow
- TVSDK-DRM client-side workflow overview
- Primetime DRM content protection options
- Primetime DRM on the client
- Primetime DRM license server
- License acquisition process overview
- License acquisition process details
- Pre-loading licenses for offline playback
- Using the DRMStatusEvent class
- Using the DRMAuthenticateEvent class
- Using the DRMErrorEvent class
- Using the DRMManager class
- Using the DRMContentData class
- Out-of-band licenses
- Device domain support
- License preview
- Delivering content
- DRM Client Error Message Reference
- Using Adobe Access DRM With an External Key Management System
- Use the Adobe Access Server for Protected Streaming
- About Adobe Access Server for Protected Streaming
- Usage rules
- Requirements
- Deploying the Adobe Access Server for Protected Streaming
- License server configuration files
- Crossdomain policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Access Server for Protected Streaming
- Updating configuration files
- Packaging content
- Adobe Access Server for Protected Streaming utilities
- Adobe Access Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Protect and issue licenses
- Consuming locally generated CRLs
- Consuming CRLs published by Adobe
- Generating CRLs to supplement those published by Adobe
- Rollback detection
- Machine count when issuing licenses
- Replay protection
- Maintain an allow list of trusted content packagers
- Timeout for authentication tokens
- Overriding policy options
- Pre-generating licenses
- Managing Domains
- An Overview of Adobe Access SDK
- Using the Adobe Access SDK for Protecting Content
- Introduction
- User authentication
- Time-based rules
- Runtime and application restrictions
- Allow list for Adobe® Primetime applications allowed to play protected content
- Allow list for Adobe® Flash® Player SWFs allowed to play protected content
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes restricted from accessing protected content
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak Enforcement (requires Adobe Primetime)
- Other policy options
- Output protection controls
- Packaging Options
- Setting up the SDK
- Working with policies
- Packaging media files
- Pre-generating and embedding licenses
- Implementing the License Server
- Processing Adobe Access requests
- Processing Adobe Access requests
- Using machine identifiers
- User authentication
- Replay protection
- Rollback detection
- Global server configuration data
- Crossdomain policy file
- Handling Get Server Version requests
- Handling Domain Registration requests
- Handling Domain De-Registration requests
- Handling License Return requests
- Handling authentication requests
- Handling license requests
- Handling license requests
- Generating licenses
- License chaining
- Enhanced License Chaining
- Issuing Domain-bound licenses
- Issuing licenses for remote key delivery to iOS clients (requires Adobe Primetime)
- Minimum Client Version
- License preview
- Identity-based licenses
- Revoking client credentials
- Creating video players
- Adobe Access Reference Implementations
- Overview - Using the reference implementations
- Command line tools for packaging content and creating revocations lists
- Policy Manager
- Media Packager
- Policy Update List Manager
- Revocation List Manager
- AIR Publisher ID utility
- License Generator
- License Embedder
- License server and watched folder packager
- License server and watched folder packager overview
- Requirements
- Building the license server
- Configuration
- Server properties files
- Preparing passwords for the Server properties files
- License server properties file
- Packager properties file
- Watched folder properties
- Setting up the database and configuring the JNDI datasource
- HSM configuration
- Crossdomain policy file
- Deploying the license server and watched folder packager
- Determining if Reference Implementation License Server is running properly
- Implementing the usage models
- Implementing domain registration
- Migrating from FMRMS 1.0 or 1.5 to Adobe Access 2.0 and above
- Upgrading existing deployments
- Set up a domain server
- Flash Access Manager AIR application usage
Protecting the License Server
You must ensure that you are securely issuing licenses. Consider these best practices to protect the License Server:
Consuming locally generated CRLs
To consume locally generated certificate revocation lists (CRLs) and policy update lists, use Adobe Primetime DRM APIs to verify the signature.
The following APIs verify that the lists have not been tampered with and that the lists were signed by the correct License Server:
-
Call RevocationList.verifySignature to check the signature before you provide the RevocationList to any APIs.
For more information, see RevocationListFactory.
-
Call PolicyUpdateList.verifySignature to check the signature before providing the
PolicyUpdateListto any APIs.For more information, see PolicyUpdateList.
Consuming CRLs published by Adobe
The SDK periodically downloads CRLs that are published by Adobe. You must ensure that access to these files is not blocked or the enforcement of these CRLs is not prevented.
The SDK has a configuration option to ignore errors when retrieving Adobe CRLs, and you can only apply this option in development environments. In production environments, the license server must retrieve the CRLs from Adobe. If the license server cannot obtain a valid CRL, an error has occurred.
Generating CRLs to supplement those published by Adobe
You can use Adobe Primetime DRM to create CRLs that supplement the machine CRL that is published by Adobe.
The Primetime DRM SDK checks and enforces the Adobe CRLs. However, you can disallow additional client machines by creating a CRL that revokes additional machine credentials by passing the CRL to the Primetime DRM SDK. When you issue a license, the SDK checks the Adobe CRL and your CRL.
To generate CRLs, see RevocationListFactory.
Rollback detection
If your implementation of Adobe Primetime DRM uses business rules that require the client to maintain state (for example, the playback window interval), Adobe recommends that the server keeps track of the rollback counter and use AIR or SWF allow listing.
The rollback counter is sent to the server in most requests from the client. If your implementation of Primetime DRM does not require the rollback counter, it can be ignored. Otherwise, Adobe recommends that the server store the random machine ID, which is obtained using MachineToken.getUniqueId(), and the current counter value in a database.
For more information on how to increment and track the rollback counter, see ClientState and Rollback detection.
Machine count when issuing licenses
If the business rules require that the number of machines for a user be tracked, the License Server or Domain Server must store the machine IDs that are associated with the user.
The most robust way to track machine IDs is to store the value that is returned by the MachineId.getBytes() method in a database. When a new request is received, compare the machine ID in the request with the known machine IDs by using MachineId.matches().
MachineId.matches() performs a comparison of IDs to determine whether the IDs represent the same machine. This comparison is only practical if there is a small number of machine IDs. For example, if users are allowed five machines in their domain, you can search the database for the machine IDs that are associated with the user’s username and obtain a small set of data for comparison.
This comparison is not practical for deployments that allow anonymous access. In this case, MachineId.getUniqueID() can be used. However, this ID cannot be the same if the user accesses content from Flash and Adobe AIR® runtimes.
The ID does not survive if the user reformats the hard drive.
Replay protection
Replay protection prevents an attacker from replaying a license request message and potentially causing a denial-of-service (DoS) attack against the client.
A DoS attack is an attempt by attackers to prevent legitimate users of a service from using that service. For example, a replay attack that uses the rollback counter could be used to “trick” the License Server into thinking that the DRM client has rolled back its state, which causes a suspension of the account.
To learn more about replay protection, see AbstractRequestMessage.getMessageId().
Maintain an allow list of trusted content packagers
A allow list is a list of trusted entities.
For content packagers, the entities are organizations that are trusted by the content owner to package (or encrypt) the video files and create DRM protected content. When deploying Adobe Primetime DRM, you should maintain an allow list of trusted content packagers. You must also verify the identity of the content packager in the DRM metadata of a DRM protected file before issuing a license.
To learn how to obtain information about the entity that packaged the content, see V2ContentMetaData.getPackagerInfo().
Timeout for authentication tokens
All authentication tokens that are generated by the Adobe Primetime DRM SDK have a timeout interval to protect application security.
The expiration for the authentication token is specified use the Primetime DRM SDK when handling an authentication request. After it has expired, the token is no longer valid, and the user must authenticate again with the license server.
To learn more about authentication requests, see AuthenticationHandler.
Overriding policy options
When you issue a license, the license server can override the usage rules that are specified in the policy.
If the policy specifies a start date, a license is not generated before that start date. However, you can set a future start date in the license after the license has been generated. This option should be used with caution because the client cannot prevent the user from moving the system time forward to circumvent the start date.
Business.Adobe.com resources
Resources
Adobe Account
