- DRM Overview
- Certificate Enrollment Guide
- Adobe Primetime DRM SDK 5.3.1
- DRM Quick-Start Guide
- Adobe Primetime Cloud DRM Quick-Start Guide
- What is included with Primetime Cloud DRM
- What is NOT supported by Primetime Cloud DRM
- Prerequisites
- Packaging options
- Test the packaged content
- Triaging errors
- Custom authentication/entitlement
- Adobe Primetime authentication (Optional)
- Creating custom DRM policies (Optional)
- Update existing DRM content to use Cloud DRM (Optional)
- Streaming to Xbox360 (Optional)
- Using the Adobe Primetime DRM Key Server
- Adobe Primetime DRM Secure Deployment Guidelines
- Multi-DRM Workflows
- Multi-DRM Workflows
- Primetime DRM Cloud Quick-start
- Workflows: Package, License, and Play
- Multi-DRM Workflow for FairPlay
- Multi-DRM Workflow for Widevine and PlayReady
- Package your content with Bento4
- Package your content with Adobe Offline Packager
- Using Output Protection Policies
- Client Key Request workflow overview
- Expressplay tokens
- Key request workflow on Android PSDK
- Key request workflow on HTML5 TVSDK
- Device Binding
- Generic Workflows
- Feature Topics
- ExpressPlay license token request / response reference
- Migrating from Access to Multi-DRM
- Glossary
- Adobe Primetime DRM On Premises Individualization Server Guide
- Primetime DRM Server for Protected Streaming 5.3.1
- About Adobe Primetime DRM Server for Protected Streaming
- About usage rules
- Requirements
- Understanding Deployment
- Deploying the Adobe Primetime DRM Server for Protected Streaming
- Java system properties
- About Adobe Primetime DRM credentials
- HSM configuration
- Setting up the License server configuration files
- Crossdomain DRM policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Primetime DRM Server for Protected Streaming
- Running the DRM Server for Protected Streaming
- Packaging content
- DRM Server for Protected Streaming utilities
- Using the Adobe Primetime DRM SDK for Protecting Content - 5.3.1
- What is new in Adobe Primetime DRM
- Usage rules and Authentication
- Runtime and application restrictions
- Allow list for Primetime DRM applications allowed to play protected content…
- Allow list for Adobe® Flash® Player SWFs
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak enforcement (requires Adobe Primetime DRM)
- Other DRM policy options
- Device Group Domain Registration
- Output protection controls
- Packaging Options
- Setting up the SDK
- Work with DRM policies
- Package media files
- Pre-generating and embedding licenses
- Implement a License Server
- Overview
- License Server deployment options
- Process Adobe Primetime DRM requests
- Handle Get Server Version requests
- Handle Domain Registration requests
- Handle Domain De-Registration requests
- Handle License Return requests
- Handle authentication requests
- Handle license requests
- License chaining
- Handle synchronization requests
- Handle FMRMS compatibility
- Handling certificate updates when Adobe-issued certificates expire
- Performance tuning
- Revoke client credentials
- Create video players
- Resolution-Based Output Protection 5.3.1
- Adobe Primetime DRM Reference Implementations 5.3.1
- About the reference implementations
- Typical workflow
- Command-line tools
- Configure and run the command-line tools
- DRM Media Packager
- DRM Policy Update List Manager
- DRM Revocation List Manager
- DRM License Generator
- DRM License Embedder
- AIR Publisher ID utility
- License server
- Configuration
- Deploy the license server
- Troubleshooting
- Check whether the license server started properly
- Determining if Reference Implementation License Server runs properly
- Implementing the usage models
- Domain registration
- Migrate from FMRMS 1.0 or 1.5 to Adobe Primetime DRM 2.0 or later
- Upgrade existing deployments
- Adobe Primetime TVSDK-DRM Workflow
- TVSDK-DRM client-side workflow overview
- Primetime DRM content protection options
- Primetime DRM on the client
- Primetime DRM license server
- License acquisition process overview
- License acquisition process details
- Pre-loading licenses for offline playback
- Using the DRMStatusEvent class
- Using the DRMAuthenticateEvent class
- Using the DRMErrorEvent class
- Using the DRMManager class
- Using the DRMContentData class
- Out-of-band licenses
- Device domain support
- License preview
- Delivering content
- DRM Client Error Message Reference
- Using Adobe Access DRM With an External Key Management System
- Use the Adobe Access Server for Protected Streaming
- About Adobe Access Server for Protected Streaming
- Usage rules
- Requirements
- Deploying the Adobe Access Server for Protected Streaming
- License server configuration files
- Crossdomain policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Access Server for Protected Streaming
- Updating configuration files
- Packaging content
- Adobe Access Server for Protected Streaming utilities
- Adobe Access Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Protect and issue licenses
- Consuming locally generated CRLs
- Consuming CRLs published by Adobe
- Generating CRLs to supplement those published by Adobe
- Rollback detection
- Machine count when issuing licenses
- Replay protection
- Maintain an allow list of trusted content packagers
- Timeout for authentication tokens
- Overriding policy options
- Pre-generating licenses
- Managing Domains
- An Overview of Adobe Access SDK
- Using the Adobe Access SDK for Protecting Content
- Introduction
- User authentication
- Time-based rules
- Runtime and application restrictions
- Allow list for Adobe® Primetime applications allowed to play protected content
- Allow list for Adobe® Flash® Player SWFs allowed to play protected content
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes restricted from accessing protected content
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak Enforcement (requires Adobe Primetime)
- Other policy options
- Output protection controls
- Packaging Options
- Setting up the SDK
- Working with policies
- Packaging media files
- Pre-generating and embedding licenses
- Implementing the License Server
- Processing Adobe Access requests
- Processing Adobe Access requests
- Using machine identifiers
- User authentication
- Replay protection
- Rollback detection
- Global server configuration data
- Crossdomain policy file
- Handling Get Server Version requests
- Handling Domain Registration requests
- Handling Domain De-Registration requests
- Handling License Return requests
- Handling authentication requests
- Handling license requests
- Handling license requests
- Generating licenses
- License chaining
- Enhanced License Chaining
- Issuing Domain-bound licenses
- Issuing licenses for remote key delivery to iOS clients (requires Adobe Primetime)
- Minimum Client Version
- License preview
- Identity-based licenses
- Revoking client credentials
- Creating video players
- Adobe Access Reference Implementations
- Overview - Using the reference implementations
- Command line tools for packaging content and creating revocations lists
- Policy Manager
- Media Packager
- Policy Update List Manager
- Revocation List Manager
- AIR Publisher ID utility
- License Generator
- License Embedder
- License server and watched folder packager
- License server and watched folder packager overview
- Requirements
- Building the license server
- Configuration
- Server properties files
- Preparing passwords for the Server properties files
- License server properties file
- Packager properties file
- Watched folder properties
- Setting up the database and configuring the JNDI datasource
- HSM configuration
- Crossdomain policy file
- Deploying the license server and watched folder packager
- Determining if Reference Implementation License Server is running properly
- Implementing the usage models
- Implementing domain registration
- Migrating from FMRMS 1.0 or 1.5 to Adobe Access 2.0 and above
- Upgrading existing deployments
- Set up a domain server
- Flash Access Manager AIR application usage
Packaging and protecting content
Information about packaging and protection of content allows you to protect your content.
Securing the server
You need to physically secure the computer on which policy management and content packaging occurs.
For more information, see Physical security and access.
If your content packaging implementation requires network connectivity, you must harden your operating system and implement an appropriate firewall solution. For more information, see Network topology.
Securely packaging content
The configuration file for the Adobe Primetime DRM Media Packager command-line tool requires a PKCS12 credential that is used during packaging.
In the Reference Implementation command-tine tools, the password for the PKCS12 credentials file is stored in the flashaccess.properties file in clear text. For this reason, take extra care when you secure the computer that hosts this file and ensure that the computer is in a secure environment. For more information, see Physical security and access.
The packager also uses the License Server and License Server Transport certificates, and the integrity and confidentiality of this information must be protected. Only authorized entities should be permitted to use the packager. If your private keys are compromised, inform Adobe Systems Incorporated immediately so that the certificate can be revoked.
The API enables you to use the same key for multiple pieces of content. To ensure the highest level of security, you should only use this feature for multi-bit rate FMS content. Do not use the same key for multiple files that represent different content.
The Primetime DRM Packaging API issues warnings under certain conditions. Review these warnings to determine whether your files have been successfully encrypted. The warning messages might be one of the following:
- The policy has expired and an unrecognized tag or track cannot be encrypted.
- Movie fragments cannot be encrypted and references inside those fragments might beinvalid.
- Metadata cannot be encrypted.
If content is packaged by using a policy with incorrect attributes, the policy needs to be updated. The updated policy must be made available to the License Server though a policy update list or another delivery mechanism. Some policy attributes cannot be changed after the policy is created. If these attributes are incorrect, pull the content back from the distribution sites, revoke the policy so that no future licenses can be granted, and encrypt the content again.
When packaging is complete, the packaging key is garbage-collected, and is not explicitly destroyed. As a result, the packaging key remains present in memory for some time. You must guard against unauthorized access to the machine and ensure that you do not expose any files, such as core dumps, that might reveal this information.
Securely storing policies
The Adobe Primetime DRM SDK allows you to develop applications that can be used in content packaging and policy creation.
When you create these applications, you can allow some users to create and modify policies, and limit other users to only applying existing policies to the content. You must implement the necessary access controls and create user accounts with different privileges for policy creation and policy application.
Policies are not signed or protected from modification until they are used in packaging. If you are concerned that packaging tool users might modify policies, sign the policies to ensure that the policies cannot be modified.
For more information about creating applications with the SDK, see the Primetime DRM APIs on API Primetime API References.
Asymmetric key encryption
Asymmetric key encryption, also called public key encryption, uses pairs of keys. One key is for encryption, and the other key is for decryption.
The decryption key, or the private key, is kept secret; the encryption key, or the public key, is made available to anyone who is authorized to encrypt content. Anyone with access to the public key can encrypt content. However, only someone with access to the private key can decrypt the content. The private key cannot be reconstructed from the public key.
When you package content, the License Server’s public key is used to encrypt the content encryption key (CEK) in the DRM metadata. You must ensure that only the License Server has access to the License Server’s private key. If someone else has the key, they can decrypt and view the content.
Make sure that you obtain the License Server’s certificate that includes the public key from a trusted source. This way, you can ensure that it is the License Server’s key and not a rogue public key. If attackers were to substitute their public key for the License Server’s key, they could decrypt your content.
For more information about how to package content, see Using the Adobe Primetime DRM SDK for Protecting Content.
Resources
Adobe Account
