DRM Overview
Certificate Enrollment Guide
- About certificates
- Prerequisites
- About certificate enrollment roles
- Add Requesters
- Create a Secondary Administrator
- Request certificates
- Deploy certificates
- Store keys
- Renew certificates
Adobe Primetime DRM SDK 5.3.1
- Adobe Primetime DRM SDK - An overview
- About Adobe Primetime DRM
- Key features
- Terminology and core concepts
- Content distribution workflow
  - Content preparation
  - Content acquisition
- Adobe Primetime DRM components
- Deploy Adobe Primetime DRM
- Additional Deployment Scenarios
  - UltraViolet media and Adobe Primetime DRM
  - Adobe Primetime authentication and Adobe Primetime DRM
DRM Quick-Start Guide
- Getting Started
- Install Tomcat
- Set up and deploy the server for Protected Streaming
- Package encrypted content
- Install Flash Player and playback test content
- Play back a locally packaged video
- Next Steps
Adobe Primetime Cloud DRM Quick-Start Guide
- What is included with Primetime Cloud DRM
- What is NOT supported by Primetime Cloud DRM
- Prerequisites
- Packaging options
- Test the packaged content
- Triaging errors
- Custom authentication/entitlement
- Adobe Primetime authentication (Optional)
- Creating custom DRM policies (Optional)
- Update existing DRM content to use Cloud DRM (Optional)
- Streaming to Xbox360 (Optional)
Using the Adobe Primetime DRM Key Server
- Requirements for using Primetime DRM Key Server
- Deploy the Primetime DRM Key Server
- Packaging content
Adobe Primetime DRM Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Ensuring compatibility with Flash Media Rights Management Server 1.x
- Issue and protect the License Server
Multi-DRM Workflows
- Multi-DRM Workflows
- Primetime DRM Cloud Quick-start
- Workflows: Package, License, and Play
- Generic Workflows
  - Primetime Packager / Cloud DRM / TVSDK
  - ExpressPlay Packager / Cloud DRM / TVSDK
- Feature Topics
- ExpressPlay license token request / response reference
- Migrating from Access to Multi-DRM
- Glossary
Adobe Primetime DRM On Premises Individualization Server Guide
- Software Requirements
- Server configuration properties
- Monitoring
- Update the License Server WAR File
- Generate the On Premises DRM Metadata
- Client Integration
- Sample Client Requests
- FAQ
Primetime DRM Server for Protected Streaming 5.3.1
- About Adobe Primetime DRM Server for Protected Streaming
- About usage rules
- Requirements
- Understanding Deployment
Using the Adobe Primetime DRM SDK for Protecting Content - 5.3.1
- What is new in Adobe Primetime DRM
- Usage rules and Authentication
- Runtime and application restrictions
- Other DRM policy options
- Device Group Domain Registration
- Output protection controls
- Packaging Options
- Setting up the SDK
- Work with DRM policies
- Package media files
- Pre-generating and embedding licenses
  - Pre-generating licenses
  - Embedding licenses
- Implement a License Server
- Revoke client credentials
- Create video players
Resolution-Based Output Protection 5.3.1
- RBOP Overview
- RBOP Concepts
- RBOP Client Support
- Sample RBOP Configuration
- RBOP Grammar
- RBOP FAQ
Adobe Primetime DRM Reference Implementations 5.3.1
- About the reference implementations
- Typical workflow
- Command-line tools
  - Overview
  - Command-line tools requirements
  - Install the command-line tools
- Configure and run the command-line tools
  - Overview
  - About command-line tools configuration files
  - DRM Policy Manager
  - Policy Manager Command-line usage
  - Configuration properties
  - Non-SWF Application Allow listing
  - SWF Application Allow listing
- DRM Media Packager
- DRM Policy Update List Manager
- DRM Revocation List Manager
- DRM License Generator
- DRM License Embedder
- AIR Publisher ID utility
- License server
- Configuration
  - License server properties file
  - Prepare passwords for the Server properties files
  - Prepare passwords using Ant
  - Prepare passwords using Java
  - Remote key delivery properties (iOS)
  - Set up the license server database
  - Configure the license server database
  - HSM configuration
  - Cross-domain policy file
- Deploy the license server
- Troubleshooting
- Check whether the license server started properly
- Determining if Reference Implementation License Server runs properly
- Implementing the usage models
  - Implementing the usage models overview
  - Enable the usage model demo
  - Configure usage model demo mode
  - Update the reference implementation DB
  - Usage model demo business rules
- Domain registration
  - Overview
  - Implement identity-based domain registration
  - Identity-based domain registration logic
  - Implement anonymous domain registration
  - Anonymous domain logic
- Migrate from FMRMS 1.0 or 1.5 to Adobe Primetime DRM 2.0 or later
- Upgrade existing deployments
  - Upgrade existing deployments overview
  - Set up a domain server
Adobe Primetime TVSDK-DRM Workflow
- TVSDK-DRM client-side workflow overview
- Primetime DRM content protection options
- Primetime DRM on the client
- Primetime DRM license server
- License acquisition process overview
- License acquisition process details
- Pre-loading licenses for offline playback
- Using the DRMStatusEvent class
- Using the DRMAuthenticateEvent class
  - Create a DRMAuthenticateEvent handler
  - Create an authentication UI
- Using the DRMErrorEvent class
- Using the DRMManager class
- Using the DRMContentData class
- Out-of-band licenses
- Device domain support
- License preview
- Delivering content
DRM Client Error Message Reference
Using Adobe Access DRM With an External Key Management System
- Adobe Access DRM External CEK Overview
- Standard AAXS DRM Workflow
- AAXS DRM External CEK Workflow
- Using External CEK to Vend and Package Licenses
Use the Adobe Access Server for Protected Streaming
- About Adobe Access Server for Protected Streaming
- Usage rules
- Requirements
- Deploying the Adobe Access Server for Protected Streaming
- License server configuration files
- Crossdomain policy file
- Custom authorization extensions
- Performance tuning
  - Global Configuration File
- Upgrading the Adobe Access Server for Protected Streaming
- Updating configuration files
- Packaging content
- Adobe Access Server for Protected Streaming utilities
Adobe Access Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Protect and issue licenses
An Overview of Adobe Access SDK
- An overview of Adobe Access SDK
- About Adobe Access
- Key features
- Terminology and core concepts
- Content distribution workflow
  - Content preparation
  - Content acquisition
- Adobe Access components
- Deploy Adobe Access
- Additional Deployment Scenarios
  - UltraViolet media and Adobe Access
  - Adobe Pass and Adobe Access
Using the Adobe Access SDK for Protecting Content
- Introduction
- User authentication
- Time-based rules
- Runtime and application restrictions
- Other policy options
- Output protection controls
- Packaging Options
- Setting up the SDK
- Working with policies
- Packaging media files
- Pre-generating and embedding licenses
- Implementing the License Server
  - Implementing the License Server
  - License Server deployment options
- Processing Adobe Access requests
- Revoking client credentials
- Creating video players
Adobe Access Reference Implementations
- Overview - Using the reference implementations
- Command line tools for packaging content and creating revocations lists
- Policy Manager
- Media Packager
- Policy Update List Manager
- Revocation List Manager
- AIR Publisher ID utility
  - AIR Publisher ID utility overview
  - Command line usage
- License Generator
- License Embedder
  - License Embedder overview
  - Command line usage
- License server and watched folder packager
- Deploying the license server and watched folder packager
  - Deploying the license server and watched folder packager overview
  - Troubleshooting
- Determining if Reference Implementation License Server is running properly
- Implementing the usage models
- Implementing domain registration
- Migrating from FMRMS 1.0 or 1.5 to Adobe Access 2.0 and above
- Upgrading existing deployments
- Set up a domain server
- Flash Access Manager AIR application usage

FairPlay license token request and response

The FairPlay license token interface provides production and test services. This request returns a token that can be redeemed for a FairPlay license.

Method: GET, POST (with a www-url-encoded body that contains parameters for both methods)

URLs:

Production: https://fp-gen.{prod_domain}/hms/fp/token
Test: https://fp-gen.test.expressplay.com/hms/fp/token
Sample request:

  https://fp-gen.test.expressplay.com/hms/fp/token?customerAuthenticator=
   <ExpressPlay customer authenticator identifier>
   &kid=<CEKSID>
   &contentKey=<CEK>
   &rightsType=BuyToOwn
   &analogVideoOPL=0
   &compressedDigitalAudioOPL=0
   &compressedDigitalVideoOPL=0
   &uncompressedDigitalAudioOPL=0
   &uncompressedDigitalVideoOPL=0

Sample Response:

https://fp.service.expressplay.com:80/hms/fp/rights/?ExpressPlayToken=<base64-encoded ExpressPlay token>

Request Query Parameters

Table 3: Token Query Parameters

Query Parameter	Description	Required?
customerAuthenticator Customer authenticator as query parameter customerAuthenticator FairPlay	This is your customer API key, one each for your production and test environments. You can find this on the ExpressPlay Admin Dashboard tab.	Yes
errorFormat	Either html or json. If html (the default) an HTML representation of any errors is provided in the entity body of the response. If json is specified, a structured response in JSON format is returned. See JSON Errors for details. The mime type of the response is either text/uri-list on success, text/html for HTML error format, or application/json for JSON error format.	No

Table 4: License Query Parameters

Query Parameter	Description	Required?
`generalFlags`	A 4 byte hexadecimal string representing the license flags. ‘0000’ is the only allowed value.	No
`kek`	Key Encryption Key (KEK). Keys are stored encrypted with a KEK using a key wrapping algorithm (AES Key Wrap, RFC3394). If `kek` is supplied, either one of the `kid` or the `ek` parameters needs to be supplied, but not both.	No
`kid`	A 16 byte hexadecimal string representation of the content encryption key or a string `'^somestring'`. The length of the string followed by the `'^'` cannot be greater than 64 characters.	No
`ek`	A hex string representation of the encrypted content key.	No
`contentKey`	A 16 byte hexadecimal string representation of the content encryption key	Yes, unless the `kek` and `ek` or `kid` are provided.
`iv`	A 16 byte hexadecimal string representation of the content encryption IV	Yes
`rentalDuration`	Duration of the rental in seconds (default - 0)	No
`fpExtension`	A short form wrapping `extensionType` and `extensionPayload`, as a comma separated string. For example: […] `&fpExtension=wudo,AAAAAA==&`[…]	No, any number can be used

Table 5: Token Restriction Query Parameters

Query Parameter	Description	Required?
expirationTime	Expiration time of this token. This value MUST be a string in RFC 3339 date/time format in the ‘Z' zone designator ("Zulu time"), or an integer preceded by a '+' sign. An example of an RFC 3339 date/time is 2006-04-14T12:01:10Z . If the value is a string in RFC 3339 date/time format, then it represents an absolute expiration date/time for the token. If the value is an integer preceded by a '+' sign, then it is interpreted as a relative number of seconds, from issuance, that the token is valid. For example, +60 specifies one minute. The maximum and default (if not specified) token lifetime is 30 days.	No

Table 6: Correlation Query Parameters

Query Parameter	Description	Required?
`cookie`	An arbitrary string up to 32 characters long, carried in the token and logged by the token redemption server. This can be used to correlate log entries at the redemption server and those at the service provider’s servers.	No

Response

Table 7: HTTP Responses

HTTP Status Code	Description	Content-Type	Entity Body Contains
`200 OK`	No error.	`text/uri-list`	License acquisition URL + token
`400 Bad Request`	Invalid args	`text/html` or `application/json`	Error description
`401 Unauthorized`	Auth failed	`text/html` or `application/json`	Error description
`404 Not found`	Bad URL	`text/html` or `application/json`	Error description
`50x Server Error`	Server error	`text/html` or `application/json`	Error description

Table 8: Event Error Codes

Code	Description
-2002	Invalid token expiration time: <details>
-2003	Invalid IP address
-2005	Invalid content encryption key: <details>
-2008	Invalid output control flags specified: <details>
-2017	Authentication token must be supplied
-2018	Authentication token invalid: <details> Note: This can happen if the authenticator is wrong or when accessing the test API at .test.expressplay.com using the production authenticator and vice versa. Note: The Test SDK and Advanced Test Tool (ATT) only work with .test.expressplay.com , whereas production devices must use *.service.expressplay.com .
-2019	Insufficient tokens available
-2020	Missing rights type
-2021	Invalid rights type
-2022	Missing rental period end time
-2023	Missing rental play duration
-2025	Invalid rental play duration
-2027	Content encryption key must be 32-hexadecimal digits long
-2030	ExpressPlay Admin error: <details>
-2031	Service Account Disabled
-2033	Invalid cookie
-2034	Invalid Output Control, values out of specified range
-2035	No corresponding value specified
-2036	Extension type should be 4 characters
-2037	Extension payload should be Base64 encoded
-2040	OutputControlFlag must be encode 4 bytes
-3004	Invalid error format specified: <format>
-4001	Device could not be authenticated
-4010	Invalid token
-4018	Missing Kid
-4019	Failed to get content key from key storage service
-4020	kid must be 32 hexadecimal characters long
-4021	kid must be 64 characters long after the ^
-4022	Invalid kid
-4024	Invalid encrypted key or kek
-5003	Invalid general flags
-6001	Invalid FPExtension parameters specified
-6002	Invalid FP Token Type
-6003	Invalid iv parameter specified
-6004	Failed to generate CKC for FP
-6005	Invalid key data specified
-6006	Service not authorized for FairPlay support
-6007	Invalid rental duration specified
-6008	Device ID binding is not supported for FairPlay
-6009	FairPlay option disabled

Business.Adobe.com resources

Embedded Charts Mobile Forms Campaign Management Second Party Data Video Advertising Creative Management

FairPlay license token request and response

Business.Adobe.com resources

On this page

View next:

Learn

Documentation

Community

Support

Resources

Adobe Account

Adobe