- DRM Overview
- Certificate Enrollment Guide
- Adobe Primetime DRM SDK 5.3.1
- DRM Quick-Start Guide
- Adobe Primetime Cloud DRM Quick-Start Guide
- What is included with Primetime Cloud DRM
- What is NOT supported by Primetime Cloud DRM
- Prerequisites
- Packaging options
- Test the packaged content
- Triaging errors
- Custom authentication/entitlement
- Adobe Primetime authentication (Optional)
- Creating custom DRM policies (Optional)
- Update existing DRM content to use Cloud DRM (Optional)
- Streaming to Xbox360 (Optional)
- Using the Adobe Primetime DRM Key Server
- Adobe Primetime DRM Secure Deployment Guidelines
- Multi-DRM Workflows
- Multi-DRM Workflows
- Primetime DRM Cloud Quick-start
- Workflows: Package, License, and Play
- Multi-DRM Workflow for FairPlay
- Multi-DRM Workflow for Widevine and PlayReady
- Package your content with Bento4
- Package your content with Adobe Offline Packager
- Using Output Protection Policies
- Client Key Request workflow overview
- Expressplay tokens
- Key request workflow on Android PSDK
- Key request workflow on HTML5 TVSDK
- Device Binding
- Generic Workflows
- Feature Topics
- ExpressPlay license token request / response reference
- Migrating from Access to Multi-DRM
- Glossary
- Adobe Primetime DRM On Premises Individualization Server Guide
- Primetime DRM Server for Protected Streaming 5.3.1
- About Adobe Primetime DRM Server for Protected Streaming
- About usage rules
- Requirements
- Understanding Deployment
- Deploying the Adobe Primetime DRM Server for Protected Streaming
- Java system properties
- About Adobe Primetime DRM credentials
- HSM configuration
- Setting up the License server configuration files
- Crossdomain DRM policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Primetime DRM Server for Protected Streaming
- Running the DRM Server for Protected Streaming
- Packaging content
- DRM Server for Protected Streaming utilities
- Using the Adobe Primetime DRM SDK for Protecting Content - 5.3.1
- What is new in Adobe Primetime DRM
- Usage rules and Authentication
- Runtime and application restrictions
- Allow list for Primetime DRM applications allowed to play protected content…
- Allow list for Adobe® Flash® Player SWFs
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak enforcement (requires Adobe Primetime DRM)
- Other DRM policy options
- Device Group Domain Registration
- Output protection controls
- Packaging Options
- Setting up the SDK
- Work with DRM policies
- Package media files
- Pre-generating and embedding licenses
- Implement a License Server
- Overview
- License Server deployment options
- Process Adobe Primetime DRM requests
- Handle Get Server Version requests
- Handle Domain Registration requests
- Handle Domain De-Registration requests
- Handle License Return requests
- Handle authentication requests
- Handle license requests
- License chaining
- Handle synchronization requests
- Handle FMRMS compatibility
- Handling certificate updates when Adobe-issued certificates expire
- Performance tuning
- Revoke client credentials
- Create video players
- Resolution-Based Output Protection 5.3.1
- Adobe Primetime DRM Reference Implementations 5.3.1
- About the reference implementations
- Typical workflow
- Command-line tools
- Configure and run the command-line tools
- DRM Media Packager
- DRM Policy Update List Manager
- DRM Revocation List Manager
- DRM License Generator
- DRM License Embedder
- AIR Publisher ID utility
- License server
- Configuration
- Deploy the license server
- Troubleshooting
- Check whether the license server started properly
- Determining if Reference Implementation License Server runs properly
- Implementing the usage models
- Domain registration
- Migrate from FMRMS 1.0 or 1.5 to Adobe Primetime DRM 2.0 or later
- Upgrade existing deployments
- Adobe Primetime TVSDK-DRM Workflow
- TVSDK-DRM client-side workflow overview
- Primetime DRM content protection options
- Primetime DRM on the client
- Primetime DRM license server
- License acquisition process overview
- License acquisition process details
- Pre-loading licenses for offline playback
- Using the DRMStatusEvent class
- Using the DRMAuthenticateEvent class
- Using the DRMErrorEvent class
- Using the DRMManager class
- Using the DRMContentData class
- Out-of-band licenses
- Device domain support
- License preview
- Delivering content
- DRM Client Error Message Reference
- Using Adobe Access DRM With an External Key Management System
- Use the Adobe Access Server for Protected Streaming
- About Adobe Access Server for Protected Streaming
- Usage rules
- Requirements
- Deploying the Adobe Access Server for Protected Streaming
- License server configuration files
- Crossdomain policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Access Server for Protected Streaming
- Updating configuration files
- Packaging content
- Adobe Access Server for Protected Streaming utilities
- Adobe Access Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Protect and issue licenses
- Consuming locally generated CRLs
- Consuming CRLs published by Adobe
- Generating CRLs to supplement those published by Adobe
- Rollback detection
- Machine count when issuing licenses
- Replay protection
- Maintain an allow list of trusted content packagers
- Timeout for authentication tokens
- Overriding policy options
- Pre-generating licenses
- Managing Domains
- An Overview of Adobe Access SDK
- Using the Adobe Access SDK for Protecting Content
- Introduction
- User authentication
- Time-based rules
- Runtime and application restrictions
- Allow list for Adobe® Primetime applications allowed to play protected content
- Allow list for Adobe® Flash® Player SWFs allowed to play protected content
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes restricted from accessing protected content
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak Enforcement (requires Adobe Primetime)
- Other policy options
- Output protection controls
- Packaging Options
- Setting up the SDK
- Working with policies
- Packaging media files
- Pre-generating and embedding licenses
- Implementing the License Server
- Processing Adobe Access requests
- Processing Adobe Access requests
- Using machine identifiers
- User authentication
- Replay protection
- Rollback detection
- Global server configuration data
- Crossdomain policy file
- Handling Get Server Version requests
- Handling Domain Registration requests
- Handling Domain De-Registration requests
- Handling License Return requests
- Handling authentication requests
- Handling license requests
- Handling license requests
- Generating licenses
- License chaining
- Enhanced License Chaining
- Issuing Domain-bound licenses
- Issuing licenses for remote key delivery to iOS clients (requires Adobe Primetime)
- Minimum Client Version
- License preview
- Identity-based licenses
- Revoking client credentials
- Creating video players
- Adobe Access Reference Implementations
- Overview - Using the reference implementations
- Command line tools for packaging content and creating revocations lists
- Policy Manager
- Media Packager
- Policy Update List Manager
- Revocation List Manager
- AIR Publisher ID utility
- License Generator
- License Embedder
- License server and watched folder packager
- License server and watched folder packager overview
- Requirements
- Building the license server
- Configuration
- Server properties files
- Preparing passwords for the Server properties files
- License server properties file
- Packager properties file
- Watched folder properties
- Setting up the database and configuring the JNDI datasource
- HSM configuration
- Crossdomain policy file
- Deploying the license server and watched folder packager
- Determining if Reference Implementation License Server is running properly
- Implementing the usage models
- Implementing domain registration
- Migrating from FMRMS 1.0 or 1.5 to Adobe Access 2.0 and above
- Upgrading existing deployments
- Set up a domain server
- Flash Access Manager AIR application usage
Keys, IDs, and Authenticators
To implement DRM you need particular certs and keys, including a content encryption key or CEK to encrypt your content, a customer authenticator for protecting communications with ExpressPlay servers, and CEKSIDs for identifying your content encryption keys as stored in a key management system.
You need these items to package, license, and play your protected content:
Content Encryption Key
The Content Encryption Key (CEK) is a 16-byte string used for encrypting content.
What is the CEK? - The CEK is the key that your packager uses to encrypt your content. It’s a 16 byte hex encoded string.
Where does the CEK come from? - You (the content provider) create this key yourself, using a tool such as OpenSSL, or Notepad++. For example:
openssl rand 16 -hex > cek_hex_file
or (for the Adobe Offline Packager):
-
Generate the 16 byte hex encoded string, as above or using some other tool. It will look something like this:
7debe705d938c76bfd886f077b8fa5f7 -
Open Notepad++ and paste in the 16 byte hex string.
-
Convert this value from hex ASCII by Base64-encoding the value to create your keyfile.bin. (This is covered in .)
Same key, different name? - Yes, you may see the CEK referred to by other names in other places, such as:
-
** [somefile].bin** - The Adobe Offline Packager refers to the CEK as [somefile].bin; e.g., * Keyfile.bin* - This is your CEK as used by the Adobe Offline Packager, in the form of a file on the machine you use for packaging content.
You “Base64” your random CEK hex string, and save it as a file (e.g., keyfile.bin), usually located in the creds directory beneath offlinepkgr/. In your Packager config file (e.g., you might call it widevine.xml if you’re packaging for the Widevine DRM), you refer to your CEK in your config file like this:
<config> <in_path>sample.mp4</in_path> <out_type>dash</out_type> <b><key_file_path>keyfile.bin</key_file_path></b> // This is your CEK […] </config> -
Content Key - You also may see the CEK referred to as a Content Key in calls (
&contentKey=), in error messages, in support tickets, and in other documentation.
When / where do I use it?
- First, you need to have the CEK available on the machine on which you are doing your packaging. Your packaging tool uses your CEK to encrypt your content.
- Second, you need to store the CEK in some form of Key Management System (KMS), with each CEK associated with its own Content Encryption Key. You can create your own KMS, or use ExpressPlay’s Key Storage. This lets your storefront (your entitlement server, that handles customer entitlement and License Token provision) pull a license token for the customer from the KMS using a Key ID instead of the actual CEK (this is much more secure).
Content Encryption Key Storage ID
The Content Encryption Key Storage ID (CEKSID) uniquely identifies the stored key that decrypts an encrypted piece of video content.
What is the CEKSID? - The CEKSID is the unique identifier for a Content Encryption Key (CEK). The CEK is necessary to unlock the protected content; the CEKSID is necessary to access the CEK from where it is stored. When you are testing your setup, you can provide a random CEKSID and CEK at Packaging time, as long as you use the same information for the licensing and playback checks.
Where does it come from? - You (the content provider) can create this ID yourself, or you can use a service such as ExpressPlay’s Key Storage to generate CEKSIDs for each of your CEKs (and store both of them). Further, you can use randomly generated CEKSIDs, or employ a scheme that suits your business model. For example, you could use CEKSIDs that are meaningful strings rather than random Hex strings (the ID name could consist of subjects, dates, times, etc.)
What else is the CEKSID called? - It is sometimes referred to as a Content ID.
Customer authenticator
The customer authenticator is a key you obtain from ExpressPlay when you set up an admin account there. The authenticator is used in communications with ExpressPlay servers.
What are the customer authenticators? - The two customer authenticators make up the pair of IDs — one for testing, one for production — that ExpressPlay registers for you hen you sign up with their service. They are always available to you on your ExpressPlay admin page:
When do I use this? - You include this in all calls to ExpressPlay servers — for example, license servers, ExpressPlay Key Storage, and other calls.
Business.Adobe.com resources
Resources
Adobe Account
