Adobe maintains a CRL for revoking machine credentials that are known to be compromised. This CRL is automatically enforced by the SDK. If there are additional machines to which you do not want your license server to issue licenses, you may create a machine revocation list and add the issuer name and serial number of the machine tokens you want to exclude (use MachineToken.getMachineTokenId() to retrieve the issuer name and serial number of the machine certificate).
Revoking machine credentials involves the use of a RevocationListFactory object. To create a revocation list, load an existing revocation list, and check whether a machine token has been revoked by using the Java API, perform the following steps:
ServerCredentialFactory instance to load the credentials needed for signing. The license server credential is used to sign the revocation list.
IssuerAndSerialNumber object. All Adobe Access requests contain a machine token.
RevocationList object using the IssuerAndSerialNumber object you just created, and add it to the revocation list by passing it into RevocationListFactory.addRevocationEntry(). Generate the new revocation list by calling RevocationList.getBytes(). To load the list, call RevocationListFactory.loadRevocationList() and pass in the serialized list.
RevocationList.isRevoked(). The revocation list may also be passed into HandlerConfiguration to have the SDK enforce the revocation list for all authentication and license requests.
To add entries to an existing RevocationList, load the existing revocation list. Create a new RevocationListFactory instance, and be sure to increment the CRL number. Call RevocationListFactory.addRevocationEntries to add all the entries from the old list to the new list. Call RevocationListFactory.addRevocationEntry to add any new revocation entries to the RevocationList.
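An added example (not Adobe's sample code, and not using the SDK classes): a stand-alone Java 16+ model of the update steps above, with a check to run before deploying a regenerated list that confirms the CRL number was incremented and that no earlier entry was dropped. MachineId, RevList, update and problems are hypothetical names, and the issuer names and serial numbers are constructed.

```java
import java.math.BigInteger;
import java.util.*;

// Added illustration: a stand-alone model, NOT the Adobe Access SDK classes.
public class RevocationListUpdateCheck {
    // Hypothetical stand-in for the issuer name and serial number of a machine token.
    record MachineId(String issuer, BigInteger serial) {}

    // Hypothetical stand-in for a generated list: CRL number plus revoked entries.
    record RevList(long crlNumber, Set<MachineId> entries) {
        boolean isRevoked(MachineId id) { return entries.contains(id); }
    }

    // The update steps: new list, incremented CRL number, old entries copied, new ones added.
    static RevList update(RevList old, Collection<MachineId> newlyRevoked) {
        Set<MachineId> merged = new LinkedHashSet<>(old.entries());
        merged.addAll(newlyRevoked);
        return new RevList(old.crlNumber() + 1, Collections.unmodifiableSet(merged));
    }

    // Pre-deployment check: every problem that would make the candidate unsafe to publish.
    static List<String> problems(RevList old, RevList candidate) {
        List<String> out = new ArrayList<>();
        if (candidate.crlNumber() <= old.crlNumber())
            out.add("CRL number not incremented: " + old.crlNumber()
                    + " -> " + candidate.crlNumber());
        for (MachineId id : old.entries())
            if (!candidate.isRevoked(id))
                out.add("dropped entry, machine would no longer be revoked: " + id);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample identifiers, not real machine tokens.
        MachineId a = new MachineId("CN=Example Machine CA", new BigInteger("1001"));
        MachineId b = new MachineId("CN=Example Machine CA", new BigInteger("1002"));
        MachineId c = new MachineId("CN=Example Machine CA", new BigInteger("2077"));
        RevList current = new RevList(7, Set.of(a, b));

        RevList good = update(current, List.of(c));
        // A list rebuilt from scratch with only the new entry and a reused CRL number.
        RevList bad = new RevList(7, Set.of(c));

        System.out.println("good: " + problems(current, good));
        System.out.println("bad:  " + problems(current, bad));
    }
}
```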
For sample code demonstrating how to create a revocation list, load an existing revocation list, and check whether a machine token has been revoked, see com.adobe.flashaccess.samples.revocation.CreateRevocationList in the Reference Implementation Command Line Tools “samples” directory.