DRM Overview
Certificate Enrollment Guide
- About certificates
- Prerequisites
- About certificate enrollment roles
- Add Requesters
- Create a Secondary Administrator
- Request certificates
- Deploy certificates
- Store keys
- Renew certificates
Adobe Primetime DRM SDK 5.3.1
- Adobe Primetime DRM SDK - An overview
- About Adobe Primetime DRM
- Key features
- Terminology and core concepts
- Content distribution workflow
  - Content preparation
  - Content acquisition
- Adobe Primetime DRM components
- Deploy Adobe Primetime DRM
- Additional Deployment Scenarios
  - UltraViolet media and Adobe Primetime DRM
  - Adobe Primetime authentication and Adobe Primetime DRM
DRM Quick-Start Guide
- Getting Started
- Install Tomcat
- Set up and deploy the server for Protected Streaming
- Package encrypted content
- Install Flash Player and playback test content
- Play back a locally packaged video
- Next Steps
Adobe Primetime Cloud DRM Quick-Start Guide
- What is included with Primetime Cloud DRM
- What is NOT supported by Primetime Cloud DRM
- Prerequisites
- Packaging options
- Test the packaged content
- Triaging errors
- Custom authentication/entitlement
- Adobe Primetime authentication (Optional)
- Creating custom DRM policies (Optional)
- Update existing DRM content to use Cloud DRM (Optional)
- Streaming to Xbox360 (Optional)
Using the Adobe Primetime DRM Key Server
- Requirements for using Primetime DRM Key Server
- Deploy the Primetime DRM Key Server
- Packaging content
Adobe Primetime DRM Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Ensuring compatibility with Flash Media Rights Management Server 1.x
- Issue and protect the License Server
Multi-DRM Workflows
- Multi-DRM Workflows
- Primetime DRM Cloud Quick-start
- Workflows: Package, License, and Play
- Generic Workflows
  - Primetime Packager / Cloud DRM / TVSDK
  - ExpressPlay Packager / Cloud DRM / TVSDK
- Feature Topics
- ExpressPlay license token request / response reference
- Migrating from Access to Multi-DRM
- Glossary
Adobe Primetime DRM On Premises Individualization Server Guide
- Software Requirements
- Server configuration properties
- Monitoring
- Update the License Server WAR File
- Generate the On Premises DRM Metadata
- Client Integration
- Sample Client Requests
- FAQ
Primetime DRM Server for Protected Streaming 5.3.1
- About Adobe Primetime DRM Server for Protected Streaming
- About usage rules
- Requirements
- Understanding Deployment
Using the Adobe Primetime DRM SDK for Protecting Content - 5.3.1
- What is new in Adobe Primetime DRM
- Usage rules and Authentication
- Runtime and application restrictions
- Other DRM policy options
- Device Group Domain Registration
- Output protection controls
- Packaging Options
- Setting up the SDK
- Work with DRM policies
- Package media files
- Pre-generating and embedding licenses
  - Pre-generating licenses
  - Embedding licenses
- Implement a License Server
- Revoke client credentials
- Create video players
Resolution-Based Output Protection 5.3.1
- RBOP Overview
- RBOP Concepts
- RBOP Client Support
- Sample RBOP Configuration
- RBOP Grammar
- RBOP FAQ
Adobe Primetime DRM Reference Implementations 5.3.1
- About the reference implementations
- Typical workflow
- Command-line tools
  - Overview
  - Command-line tools requirements
  - Install the command-line tools
- Configure and run the command-line tools
  - Overview
  - About command-line tools configuration files
  - DRM Policy Manager
  - Policy Manager Command-line usage
  - Configuration properties
  - Non-SWF Application Allow listing
  - SWF Application Allow listing
- DRM Media Packager
- DRM Policy Update List Manager
- DRM Revocation List Manager
- DRM License Generator
- DRM License Embedder
- AIR Publisher ID utility
- License server
- Configuration
  - License server properties file
  - Prepare passwords for the Server properties files
  - Prepare passwords using Ant
  - Prepare passwords using Java
  - Remote key delivery properties (iOS)
  - Set up the license server database
  - Configure the license server database
  - HSM configuration
  - Cross-domain policy file
- Deploy the license server
- Troubleshooting
- Check whether the license server started properly
- Determining if Reference Implementation License Server runs properly
- Implementing the usage models
  - Implementing the usage models overview
  - Enable the usage model demo
  - Configure usage model demo mode
  - Update the reference implementation DB
  - Usage model demo business rules
- Domain registration
  - Overview
  - Implement identity-based domain registration
  - Identity-based domain registration logic
  - Implement anonymous domain registration
  - Anonymous domain logic
- Migrate from FMRMS 1.0 or 1.5 to Adobe Primetime DRM 2.0 or later
- Upgrade existing deployments
  - Upgrade existing deployments overview
  - Set up a domain server
Adobe Primetime TVSDK-DRM Workflow
- TVSDK-DRM client-side workflow overview
- Primetime DRM content protection options
- Primetime DRM on the client
- Primetime DRM license server
- License acquisition process overview
- License acquisition process details
- Pre-loading licenses for offline playback
- Using the DRMStatusEvent class
- Using the DRMAuthenticateEvent class
  - Create a DRMAuthenticateEvent handler
  - Create an authentication UI
- Using the DRMErrorEvent class
- Using the DRMManager class
- Using the DRMContentData class
- Out-of-band licenses
- Device domain support
- License preview
- Delivering content
DRM Client Error Message Reference
Using Adobe Access DRM With an External Key Management System
- Adobe Access DRM External CEK Overview
- Standard AAXS DRM Workflow
- AAXS DRM External CEK Workflow
- Using External CEK to Vend and Package Licenses
Use the Adobe Access Server for Protected Streaming
- About Adobe Access Server for Protected Streaming
- Usage rules
- Requirements
- Deploying the Adobe Access Server for Protected Streaming
- License server configuration files
- Crossdomain policy file
- Custom authorization extensions
- Performance tuning
  - Global Configuration File
- Upgrading the Adobe Access Server for Protected Streaming
- Updating configuration files
- Packaging content
- Adobe Access Server for Protected Streaming utilities
Adobe Access Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Protect and issue licenses
An Overview of Adobe Access SDK
- An overview of Adobe Access SDK
- About Adobe Access
- Key features
- Terminology and core concepts
- Content distribution workflow
  - Content preparation
  - Content acquisition
- Adobe Access components
- Deploy Adobe Access
- Additional Deployment Scenarios
  - UltraViolet media and Adobe Access
  - Adobe Pass and Adobe Access
Using the Adobe Access SDK for Protecting Content
- Introduction
- User authentication
- Time-based rules
- Runtime and application restrictions
- Other policy options
- Output protection controls
- Packaging Options
- Setting up the SDK
- Working with policies
- Packaging media files
- Pre-generating and embedding licenses
- Implementing the License Server
  - Implementing the License Server
  - License Server deployment options
- Processing Adobe Access requests
- Revoking client credentials
- Creating video players
Adobe Access Reference Implementations
- Overview - Using the reference implementations
- Command line tools for packaging content and creating revocations lists
- Policy Manager
- Media Packager
- Policy Update List Manager
- Revocation List Manager
- AIR Publisher ID utility
  - AIR Publisher ID utility overview
  - Command line usage
- License Generator
- License Embedder
  - License Embedder overview
  - Command line usage
- License server and watched folder packager
- Deploying the license server and watched folder packager
  - Deploying the license server and watched folder packager overview
  - Troubleshooting
- Determining if Reference Implementation License Server is running properly
- Implementing the usage models
- Implementing domain registration
- Migrating from FMRMS 1.0 or 1.5 to Adobe Access 2.0 and above
- Upgrading existing deployments
- Set up a domain server
- Flash Access Manager AIR application usage

Out-of-band licenses

Licenses can also be obtained out-of-band (without contacting a Primetime DRM license Server) by storing the license on disk and in memory using the storeVoucher() method.

To play encrypted videos in Primetime, the respective runtime needs to obtain the license for that video. The license contains the video’s decryption key and is generated by the Primetime DRM license server that the customer has deployed.

The runtime generally obtains this license by sending a license request to the Primetime DRM license server indicated in the video’s DRM metadata ( DRMContentData class). The application can trigger this license request by calling the DRMManager.loadVoucher() method.

DRMManager.storeVoucher() allows the application to send licenses that it has obtained out-of- band. The runtime can then skip the license request process and use the forwarded licenses for playing encrypted videos. The license still needs to be generated by the Primetime DRM license server before it can be obtained out-of-band. However, you have the option of hosting the licenses on any HTTP server, instead of an Primetime DRM license server.

DRMManager.storeVoucher() is also used to support license sharing between multiple devices. After Primetime DRM 3.0, this feature is referred to as “Device Domain Support”. If your deployment supports this use case, you can register multiple machines to a device group using the DRMManager.addToDeviceGroup() method. If there is a machine with a valid domain-bound license for a given content, the application can then extract the serialized license using the DRMVoucher.toByteArray() method and on your other machines you can import the licenses using the DRMManager.storeVoucher() method.

About device registration

All Primetime DRM licenses, at creation time, must be bound to an end-entity. Binding is the cryptographic process of only allowing a specific entity the ability to consume the license. This is necessary as to prevent “floating licenses” which can be used by any arbitrary device. For Primetime DRM to “pre-generate” licenses, this means the “target” of these pre-generated licenses must be known ahead of time. Primetime DRM refers to this as “Device Registration”.

Register a device

Let us assume that you have performed the following tasks:

You have set up the Primetime DRM Server SDK.
You have set up an HTTP server for issuing pre-generated licenses.
You have created a Primetime application to view the protected content.

The device registration phase involves the following actions:

The application creates a randomly generated ID.
The application invokes the DRMManager.authenticate() method. The application must include the randomly generated ID in the authentication request. For instance, include the ID in the username field.
The action mentioned in Step 2 will result in Primetime DRM sending an authentication request to the customer’s server. This request includes the device certificate:
1. The server extracts the device certificate and the generated ID from the request and stores.
2. The customer sub-system pre-generates licenses for this device certificate, stores them and grants access to them
  in a way that associates them with the generated ID. .
The server responds to the request with a “success” message.
The application stores the generated ID.

After the device registration, the application uses the generated ID in the same way as it would have used the device ID in the previous scheme:

The application will try to locate the generated ID.
If the generated ID is found, the application will use the generated ID while downloading the pre-generated licenses. The application will send the licenses to the Primetime DRM client for consumption using the DRMManager.storeVoucher() method. .
If the generated ID is not found, the application will go through the device registration procedure.

DRM factory reset

When the user of the device invokes the DRM factory reset option, the device certificate will be purged. To continue playing the protected content, the application must go through the device registration procedure again. If the application sends an outdated pre-generated license, the Primetime DRM client will reject it since the license was encrypted for an older device ID.

Flash API: DRMManager.resetDRMVouchers() - (Can only be called in response to certain un-recoverable DRM error codes.)
iOS API: DRMManager resetDRM
Android API: DRMManager.resetDRM()