Dynamic Media delivery domain questions
Learn about available delivery domain options for Dynamic Media/Dynamic Media Classic domains and if a Certification Authority Authorization (CAA) record is applicable when a subdomain is used for Dynamic Media delivery.
Description description
Environments
- Adobe Dynamic Media (ADM)
- Adobe Dynamic Media Classic (ADMC)
Issue/Symptoms
List of questions concerning the setup, functionality, and maintenance of Dynamic Media/Dynamic Media Classic delivery domains.
Resolution resolution
Where is the Dynamic Media delivery domain configured in AEM?
Open up Hammer - Assets - Dynamic Media General Setting - Published Server Name, and change that to the delivery domain you want to configure, e.g. “https://subdomain.domain.com/”
After that you might need to reprocess your assets in order for them to make use of the domain.
Can the same DynamicMedia delivery domain be used for different environments?
Yes, the DM delivery domains are in fact aliases from one another - they all point to the same CDN, and are mapped to the same origin servers. The DMS7 environment is always part of each and every DM delivery URL, and using the same DM delivery domain for different DM environments does not cause any conflict at all, provided they are setup on the same region (NA, EMEA, APAC)
What type of delivery domain options are there for Dynamic Media/ Dynamic Media Classic?
There are three types of delivery domains
- A generic domain that is configured as part of the provisioning. This is a domain like s7d9.scene7.com, s7g10.scene7.com, and s7ap1.scene7.com. These delivery domains are in use by a series of users.
- Specific scene7.com subdomain, like customer.scene7.com.
- Subdomains owned by you, like assets.customer.com. These is also referred to as a vanity domain. One such subdomain can be set up as part of any Dynamic Media contract. Any additional ones need to be contracted separately.
What type of domain do I need to be able to make use of SmartImaging?
Any domain setup for DynamicMedia/Scene7 delivery can be used with SmartImaging, including generic domains. The functionality is per default turned off, and can be tested by adding SmartImaging parameters to a URL, e.g. bfc=on, network=on, dpr=on. It is possible to turn these functionalities on per default for any DMS7 company by submitting a support ticket with the details.
How is the certificate for any scene7.com delivery domain maintained?
All scene7.com subdomains set up are pointing to the Standard TLS *.scene7.com certificate. STLS has slightly better performance than Enhanced TLS and is, therefore, the preferred option. Whenever the cert is about one or two months before expiring, it is renewed automatically by Adobe. There is no action point for the customer. This applies to both the generic as well as the customer specific scene7.com subdomains.
What certificate options are there for vanity domains?
The standard option is to include the subdomain in one of the Adobe-managed SAN certificates hosted at the CDN. With this option, the CNAME of the subdomain to the edgehost at the CDN can be used as a form of DCV (Domain Control Verification) by the CA (DigiCert) to include the subdomain in a cert and issue that to Adobe. For this very same reason, the CNAME needs to remain in place for as long as the customer wants to serve Dynamic Media content through that delivery domain. Adobe renews the SAN certs automatically about a month before they expire. Any subdomains no longer CNAMEd will be removed from the SAN cert on the next renewal.
The setup steps for this option are as follows:
-
Open a support ticket for the setup. Support would instruct you to set up a CNAME to the SAN cert next up for renewal.
subdomain.domain.com IN CNAME something-or-other.scene7.com.edgekey.net -
You will have to get this done by your domain administrator and notify support through the ticket.
- Adobe has the CDN issue a CSR, including your subdomain.
- Adobe has the CA DigiCert issue a cert based on that CSR.
- Adobe deploys the cert at the CDN.
- Adobe configures the CDN mapping
- If desired, Adobe activates Smart Imaging.
When Step 2 is in place, the ETA is normally 1 month, as the cert update process is done once monthly.
If your domain policy does not allow the inclusion of a subdomain in an Adobe SAN cert, or if the policy dictates that your subdomain can only be included in a cert issued by a CA different from DigiCert (through a CAA record), then there is the option to host a dedicated cert at the CDN with as many subdomains as you need. This is a paid option that you would need to discuss with your CSM, and get it contracted before Adobe can proceed with the setup.
Can we have a CAA record on our domain when a subdomain is used for Dynamic Media delivery?
It is possible to have a CAA record on the domain, but if a subdomain is or is to be used for Dynamic Media delivery, there needs to be a CAA record that allows digicert.com to issue certs. If this is not the case, DigiCert cannot include a subdomain in a cert.
Are there any caching/delivery restrictions for domains setup with Dynamic Media?
Adobe as US based company has 5 embargoed countries/areas it is not allowed to serve content towards. These countries/areas are North Korea, Cuba, Iran, Syria and the Crimea region of Ukraine. DynamicMedia requests originating from one of these countries/areas are being rejected as a result.
The bundled CDN that comes with DynamicMedia (Akamai) has 2 restricted areas: Russia and China. Caching / delivery within these countries is limited as a result. For a company to be able to cache content within Russia, the https traffic needs to happen using a Standard TLS cert. Scene7.com subdomains are served using a Standard TLS cert and can therefore be used to serve content to China. Vanity delivery domains are setup with an Enhanced TLS cert, so content requested from within Russia from one of those domains is served from Akamai servers outside of Russia, or the requests might be blocked altogether.
Something similar is per default true for China for any domains not licensed to be cached within China. The traffic needs to pass the China firewall which causes delivery delays. CDN caching within China is restricted, but in a different way. The China government only allows caching of content within China when the delivery domain is licensed by their CNC agency. This is the so called ICP license. Up to around 2018 the Chinese government used to issue ICP licenses on .com
domains. The rules have been tightened since and it no longer does that nowadays. Now it is only possible to acquire an ICP license on a domain registered in China, so that is a .cn or a .com.cn domain. If you have registered such a domain and have acquired an ICP license on it, then a subdomain of that licensed domain can be setup for dynamicmedia delivery with ChinaCDN caching using the ICP license details through a Support ticket. This remarkably speeds up the delivery within China.
I have a DynamicMedia delivery domain “domain.scene7.com” or “assets.customer.com” or similar already setup. I requested new Dynamic Media delivery environments, but now when I use the delivery domain to request images from the new environment, I get “ Catalog ‘NewEnvironment’ is not allowed for domain ‘domain.scene7.com ’”.
Support will need to configure access from the delivery domain to the new DynamicMedia environment(s). Provide the specifics in a ticket and they will be able to help with that.