DynamicMedia delivery domain questions

Description description

List of questions concerning the setup, functionality and maintenance of DynamicMedia / DynamicMedia Classic delivery domains.

Resolution resolution

Question: What type of delivery domain options are there for Dynamic Media / DynamicMedia Classic?

Answer: There are 3 types of delivery domains

  1. A generic domain that is configured as part of the provisioning. This is a domain like s7d9.scene7.com, s7g10.scene7.com, s7ap1.scene7.com.
    These delivery domains are in use by a series of customers. For this reason, SmartImaging cannot be turned on on domains of this type at this stage.

  2. A customer specific scene7.com subdomain, like customer.scene7.com. On this type of domain, SmartImaging can be setup, or added at a later stage.

  3. A customer owned subdomain, like assets.customer.com. This is also referred to a vanity domain. 1 such subdomain can be setup as part of any DynamicMedia contract. Any additional ones would need to be contracted. On this type of domain SmartImaging can be setup, or added at a later stage.

Question: How is the certificate for any scene7.com delivery domain maintained?

Answer: Scene7.com subdomains that have been setup in 2021 or earlier are pointing to the enhanced TLS *.scene7.com certificate. Scene7.com subdomains setup in 2022 or later are pointing to the Standard TLS *.scene7.com certificate. The latter has slightly better performance than the former and is therefore the preferred option. Whenever either of these certs is about 1 or 2 months before expiring, it is automatically renewed by Adobe. There is no action point for the customer. This applies to both the generic as well as the customer specific scene7.com subdomains.

Question: What certificate options are there for vanity domains?

Answer: The standard option is to include the subdomain into one of the Adobe managed SAN certificates hosted at the CDN. With this option, the CNAME of the subdomain to the edgehost at the CDN can be used as form of DCV (Domain Control Verification) by the CA (Digicert) to include the subdomain in a cert and issue that to Adobe. For this very same reason, the CNAME needs to remain in place for as long as the customer wants to serve DynamicMedia content through that delivery domain. Adobe renews the SAN certs about a month before they expire automatically. Any subdomains no longer CNAMEd will be removed from the SAN cert on the next renewal.

The setup steps for this option are as follows:

  1. Customer would open up a support ticket for the setup. Support would instruct the customer to setup a CNAME to the SAN cert next up for renewal.
    subdomain.domain.com IN CNAME something-or-other.scene7.com.edgekey.net

  2. Customer would get this done by their domain administrator and notify support through the ticket.

    1. Adobe has the CDN issue a CSR including your subdomain
    2. Adobe has the CA Digicert issue a cert based on that CSR
    3. Adobe deploys the cert at the CDN
    4. Adobe configures the CDN mapping
    5. If desired, Adobe activates SmartImaging 0

When step (2) is in place, the ETA is normally 1 month, as the cert update process is done once monthly.

0 https://experienceleague.adobe.com/docs/experience-manager-65/assets/dynamic/imaging-faq.html?lang=en

If the domain policy of the customer does not allow the inclusion of a subdomain in an Adobe SAN cert, or if the policy dictates that their subdomain can only be included in a cert issued by a CA different from Digicert (through a CAA record), then there is the option to host a dedicated cert at the CDN with as many subdomains as the customer needs. This is a paid option the customer would need to discuss with their CSM, get it contracted before Adobe can proceed with the setup.

Question: Can we have a CAA record on our domain when a subdomain is used for DynamicMedia delivery?

Answer: It is possible to have a CAA record on the domain, but if a subdomain is or is to be used for DynamicMedia delivery, there needs to be a CAA record that allows “digicert.com” to issue certs. If this is not the case, Digicert cannot include a subdomain in a cert.