8 October 2012
This article assumes that you have basic knowledge of using the Adobe Media Server and know how to run a Flash based SWF client.
In this article you will understand how SWF verification for HTTP streaming works in Adobe Media Server (AMS), and how you can prevent unauthorized SWF clients from accessing your content. By using SWF verification you can stop someone from creating their own SWF clients to stream your content.
SWF Verification protects your content by preventing unauthorized clients from accessing it. To enable SWF Verification for HTTP streaming, you need to enable Protected HTTP Streaming (PHDS).
PHDS is used to serve protected content to Flash Player and AIR-based clients, over HTTP, without using a DRM license server. With PHDS, when Adobe Media Server encrypts and packages the content, it generates a license using the Shared domain certificates and embeds it into the DRM metadata of the content stream that is delivered with the media. The Flash Player and AIR clients then retrieve the license from the content stream and use it for decryption, eliminating the need to communicate with a license server.
To enable SWF verification you create a list of "authorized" SWF files, called a whitelist. These files are specified in the embedded license and sent to the client inside the DRM metadata. On the client, SWF verification is enforced by Adobe Access runtime inside the Flash Player and AIR. During DRM authentication, Flash Player or AIR attempt to verify the SWF hash in the DRM metadata with the SWF that is trying to access the resource. If the verification fails, Flash Player or AIR throws a runtime error (3310) and the client stops requesting the content.
Adobe Media Server supports a version of SWF Verification for RTMP connections. In RTMP SWF Verification, AMS is provided with a copy of the authorized SWF clients. When a client SWF connects to AMS, the server verifies the SWF against the copies present on the server and disconnects clients that are sending invalid bytes.
Adobe Media Server supports whitelist-based player binding for HTTP Live Streaming (HLS). This feature is similar to the PHDS/pRTMP SWF Verification feature.
Using Adobe Media Server you can deliver protected streams to iOS based clients over HTTP using Protected HTTP Live Streaming (PHLS). PHLS is a non-DRM based protection scheme similar to PHDS. When player binding is enabled with PHLS, AMS will add the list of identifiers picked up from the .airwhitelist files and embed it into the DRM metadata. SWF verification is then enforced by the Adobe Access SDK on the iOS client. You can find more information regarding player binding here.
To set-up SWF verification there are 5 basic steps :
The first step in the process is to download and install Adobe Media Server (AMS). Adobe Media Server is available for Windows and Linux platforms, and can be downloaded from here. Once you have downloaded and installed the server, you can test your installation by launching the AMS start page
On the server open a browser of your choice and go to : http://localhost:8134/
You should see the following page:
Try to play different streams. If you’re able to playback the streams successfully, your server is properly installed.
To use SWF Verification, PHDS needs to be enabled. You can read more about Protected HTTP Streaming here.
To enable PHDS, open the httpd.conf file in a text editor. The httpd.conf file is located in the root_install/Apache2.2/conf folder.
In the httpd.conf file search for the
location directive. Enable PHDS by uncommenting the following lines :
EncryptionScope tag specifies that the protection will be applied at the server level. The
ProtectionScheme specifies the scheme as PHDS.
Restart the AMS Server.
This enables Protected HTTP Streaming without SWF Verification.
To enable SWF Verification we create a list of authorized SWF files called a whitelist.
To generate the whitelist, you use the Whitelist tool. The tool is located in the root_install/tools/Whitelist directory. The whitelist tool takes SWF files, AIR certificate files and AIR signature files and creates a SHA256 hash for each file. The tool writes the hashes as Base64 encoded text to one or more output files with the
To use the tool, copy the client SWF into the whitelist folder. In the command prompt, navigate to the the whitelist folder and run the following command:
For example :
You should see a
.whitelist file being created.
.airwhitelist files have been generated copy them into a common folder anywhere on the server.
Finally, you need to configure SWF Verification with PHDS. To perform this action, navigate to the
location directive in the httpd.conf file.
Under the PHDS configuration tags, you need to add the following :
PHDSSWFVerification true PHDSSWFWhiteListFolder “path of the whitelist folder”
PHDSSWFVerification tag specifies that the SWF Verification is turned on. The
PHDSSWFWhiteListFolder tag specifies the folder where the
.airwhitelist files are located. This path can be either an absolute path or relative to the Apache2.2 folder.
Save the file and Restart the server.
This configuration will enable SWF Verification for all streams.
You can configure content-specific SWF Verification by changing the encryption scope to content in the httpd.conf file:
In this case, encryption configurations specified in the jit.conf file will be used. If there are two sets of content, say A and B and if you want to apply different set of SWF Verification settings for set A and B, then you can place the content in two different paths and modify their jit.conf files appropriately.
You can find the configurations to set SWF Verification at content level here.
When SWF Verification is enabled, only the SWF client whose hashes are present in the whitelist folder will be able to play back the protected content. On any unauthorized client, Flash Player/AIR will throw a runtime error (3310).
You can verify if SWF Verification has been enabled correctly, by performing two checks.
On a SWF client authorized to access the content, try to play a stream as follows:
The client should be able to play back the stream.
Now, on any unauthorized SWF client try to playback the same stream. This time the client will be unable to play the stream and an error will be thrown.
Configuring SWF Verification for live streams is similar to that used for on-demand streams.
Here are the steps :
PHDSSWFWhiteListFolder “path of the whitelist folder”
.airwhitelistfiles under the whitelist folder.
FMS URL: rtmp://
.whitelist/.airwhitelistfile for the client is present in the
SWF Verification is an easy and quick way to prevent unauthorized clients from streaming your content.
SWF Verification can be applied at either the server level or the content level. SWF Verification can also be configured for live streams.
Learn how to configure SWF Verification at content level for On-Demand streams here.
Learn how to configure SWF Verification at content level for live streams here.
Learn about Player Binding for HTTP Live Streaming here.
Learn more about Adobe Media Server:
Tutorials & Samples
|11/30/2015||Continued Support for Adobe Flash Media Live Encoder?|
|11/08/2015||Blackmagic ATEM TVS and Flash Media Live Encoder|
|11/27/2015||Media Server using rtpm input from another server?|