Strategic Consulting

Using the PHDS, PHLS, or PRTMP feature of Adobe Media Server relies on certificate files provided with the installation. These files are located in the {AMS_INSTALL_ROOT}/creds folder. From time to time these files expire, and new files are provided with new AMS install versions.

The last time this happened was when AMS 5.0.3 was released. At the time you had two options:

  1. Back up your files, uninstall AMS and then re-install using the AMS 5.0.3 updater: http://www.adobe.com/support/flashmediaserver/downloads_updaters.html
  2. Get a hold of the updated certificates – you can download the linux updater, unzip, and extract them – and use the list of files at this blog post to replace the certificates on your existing installation: http://blogs.adobe.com/ams/2013/07/ams-5-0-3-availability-and-refresh-of-phdsphlsprtmp-certificates.html

With the release of AMS 5.0.7, it has been noted in the release notes that these certificate files will need to be replaced again before April 6th, 2015:

“We have also refreshed the certificates used for Protecting Streaming workflows – PRTMP, PHDS and PHLS. The certificates in the earlier versions are due to expire on 5:30 AM April 6 2015. The refreshed certificates in this version have an expiry date of 5:30 AM September 24 2016.”

Although it’s likely that you could use step 2 as mentioned above to simply refresh your certs – especially if you’re still using Adobe Media Gateway which has been discontinued – there is some other interesting information called out in the release notes that makes me feel AMS 5.0.7 is a worthwhile upgrade:

  • If you’re using SWF Verification for PHDS there’s a fix for when you forget to add your whitelist file: “3704242: SWF verification for PHDS was ignored if whitelist file was missing. Now playback fails and error is logged suggesting user to provide whitelist file or disable SWF verification for PHDS.”
  • If your AMS is on a Windows box and you’re using HDS or HLS with the Apache cache turned on: “3803660: Disk cache cleanup for Apache using htcacheclean even though enabled by default was not functioning on Windows. This is working fine now.”
  • If you’re using SSL: “We have updated the OpenSSL version used by AMS to 1.0.1j. This provides four security fixes including POODLE (CVE-2014-3566). We have disabled SSL 3.0 on the server. The successor protocols to SSL3.0- TLS 1.0, 1.1 and 1.2 can be used for secure communication.”

That said, use your best judgement on whether you upgrade or just swap out the certificates. IMPORTANT NOTE: If you’re using any kind of fragment or manifest caching, the new certificate won’t match up so you will need to kill your caches and rebuild them after the certificate change.

Quotes are from AMS 5.0.7 Release Notes: http://www.adobe.com/support/documentation/en/adobe-media-server/507/AMS_5_0_7_Release_Notes.pdf

FMS/AMS Updaters: http://www.adobe.com/support/flashmediaserver/downloads_updaters.html

The idea of being able to upload recordings to Connect can be an attractive thing under the right circumstances. The two most common use cases are when a recording needs to be repaired because of an audio issue (this is probably going to be done by Adobe or a savvy support person with your reseller) and wanting multiple versions of the same recording. Since the first use case is a support-based scenario, I won’t dive into it, but the workflow for uploading the repaired recordings is the same as what will follow.

So, let’s address the use case of having multiple versions of the same recording. One scenario might be the desire to have a teaser version of your recording (say the first 1-5 minutes), while still having a full version of your recording. Another scenario would be if you would like a recorded session covering multiple topics broken out into unique topic-specific recordings to play back. By default, in Connect you can only have one version of a recording available for playback to authenticated users or the general public.

Working around the single recording issue prior to Connect 9 was a pretty simple task. All you had to do was download the recording source files by adding /output/myRecording.zip?download=zip to the URL for your recording to download a zip file containing the recording FLV and XML files representing the meeting recording. From there you can take the zip file and upload it as a new content object to the desired Content Library folder, and you are good to go.

The above workflow still works for Connect 9+, but you may see an error when trying to move the recording. The error will read: No message for validation error “recording-is-in-progress”, type “string”, field “sco-id”. This error is caused by a field that doesn’t get populated when uploading the recording source files. This field is the recording end date. Resolving this error requires populating the field in the database (DB) to allow Connect to properly manage the recording. This can be accomplished by making an API call.

Making an API call can seem scary, but here’s a step by step on how to go about it:

  1. Before making an API call, make sure you are logged in with an account that has Administrator credentials. Although lesser permissions may work for some API calls, this particular API call is set up with the assumption of Admin rights. You can login via the API or by going to your Connect server URL and logging in.
  2. Now to update the missing DB field for the recording we need to make the following call using sco-update: http://yourserver.adobeconnect.com/api/xml?action=sco-update&sco-id=123456&date-end=2015-03-15T15:28:37.227-07:00 You can find the SCO ID for the recording in the URL of the management page for it in Connect Central.
  3. As stated before, the end date is not populated when you upload a recording which causes the error to be thrown. The end date you choose in step 2 can be any date/time after the upload of the new recording zip, just make sure to use the date format in the step 2 example above.
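
The two calls from this post, sketched as an added Python example (not code from the original post or from Adobe). It only builds the request URLs and reads a reply, sending nothing; the function names and the two sample replies are constructed for illustration, with the error reply modeled on the message quoted above.

```python
"""Added example: build Adobe Connect sco-update / sco-move calls and read the reply."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Placeholder host from the post; the SCO IDs used below are the post's sample values.
BASE_URL = "http://yourserver.adobeconnect.com/api/xml"

# Constructed sample replies (assumed shape of the API's XML status element).
OK_REPLY = '<results><status code="ok"/></results>'
ERROR_REPLY = ('<results><status code="invalid"><invalid field="sco-id" '
               'type="string" subcode="recording-is-in-progress"/></status></results>')


def connect_date(dt):
    """Format an aware datetime like 2015-03-15T15:28:37.227-07:00."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("date-end needs an explicit UTC offset")
    return dt.isoformat(timespec="milliseconds")


def api_url(action, **params):
    """Build an API URL; keyword names use '_' where the API uses '-'."""
    query = {"action": action}
    query.update({k.replace("_", "-"): str(v) for k, v in params.items()})
    # urlencode escapes ':' and '+', so a +HH:MM offset is not decoded as a space.
    return BASE_URL + "?" + urlencode(query)


def sco_update_end_date(sco_id, end):
    """URL that sets the missing recording end date (step 2)."""
    return api_url("sco-update", sco_id=sco_id, date_end=connect_date(end))


def sco_move(sco_id, folder_id):
    """URL that moves a recording; folder_id may be a meeting room's sco-id."""
    return api_url("sco-move", sco_id=sco_id, folder_id=folder_id)


def parse_status(xml_text):
    """Return (code, [(field, type, subcode), ...]) from an API reply."""
    status = ET.fromstring(xml_text).find("status")
    if status is None:
        raise ValueError("reply has no <status> element")
    problems = [(e.get("field"), e.get("type"), e.get("subcode"))
                for e in status.findall("invalid")]
    return status.get("code"), problems


if __name__ == "__main__":
    end = datetime(2015, 3, 15, 15, 28, 37, 227000,
                   tzinfo=timezone(timedelta(hours=-7)))
    print(sco_update_end_date(123456, end))
    print(sco_move(123456, 654321))
    print(parse_status(ERROR_REPLY))
```

Checking the status code in the reply, rather than assuming the call worked, is what tells you whether the end date was actually written before you attempt the move.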

Right! So now that you’ve fixed the issue (if you even knew it was an issue), what does it get you? Here’s a cool parting trick. Have you ever had someone ask to have multiple versions of their recordings in the Recordings folder for one meeting room? Here is how we can accomplish it:

  1. Using the sco-move call we can place the recording in a different folder. This isn’t needed to move it to a new folder in the Content library. Example: http://yourserver.adobeconnect.com/api/xml?action=sco-move&sco-id=123456&folder-id=654321 The trick is what to put in the folder-id field. If you want to move it to the Recordings folder for a Meeting room then you would just use the sco-id of the meeting room.

Now the recording will reside in the Recordings folder of the Meeting room!

Want to learn more about Adobe Connect and how it can help you meet your web collaboration or eLearning needs?

Contact Us

Why we love Wowza

Posted on January 30, 2015 at 1:32 pm in Media Solutions, Products, Strategic Consulting, Training

Wowza has been growing up as a product well placed to take over the streaming media world. As a result of their focus on ease of use and an ability to reach every screen, they have created the new industry leader in streaming media technology. Because of this we have come to see the Wowza Streaming Engine (WSE) as the most future-proof option you can purchase. So why do we feel this way? Well, here are our top 4 reasons, in no particular order.

  • Will it stream to XYZ device? Yes! By adopting both current and next gen media formats the WSE ensures that it can deliver your stream to all screens. This alone overcomes one of the biggest challenges we face in deploying a media server. No one wants to have to exclude or limit their viewers to specific OS’s, devices, or browsers. If you aren’t using WSE, it’s time to ask if you can support the following media formats with one server:
    • RTMP
    • HLS
    • HDS
    • MS Smooth
    • MPEG-DASH
    • RTSP/RTP
    • MPEG-TS
  • Is there an easy to deploy player for my clients to view my media on? Yes! Wowza and JWPlayer have formed a partnership and created a workflow to easily deploy a polished and diverse media player as the portal through which your audience will view your media. In seven (pretty simple) steps you can have your media player set up and running. This is a great benefit to having your streaming media deployment up and running quickly.
  • Transcoders seem to vary and are complicated, is there a simple solution from Wowza? Yes! Wowza can accept a live stream from any h.264 or RTMP source. So if you have a transcoding solution in place, it will likely work with WSE. However, should you want to use a different format, IP cameras or another video streaming source, the Wowza Transcoder AddOn can be used to take in that stream and format it to whatever you need. Why is this so amazing?
    • The transcoding is done server side. No more needing to have encoding software on each device that is streaming to the server. This can be a huge cost savings in not only software purchasing, but also in time. Since the WSE can take in almost any media format, this means you don’t have to spend a large amount of time setting up and teaching configuration to those individuals sending the stream. Just point it to the WSE server and hit go!
    • The transcoding is done on the fly. This means that there is very little latency from the transcoding. You can take in one stream setting and output multiple formats and qualities of the same media. You can even have an audio only stream which can be great for those on small devices or very low bandwidth environments.
    • Static and dynamic images can overlay the media stream. Place Ads, calls to action, watermarks, tickers (sports scores or stock tickers), or whatever else you can think to do to enhance the experience of your video.
  • I’ve never managed a media server, is it complicated? Or, I’ve managed media servers in the past, is WSE as complicated? No! WSE was built with an intuitive and easy to use management interface. Everyone from novice to advanced users has found this tool to be a wonderfully simple and powerful tool to set up, manage and monitor these servers. You can still play in the XML configuration files if you want, but you don’t have to. There are even built in test players where you can test any of your streams in any media format without having to build your own test page! In the WSE Manager interface you can:
    • Set up streaming apps
    • Manage your streams
    • Monitor the server performance
    • Add and manage other admins and publishers
    • Manage your AddOns

To top it all off, WSE is an extremely flexible tool that really can meet most streaming media needs.

Want to talk more about Wowza? Looking to purchase Wowza? Looking for training on Wowza? Need help with Wowza? We can do it all. Reach out to us and start the conversation today.

Contact Us

Released today (Nov 18, 2014) are three new products to add to the Varnish Plus application. Unlimited cache sizing, increased caching performance and customized cache optimization support content-heavy, high-traffic sites.

“For most consumers, websites are now the pivotal point of interaction with companies. If information and content isn’t delivered instantly, they will seek alternatives that are just a mouse-click away,” – Per Buer, Founder and CTO, Varnish Software.

Product details:

Unlimited cache sizing with Varnish Massive Storage Engine
The new Varnish Massive Storage Engine tackles the problems of content-heavy sites by allowing the Varnish caching layer to handle multi-terabyte data sets. This makes it possible to cache almost unlimited objects while the website performance remains stable over time. The Varnish Massive Storage Engine is targeted at businesses with large data sets such as online retailers, image banks, video distributors or Content Distribution Networks and enables them to deliver high quality content within their current infrastructure while pushing the bounds of modern web experience delivery.

Increased caching performance and resilience with Varnish High Availability
Varnish High Availability is a high performance content replicator that eliminates cache misses (when an item looked up in the cache is not found) and ensures the stability of the Varnish Cache set-up. By protecting the backend infrastructure from overload caused by cache misses, it increases website performance and minimizes the risk of frustrated visitors leaving websites. Varnish High Availability is for Varnish Cache users whose sites are business-critical. It can be installed with any multi-cache Varnish Cache setup, including two/three node CDN POP installations.

Customized cache optimization with Varnish Tuner
Varnish Tuner automates customized cache optimization in both the Varnish and operating system environments. It recommends configuration options for the Varnish Cache set-up including how the operating system should be tuned, which cache parameters should be changed or replaced and also explains these recommendations. Varnish Tuner makes it possible for businesses to find the specific set-ups that best match their resources and needs, resulting in better website performance.

Availability:
Varnish Massive Storage Engine, Varnish High Availability and Varnish Tuner are all available from today with a Varnish Plus subscription.

Contact us today for all your Varnish purchasing/training/configuration needs!

HTML Video Check-in – iOS 7 vs. iOS 8

Since iOS 8 went live on the 17th and I updated a few of my devices over the weekend, I decided to do some quick testing of web video playback. I wanted to see if there were any little, undocumented changes that would affect our custom, cross-platform video player, or our general approach to working with HTML video – like the changes to exiting fullscreen video that came in the update from iOS 6 -> iOS 7. 1

Overall, things seem pretty much the same between iOS 7 -> iOS 8, and in a quick runthrough, REPlayer looks to be working just fine.

Cannot Access Alternate Audio Tracks

One interesting change to note, especially since it relates directly to our current series on Alternate Audio Streams in HTML Video, is that the native interface (iOS default controls used when video is fullscreen) for selecting Sub-Title/CC tracks – or Alternate Audio tracks when they’re available – no longer seems to recognize/display the audio tracks in iOS 8.

iOS7 vs. iOS8

Sub-Title selection still works just fine, but the Audio Section (and Audio Tracks) do not display in iOS8. We confirmed this by verifying our test m3u8 still contains Alternate Audio tracks in the manifest. Viewing the same video on a device running iOS7 will display, and allow the selection of, both Sub-Title and Audio Tracks, while iOS8 will only display the subtitle tracks.

Off the bat, I’m assuming this is a bug, not a feature, and it will be addressed in future updates, though it could also be a result of the transition from QTKit to AVFoundation as the new iOS Media Framework. 2
One other possible cause for the discrepancy, is the different versions of WebKit used between the two. 3

As of this writing, this does not seem to be a known issue according to the release notes.

Stay Tuned

Be sure to check back on Wednesday 10/1 as we continue our series on Alternate Audio Tracks in HTML Video – addressing some of the options and implementations available for providing user-selectable alternate audio streams using various formats, and suggest solutions for reaching the widest number of browsers and devices.

This week we’ll be featuring an in-depth writeup of alternate audio in HLS and other playlist-based formats.


Notes and non sequiturs
1

In iOS6 – when you switched to fullscreen video, there were 2 options available for exiting fullscreen:

  • One was to tap the “Exit Fullscreen” icon in the lower right side of the control bar (Two arrows on a diagonal that were pointing inwards towards each other – the inverse of the icon used to enter fullscreen)
    • This would exit fullscreen, and maintain the current playback state of the video, i.e., if the video was playing in fullscreen, it would continue to be playing after leaving fullscreen – if the video was paused in fullscreen, it would remain paused after leaving fullscreen
  • The other was to tap on the text-button “DONE” in the upper left of the fullscreen interface
    • This would exit fullscreen and pause the video, regardless of current playback state

In iOS7 – the “Exit Fullscreen” icon was removed, and the only option was to use “DONE” – this meant that whenever you exited fullscreen in iOS7, the video would be paused every time. Meaning that an extra tap on the Play Button was necessary in order to resume playback.

2

AVFoundation was added in iOS 7 and existed alongside QTKit, though developers were strongly encouraged to make the switch – Have not yet found explicit documentation of the status/availability of QTKit in iOS8

3
  • User Agent String of an iPhone 5S running iOS 8.0 reports WebKit v600.1.4
    • Full User Agent String –
      Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A365 Safari/600.1.4
  • User Agent String of an iPhone 5S running iOS 7.1 reports WebKit v537.51.2
    • Full User Agent String –
      Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53

On May 13th, we had the pleasure of being a part of the Varnish Summit in New York. Our own David Hassoun gave a great session on using Varnish Plus to help create your own CDN, and had a great time meeting with the other Varnish users there. This event was a great networking opportunity, and a fantastic way to get together with other Varnish users to see how they have been using the product. Since no two deployments will be the same, it has been amazing to see how this tool gets used and the creativity that everyone uses in their own deployment. If you missed the summit and David’s session, you can view it here: http://youtu.be/P7YPFMF5wGo?t=30m25s.

Now, the new round of summits is about to start, though no US date has been announced yet. However, we are hoping that will change soon! Until something gets solidified for the US, and for those of you out there who are in Europe, there are currently three dates that you can register to attend: Paris on October 16th, Frankfurt on October 30th, and Stockholm on November 20th. With any luck, there will be live streaming available so those of us unable to make the trip can still attend the conference and get some great information. You can register for any of these dates here: http://info.varnish-software.com/varnish-summits-autumn-2014-registration

Check back here as we will pass along any information about a US summit as it comes, and keep making your websites fly!

If you’re using Varnish as your web accelerator or media caching server and want to learn more about it, we’ll be holding online administrator training next week. It’s not too late to register so see you there!

Recently, I was tasked with building a video player that would play live streams via IP Multicast on a supported network and automagically switch to Unicast on an unsupported network. Problem is, with IP Multicast the clients will make a connection and just wait around for data without bombing out. This is because the clients are connected to the IP Multicast address space via their network hardware and not to a server endpoint, as in many other types of streaming.

In the past, this type of configuration might be implemented through a connection timeout in the video player logic. However, I wanted a seamless and immediate way to fall back without making the user have to wait. Enter Apache mod_rewrite.

The general workflow I wanted to follow was this:

  1. The end user hits the video player page on the Apache server
  2. The video player seamlessly and immediately points itself at the right stream.
  3. Everyone’s happy

I accomplished the above with a little mod_rewrite magic in my Apache config.

First, I needed to make sure clients on specific subnets would play back the live stream using Unicast. Second, I needed to properly redirect all other clients to the live stream using IP Multicast. Also, I needed to make sure that VOD requests would be ignored.

Here’s a gist of my rewrites along with some commentary.

Enjoy!

Recently RealEyes joined the Varnish Software family, and became the first North American reseller and training partner. This is a very exciting partnership and runs in line with our goals and vision for effective delivery of streaming media. The Varnish Plus product is an amazing tool for caching your website and streaming media.

In June we delivered our first public Varnish Administration Class and we, as well as the attendees, were thrilled with the results. That said, we are proud to be able to offer more training sessions within the balance of this year. On September 18th and 19th in Boston, MA and on November 13th and 14th in Denver, CO, we will hold live public classes. These classes will feature a combination of lecture and hands on training, and with the additional option of taking the Varnish certification test at the end of the second day. On August 21st and 22nd, we’ll have an online class. The online class offers the same course material, but no certification test at the end of the course. As always, the sessions will provide valuable and resourceful information for users of Varnish with a heavy emphasis on implementation, deployment, customization, and monitoring. This is a great opportunity for Varnish users of all skill levels to become better users.

If you’re still curious about what Varnish does in general, please have a look at the New York Times website, and be sure to pay attention to the load times of the images and other media. It also works wonders for on-demand content, as well. Check out Vimeo.

Still not convinced? OK, take a quick look at VG (Verdens Gang), which is Norway’s largest newspaper.  VG is leveraging Varnish for their exclusive, real time article cloud:

“Some months later @ VG Multimedia 12 squid servers hit the dust and were replaced by 1 server running Varnish. One server handling all requests (45 Million a week) faster than before and with a noticeable carbon footprint reduction.”

http://huayra.wordpress.com/2010/05/08/joining-varnish-software/

If you want even more in-depth technical info, check out this article on visualizing the most read articles at VG with Varnish: http://tech.vg.no/2014/03/07/visualizing-the-most-read-articles-on-vg/

Want to learn more about Varnish and how you can use it to make your website fly? Contact us today and we’ll get you going with Varnish!

I’ve been asked a lot of questions and have done a lot of work recently around security hardening for HTTP Streaming with Adobe Media Server (AMS) and Apache. Content protection and server security and hardening are an evolving beast, and the best thing to do is to keep in mind what needs to be secure and how it can possibly be circumvented. However, there are some basic things to know and a couple of tips I can shed some light on within the span of a blog post.

First, with HTTP streaming I think of security in three major categories:

  1. Server security
  2. Content protection over the wire
  3. Content protection while at rest and preventing unauthorized access

Server Security

When considering the origin of your content, you need to follow the general server hardening and security processes:

  • Decreasing access to root level accounts.
  • Protecting authentication info such as passwords and certs. Changing them from time to time as well.
  • Keeping the Operating System and server applications patched.
  • Using firewalls to decrease the network attack surface of your server.
  • Auditing the server files and logs and using some IDS systems.
  • The list goes on…

After you’ve done due diligence when it comes to your server, then next you need to concern yourself with AMS and Apache as well. Here’s a couple tips to keep in mind:

Adobe Media Server

Apache Server

The version of Apache bundled with AMS is 2.2.x. Unfortunately, due to the modules needed for HTTP Streaming you can’t upgrade to a newer version of Apache such as 2.4. However, you can lock 2.2 down as far as you need. Here’s some tips on that:

AMS and Apache – Ongoing

A really good way to see how well your lockdown efforts are going is to run a vulnerability scanner against your server. This not only will give you an idea of what’s still exposed, but it’s also a good way to check your server from time to time as new vulnerabilities are found. Here’s a scanner that I like using: http://go.beyondtrust.com/community

Content Protection Over the Wire

Now that your server is secure, you need to figure out how to protect your content as it traverses the network between your AMS/Apache origin and the end-user’s video player. SSL is always an option, but did you know that AMS has some built-in DRM protection that doesn’t need to use SSL?

Content Protection While at Rest and Preventing Unauthorized Access

How do we prevent unauthorized access and protect the content that the end user has streamed to their local machine?

Prevent Unauthorized Access

There’s a number of things you can do to prevent unauthorized access. Without going too far into implementation details, this step requires:

  1. Some co-ordination with the application developers on your team to basically create a binding between the video player and the wrapping application. For instance, the video player would require some kind of token to be passed in before it will play back content. This token can be anything from a shared secret to some information acquired through a valid SSO sign-on.
  2. If you’re using PHDS, once the player is bound to your system, then you can leverage Protected SWF Verification for PHDS to make sure only your player can play back the PHDS content: http://www.adobe.com/devnet/adobe-media-server/articles/swf-verification-protected-http-dynamic-streaming.html
  3. If you’re using HLS, it’s much trickier and not quite as all-encompassing, but something you might keep in mind is locking down requests for content through token rewrites that have a short expiration ttl: https://code.google.com/p/mod-auth-token/
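
The short-TTL token idea from item 3, as an added Python example (not from the original post, and not mod_auth_token's own URL format). It uses HMAC-SHA256 as a stand-in signing scheme; `SECRET`, `PREFIX`, `sign_path` and `verify_url` are hypothetical names, and the playlist path is constructed.

```python
"""Added example: short-lived signed URLs for HLS playlist and segment requests."""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # placeholder; keep the real key in protected config
PREFIX = "/protected/"               # hypothetical URL prefix guarded by the check
TTL_SECONDS = 60                     # short lifetime, per the post's advice


def compute_mac(secret, path, exp_hex):
    """MAC over the content path and the expiry, so neither can be altered."""
    msg = f"{path}\n{exp_hex}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_path(path, now=None, ttl=TTL_SECONDS, secret=SECRET):
    """Application side: turn /hls/x.m3u8 into /protected/<mac>/<expiry-hex>/hls/x.m3u8."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    expires = int(time.time() if now is None else now) + ttl
    exp_hex = format(expires, "x")
    return f"{PREFIX}{compute_mac(secret, path, exp_hex)}/{exp_hex}{path}"


def verify_url(url, now=None, secret=SECRET):
    """Server side: return (allowed, reason, content_path)."""
    if not url.startswith(PREFIX):
        return False, "malformed", None
    parts = url[len(PREFIX):].split("/", 2)
    if len(parts) != 3:
        return False, "malformed", None
    mac, exp_hex, rest = parts
    path = "/" + rest
    expected = compute_mac(secret, path, exp_hex)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode("utf-8", "replace"), expected.encode()):
        return False, "bad signature", None
    # exp_hex is covered by the MAC, so at this point it is a value we issued.
    if (time.time() if now is None else now) > int(exp_hex, 16):
        return False, "expired", None
    return True, "ok", path


if __name__ == "__main__":
    url = sign_path("/hls/event/master.m3u8", now=1_000_000)  # constructed path
    print(url)
    print(verify_url(url, now=1_000_030))                      # inside the TTL
    print(verify_url(url, now=1_000_061))                      # after expiry
    print(verify_url(url.replace("master", "other"), now=1_000_030))  # path swapped
```

In an HLS deployment every playlist and segment request behind the prefix needs a valid token, so the TTL has to be weighed against segment duration and playlist reload intervals.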

Content Protection While at Rest

This one’s easy…for now. If you use PHDS or PHLS as mentioned in the previous section, the data itself is protected with DRM. Basically, a simple AMS bundled version of Adobe Access DRM. :)

Closing thoughts

Don’t consider this article and the referenced links as an end-all, be-all to HTTP Streaming Security with AMS/Apache. It’s just a quick summary of some of the things to consider.

In my consulting experience, I’ve had a wide variety of consulting clients each with varying needs for security. Some implement everything, some a subset and most of the time there’s custom development, consulting, and testing involved. Also, security is a trade-off, the more secure you make something the less functionality there will be for you to leverage. So, implement your security while keeping your required functionality in mind. And test, Test, TEST your configurations against your production use cases.

Hope you enjoyed the read. If you’re ever in need of advice or help with implementing your HTTP Streaming Security, feel free to drop us a line: http://www.realeyes.com/contact/