Introduction

This document describes the activation process, definitions, and troubleshooting of the Smart Licensing Service on ESA/SMA/WSA.

Prerequisites

Components Used

The information in this document is based on these software and hardware versions:

• Email Security Appliance (ESA) AsyncOS Version 12.0 and newer.
• Security Management Appliance (SMA) AsyncOS Version 12.0 and newer.
• Web Security Appliance (WSA) AsyncOS Version 11.7 and newer

Note: Enabling the Smart License Feature on the ESA/SMA/WSA is Permanent and does not permit the option to revert an appliance back to Classic License Mode.

Background Information

Smart Licensing Provides the ability to:

• Manage all of your product licensing from a central location.
• Normalizes the process between Physical an Virtual ESA/SMA/WSA, using 1 method to apply and manage licenses
• Easily apply licensing to your ESA/SMA/WSA.
• Receive Alerts related to license expiration.
• Hardware model ESA/SMA/WSA, out of the box, have a 90 day Evaluation Period for all services

Summary of the Smart License Global Topic from Cisco

Even though the core purpose of this article is to configure the Smart Licensing Services on the ESA/SMA/WSA, we have included links below to provide general direction to educate on the topic.

Registering the ESA/SMA/WSA host with smart licensing first requires the owner of the appliance to possess a Smart Account.

• Smart Accounts are issued one per domain.
• The administrator of the Smart Account can create sub level Virtual Accounts allowing segregation of resources.
• Virtual Accounts may be used to restrict access to different Cisco Product Licenses based on customer needs.
• Customers access the Cisco Smart Software Manager (CSSM) to manage licenses and download TOKENS

The following links provided by Cisco, include videos, guides, and explanations related to Smart Licensing.

• Cisco Internal(only) Search for Smart Account
• Create New Smart Account or Request to add user to existing account
• Smart Software Licensing Overview Cisco WebPage
• Smart Licensing Deployment Guide

• Cisco Smart Accounts Cisco Page

• Smart Software Manager Cisco Page

• Cisco Smart Software Manager (CSSM)

Out of the Box

• All hardware model ESA/SMA/WSA purchased include 90 day Evaluation Licenses for all features.
• All hardware models migrating with existing Classic Licenses(CL) will receive 90 day Evaluation Licenses.
• All Virtual ESA/SMA/WSA models require a basic VLN (.xml) file loaded to the appliance to link it/them to the upgrade/update server.
• All Virtual ESA/SMA/WSA models when created, do NOT include 90 day licenses and require registration via the Classic License VLN (.xml).
• All Virtual ESA/SMA/WSA models migrating with existing Classic Licenses (CL) include 90 day Evaluation Licenses.

Communication Requirements

• Network or Proxy communication smartreceiver.cisco.com on TCP port 443

Description of the CSSM tool and the tabs.

Basic illustration of the CSSM Tabs

• General Tab
  
  • The location to generate the token (token is time based and may be used to register multiple ESA/SMA/WSA.
  • Ensure the proper "Virtual Account:" has been selected as a customer may have multiple virtual accounts.
  • New Token, will open a template to complete and results in a "Token," line entry in the table.
  • Actions, can be executed repeatedly as needed and will display options to; Copy, Download, Revoke the token.

CSSM General Tab

• Licenses Tab
  • The location to review and confirm the presence and availability of licenses.
  • The License column lists the names of the services or bundles purchased.
  • The Purchased column lists the presence of usable keys.
  • The Alerts column displays important messages regarding a specific license.

CSSM License Tab

•  Product Instances Tab
  
  • Displays the individual appliance names, models, last communication, and Alerts.

CSSM Product Instances Tab

Generate a Token from CSSM

• Launch the CSSM webpage
  • Cisco Smart Software Manager (CSSM)
•  Top of page, Select > Inventory
  • Once loaded, select the appropriate “Virtual Account:” from the top left portion of the page.
  • Large organization may have multiple virtual accounts assigned to a single smart account, requiring a selection of the appropriate virtual account related to the ESA/SMA/WSA licenses.
  • Tabs – General, Licenses, Product Instances, Event Log
• Generate a Token from CSSM
  • Select the, “General,” tab.
  • Just below the heading, “Product Instance Registration Tokens,” select the button, “New Token.”
  • A window will appear to complete the “Description,” and “Expire After,” values.
  • Create Token.
  • Returning to the General Tab, select the, “Actions,” drop down tab to copy or download the token.

SAMPLE TOKEN FILE
Token:           M2UyYmIxYTktNzJmMy00ZxxxxxxxxxxxxxxxxxxxxZjVhMDMwLTE1NDE3Mzcx%0ANDU2ODR8RlluSVI5NmxCUS92SnVzUjUvcVViV0ZyVVFrcHBxNVh2TVdNa1My%0AeGJYMD0%3D%0A
Virtual Account:   ESA
Smart Account:      InternalTestDemoAccount.MY_DOMAIN.com
Token Description: SMA_token
Export-Controlled Functionality:  Allowed
Created by User:   my_CCOID
Contact Email:       ADMIN@MY_DOMAIN.com
Expiry Date:       2018-Nov-09 04:19:05 (in 18 days)




* Note: this token file was downloaded on October 22nd 2018
* Note: copy entire token string to use for product instance registration

Enable the Smart License feature on the ESA/SMA/WSA

• • Web UI activation
    
    • Browse to > System Administration > Smart Software Licensing
    • Select > Enable Smart Software Licensing.
    • Options are listed providing the choices to request feature keys.
      • Option 1: Use a token to register and request needed features
      • Option 2: Register without a token and have a 90 day Evaluation Period
    • Select OK
    • Commit Changes
  • CLI activation
    
    • Execute Command > license_smart > Enable > Y
    • Option 1 and Option 2 will be listed the same as the above UI description.
    • Select OK
    • Commit

Register the ESA/SMA/WSA to a Smart Account using the Token.

•  Navigate to > System Administration > Smart Software Licensing
• Select the "Register," button to open the pop-up registration page.
• Paste the copied token in the space provided below step 4.
• Select "Register," to complete the steps. The pop-up window will close.
• Refresh the "Smart Software Licensing" page after 30 seconds to view the new status.
• Once completed, the "Registration Status: field, will present the word "Registered," along with the registration expiration dates.

Smart Software Licensing "Register"Registration Pop-up page.Registration confirmation.

Actions

Additional tasks can be performed from the Smart Licensing "Actions" drop-down menu.

• Renew Authorization
  • Complete this task to manually renew the License Authorization Status for all licenses listed under the License Type.

Note: The license authorization is renewed automatically every 30 days. The license authorization status will expire after 90 days if the ESA/SMA/WSA does not communicate with CSSM.

• Renew Registration
  • Complete this action to manually renew the registration

Note: The initial registration is valid for one year. Renewal of registration is performed automatically every six months if the appliance has connectivity to CSSM.

• De-register
  • Disconnects the ESA/SMA/WSA from CSSM
  • The system will transition to Evaluation Mode.
  • The licenses consumed by the ESA/SMA/WSA get released and credited to the smart account for re-use.
• Re-register
  • Reregister the ESA/SMA/WSA with CSSM

Note: Re-register could be used to migrate between an organizations multiple virtual Accounts

Definitions related to Smart License

License types:

• Classic License (CL)
  • CL Refers to the legacy methods used for both hardware and virtual licenses.
• Smart License (SL)
  • SL Refers to smart licensing.

License Authorization Status

(WebUI > System Administration > Licenses)

(CLI > license_smart > summary)

• Eval
  • SL Service has been enabled on a new (Hardware) ESA/SMA without token registration.
  • SL Service has been enabled on an appliance with existing CL installed
• Eval Expired
  • 90 Day Evaluation SL have expired and the appliance has transitioned to the additional 30 day Grace Period.
• In Compliance
  • Appliance has been registered with a token and currently feature is consuming a valid license
• Out of Compliance (Grace Period) may be observed in 2 scenarios.
  
  • One click request for a temporary 30 day feature license is being used.
  • A license has expired on the appliance and the 30 day grace period has initiated.
• Out of Compliance (Expired)
  
  • LIcense fully expired and the associated service stops functioning.

Note: The WebUI Smart Licensing pages contain numerous informational buttons in the form of a ? to assist to define values.

Logging Services for Smart Licensing.

The ESA/SMA/WSA log activities related to Smart Licensing to the "smartlicense" logs.

The logs are viewable from the CLI. The logs can also be downloaded to a local computer for parsing.

The following output is a sample of the registration action from the "smartlicense" logs.

Mon Jan 28 08:40:57 2019 Info: The administrator has requested to register the product with Smart Software Manager.
Mon Jan 28 08:41:07 2019 Info: Smart License: NotifyExportControlled notification has been ignored
Mon Jan 28 08:41:12 2019 Info: The product is registered successfully with Smart Software Manager.
Mon Jan 28 08:41:17 2019 Info: Smart License: Moved out of evaluation mode
Mon Jan 28 08:41:17 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
Mon Jan 28 08:42:18 2019 Info: Email Security Appliance Anti-Spam License license has been moved to In Compliance successfully.
Mon Jan 28 08:42:23 2019 Info: Email Security Appliance Outbreak Filters license has been moved to In Compliance successfully.
Mon Jan 28 08:42:28 2019 Warning: Email Security Appliance Graymail Safe-unsubscribe license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:33 2019 Warning: Email Security Appliance Cloudmark Anti-Spam license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:44 2019 Warning: The Mail Handling is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:42:48 2019 Info: Email Security Appliance Sophos Anti-Malware license has been moved to In Compliance successfully.
Mon Jan 28 08:42:53 2019 Warning: Email Security Appliance PXE Encryption license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:59 2019 Warning: Email Security Appliance Data Loss Prevention license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:04 2019 Warning: Email Security Appliance Advanced Malware Protection license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:09 2019 Warning: Email Security Appliance McAfee Anti-Malware license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:14 2019 Warning: Email Security Appliance Intelligent Multi-Scan license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:15 2019 Warning: The Email Security Appliance Intelligent Multi-Scan is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:43:19 2019 Info: Email Security Appliance External Threat Feeds license has been moved to In Compliance successfully.
Mon Jan 28 08:43:24 2019 Info: Email Security Appliance Bounce Verification license has been moved to In Compliance successfully.
Mon Jan 28 08:43:29 2019 Info: Email Security Appliance Image Analyzer license has been moved to In Compliance successfully.
Mon Jan 28 10:18:56 2019 Info: Renew authorization of the product with Smart Software Manager is successful.

Sample with interpretation of the values:

This sample shows:

• The Evaluation Period has stopped counting since the host has been registered.
• The host has been registered using smart account: InternalTestDemo111.cisco.com.
• The ESA is associated to the Virtual Account: ESA_EMEA.
• Keys in the state "Out of Compliance 18 days."
  • The keys have expired and are incrementing the 30 day grace period.
  • Keys in the state "Out of Compliance Expired."
    • The keys have expired and depleted the 30 day grace period. The feature is disabled.

Smart Licensing is : Enabled

Evaluation Period: Not In Use
Evaluation Period Remaining: 81 days 7 hours 32 minutes
Registration Status: Registered ( 30 Oct 2018 07:57 ) Registration Expires on:  ( 04 Dec 2019 16:11 )
Smart Account : InternalTestDemo111.cisco.com
Virtual Account : ESA_EMEA
Last Registration Renewal Attempt Status : SUCCEEDED on 04 Dec 2018 16:16
License Authorization Status: Out Of Compliance ( 30 Oct 2018 07:57 ) Authorization Expires on:  ( 05 Mar 2019 03:29 )
Last Authorization Renewal Attempt Status: SUCCEEDED on 05 Dec 2018 03:34
Product Instance Name: beta.ironport.com
Transport Settings: Direct (https://smartreceiver.cisco.com/licservice/license)


beta.ironport.com (SERVICE)> license_smart


Choose the operation you want to perform:
- URL - Set the Smart Transport URL.
- REQUESTSMART_LICENSE - Request licenses for the product.
- RELEASESMART_LICENSE - Release licenses of the product.
- DEREGISTER - Deregister the product from Smart Licensing.
- REREGISTER - Reregister the product for Smart Licensing.
- RENEW_AUTH - Renew authorization of Smart Licenses in use.
- RENEW_ID - Renew registration with Smart Licensing.
- STATUS - Show overall Smart Licensing status.
- SUMMARY - Show Smart Licensing status summary.
[]> summary

Feature Name                                                        License Authorization Status      Grace Period
-----------------------------------------------------------------------------------------------------------------------------
Email Security Appliance Anti-Spam License                             In Compliance                     N/A
Email Security Appliance Outbreak Filters                              Out Of Compliance                 18 days
Email Security Appliance Graymail Safe-unsubscribe                     Out Of Compliance                 Expired
Email Security Appliance Cloudmark Anti-Spam                           Out Of Compliance                 Expired
Email Security Appliance Advanced Malware Protection Reputation        Out Of Compliance                 Expired
Mail Handling                                                          In Compliance                     N/A
Email Security Appliance Sophos Anti-Malware                           In Compliance                     N/A
Email Security Appliance PXE Encryption                                Out Of Compliance                 Expired
Email Security Appliance Data Loss Prevention                          Out Of Compliance                 Expired
Email Security Appliance Advanced Malware Protection                   Out Of Compliance                 Expired
Email Security Appliance McAfee Anti-Malware                           Out Of Compliance                 Expired
Email Security Appliance Intelligent Multi-Scan                        Out Of Compliance                 17 days
Email Security Appliance External Threat Feeds                         Out Of Compliance                 17 days
Email Security Appliance Bounce Verification                           Out Of Compliance                 17 days
Email Security Appliance Image Analyzer                                Out Of Compliance                 21 days

Related Information

• ESA User Guides
• ESA Release Notes
• ESA CLI Refence Guides
• Smart Software Licensing Overview Cisco WebPage

• Cisco Smart Accounts Cisco Page

• Smart Software Manager Cisco Page

• Cisco Smart Software Manager (CSSM)