Introduction
This document describes the activation process, definitions, and troubleshooting of the Smart Licensing Service on ESA/SMA/WSA.
Prerequisites
Components Used
The information in this document is based on these software and hardware versions:
- Email Security Appliance (ESA) AsyncOS Version 12.0 and newer.
- Security Management Appliance (SMA) AsyncOS Version 12.0 and newer.
- Web Security Appliance (WSA) AsyncOS Version 11.7 and newer.
Note: Enabling the Smart License feature on the ESA/SMA/WSA is permanent. An appliance cannot be reverted to Classic License mode.
Background Information
Smart Licensing provides the ability to:
- Manage all of your product licensing from a central location
- Normalize the process between physical and virtual ESA/SMA/WSA, using one method to apply and manage licenses
- Easily apply a license to your ESA/SMA/WSA
- Receive alerts related to license expiration
- Hardware model ESA/SMA/WSA, out of the box, have a 90-day Evaluation Period for all services
Summary of the Smart License Global Topic from Cisco
Although the core purpose of this article is to configure the Smart Licensing Services on the ESA/SMA/WSA, links are included below to provide general background on the topic.
Registering the ESA/SMA/WSA host with smart licensing first requires the owner of the appliance to possess a Smart Account.
- Smart Accounts are issued one per domain.
- The administrator of the Smart Account can create sub-level Virtual Accounts allowing segregation of resources.
- Virtual Accounts may be used to restrict access to different Cisco Product Licenses based on customer needs.
- Customers access the Cisco Smart Software Manager (CSSM) to manage licenses and download tokens.
The following links provided by Cisco include videos, guides, and explanations related to Smart Licensing:
Out of the Box
- All hardware model ESA/SMA/WSA purchased include 90-day Evaluation Licenses for all features
- All hardware models migrating with existing Classic Licenses (CL) will receive 90-day Evaluation Licenses
- All Virtual ESA/SMA/WSA models require a basic VLN (.xml) file loaded to the appliance to link it/them to the upgrade/update server
- All Virtual ESA/SMA/WSA models when created, do NOT include 90-day licenses and require registration via the Classic License VLN (.xml)
- All Virtual ESA/SMA/WSA models migrating with existing Classic Licenses (CL) include 90-day Evaluation Licenses
Communication Requirements
- Network or proxy communication to smartreceiver.cisco.com on TCP port 443
Description of the CSSM tool and the tabs.
A basic illustration of the CSSM Tabs
- General Tab
- The location to generate the token (the token is time-based and may be used to register multiple ESA/SMA/WSA)
- Ensure the proper "Virtual Account:" has been selected, as a customer may have multiple virtual accounts
- "New Token" opens a template to complete and results in a "Token" line entry in the table
- "Actions" can be executed repeatedly as needed and displays the options Copy, Download, and Revoke for the token
CSSM General Tab
- Licenses Tab
- The location to review and confirm the presence and availability of licenses
- The License column lists the names of the services or bundles purchased
- The Purchased column lists the presence of usable keys
- The Alerts column displays important messages regarding a specific license
CSSM License Tab
- Product Instances Tab
- Displays the individual appliance names, models, last communication, and Alerts
CSSM Product Instances Tab
Generate a Token from CSSM
- Launch the CSSM webpage
- Top of page, select Inventory
- Once loaded, select the appropriate “Virtual Account:” from the top left portion of the page
- A large organization may have multiple virtual accounts assigned to a single smart account, requiring a selection of the appropriate virtual account related to the ESA/SMA/WSA licenses
- Tabs: General, Licenses, Product Instances, Event Log
- Generate a Token from CSSM
- Select the “General” tab
- Just below the heading “Product Instance Registration Tokens”, select the “New Token” button
- A window will appear to complete the “Description” and “Expire After” values
- Create a Token
- Returning to the General tab, select the “Actions” drop-down to copy or download the token
SAMPLE TOKEN FILE
Token: M2UyYmIxYTktNzJmMy00ZxxxxxxxxxxxxxxxxxxxxZjVhMDMwLTE1NDE3Mzcx%0ANDU2ODR8RlluSVI5NmxCUS92SnVzUjUvcVViV0ZyVVFrcHBxNVh2TVdNa1My%0AeGJYMD0%3D%0A
Virtual Account: ESA
Smart Account: InternalTestDemoAccount.MY_DOMAIN.com
Token Description: SMA_token
Export-Controlled Functionality: Allowed
Created by User: my_CCOID
Contact Email: ADMIN@MY_DOMAIN.com
Expiry Date: 2018-Nov-09 04:19:05 (in 18 days)
* Note: this token file was downloaded on October 22nd 2018
* Note: copy entire token string to use for product instance registration
Enable the Smart License feature on the ESA/SMA/WSA
- Web UI activation:
- Browse to System Administration > Smart Software Licensing
- Select Enable Smart Software Licensing
- Options are listed providing the choices to request feature keys:
- Option 1: Use a token to register and request needed features
- Option 2: Register without a token and have a 90 day Evaluation Period
- Select OK
- Commit Changes
- CLI activation:
- Execute command license_smart > Enable > Y
- Option 1 and Option 2 will be listed the same as the above UI description
- Select OK
- Commit
Register the ESA/SMA/WSA to a Smart Account using the Token.
- Navigate to System Administration > Smart Software Licensing
- Select the "Register" button to open the pop-up registration page
- Paste the copied token in the space provided below step 4
- Select "Register" to complete the steps (The pop-up window will close)
- Refresh the "Smart Software Licensing" page after 30 seconds to view the new status
- Once completed the "Registration Status" field will present the word "Registered" along with the registration expiration dates
Smart Software Licensing "Register"
Registration Pop-up page.
Registration confirmation.
Actions
Additional tasks can be performed from the Smart Licensing "Actions" drop-down menu.
- Renew Authorization
- Complete this task to manually renew the License Authorization Status for all licenses listed under the License Type
Note: The license authorization is renewed automatically every 30 days. The license authorization status will expire after 90 days if the ESA/SMA/WSA does not communicate with CSSM.
- Renew Registration
- Complete this action to manually renew the registration
Note: The initial registration is valid for one year. Renewal of registration is performed automatically every six months if the appliance has connectivity to CSSM.
- De-register
- Disconnects the ESA/SMA/WSA from CSSM
- The system will transition to Evaluation Mode
- The licenses consumed by the ESA/SMA/WSA get released and credited to the smart account for re-use
- Re-register
- Reregister the ESA/SMA/WSA with CSSM
Note: Re-register can be used to migrate between an organization's multiple Virtual Accounts.
Definitions related to Smart License
License types:
- Classic License (CL): CL refers to the legacy methods used for both hardware and virtual licenses
- Smart License (SL): SL refers to Smart Licensing
License Authorization Status: the status of a given license within the appliance.
- The ESA/WSA/SMA does not display the actual expiration date on the Smart Licenses page.
- Location: WebUI > System Administration > Licenses.
- Location: CLI > license_smart > summary.
The status of a specific feature will appear with one of the below values:
- Eval:
- SL Service has been enabled on a new (Hardware) ESA/SMA without token registration
- SL Service has been enabled on an appliance with existing CL installed
- Eval Expired: 90 Day Evaluation SL has expired and the appliance has transitioned to the additional 30-day grace period
- In Compliance: The appliance has been registered with a token and the feature is currently consuming a valid license
- Out of Compliance (Grace Period): may be observed in 2 scenarios
- One-click request for a temporary 30-day feature license is being used
- A license has expired on the appliance and the 30-day grace period has started
- Out of Compliance (Expired): License fully expired and the associated service stops functioning
System Administration > Licenses
Note: The WebUI Smart Licensing pages contain numerous informational buttons, shown as a ?, that help define the values.
How to View License Expiration
How do I see the actual expiration date?
The License Expiration Dates can be viewed within the CSSM Smart Software Management Site.
- Navigate to: Inventory > Virtual Account > Licenses > Click a license name to open the popup window.
- The Overview tab will show the current license count, purchase and expiration date.
- The Transaction History tab shows each purchase/expiration per transaction.
CSSM: View license expiration.
Logging Services for Smart Licensing
The ESA/SMA/WSA log activities related to Smart Licensing to the "smartlicense" logs. The logs are viewable from the CLI. The logs can also be downloaded to a local computer for parsing.
The following output is a sample of the registration action from the "smartlicense" logs:
Mon Jan 28 08:40:57 2019 Info: The administrator has requested to register the product with Smart Software Manager.
Mon Jan 28 08:41:07 2019 Info: Smart License: NotifyExportControlled notification has been ignored
Mon Jan 28 08:41:12 2019 Info: The product is registered successfully with Smart Software Manager.
Mon Jan 28 08:41:17 2019 Info: Smart License: Moved out of evaluation mode
Mon Jan 28 08:41:17 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
Mon Jan 28 08:42:18 2019 Info: Email Security Appliance Anti-Spam License license has been moved to In Compliance successfully.
Mon Jan 28 08:42:23 2019 Info: Email Security Appliance Outbreak Filters license has been moved to In Compliance successfully.
Mon Jan 28 08:42:28 2019 Warning: Email Security Appliance Graymail Safe-unsubscribe license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:33 2019 Warning: Email Security Appliance Cloudmark Anti-Spam license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:44 2019 Warning: The Mail Handling is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:42:48 2019 Info: Email Security Appliance Sophos Anti-Malware license has been moved to In Compliance successfully.
Mon Jan 28 08:42:53 2019 Warning: Email Security Appliance PXE Encryption license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:59 2019 Warning: Email Security Appliance Data Loss Prevention license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:04 2019 Warning: Email Security Appliance Advanced Malware Protection license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:09 2019 Warning: Email Security Appliance McAfee Anti-Malware license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:14 2019 Warning: Email Security Appliance Intelligent Multi-Scan license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:15 2019 Warning: The Email Security Appliance Intelligent Multi-Scan is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:43:19 2019 Info: Email Security Appliance External Threat Feeds license has been moved to In Compliance successfully.
Mon Jan 28 08:43:24 2019 Info: Email Security Appliance Bounce Verification license has been moved to In Compliance successfully.
Mon Jan 28 08:43:29 2019 Info: Email Security Appliance Image Analyzer license has been moved to In Compliance successfully.
Mon Jan 28 10:18:56 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
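Because the "smartlicense" logs can be downloaded for parsing, the following added example (not Cisco code and not part of the original document) reads log text in the format shown above and reports the last known state of each license. The function names and the trimmed sample are constructed for illustration; the parser matches on the "Out of" prefix because the appliance log spells the state "Out of Complaince".

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the "smartlicense" log format shown above.
SAMPLE_LOG = """\
Mon Jan 28 08:41:12 2019 Info: The product is registered successfully with Smart Software Manager.
Mon Jan 28 08:42:18 2019 Info: Email Security Appliance Anti-Spam License license has been moved to In Compliance successfully.
Mon Jan 28 08:42:28 2019 Warning: Email Security Appliance Graymail Safe-unsubscribe license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:44 2019 Warning: The Mail Handling is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:43:14 2019 Warning: Email Security Appliance Intelligent Multi-Scan license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:15 2019 Warning: The Email Security Appliance Intelligent Multi-Scan is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 10:18:56 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (\w+): (.*)$")
MOVED = re.compile(r"^(.+?) license has been moved to (.+?) successfully\.$")
GRACE = re.compile(r"^The (.+?) is in Out of Compliance \(OOC\) state\. "
                   r"You have (\d+) days? remaining in your grace period\.$")

def license_states(log_text):
    """Return {feature: {"state", "since", "grace_days"}} with the last state seen per license."""
    states = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a timestamped log entry
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(3)
        moved = MOVED.match(msg)
        if moved:
            feature, target = moved.groups()
            # The log misspells "Compliance" for this state, so test the prefix instead.
            state = "Out of Compliance" if target.lower().startswith("out of") else target
            states[feature] = {"state": state, "since": when, "grace_days": None}
            continue
        grace = GRACE.match(msg)
        if grace:  # this warning can appear without a preceding "moved to" line
            entry = states.setdefault(grace.group(1), {"since": when})
            entry.update(state="Out of Compliance", grace_days=int(grace.group(2)))
    return states

def out_of_compliance(states):
    """Sorted names of the licenses whose last logged state is Out of Compliance."""
    return sorted(f for f, s in states.items() if s["state"] == "Out of Compliance")

if __name__ == "__main__":
    for name in out_of_compliance(license_states(SAMPLE_LOG)):
        print("Out of Compliance:", name)
```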
Sample with an interpretation of the values:
This sample shows:
- The Evaluation Period has stopped counting since the host has been registered.
- The host has been registered using smart account: InternalTestDemo111.cisco.com.
- The ESA is associated with the Virtual Account: ESA_EMEA.
- Keys in the state "Out of Compliance 18 days."
- The keys have expired and are incrementing the 30 day grace period.
- Keys in the state "Out of Compliance Expired."
- The keys have expired and depleted the 30 day grace period. The feature is disabled.
Smart Licensing is : Enabled
Evaluation Period: Not In Use
Evaluation Period Remaining: 81 days 7 hours 32 minutes
Registration Status: Registered ( 30 Oct 2018 07:57 ) Registration Expires on: ( 04 Dec 2019 16:11 )
Smart Account : InternalTestDemo111.cisco.com
Virtual Account : ESA_EMEA
Last Registration Renewal Attempt Status : SUCCEEDED on 04 Dec 2018 16:16
License Authorization Status: Out Of Compliance ( 30 Oct 2018 07:57 ) Authorization Expires on: ( 05 Mar 2019 03:29 )
Last Authorization Renewal Attempt Status: SUCCEEDED on 05 Dec 2018 03:34
Product Instance Name: beta.ironport.com
Transport Settings: Direct (https://smartreceiver.cisco.com/licservice/license)
beta.ironport.com (SERVICE)> license_smart
Choose the operation you want to perform:
- URL - Set the Smart Transport URL.
- REQUESTSMART_LICENSE - Request licenses for the product.
- RELEASESMART_LICENSE - Release licenses of the product.
- DEREGISTER - Deregister the product from Smart Licensing.
- REREGISTER - Reregister the product for Smart Licensing.
- RENEW_AUTH - Renew authorization of Smart Licenses in use.
- RENEW_ID - Renew registration with Smart Licensing.
- STATUS - Show overall Smart Licensing status.
- SUMMARY - Show Smart Licensing status summary.
[]> summary
Feature Name                                                        License Authorization Status    Grace Period
-----------------------------------------------------------------------------------------------------------------------------
Email Security Appliance Anti-Spam License                          In Compliance                   N/A
Email Security Appliance Outbreak Filters                           Out Of Compliance               18 days
Email Security Appliance Graymail Safe-unsubscribe                  Out Of Compliance               Expired
Email Security Appliance Cloudmark Anti-Spam                        Out Of Compliance               Expired
Email Security Appliance Advanced Malware Protection Reputation     Out Of Compliance               Expired
Mail Handling                                                       In Compliance                   N/A
Email Security Appliance Sophos Anti-Malware                        In Compliance                   N/A
Email Security Appliance PXE Encryption                             Out Of Compliance               Expired
Email Security Appliance Data Loss Prevention                       Out Of Compliance               Expired
Email Security Appliance Advanced Malware Protection                Out Of Compliance               Expired
Email Security Appliance McAfee Anti-Malware                        Out Of Compliance               Expired
Email Security Appliance Intelligent Multi-Scan                     Out Of Compliance               17 days
Email Security Appliance External Threat Feeds                      Out Of Compliance               17 days
Email Security Appliance Bounce Verification                        Out Of Compliance               17 days
Email Security Appliance Image Analyzer                             Out Of Compliance               21 days
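To turn a captured summary into a check, the following added example (not Cisco code and not part of the original document) parses the three columns of the `license_smart > summary` table and separates features whose grace period shows "Expired", which the interpretation above describes as disabled, from those still in the grace period. The function names and the shortened sample are constructed; only the status and grace values visible in the output above are recognised, and any other row is returned for manual review.

```python
import re

# Constructed sample in the layout of the `license_smart > summary` output above.
SAMPLE_SUMMARY = """\
Feature Name                                         License Authorization Status   Grace Period
------------------------------------------------------------------------------------------------
Email Security Appliance Anti-Spam License           In Compliance                  N/A
Email Security Appliance Outbreak Filters            Out Of Compliance              18 days
Email Security Appliance Graymail Safe-unsubscribe   Out Of Compliance              Expired
Mail Handling                                        In Compliance                  N/A
Email Security Appliance Image Analyzer              Out Of Compliance              21 days
"""

# Feature names contain spaces, so anchor each row on the status and grace values at its end.
ROW = re.compile(
    r"^(?P<feature>.+?)\s+(?P<status>In Compliance|Out Of Compliance)"
    r"\s+(?P<grace>N/A|Expired|\d+ days?)\s*$", re.IGNORECASE)

def parse_summary(text):
    """Return (rows, unparsed); each row has feature, status, grace_days and risk."""
    rows, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Feature Name", "---")):
            continue  # header, separator or blank line
        m = ROW.match(line)
        if not m:
            unparsed.append(line)  # surface unknown rows instead of dropping them
            continue
        grace = m.group("grace")
        days = int(grace.split()[0]) if grace[0].isdigit() else None
        if m.group("status").lower() == "in compliance":
            risk = "ok"
        elif grace.lower() == "expired":
            risk = "disabled"  # grace period depleted: the feature is disabled
        else:
            risk = "grace"     # out of compliance, grace period still running
        rows.append({"feature": m.group("feature"), "status": m.group("status"),
                     "grace_days": days, "risk": risk})
    return rows, unparsed

def at_risk(rows):
    """Disabled features first, then grace-period features by the Grace Period day count."""
    bad = [r for r in rows if r["risk"] != "ok"]
    return sorted(bad, key=lambda r: (r["risk"] != "disabled", r["grace_days"] or 0, r["feature"]))

if __name__ == "__main__":
    for row in at_risk(parse_summary(SAMPLE_SUMMARY)[0]):
        print(row["risk"], row["grace_days"], row["feature"])
```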
Related Information