Smart Licensing - Cisco


Post on 16-Apr-2020


Smart Licensing

The following provides an overview of Smart Licensing in the Learning Network License system.

• Enabling Smart Licensing

• Smart Licensing Overview

Enabling Smart Licensing

Your Learning Network License deployment requires Smart Licensing to permanently manage agents with the controller. Each managed agent requires a license entitlement. Purchase the license entitlements, then manage them with your Cisco Smart Software Manager account. Generate a registration token in your Smart Software Manager account, then use this token to register your controller with the License Authority and enable Smart Licensing.

After you register your deployment, when you manage an agent with your controller, the controller automatically requests the appropriate license entitlement for the agent.

Before You Begin

• Purchase the appropriate Smart License entitlements for your controller and agents.

Step 1 Obtain a registration token from the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).

Step 2 Log in to the controller web UI, and use the registration token to register the controller with the License Authority. See Registering the Controller Instance for more information.

Smart Licensing Overview

To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.

Cisco Stealthwatch Learning Network License Configuration Guide, Version 1.1 1


Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.

In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.

Smart License Types

Each Learning Network License component has a corresponding license entitlement, as described in the following table:

Table 1: Smart License Entitlement Types

Learning Network License Component: controller
License Entitlement and Description: L-SW-SCA-K9 - SCA Virtual Manager
Associated File Downloads and Description:
• sln-sca-k9-<ver>.ova - single controller OVA

Learning Network License Component: agent deployed as a virtual service on an ISR 43XX (1 year term)
License Entitlement and Description: L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term
Associated File Downloads and Description:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent deployed as a virtual service on an ISR 43XX (3 year term)
License Entitlement and Description: L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term
Associated File Downloads and Description:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent deployed as a virtual service on an ISR 44XX (1 year term)
License Entitlement and Description: L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term
Associated File Downloads and Description:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent deployed as a virtual service on an ISR 44XX (3 year term)
License Entitlement and Description: L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term
Associated File Downloads and Description:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent installed on a UCS E-Series blade server
License Entitlement and Description: L-SW-LN-UCS-1Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 1 Yr Term
Associated File Downloads and Description:
• sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server

Learning Network License Component: agent installed on a UCS E-Series blade server
License Entitlement and Description: L-SW-LN-UCS-3Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 3 Yr Term
Associated File Downloads and Description:
• sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server

You must obtain one license entitlement for each controller and agent deployed to your environment.

The controller web UI displays license entitlement counts for your agents. When you enable a managed agent with the controller, the Smart Licensing Agent automatically requests a license entitlement for that agent, specific to that installation type. It also updates the license count. Similarly, when you disable a managed agent from the controller, the Smart Licensing Agent requests to free the license entitlement, and updates the license count.

For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.

Smart License Workflows

The following diagram shows the Smart License registration workflow for the Learning Network License system:

Figure 1: Smart License Registration


Because you register your controller with the License Authority, the registration status is Unregistered until you install your controller.

If you obtain a registration token from the Cisco Smart Software Manager, and use it to register the controller, the registration status updates to Registered, which allows you full system functionality, and removes the limit of 10 managed agents.

The controller regularly renews your registration with the License Authority. If it goes 90 days without communicating with the License Authority, the registration status updates to Registration Expired. System functionality is limited to the following:

• The system stores existing detected anomalies, which you can review.

• The system continues to match existing traffic mitigations and take action.

In Registration Expired:

• The system does not detect or report new anomalies.

• The system does not allow you to modify existing mitigations, nor create new mitigations.

If the system reestablishes connection with the License Authority, the Registration Status updates to Registered.


The following diagram shows the Smart License authorization workflow for the Learning Network License system:

Figure 2: Smart License Authorization

After you install your controller, the registration status updates to Evaluation Mode, which allows you full system functionality, but limits you to a maximum of 10 managed agents. Evaluation Mode lasts 90 days, after which the registration status updates to Evaluation Mode Expired. System functionality and limitations match those of Registration Expired.

When the registration status is Registered, the system checks whether or not you have enough license entitlements for the agents managed by your controller. The system tracks license entitlements for agents deployed as virtual services, and agents installed on a UCS E-Series blade server, separately. As you add and remove agents, the system updates the appropriate license entitlement count. If you have sufficient license entitlements for your managed agents, the license authorization status updates to Authorized.

If you do not have sufficient license entitlements, either for your pool of agents deployed as virtual services, or for your pool of agents installed on a UCS E-Series blade server, the license authorization status updates to Out-of-Compliance. The system remains out of compliance until you purchase enough license entitlements for your deployment.
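The registration and authorization workflows above, worked as a calculation that shows when anomaly detection stops and which entitlement pool is short. This is an added example, not Cisco code: the function names, the pool names in the sample, and the 14-day warning window are assumptions, and the dates are constructed.

```python
from datetime import date

LIMIT_DAYS = 90        # evaluation length, and longest allowed gap between contacts
EVAL_MAX_AGENTS = 10   # managed-agent cap while in Evaluation Mode


def registration_status(today, installed_on, registered_on=None, last_contact=None):
    """Return (status, days left before the status expires, or None).

    Assumption: both 90-day timers expire once 90 full days have elapsed;
    the page words the two thresholds slightly differently.
    """
    if installed_on is None:
        return "Unregistered", None
    if registered_on is not None:
        idle = (today - (last_contact or registered_on)).days
        if idle >= LIMIT_DAYS:
            return "Registration Expired", 0
        return "Registered", LIMIT_DAYS - idle
    age = (today - installed_on).days
    if age >= LIMIT_DAYS:
        return "Evaluation Mode Expired", 0
    return "Evaluation Mode", LIMIT_DAYS - age


def authorization_status(pools):
    """pools maps a pool name to (entitlements owned, agents managed).

    Pools are checked separately; one short pool makes the deployment
    Out-of-Compliance.
    """
    short = sorted(name for name, (owned, used) in pools.items() if used > owned)
    return ("Out-of-Compliance" if short else "Authorized"), short


def assess(today, installed_on, registered_on, last_contact, pools, warn_days=14):
    """Combine both statuses into the facts worth alerting on."""
    status, days_left = registration_status(today, installed_on, registered_on, last_contact)
    report = {
        "registration": status,
        "days_left": days_left,
        # Only these two states detect and report new anomalies.
        "detects_new_anomalies": status in ("Registered", "Evaluation Mode"),
        "agent_limit": EVAL_MAX_AGENTS if status == "Evaluation Mode" else None,
        "authorization": None,
        "alerts": [],
    }
    if status.endswith("Expired"):
        report["alerts"].append(f"{status}: no new anomalies are detected and "
                                "mitigations cannot be created or modified")
    elif days_left is not None and days_left <= warn_days:
        report["alerts"].append(f"{days_left} days until {status} status expires")
    if status == "Registered":
        report["authorization"], short = authorization_status(pools)
        for name in short:
            owned, used = pools[name]
            report["alerts"].append(f"pool {name!r}: {used} agents, {owned} entitlements")
    return report


if __name__ == "__main__":
    # Constructed scenario: a registered controller that last reached the
    # License Authority 80 days ago and manages more agents than it owns.
    sample = assess(
        today=date(2020, 5, 20),
        installed_on=date(2020, 1, 1),
        registered_on=date(2020, 1, 10),
        last_contact=date(2020, 3, 1),
        pools={"virtual service": (5, 6), "UCS E-Series": (2, 2)},
    )
    for key, value in sample.items():
        print(f"{key}: {value}")
```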


Smart Licensing Configuration

By default, the controller connects directly to the Licensing Authority servers. You can configure the sa.properties Smart Licensing configuration file to connect to the Licensing Authority servers through an HTTP or HTTPS proxy server.

By default, the controller logs information about Smart Licensing. You can disable this in the sa.properties configuration file.

Smart Licensing Configuration File Settings

If you want to change how your controller connects to the Licensing Authority servers, you can configure an HTTP proxy or HTTPS proxy. You cannot configure more than one.

Table 2: sa.properties Configuration File Settings

Field: PRODUCT_SN
Description: A globally unique identifier for the controller generated by the system during the installation process
Allowed Values: not configurable, do not modify this property even if blank

Field: HTTP_PROXY_HOST
Description: URL of the HTTP proxy used to connect to the Licensing Authority servers
Allowed Values: URL of the HTTP proxy. Do not configure this if you configured HTTPS_PROXY_HOST.

Field: HTTP_PROXY_PORT
Description: HTTP proxy port used to connect to the Licensing Authority servers
Allowed Values: HTTP proxy port. Do not configure this unless you configured HTTP_PROXY_HOST.

Field: HTTPS_PROXY_HOST
Description: URL of the HTTPS proxy used to connect to the Licensing Authority servers
Allowed Values: URL of the HTTPS proxy. Do not configure this if you configured HTTP_PROXY_HOST.

Field: HTTPS_PROXY_PORT
Description: HTTPS proxy port used to connect to the Licensing Authority servers
Allowed Values: HTTPS proxy port. Do not configure this unless you configured HTTPS_PROXY_HOST.

Field: LOGGER_ON
Description: Whether Smart Licensing logging is enabled or disabled
Allowed Values: true to enable logging, false to disable logging

Updating the Smart Licensing Configuration File

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd ~/SCA/services/sa-server

2. sudo vi sa.properties, then enter your password when prompted

3. You have the following options:

• To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.

• To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.

4. If you want to disable Smart Licensing logging, update LOGGER_ON to false.

5. Press Esc, then enter :wq! and press Enter.

6. more sa.properties, to review the file for errors

DETAILED STEPS

Step 1 cd ~/SCA/services/sa-server
Purpose: Change directories to the /sa-server directory.
Example:
user@host:~$ cd ~/SCA/services/sa-server

Step 2 sudo vi sa.properties, then enter your password when prompted
Purpose: Open the sa.properties file in the vi text editor with super user privileges.
Example:
user@host:~/SCA/services/sa-server$ sudo vi sa.properties

Step 3 You have the following options:

• To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.

• To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.

Purpose: Update the configuration file to change the Smart Licensing servers connection method.
Example:
HTTP_PROXY_HOST = <http-proxy-url>
HTTP_PROXY_PORT = <http-proxy-port>
Example:
HTTPS_PROXY_HOST = <https-proxy-url>
HTTPS_PROXY_PORT = <https-proxy-port>

Step 4 If you want to disable Smart Licensing logging, update LOGGER_ON to false.
Purpose: Update the configuration file to disable logging.
Example:
LOGGER_ON = false

Step 5 Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.

Step 6 more sa.properties, to review the file for errors
Purpose: Open the file in read-only mode to review the entries for errors.
Example:
user@host:~/SCA/services/sa-server$ more sa.properties

What to Do Next

• Restart the controller processes, as described in the next section.
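The review in Step 6 can be done mechanically before the restart by checking the Table 2 rules. The following is an added example, not part of the Cisco guide or the product: it assumes the KEY = value form shown in the examples above, that lines starting with # are comments, that a blank value means the field is not set, and that you kept a copy of the file from before the edit; the function names and sample values are constructed.

```python
import re

PROXY_PAIRS = (("HTTP_PROXY_HOST", "HTTP_PROXY_PORT"),
               ("HTTPS_PROXY_HOST", "HTTPS_PROXY_PORT"))
KNOWN_FIELDS = {"PRODUCT_SN", "LOGGER_ON"} | {k for pair in PROXY_PAIRS for k in pair}


def parse_properties(text):
    """Parse KEY = value lines into a dict and collect syntax problems.

    Assumptions: '#' starts a comment line; a blank value means "not set".
    """
    values, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            problems.append(f"line {lineno}: not a KEY = value entry")
        elif key in values:
            problems.append(f"line {lineno}: {key} appears more than once")
        else:
            values[key] = value
    return values, problems


def lint_sa_properties(edited_text, backup_text=None):
    """Return a list of findings; an empty list means the Table 2 rules hold.

    backup_text is a copy of the file taken before editing (an assumption of
    this example) and is used to confirm that PRODUCT_SN was not changed.
    """
    values, findings = parse_properties(edited_text)

    for key in sorted(set(values) - KNOWN_FIELDS):
        findings.append(f"{key}: not a Table 2 field, check the spelling")

    # Only one of the two proxy types may be configured.
    if all(values.get(host) for host, _ in PROXY_PAIRS):
        findings.append("HTTP_PROXY_HOST and HTTPS_PROXY_HOST are both set")

    for host, port in PROXY_PAIRS:
        port_value = values.get(port, "")
        if not port_value:
            continue
        if not values.get(host):
            findings.append(f"{port} is set but {host} is not")
        if not re.fullmatch(r"[0-9]{1,5}", port_value) or not 1 <= int(port_value) <= 65535:
            findings.append(f"{port} = {port_value!r} is not a valid port")

    logger = values.get("LOGGER_ON", "")
    if logger and logger not in ("true", "false"):
        findings.append(f"LOGGER_ON = {logger!r}, expected true or false")

    if backup_text is not None:
        original, _ = parse_properties(backup_text)
        if original.get("PRODUCT_SN", "") != values.get("PRODUCT_SN", ""):
            findings.append("PRODUCT_SN differs from the pre-edit copy")
    return findings


# Constructed sample files (not taken from a real controller).
SAMPLE_BACKUP = """\
PRODUCT_SN = example-sn-0001
HTTP_PROXY_HOST =
HTTP_PROXY_PORT =
HTTPS_PROXY_HOST =
HTTPS_PROXY_PORT =
LOGGER_ON = true
"""
SAMPLE_EDITED = """\
PRODUCT_SN = example-sn-0002
HTTP_PROXY_HOST = proxy.example.test
HTTP_PROXY_PORT = 8080
HTTPS_PROXY_HOST = proxy.example.test
HTTPS_PROXY_PORT = 80800
LOGGER_ON = False
"""

if __name__ == "__main__":
    for finding in lint_sa_properties(SAMPLE_EDITED, SAMPLE_BACKUP):
        print("FINDING:", finding)
```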

Restarting the Controller Processes

SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca restart

DETAILED STEPS

Step 1 cd ~/SCA
Purpose: Change to the /SCA directory.
Example:
user@host:~$ cd ~/SCA

Step 2 sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca restart


Smart Software Licensing Status

The Smart Software Licensing Status provides an overview of license usage on the controller, as described below.

Registration Status

Specifies the Smart License Agent registration status, and the last date when the controller contacted the License Authority and registered. Possible registration status values are:

Table 3: Registration Status Descriptions

Registration Status: Unregistered
Description: The controller has not been installed, and has neither contacted nor registered with the License Authority.
System Functionality: No system functionality, because the controller has not been installed.

Registration Status: Registered
Description: The controller has contacted and registered successfully with the License Authority.
System Functionality: Full system functionality.

Registration Status: Registration Expired
Description: The controller has not communicated with the License Authority in 90 or more days. In this state, the Smart License Agent retries its requests. If a retry succeeds, the agent enters a Registered state, and begins a new registration period.
System Functionality: System functionality is limited to the following:
• The system stores existing detected anomalies, which you can review.
• The system continues to match existing traffic mitigations and take action.
The system does not:
• detect or report new anomalies.
• allow you to modify existing mitigations, nor create new mitigations.

License Authorization Status

Specifies the license entitlement status when the system is registered with the License Authority, and the last date the system verified this status. Possible license authorization status values are:


Table 4: License Authorization Status Descriptions

License Authorization Status: Authorized
Description: The License Authority identified an available license entitlement for each managed agent.
System Functionality: Full system functionality.

License Authorization Status: Evaluation Mode
Description: The controller has been installed, and has neither contacted nor registered with the License Authority.
System Functionality: Full system functionality, except you can only manage a maximum of 10 agents with your controller. Evaluation Mode lasts for 90 days.

License Authorization Status: Evaluation Mode Expired
Description: The controller was in Evaluation Mode for over 90 days without contacting or registering with the License Authority.
System Functionality: System functionality is limited to the following:
• The system stores existing detected anomalies, which you can review.
• The system continues to match existing traffic mitigations and take action.
The system does not:
• detect or report new anomalies.
• allow you to modify existing mitigations, nor create new mitigations.

License Authorization Status: Out-of-Compliance
Description: The License Authority could not identify an available license entitlement for a managed agent. Licensed features continue to work. However, you must either purchase or free up additional entitlements for the status to display as Authorized.
System Functionality: Full system functionality.

Smart Account

The name of the Smart Account the controller is registered to.

Virtual Account

Specifies the Virtual Account under the Smart Account that you used to generate the Product Instance Registration Token and register the controller.


Product Instance Name

The unique identifier of the controller registered to the Smart Account.

Export-Controlled Functionality

Whether export-controlled functionality is allowed or restricted in this deployment.

Smart License Usage

The name and version of the agent license entitlement, a description, the count of used license entitlements, and whether that pool of license entitlements is Authorized or Out-of-Compliance.

Smart Software Manager

When you purchase one or more Smart Licenses, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization.

By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and appliances.

You manage licenses and appliances by virtual account. Only that virtual account’s appliances can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer appliances between virtual accounts.

For each virtual account, you can create a Product Instance Registration Token. Enter this token ID when you register a controller. You can create a new token if an existing token expires. An expired token does not affect a registered controller that used this token for registration, but you cannot use an expired token to register a controller. Also, a registered controller becomes associated with a virtual account based on the token you use. You can also create a new token, and use it to reregister even if the current token is still valid.

For more information about the Cisco Smart Software Manager, see Cisco Smart Software Manager User Guide.

Registering the Controller Instance

Before You Begin

• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).


• Log into the controller web UI.

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Click Register.

Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.

Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.

Step 6 Click Register.

Reregistering the Controller Instance

Before You Begin

• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).

• Log into the controller web UI.

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Select Reregister from the Actions drop-down.

Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.

Step 5 Click Reregister.

Periodic Communication with the License Authority

When you use a Product Instance Registration Token to register a controller, the controller registers with the Cisco License Authority. The License Authority issues an ID certificate for communication between the controller and the License Authority. This certificate is valid for one year, although it will be renewed every six months. If an ID certificate expires (usually in nine months or a year with no communication), the controller reverts to a deregistered state.

The controller communicates with the License Authority on a periodic basis. If you make changes in the Smart Software Manager, you can refresh the authorization on the controller so the changes immediately take effect. You also can wait for the appliance to communicate as scheduled.

The controller automatically renews the license authorization every 30 days. Refreshing the controller authorization renews your agent license entitlement authorization. You can also separately renew your license authorization.


If necessary, you can configure a Smart Software Satellite Server to communicate with the License Authority. Your controller must have either direct Internet access to the License Authority through the Cisco Smart Software Manager or access through the Smart Software Satellite Server at scheduled time periods. Normal license communication occurs every 30 days, but with the grace period, your appliance will operate for up to 90 days without calling home. You must contact the License Authority before 90 days have passed.

For more information about setting up a Smart Software Satellite Server, see the Smart Software Manager Satellite User Guide.

Renewing the Controller Registration

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Choose Renew Registration Now from the Actions drop-down menu.

Renewing License Authorization

SUMMARY STEPS

1. Select Dashboard.

2. Click Smart Licensing.

3. Choose Renew Authorization Now from the Actions drop-down menu.

DETAILED STEPS

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Choose Renew Authorization Now from the Actions drop-down menu.

Smart License Transfer

When you register a controller with the License Authority, your virtual account allocates the license to the controller. If you need to transfer your Smart Licenses to another controller, you must deregister the currently licensed controller. This removes it from your virtual account and frees your existing controller and agent license entitlements, so you can register with another controller. Otherwise, you may receive an Out-of-Compliance notification because your virtual account does not have enough free license entitlements. When you deregister the controller, the registration status updates to Unregistered.


Deregistering the Controller Instance

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Choose Deregister from the Actions drop-down menu.

Step 4 Click Deregister to confirm the deregistration.
