License avoidance errors basically mean that Reporter VA is unable to communicate to the Broadcom licensing servers to validate the license.  So in this article, we abroad the following points.

1. Licensing the product for the first time

2. Explanation on how the licensing process works

3. The URLs must be whitelisted for licensing purposes.

     4. Desired NTP to be set or permit ntp.bluecoat.com and ntp2.bluecoat.com

     5. What to do when the birth certificate on the virtual appliance is expired, and we see license errors related to this certificate

Virtual appliances

With VA appliances (SG/CA/MC/Reporter), they must be allowed out the network to Symantec.com and Bluecoat.com to obtain a birth certificate which will be later used for license validation. In addition,  the Reporter needs to download the buff libraries that are required for Web Application. After the first license attempt is successfully, the Reporter is going to communicate with the licensing servers at Blue Coat every hour to validate it.

The offline license file is either for physical appliances or for VMs where you have purchased a special 'offline' license.  Most VM customers do not have this special license. If internet access should not be allowed due to security restrictions, an offline license must be purchased.

1. Licensing the product for the first time

When the virtual appliance is initially deployed, in order for licensing to be properly retrieved and installed, it must have internet access. Also, it is necessary to keep the internet connection open at all times with each virtual appliance as they will be periodically reaching Broadcom servers to validate the license in order to prevent license duplicates.

The appliance will attempt to license itself automatically. If the license process somehow fails, you can license the appliance manually, by running the following command:

#licensing load username <Broadcom Portal username> password <Broadcom Portal password>

2. Explanation on how the licensing process works

The first time Reporter is brought online, it will try and communicate with Blue Coat every 5 minutes until it makes a successful connection. The Reporter attempts to establish a connection to https://validation.es.bluecoat.com/phs.cgi  After a successful connection is made, the Reporter communicates with the licensing servers at Blue Coat every hour.  If it cannot communicate with the licensing servers or the link is broken or blocked, the Reporter will allow a maximum of 7 days grace period to restore the connectivity before suspending the license. During that time, the Reporter will still try and communicate with the licensing servers back at Blue Coat. If more than one virtual appliance uses the same serial number, the Blue Coat licensing servers will detect this and notify you. You then have a maximum of 30 days to take action and eliminate the duplicate. If there are more than two appliances sharing the same serial number, the grace period is decreased drastically. If the issue is not addressed, then the license will be suspended until the duplicates are removed.

3. The URLs that must be whitelisted for licensing purposes can be found here:

https://knowledge.broadcom.com/external/article/186338/migration-of-symantec-enterprise-divisio.html

4. Desired NTP to be set or permit bluecoat.com
   The NTP server also needs to be contacted by the virtual appliance for time synchronization as it also plays a role in license verification. By default, NTP servers on virtual appliances are pointed to ntp.bluecoat.com and ntp2.bluecoat.com.  If you do not allow the appliances to sync to these external internet servers, you will need to configure an internal NTP server to serve this purpose.
   
   
5. If the birth certificate on the virtual appliance is expired, it must be recreated as follows:

Connect to the virtual appliance CLI via SSH and follow these steps:

1. Enter 'enable' mode
2. Enter 'configure' mode
3. Enter 'ssl' mode
4. Remove the existing default cert with the command: delete certificate default
5. Create the new certificate with the command: create certificate default
6. For the certificate 'Subject', enter this: CN=192.168.121.30,O=SYMC,OU=1006485912

note:  please replace CN, O, and OU with your details... CN must be IP address of Reporter and OU must be serial number

Now reboot Reporter.  First run command exit to exit out of SSL.  Now run command restart to reboot Reporter certificate.

Once the certificate is created without error and Reporter has been rebooted, you should be able to login to Reporter.

-