Introduction:
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. This article looks at NSX-T TLSv1.1 disablement using cURL, leaving Web clients to connect to the NSX-T Manager Web UI via TLSv1.2.
Questions around NSX-T TLSv1.1 disablement have come in from some VMware customers looking at PCI compliance.
30 June 2018 was the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding payment data.
By default, NSX-T Manager supports TLSv1.1 and TLSv1.2.
Disabling TLSv1.1 cannot be done from the NSX GUI; the change must be made via a REST API call.
Two common ways to make NSX-T REST API calls are a REST API client such as Postman, or cURL from the NSX-T Manager CLI.
We will use this as an opportunity to look at how a JSON-formatted data file can be used to implement a REST API change.
The NSX-T REST API
The NSX-T Data Center REST API Guide can be found at VMware {code}.
NSX-T TLSv1.1 disablement uses the same syntax across NSX-T 2.4 and 2.5, via the api-service resource. The two available api-service methods are GET and PUT. Notice that for this service there is no POST or PATCH method.
GET https:///api/v1/cluster/api-service
PUT https:///api/v1/cluster/api-service
cURL command options used in this article
cURL is a command-line tool for transferring data specified with URL syntax. Here are the cURL command-line options used in this article, pulled from the official cURL man page.
| Command-line Option | Option Description |
|---|---|
| -k | (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure. My lab uses an NSX-T Manager self-signed cert, so this option is required. |
| -u | <user:password> If you simply specify the user name, curl will prompt for a password. Use "\" to correctly process special characters in the username or password. In my case, the admin username and password are admin:VMware1\!VMware1\! |
| -H | Header(s) to include in the request. For NSX-T Manager the required header is "Content-Type: application/json". |
| -X | Specifies a custom request method to use when communicating with the HTTP server. We will use the GET and PUT methods. |
| -o | Write output to <file> instead of stdout. In this article we will use -o api-service.json to create the data file named api-service.json. |
| -d | Sends the specified data in a POST request to the HTTP server. If you start the data with the letter @, the rest should be a file name to read the data from. In this article, we will use -d@api-service.json to specify the data file named api-service.json. |
We will break NSX-T TLSv1.1 disablement using cURL into four steps.
Step 1: Using cURL to read the NSX-T API service properties
We will use the NSX-T Manager REST API to look at the supported TLS protocol versions, along with supported key exchange methods and ciphers.
```
root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X GET "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service"
{
  "cipher_suites": [
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA" }
  ],
  "client_api_concurrency_limit": 40,
  "client_api_rate_limit": 100,
  "connection_timeout": 30,
  "global_api_concurrency_limit": 199,
  "lockout_immune_addresses": [],
  "protocol_versions": [
    { "enabled": true, "name": "TLSv1.1" },    <--- TLSv1.1 is enabled by default
    { "enabled": true, "name": "TLSv1.2" }     <--- TLSv1.2 is enabled by default
  ],
  "redirect_host": "",
  "session_timeout": 1800
}
root@nsxtmgr02:~#
```
Step 2: Using cURL to collect the NSX-T API service properties into a data file
Since there is no PATCH method for /api/v1/cluster/api-service, we don't have the option to change just protocol_versions: the PUT replaces the whole resource and also expects cipher_suites to be defined.
To simplify this change, we will collect the existing setup in a JSON-formatted data file, which we can then edit and use as the source for a PUT.
Let's collect the results of the GET into a file, in this case api-service.json:
```
root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X GET "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service" -o api-service.json
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1430  100  1430    0     0    170      0  0:00:08  0:00:08 --:--:--   385
```
Notice that the file api-service.json has been created:
```
root@nsxtmgr01:~# ls *.json
api-service.json
```
Notice that the file api-service.json contains the results of the GET, and has captured all the API service properties:
```
root@nsxtmgr01:~# cat api-service.json
{
  "cipher_suites": [
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA" }
  ],
  "client_api_concurrency_limit": 40,
  "client_api_rate_limit": 100,
  "connection_timeout": 30,
  "global_api_concurrency_limit": 199,
  "lockout_immune_addresses": [],
  "protocol_versions": [
    { "enabled": true, "name": "TLSv1.1" },
    { "enabled": true, "name": "TLSv1.2" }
  ],
  "redirect_host": "",
  "session_timeout": 1800
}
```
Step 3: Edit the data file to set the TLSv1.1 parameter to false
Use a text editor, such as vi, to change the TLSv1.1 entry from true to false:
```
root@nsxtmgr01:~# vi api-service.json
... portion of file omitted here
  "protocol_versions": [
    {
      "enabled": false,     <-- vi has been used to change this from true to false
      "name": "TLSv1.1"
    },
    {
      "enabled": true,
      "name": "TLSv1.2"
    }
  ]
... portion of file omitted here
```
Step 4: Apply the data file changes to disable TLSv1.1
```
root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X PUT "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service" -d@api-service.json
{
  "cipher_suites": [
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { "enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { "enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA" }
  ],
  "client_api_concurrency_limit": 40,
  "client_api_rate_limit": 100,
  "connection_timeout": 30,
  "global_api_concurrency_limit": 199,
  "lockout_immune_addresses": [],
  "protocol_versions": [
    { "enabled": false, "name": "TLSv1.1" },   <--- OK good, TLSv1.1 has been disabled
    { "enabled": true, "name": "TLSv1.2" }
  ],
  "redirect_host": "",
  "session_timeout": 1800
}
```
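The four cURL steps above (GET, save, edit, PUT) as one script. This is an added example, not code from the article or from VMware: it uses only the Python standard library, toggles the protocol entry programmatically instead of editing the file in vi, and refuses to PUT a body that would leave no protocol version or cipher suite enabled, since the PUT replaces the whole resource and a body like that would cut off management access to the API itself. The host name, credentials and `cafile` are placeholders; passing the Manager's certificate or CA bundle as `cafile` is the equivalent of cURL's `--cacert` and avoids the `-k` used in the article. The embedded `SAMPLE_API_SERVICE` is a constructed, abbreviated copy of the GET response shape shown above.

```python
"""Disable a TLS protocol version on NSX-T Manager via /api/v1/cluster/api-service.

Added example, not from the original article. Mirrors its four cURL steps
(GET -> edit -> PUT) with the Python standard library and a sanity check before
the PUT. Host, credentials and cafile are placeholders.
"""
import base64
import copy
import getpass
import json
import ssl
import urllib.request

API_SERVICE_PATH = "/api/v1/cluster/api-service"

# Constructed sample: an abbreviated copy of the GET response shape from the article.
SAMPLE_API_SERVICE = {
    "cipher_suites": [
        {"enabled": True, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
        {"enabled": True, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    ],
    "client_api_concurrency_limit": 40,
    "client_api_rate_limit": 100,
    "connection_timeout": 30,
    "global_api_concurrency_limit": 199,
    "lockout_immune_addresses": [],
    "protocol_versions": [
        {"enabled": True, "name": "TLSv1.1"},
        {"enabled": True, "name": "TLSv1.2"},
    ],
    "redirect_host": "",
    "session_timeout": 1800,
}


def set_protocol_enabled(doc, name, enabled):
    """Return a copy of the api-service document with protocol `name` toggled.

    The programmatic equivalent of Step 3 (editing api-service.json in vi). An
    unknown protocol name is an error rather than a silent no-op.
    """
    new_doc = copy.deepcopy(doc)
    matches = [p for p in new_doc["protocol_versions"] if p["name"] == name]
    if not matches:
        raise KeyError(f"protocol version {name!r} not present in api-service document")
    for p in matches:
        p["enabled"] = enabled
    return new_doc


def check_safe_to_put(doc):
    """Sanity checks before the PUT. Because PUT replaces the whole resource, a
    body with no enabled protocol or no enabled cipher suite would lock you out
    of the API, including the call needed to undo the change."""
    enabled_protocols = [p["name"] for p in doc["protocol_versions"] if p["enabled"]]
    enabled_suites = [c["name"] for c in doc["cipher_suites"] if c["enabled"]]
    if not enabled_protocols:
        raise ValueError("refusing PUT: no TLS protocol version would remain enabled")
    if not enabled_suites:
        raise ValueError("refusing PUT: no cipher suite would remain enabled")
    return enabled_protocols


def _request(method, host, user, password, body=None, cafile=None):
    """Issue one authenticated JSON request and return the decoded response body.

    cafile=None reproduces cURL's -k (no certificate verification); passing the
    Manager's certificate or CA bundle (cURL's --cacert) is the better option."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{host}{API_SERVICE_PATH}", data=data, method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def disable_tlsv11(host, user, password, cafile=None):
    """Steps 1-4 end to end: GET the current document, switch TLSv1.1 off,
    sanity-check, PUT, and report the protocol state the Manager returned."""
    current = _request("GET", host, user, password, cafile=cafile)
    desired = set_protocol_enabled(current, "TLSv1.1", False)
    check_safe_to_put(desired)
    result = _request("PUT", host, user, password, body=desired, cafile=cafile)
    return {p["name"]: p["enabled"] for p in result["protocol_versions"]}


if __name__ == "__main__":
    # Placeholders: replace with your Manager's FQDN and CA bundle. The password is
    # prompted for so it does not end up in shell history as it does with -u on the CLI.
    pw = getpass.getpass("NSX-T admin password: ")
    print(disable_tlsv11("nsxtmgr.example.invalid", "admin", pw, cafile=None))
```

Run it from an admin workstation; `disable_tlsv11` returns a mapping such as `{"TLSv1.1": False, "TLSv1.2": True}` when the PUT succeeds, which is the same check the article makes by reading the PUT response.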
Verifying Web Client access is now via TLSv1.2
We can look at the Web client connection method using Chrome’s Developer Tools:
Notice that the connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).
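A scripted equivalent of the Developer Tools check, which also covers the case the browser cannot show you: whether the Manager still accepts TLSv1.1 (or TLSv1.0) from a client that asks for it. This is an added example, not code from the article or from VMware. `probe_version` pins a client context to exactly one protocol version and records whether the handshake completes; `assess` turns the results into findings in the PCI DSS terms the article uses (early TLS off, TLS 1.2 or higher on). Host and port are placeholders. One caveat handled in the code: OpenSSL 3 refuses TLS 1.0/1.1 on the client side at its default security level, so the probe lowers the level, otherwise a "refused" result could be the client's decision rather than the server's.

```python
"""Probe which TLS protocol versions a server accepts and assess the result.

Added example, not from the original article. Host and port are placeholders.
"""
import socket
import ssl

# Protocol names as the article and PCI DSS guidance use them, mapped to ssl's enum.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def context_for(version):
    """Client context that will negotiate exactly `version` and nothing else."""
    # Certificate checking is irrelevant for a version probe; the only question is
    # whether the server completes a handshake at this version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 disallows TLS 1.0/1.1 at its default security level (1). Lower it so
    # that a failed handshake reflects the server's policy, not the client's.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # e.g. LibreSSL builds without security levels
    return ctx


def probe_version(host, port, name, timeout=5.0):
    """True if the server completes a handshake at `name`, False if it rejects it.
    Network errors other than a TLS rejection propagate to the caller."""
    ctx = context_for(PROBE_VERSIONS[name])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # min == max, so the negotiated version is `name`
    except (ssl.SSLError, ConnectionResetError):
        return False


def probe_all(host, port=443):
    """Probe every version in PROBE_VERSIONS; returns {name: accepted}."""
    return {name: probe_version(host, port, name) for name in PROBE_VERSIONS}


def assess(results):
    """Map probe results to findings: SSL/early TLS (1.0, 1.1) must be off and
    TLS 1.2 or 1.3 must be on. An empty list means nothing to report."""
    findings = []
    for name in ("TLSv1.0", "TLSv1.1"):
        if results.get(name):
            findings.append(f"{name} still accepted; early TLS must be disabled")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("neither TLSv1.2 nor TLSv1.3 accepted; clients cannot connect securely")
    return findings


if __name__ == "__main__":
    # Placeholder host; run against the NSX-T Manager FQDN after the PUT in Step 4.
    results = probe_all("nsxtmgr.example.invalid")
    for name, accepted in results.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    print("findings:", assess(results) or "none")
```

After the PUT in Step 4, the expected output is TLSv1.1 refused and TLSv1.2 accepted with no findings. The CLI equivalent for a single version is `openssl s_client -connect <manager>:443 -tls1_1`, which should now fail with a protocol version alert.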
In summary, I'm hoping that you're now more comfortable with using cURL and a JSON-formatted data file to implement REST API changes on NSX-T Manager.