Introduction:
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. This article looks at NSX-T TLSv1.1 disablement using cURL, leaving Web clients to connect to the NSX-T Manager Web UI via TLSv1.2.
Questions around NSX-T TLSv1.1 disablement have come in from some VMware customers looking at PCI compliance.
30 June 2018 was the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding payment data.
By default, NSX-T Manager supports TLSv1.1 and TLSv1.2.
Disabling TLSv1.1 cannot be performed via the NSX GUI, this change needs to be performed via a REST API call
Two common methods to perform NSX-T REST API calls are through a REST API Client like Postman, of from the NSX-T Manager CLI using cURL
We will use this as an opportunity to take a look at how a json formatted data file can be used to implement a REST API change
The NSX-T REST API
The NSX-T Data Center REST API Guide can be found at VMware {code}.
NSX-T TLSv1.1 disablement is performed with syntax the same across NSX-T 2.4 and 2.5 versions, via the api-service. The two available api-service methods are GET and PUT. Notice that for this service there is no POST or PATCH method.
GET https:///api/v1/cluster/api-service PUT https:///api/v1/cluster/api-service
cURL command options used in this article
cURL is a command-line tool for transferring data specified with URL syntax. Here are the cURL command-line options used in this article, pulled from the official cURL man page.
| Command-line Option | Option Description |
| -k | (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure. My lab uses an NSX-T Mangaer self-signed cert, so this option is required. |
| -u | <user:password> If you simply specify the user name, curl will prompt for a password. Use “\” to correctly process special characters in the username or password, In my case, the admin username and password are admin:VMware\1!VMware1\! |
| -H | Header(s) to include the request, for NSX-T Mangaer the required header is “Content-Type: application/json” |
| -X | Specifies a custom request method to use when communicating with the HTTP server. We will use GET and PUT methods. |
| -o | Write output to <file> instead of stdout. In this article we will use -o api-service.json to create the data file named api-service.json |
| -d | Sends the specified data in a POST request to the HTTP server. If you start the data with the letter @, the rest should be a file name to read the data from. In this article, we will use -d@api-service.json to specify the data file named api-service.json |
We will break NSX-T TLSv1.1 Disablement using cURL into 4 steps.
Step 1: Using cURL to read the NSX-T API service properties
We will use the NSX-T Manager REST API to look at the supported TLS protocol versions, along with supported key exchange methods and ciphers.
root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X GET "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service"
{
"cipher_suites": [
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_GCM_SHA384"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_GCM_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_CBC_SHA"
}
],
"client_api_concurrency_limit": 40,
"client_api_rate_limit": 100,
"connection_timeout": 30,
"global_api_concurrency_limit": 199,
"lockout_immune_addresses": [],
"protocol_versions": [
{
"enabled": true,
"name": "TLSv1.1" <--- TLSv1.1 is enabled by default
},
{
"enabled": true,
"name": "TLSv1.2" <--- TLSv1.2 is enabled by default
}
],
"redirect_host": "",
"session_timeout": 1800
}root@nsxtmgr02:~#
Step 2: Using cURL to collect the NSX-T API service properties into a data file
Since there is no PATCH method for /api/v1/cluster/api-service, we don’t have the option to just change just protocol_versions, as the PUT is also expecting cipher_suites to be defined.
To simplify this change, we will collect the exiting setup in a json formatted date file, which we can then edit, and use as the source for a PUT.
Lets collect the results of the GET into a file, in this case api-service.json:
root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware\1! -H "Content-Type: application/json" -X GET "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service" -o api-service.json
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1430 100 1430 0 0 170 0 0:00:08 0:00:08 --:--:-- 385
Notice that the file api-service.json has been created:
root@nsxtmgr01:~# ls *.json
api-service.json
Notice that the file api-service.json contains the results of the GET, and has captured all the API service properties:
root@nsxtmgr01:~# cat api-service.json
{
"cipher_suites": [
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_GCM_SHA384"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_GCM_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_CBC_SHA"
}
],
"client_api_concurrency_limit": 40,
"client_api_rate_limit": 100,
"connection_timeout": 30,
"global_api_concurrency_limit": 199,
"lockout_immune_addresses": [],
"protocol_versions": [
{
"enabled": false,
"name": "TLSv1.1"
},
{
"enabled": true,
"name": "TLSv1.2"
}
],
"redirect_host": "",
"session_timeout": 1800
}
Step 3: Edit the data file to set the TLSv1.1 parameter to false
Use a text editor, such as vi to change TLSv1.1 from true to false:
root@nsxtmgr01:~# vi api-service.json
... portion of file omitted here
"protocol_versions": [
{
"enabled": false, <-- vi editior has been used to change this from true to false
"name": "TLSv1.1"
},
{
"enabled": true,
"name": "TLSv1.2"
}
]
... portion of file omitted here
Step 4: Apply the data file changes to disable TLSv1.1
root@nsxtmgr01:~# curl -k -u admin:VMware1!VMware1! -H "Content-Type: application/json" -X PUT "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service" -d@api-service.json
{
"cipher_suites": [
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_GCM_SHA384"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_GCM_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_256_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_CBC_SHA256"
},
{
"enabled": true,
"name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
},
{
"enabled": true,
"name": "TLS_RSA_WITH_AES_128_CBC_SHA"
}
],
"client_api_concurrency_limit": 40,
"client_api_rate_limit": 100,
"connection_timeout": 30,
"global_api_concurrency_limit": 199,
"lockout_immune_addresses": [],
"protocol_versions": [
{
"enabled": false, <--- OK good, TLSv1.1 has been disabled
"name": "TLSv1.1"
},
{
"enabled": true,
"name": "TLSv1.2"
}
],
"redirect_host": "",
"session_timeout": 1800
}
Verifying Web Client access is now via TLSv1.2
We can look at the Web client connection method using Chrome’s Developer Tools:
Notice that the connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).
In summary, I’m hoping that you’re now more comfortable with using cURL and a json formatted data file to implement REST API changes on NSX-T Manager.
