NSX-T TLSv1.1 Disablement using cURL

Introduction:

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. This article looks at NSX-T TLSv1.1 disablement using cURL, leaving Web clients to connect to the NSX-T Manager Web UI via TLSv1.2.

Questions around NSX-T TLSv1.1 disablement have come in from some VMware customers looking at PCI compliance.

30 June 2018 was the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding payment data.

By default, NSX-T Manager supports TLSv1.1 and TLSv1.2.

Disabling TLSv1.1 cannot be performed via the NSX GUI; this change needs to be made via a REST API call.

Two common methods to perform NSX-T REST API calls are through a REST API client like Postman, or from the NSX-T Manager CLI using cURL.

We will use this as an opportunity to look at how a json formatted data file can be used to implement a REST API change.

The NSX-T REST API

The NSX-T Data Center REST API Guide can be found at VMware {code}.

NSX-T TLSv1.1 disablement uses the same syntax across NSX-T 2.4 and 2.5, via the api-service resource. The two available api-service methods are GET and PUT. Notice that for this resource there is no POST or PATCH method.

GET https:///api/v1/cluster/api-service
PUT https:///api/v1/cluster/api-service

cURL command options used in this article

cURL is a command-line tool for transferring data specified with URL syntax. Here are the cURL command-line options used in this article, pulled from the official cURL man page.

Command-line option    Option description

-k    (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure. My lab uses an NSX-T Manager self-signed cert, so this option is required. Note that -k turns off certificate verification for the curl session itself, so outside a lab the better choice is to trust the manager's certificate explicitly with --cacert instead.
-u    <user:password> If you simply specify the user name, curl will prompt for a password. Use “\” to correctly process special characters in the username or password. In my case, the admin username and password are admin:VMware1\!VMware1\!
-H    Header(s) to include in the request. For NSX-T Manager the required header is “Content-Type: application/json”.
-X    Specifies a custom request method to use when communicating with the HTTP server. We will use the GET and PUT methods.
-o    Write output to <file> instead of stdout. In this article we will use -o api-service.json to create the data file named api-service.json.
-d    Sends the specified data in a POST request to the HTTP server (combined with -X PUT, the data becomes the body of the PUT). If you start the data with the letter @, the rest should be a file name to read the data from. In this article, we will use -d@api-service.json to specify the data file named api-service.json.

We will break NSX-T TLSv1.1 Disablement using cURL into 4 steps.

Step 1: Using cURL to read the NSX-T API service properties

We will use the NSX-T Manager REST API to look at the supported TLS protocol versions, along with supported key exchange methods and ciphers.

root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X GET "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service"

 {
   "cipher_suites": [
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_CBC_SHA"
     }
   ],
   "client_api_concurrency_limit": 40,
   "client_api_rate_limit": 100,
   "connection_timeout": 30,
   "global_api_concurrency_limit": 199,
   "lockout_immune_addresses": [],
   "protocol_versions": [
     {
       "enabled": true,
       "name": "TLSv1.1"                 <--- TLSv1.1 is enabled by default
     },
     {
       "enabled": true,
       "name": "TLSv1.2"                 <--- TLSv1.2 is enabled by default
     }
   ],
   "redirect_host": "",
   "session_timeout": 1800
 }root@nsxtmgr02:~#

Step 2: Using cURL to collect the NSX-T API service properties into a data file

Since there is no PATCH method for /api/v1/cluster/api-service, we don’t have the option to change only protocol_versions: the PUT replaces the whole resource and also expects cipher_suites and the other properties to be defined.

To simplify this change, we will collect the existing setup in a json formatted data file, which we can then edit and use as the source for a PUT.

Let's collect the results of the GET into a file, in this case api-service.json:

root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X GET "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service" -o api-service.json
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  1430  100  1430    0     0    170      0  0:00:08  0:00:08 --:--:--   385


Notice that the file api-service.json has been created:

root@nsxtmgr01:~# ls *.json
 api-service.json


Notice that the file api-service.json contains the results of the GET, and has captured all the API service properties:

root@nsxtmgr01:~# cat api-service.json
 {
   "cipher_suites": [
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_CBC_SHA"
     }
   ],
   "client_api_concurrency_limit": 40,
   "client_api_rate_limit": 100,
   "connection_timeout": 30,
   "global_api_concurrency_limit": 199,
   "lockout_immune_addresses": [],
   "protocol_versions": [
     {
       "enabled": true,
       "name": "TLSv1.1"
     },
     {
       "enabled": true,
       "name": "TLSv1.2"
     }
   ],
   "redirect_host": "",
   "session_timeout": 1800
 }

Step 3: Edit the data file to set the TLSv1.1 parameter to false

Use a text editor, such as vi, to change the TLSv1.1 entry from true to false:

root@nsxtmgr01:~# vi api-service.json

... portion of file omitted here

"protocol_versions": [
     {
       "enabled": false,       <-- vi editor has been used to change this from true to false
       "name": "TLSv1.1"
     },
     {
       "enabled": true,
       "name": "TLSv1.2"
     }
   ]

... portion of file omitted here

Step 4: Apply the data file changes to disable TLSv1.1

root@nsxtmgr01:~# curl -k -u admin:VMware1\!VMware1\! -H "Content-Type: application/json" -X PUT "https://nsxtmgr.core.hypervizor.com/api/v1/cluster/api-service" -d@api-service.json
 {
   "cipher_suites": [
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_256_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"
     },
     {
       "enabled": true,
       "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
     },
     {
       "enabled": true,
       "name": "TLS_RSA_WITH_AES_128_CBC_SHA"
     }
   ],
   "client_api_concurrency_limit": 40,
   "client_api_rate_limit": 100,
   "connection_timeout": 30,
   "global_api_concurrency_limit": 199,
   "lockout_immune_addresses": [],
   "protocol_versions": [
     {
       "enabled": false,         <--- OK good, TLSv1.1 has been disabled
       "name": "TLSv1.1"
     },
     {
       "enabled": true,
       "name": "TLSv1.2"
     }
   ],
   "redirect_host": "",
   "session_timeout": 1800
 }
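As an added example (not part of the original post), here is a small Python script that does Step 3 without the manual vi edit: it takes the JSON returned by the GET, flips the TLSv1.1 entry to false while keeping every other property the PUT requires, and refuses to produce a body that would leave no protocol version enabled, since that would lock every TLS client out of the manager's API. The embedded response is a constructed sample with the same shape as the api-service output above, trimmed to two cipher suites.

```python
import json

# Constructed sample of a GET /api/v1/cluster/api-service reply, trimmed to
# two cipher suites (the real reply lists twelve; the structure is the same).
SAMPLE_API_SERVICE = """{
  "cipher_suites": [
    {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
    {"enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"}
  ],
  "protocol_versions": [
    {"enabled": true, "name": "TLSv1.1"},
    {"enabled": true, "name": "TLSv1.2"}
  ],
  "session_timeout": 1800
}"""
SAMPLE_DOC = json.loads(SAMPLE_API_SERVICE)

def disable_protocol(doc, name):
    """Copy of the api-service document with protocol `name` disabled.

    PUT replaces the whole resource, so cipher_suites and the rest are
    kept. Refuses a body with no protocol enabled: that would lock every
    TLS client, including this one, out of the API.
    """
    new = json.loads(json.dumps(doc))  # deep copy; caller's dict untouched
    versions = new["protocol_versions"]
    if not any(v["name"] == name for v in versions):
        raise KeyError(f"{name} is not listed in protocol_versions")
    for v in versions:
        if v["name"] == name:
            v["enabled"] = False
    if not any(v["enabled"] for v in versions):
        raise ValueError("refusing to disable every TLS protocol version")
    return new

def enabled_protocols(raw_json):
    """Protocol version names that a GET/PUT response says are enabled."""
    doc = json.loads(raw_json)
    return sorted(v["name"] for v in doc["protocol_versions"] if v["enabled"])

def build_put_body(raw_json, name="TLSv1.1"):
    """Turn raw GET response text into the JSON text curl -d@file will send."""
    return json.dumps(disable_protocol(json.loads(raw_json), name), indent=2)

if __name__ == "__main__":
    # Rewrite api-service.json in place instead of editing it with vi (Step 3).
    with open("api-service.json") as f:
        body = build_put_body(f.read())
    with open("api-service.json", "w") as f:
        f.write(body)
```

Run it in the directory holding api-service.json from Step 2, then issue the same PUT as in Step 4; the GET afterwards should list only TLSv1.2 as enabled.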

Verifying Web Client access is now via TLSv1.2

We can look at the Web client connection method using Chrome’s Developer Tools:


Notice that the connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).


In summary, I’m hoping that you’re now more comfortable with using cURL and a json formatted data file to implement REST API changes on NSX-T Manager.
