The following diagram depicts all node-to-node communication paths in NSX-T, how the paths are secured and authenticated, and the storage location for the credentials used to establish mutual authentication.
Arrows indicate which agent initiates communication. By default, all certificates are self-signed. The northbound API certificate and private key can be replaced.
The following internal daemons communicate over the loopback interface or UNIX domain sockets:
KVM: MPA, netcpa, nsx-agent, OVS
ESX: netcpa, ESX-DP (in the kernel)
In the RMQ user database (db), passwords are hashed with a non-reversible hash function. In the diagram, h(p1) denotes the hash of password p1.
Colored squares with a lock icon in the upper-right corner indicate private keys. Squares without lock icons are public keys.