You can modify the API service properties of the NSX Manager cluster, such as TLS protocol version, cipher suites, and so on.

The supported ciphers for TLSv1.1 are:
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
The supported ciphers for TLSv1.2 are:
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
The supported ciphers for TLSv1.3 are:
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

The following procedure explains the workflow of running the NSX API service calls to disable the TLS 1.1 protocol, and to enable or disable the cipher suites in the API service configuration.

For detailed information about the API schema, example requests, example responses, and error messages of the NSX API service, read the NSX API Guide.

Procedure

  1. Run the following GET API to read the configuration of the NSX API service:
    GET https://<NSX-Manager-IP>/api/v1/cluster/api-service
    The API response contains the list of cipher suites and TLS protocols.
  2. Disable the TLS 1.1 protocol.
    1. Set TLSv1.1 to enabled = false.
    2. Run the following PUT API to send the changes to the NSX API server:
      PUT https://<NSX-Manager-IP>/api/v1/cluster/api-service
  3. Enable or disable the cipher suites.
    1. Set one or more cipher names to enabled = false or enabled = true depending on your requirement.
    2. Run the following PUT API to send the changes to the NSX API server:
      PUT https://<NSX-Manager-IP>/api/v1/cluster/api-service

Results

The API service on each NSX Manager node restarts after it is updated using the API. There might be a delay of up to a minute between the time the API call completes and when the new configuration comes into effect. The changes in the API service configuration are applied to all the nodes in the NSX Manager cluster.
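
The procedure above as a script. This is an added example, not taken from the NSX documentation: it plans the edit offline, rejects names that are not in the current configuration, and refuses a request body that would leave no protocol or no cipher suite enabled. The JSON field names (protocol_versions, cipher_suites, name, enabled), the function names, and the sample response are assumptions; confirm the schema in the NSX API Guide.

```python
import copy
import json
import urllib.request

def set_enabled(entries, names, enabled):
    """Flip 'enabled' on the named entries; return the names actually changed."""
    changed = [e["name"] for e in entries if e["name"] in names and e["enabled"] != enabled]
    for e in entries:
        if e["name"] in changed:
            e["enabled"] = enabled
    return changed

def plan_update(config, disable_protocols=(), disable_ciphers=(), enable_ciphers=()):
    """Return (new_config, changes); the input dict is left untouched."""
    new = copy.deepcopy(config)
    protos, ciphers = new["protocol_versions"], new["cipher_suites"]  # assumed field names
    known = {e["name"] for e in protos + ciphers}
    unknown = {*disable_protocols, *disable_ciphers, *enable_ciphers} - known
    if unknown:  # a typo would otherwise be a silent no-op
        raise ValueError(f"not in current configuration: {sorted(unknown)}")
    changes = set_enabled(protos, set(disable_protocols), False)
    changes += set_enabled(ciphers, set(disable_ciphers), False)
    changes += set_enabled(ciphers, set(enable_ciphers), True)
    # Refuse a body that leaves the API service nothing to negotiate.
    if not any(p["enabled"] for p in protos) or not any(c["enabled"] for c in ciphers):
        raise ValueError("change would disable every protocol or every cipher suite")
    return new, changes

def apply_update(base_url, headers, **plan):
    """Step 1: GET the live config. Steps 2-3: edit it and PUT the whole object back."""
    url = base_url + "/api/v1/cluster/api-service"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp)
    new, changes = plan_update(current, **plan)
    if changes:  # skip the PUT (and the service restart) when nothing differs
        put = urllib.request.Request(url, data=json.dumps(new).encode(), method="PUT",
                                     headers={**headers, "Content-Type": "application/json"})
        urllib.request.urlopen(put).close()
    return changes

# Constructed sample response, trimmed to the fields this example edits.
SAMPLE = {
    "protocol_versions": [{"name": "TLSv1.1", "enabled": True},
                          {"name": "TLSv1.2", "enabled": True},
                          {"name": "TLSv1.3", "enabled": True}],
    "cipher_suites": [{"name": "TLS_RSA_WITH_AES_128_CBC_SHA", "enabled": True},
                      {"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "enabled": True},
                      {"name": "TLS_AES_256_GCM_SHA384", "enabled": True}],
}
```

apply_update expects base_url in the form https://<NSX-Manager-IP> and a headers dict that already carries your authentication; both are left to the caller. Because the whole GET response is sent back, fields this example does not edit are carried through unchanged.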