By default, NSX Manager has TLS 1.0, 1.1, and 1.2 enabled on the server side. On the client side, only TLS 1.0 is enabled.
Note: With the NSX for vSphere 6.2.4 release, the NSX Manager supports TLSv1.0, TLSv1.1, and TLSv1.2.
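To disable TLS 1.0 on NSX Manager, use the following REST API calls. The GET call returns the current TLS settings, and the POST call applies the new settings.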
Method: GET
URL: https://nsxmgr_ip/api/1.0/appliance-management/system/tlssettings
Body:
<?xml version="1.0" encoding="UTF-8"?>
<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>
Method: POST
URL: https://nsxmgr_ip/api/1.0/appliance-management/system/tlssettings
Body:
<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>
Note: Valid values for protocols are TLSv1, TLSv1.1, and TLSv1.2. Protocols are supplied as a comma-separated list of protocol versions.
Examples:
- To disable TLS 1.0 and enable TLSv1.1 and TLSv1.2 on both server and client:
<tlsSettings>
<serverEnabledProtocols>TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>
- To enable protocols TLSv1.1 and TLSv1.2:
protocols="TLSv1.1,TLSv1.2"
- To enable protocols TLSv1.0, TLSv1.1 and TLSv1.2:
protocols="TLSv1,TLSv1.1,TLSv1.2"
Note: Restart the NSX Manager for the changes to take effect.
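The GET-then-POST procedure above, as an added example (not VMware's own code): it parses a tlsSettings response, removes TLSv1 from both the server and client lists, and builds the POST body. The function names and the sample response are assumptions constructed for illustration; sending the request to NSX Manager is left out.

```python
import xml.etree.ElementTree as ET

# Valid protocol values, as listed in the note on this page.
VALID = ("TLSv1", "TLSv1.1", "TLSv1.2")
FIELDS = ("serverEnabledProtocols", "clientEnabledProtocols")

# Constructed sample GET response: the defaults described at the top of this page.
SAMPLE_GET = """<?xml version="1.0" encoding="UTF-8"?>
<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1</clientEnabledProtocols>
</tlsSettings>"""

def parse_tls_settings(xml_text):
    """Return {field: [protocols]} from a tlsSettings document."""
    root = ET.fromstring(xml_text)
    if root.tag != "tlsSettings":
        raise ValueError("unexpected root element: " + root.tag)
    settings = {}
    for field in FIELDS:
        raw = root.findtext(field, default="")
        protocols = [p.strip() for p in raw.split(",") if p.strip()]
        unknown = [p for p in protocols if p not in VALID]
        if unknown:  # reject anything outside the documented values
            raise ValueError(f"{field}: invalid protocol(s) {unknown}")
        settings[field] = protocols
    return settings

def disable_protocol(settings, disable="TLSv1", ensure=("TLSv1.1", "TLSv1.2")):
    """Drop `disable` and make sure every protocol in `ensure` is enabled."""
    hardened = {}
    for field in FIELDS:
        wanted = (set(settings[field]) | set(ensure)) - {disable}
        hardened[field] = [p for p in VALID if p in wanted]  # stable order
    return hardened

def build_post_body(settings):
    """Serialize settings as the tlsSettings body for the POST call."""
    root = ET.Element("tlsSettings")
    for field in FIELDS:
        if not settings[field]:  # an empty list would disable every protocol
            raise ValueError(f"{field}: refusing to send an empty protocol list")
        ET.SubElement(root, field).text = ",".join(settings[field])
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_post_body(disable_protocol(parse_tls_settings(SAMPLE_GET))))
```

With the default client setting (TLSv1 only), removing TLSv1 without enabling anything else would leave the client list empty, which is why build_post_body rejects empty lists.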