How to disable Transport Layer Security (TLS) 1.0 on NSX Manager


Article ID: 339088


Products

VMware NSX Networking

Issue/Introduction

This article provides information to disable Transport Layer Security (TLS) 1.0 on NSX Manager in NSX for vSphere 6.2.4.

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Resolution

By default, NSX Manager has TLS 1.0, 1.1, and 1.2 enabled on the server side. On the client side, only TLS 1.0 is enabled.

Note: With the NSX for vSphere 6.2.4 release, the NSX Manager supports TLSv1.0, TLSv1.1, and TLSv1.2.

To disable TLS 1.0 on NSX Manager, use this REST API call:
 
Method: GET
 
URL: https://nsxmgr_ip/api/1.0/appliance-management/system/tlssettings
 
Body:

<?xml version="1.0" encoding="UTF-8"?>
<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>


Method: POST

URL: https://nsxmgr_ip/api/1.0/appliance-management/system/tlssettings
 
Body:
 

<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>


Note: Valid values for protocols are TLSv1, TLSv1.1, and TLSv1.2. Protocols are supplied as a comma-separated (,) list of protocol versions.

Examples:

  • To disable TLS 1.0 and enable TLSv1.1 and TLSv1.2 on both server and client:

    <tlsSettings>
    <serverEnabledProtocols>TLSv1.1,TLSv1.2</serverEnabledProtocols>
    <clientEnabledProtocols>TLSv1.1,TLSv1.2</clientEnabledProtocols>
    </tlsSettings>

     
  • To enable protocols TLSv1.1 and TLSv1.2:

    protocols="TLSv1.1,TLSv1.2"
     
  • To enable protocols TLSv1.0, TLSv1.1 and TLSv1.2:

    protocols="TLSv1,TLSv1.1,TLSv1.2"

Note: Restart the NSX Manager for the changes to take effect.
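The following Python sketch is an added example, not VMware's code: it parses a tlsSettings body in the format shown above, removes TLSv1 from both sides, validates the result against the valid values in the note, and prepares the POST without sending it. The host name, credentials, HTTP Basic authentication, the XML content type, and the fallback to TLSv1.1,TLSv1.2 for a side that would otherwise be empty are assumptions.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

VALID = ("TLSv1", "TLSv1.1", "TLSv1.2")  # valid values listed in the article
PATH = "/api/1.0/appliance-management/system/tlssettings"  # path from the article

# Constructed sample body reflecting the defaults the article describes
# (server: all three versions, client: TLS 1.0 only).
SAMPLE_GET_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1</clientEnabledProtocols>
</tlsSettings>"""

def parse_tls_settings(xml_text):
    """Return {'server': [...], 'client': [...]} from a tlsSettings document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    out = {}
    for side in ("server", "client"):
        text = root.findtext(side + "EnabledProtocols") or ""
        out[side] = [p.strip() for p in text.split(",") if p.strip()]
    return out

def without_tls10(current):
    """Drop TLSv1 per side; an emptied side falls back to TLSv1.1,TLSv1.2 (assumption)."""
    return {side: [p for p in protos if p != "TLSv1"] or ["TLSv1.1", "TLSv1.2"]
            for side, protos in current.items()}

def build_tls_settings(server, client):
    """Build the POST body, rejecting empty lists and values outside VALID."""
    for protos in (server, client):
        if not protos or any(p not in VALID for p in protos):
            raise ValueError("invalid or empty protocol list: %r" % (protos,))
    root = ET.Element("tlsSettings")
    ET.SubElement(root, "serverEnabledProtocols").text = ",".join(server)
    ET.SubElement(root, "clientEnabledProtocols").text = ",".join(client)
    return ET.tostring(root, encoding="unicode")

def post_request(nsxmgr_ip, user, password, body):
    """Prepare (do not send) the POST; Basic auth and content type are assumptions."""
    req = urllib.request.Request("https://%s%s" % (nsxmgr_ip, PATH),
                                 data=body.encode("utf-8"), method="POST")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/xml")
    return req

if __name__ == "__main__":
    new = without_tls10(parse_tls_settings(SAMPLE_GET_BODY))
    print(build_tls_settings(new["server"], new["client"]))
```

Note that a value such as TLSv1.0 is rejected by the validation step, because the valid value for TLS 1.0 is TLSv1.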


Additional Information

Changes on Tanuki and Tomcat/TcServer Configurations:

To support changes to the server-side supported protocols, the server.xml located in /usr/app-mgmt/conf/server/xml is updated.

To support changes to the client-side supported protocols, all the Tanuki wrapper configurations are updated with the following additional Java environment variables:

https.protocols="TLSv1,TLSv1.1,TLSv1.2"
 

For more information on how to make API calls to the NSX Manager, see the Using the NSX REST API section in the VMware NSX for vSphere API Guide.
