The LDAP connection status is in Failed state after upgrade to 4.2.2.1. LDAP functionality does not appear to be impacted.


Article ID: 416122

Products

VMware NSX

Issue/Introduction

  • After upgrade of NSX to 4.2.x, LDAP probe is in failed state in the NSX UI with "An undetermined error occurred."

  • LDAP services are working as expected
  • Running the API call to check the LDAP probe returns a "GENERAL_ERROR"


Environment

VMware NSX 4.2 and above

Cause

  • There are two processes involved:
        1. Proton - the primary service responsible for hosting the majority of APIs.
        2. Reverse-proxy - responsible for the actual authentication processing (authN).
  • Proton is responsible for maintaining the LDAP configuration in the database. It then passes those values to reverse-proxy on disk.
  • A change was made to the allowed cipher suites for proton services specifically. This change significantly reduced the number of permitted cipher suites; many of the less secure suites (the RSA key-exchange and CBC-mode suites) are no longer supported. Because the LDAP probe is run by proton while the actual authentication is handled by reverse-proxy, an LDAP server that only offers the removed suites fails the probe even though logins keep working. See below for a comparison of the cipher suites allowed in 4.2.2.1 vs. 3.2.1.2:
      • 4.2.2.1 proton-tomcat-wrapper.conf:
        wrapper.java.additional.50=-Djdk.tls.client.cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256

      • 3.2.1.2 proton-tomcat-wrapper.conf:
        wrapper.java.additional.50=-Djdk.tls.client.cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
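The following Python script is an added example (not VMware/Broadcom code) that turns the comparison above into a check an administrator can run offline: it parses the `-Djdk.tls.client.cipherSuites` option out of the two `proton-tomcat-wrapper.conf` lines quoted above, lists which suites 4.2.2.1 dropped, and tests whether a given LDAP server's offered suites (in IANA/Java naming, e.g. copied from `nmap --script ssl-enum-ciphers` output) overlap with what proton may now negotiate. The two sample LDAP server cipher lists are constructed for illustration; the function and variable names are the example's own.

```python
"""Check an LDAP server's TLS cipher suites against the suites NSX proton is
allowed to use. Example code added to this article, not VMware/Broadcom code.
The two wrapper.conf lines are quoted from the article; the LDAP server
cipher lists further down are constructed samples."""
import re

# proton-tomcat-wrapper.conf lines quoted from the article.
WRAPPER_CONF_4221 = (
    "wrapper.java.additional.50=-Djdk.tls.client.cipherSuites="
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"
)
WRAPPER_CONF_3212 = (
    "wrapper.java.additional.50=-Djdk.tls.client.cipherSuites="
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
)

# Matches the JVM option and captures the comma-separated suite list.
_CIPHER_OPTION_RE = re.compile(r"-Djdk\.tls\.client\.cipherSuites=([A-Z0-9_,]+)")


def parse_client_cipher_suites(conf_text: str) -> list[str]:
    """Return the suites named in -Djdk.tls.client.cipherSuites, in the
    order proton prefers them. Accepts a single line or a whole conf file;
    the first matching occurrence wins. Returns [] if the option is absent."""
    match = _CIPHER_OPTION_RE.search(conf_text)
    if not match:
        return []
    return [suite for suite in match.group(1).split(",") if suite]


def suites_dropped(old_conf: str, new_conf: str) -> list[str]:
    """Suites permitted by old_conf that new_conf no longer lists."""
    new_suites = set(parse_client_cipher_suites(new_conf))
    return [s for s in parse_client_cipher_suites(old_conf) if s not in new_suites]


def normalize_suite(raw: str) -> str:
    """Extract an IANA-style suite name from a line such as the nmap
    ssl-enum-ciphers output '|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A'.
    Returns '' when the line holds no suite name."""
    match = re.search(r"TLS_[A-Z0-9_]+", raw.strip().upper())
    return match.group(0) if match else ""


def compatible_suites(server_suites: list[str], allowed_conf: str) -> list[str]:
    """Suites both offered by the LDAP server and permitted by proton,
    in proton's preference order."""
    offered = {normalize_suite(s) for s in server_suites}
    offered.discard("")
    return [s for s in parse_client_cipher_suites(allowed_conf) if s in offered]


def probe_would_succeed(server_suites: list[str], allowed_conf: str) -> bool:
    """True if proton has at least one suite in common with the LDAP server,
    i.e. the TLS handshake behind the LDAP probe can complete."""
    return bool(compatible_suites(server_suites, allowed_conf))


# Constructed sample: a directory server limited to TLS 1.2 CBC/RSA suites.
SAMPLE_LEGACY_LDAP_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Constructed sample: a server that also offers TLS 1.3 and ECDHE GCM suites.
SAMPLE_MODERN_LDAP_SERVER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

if __name__ == "__main__":
    print("Suites removed in 4.2.2.1:")
    for suite in suites_dropped(WRAPPER_CONF_3212, WRAPPER_CONF_4221):
        print("  -", suite)
    for label, suites in (("legacy", SAMPLE_LEGACY_LDAP_SERVER),
                          ("modern", SAMPLE_MODERN_LDAP_SERVER)):
        common = compatible_suites(suites, WRAPPER_CONF_4221)
        print(f"{label} LDAP server vs 4.2.2.1: probe "
              f"{'OK' if common else 'FAILS'}; common suites: {common}")
```

To use it against a real directory server, paste the suite lines reported by a TLS scanner for the LDAPS port into a list in place of the constructed samples; an empty intersection with `WRAPPER_CONF_4221` reproduces the failed probe described above, and the 3.2.1.2 list shows why the same server passed before the upgrade.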

Resolution

  • It is STRONGLY recommended that the LDAP server TLS version be upgraded to 1.3 with a cipher suite supported by NSX.
  • If you are unable to upgrade your LDAP server TLS version, please open a case with Broadcom support via the Broadcom portal.

*For assistance with opening a case with our support team, please see: Creating and managing Broadcom support request (SR) cases

Additional Information

Disable/Enable NSX-T Manager Ciphers or TLS Settings