How to Enforce SSL Cipher Priority/Preference on the NSX Manager

Article ID: 435082

Products

VMware NSX

Issue/Introduction

For strict TLS compliance, security teams often require the server to dictate the order of preferred cipher suites during the TLS handshake (similar to the Nginx directive ssl_prefer_server_ciphers on;).

Modifying the nginx.conf file directly via the root shell is strictly unsupported on the NSX Manager. This article explains how to enforce cipher priority using the officially supported REST API.

Environment

VMware NSX

Cause

VMware aims to follow industry security standards for TLS protocol versions and cipher suites, and the NSX Manager exposes its cipher configuration only through the supported API rather than through direct edits to nginx.conf.

Resolution

The NSX Manager determines cipher priority strictly based on the top-down order of the ciphers provided in the API configuration array. To change the priority, you must retrieve the configuration, rearrange the array, and push it back.

Step 1: Retrieve the current API service configuration

  • Run a GET request to pull the current list of cipher suites.
  • API Endpoint: GET https://<NSX-Manager-IP>/api/v1/cluster/api-service
  • Save the JSON output to a text editor.

Step 2: Rearrange the JSON array

  • Locate the cipher_suites array in the JSON payload.
  • To enforce preference, manually cut and paste the cipher blocks within the array so that your most preferred cipher is at the very top of the list, and the least preferred is at the bottom.
  • Ensure "enabled": true is set for the ciphers you want to use.

Step 3: Push the new configuration

  • Run a PUT request using your newly reordered JSON as the payload.
  • API Endpoint: PUT https://<NSX-Manager-IP>/api/v1/cluster/api-service
  • Header: Content-Type: application/json
  • Note: The API service will automatically restart across the cluster to apply the changes. You may experience a brief UI disconnect (up to 60 seconds).
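The three steps above as one script, added here as an example and not code from this KB or from VMware. It uses only the Python standard library and assumes basic authentication against /api/v1/cluster/api-service, the cipher_suites shape shown in the snippet below, and that every other field returned by the GET is passed back unchanged in the PUT. The reorder logic is separated into reorder_cipher_suites() so it can be tried against saved GET output before anything is pushed to the cluster; the SAMPLE_CONFIG payload is constructed for that purpose and is not real NSX output.

```python
"""Enforce NSX Manager cipher priority through the supported REST API.

Added example, not VMware/Broadcom code. Assumptions not taken from the KB:
  - basic auth with an NSX admin user is accepted by the endpoint
  - the GET payload is a JSON object whose "cipher_suites" member is a list
    of {"name": ..., "enabled": ...} objects
  - all other fields in the GET payload are sent back unchanged in the PUT
"""
import base64
import json
import os
import ssl
import urllib.request

API_PATH = "/api/v1/cluster/api-service"

# Constructed sample of what the GET could return (not real NSX output).
# "_revision" stands in for whatever extra fields the manager returns.
SAMPLE_CONFIG = {
    "cipher_suites": [
        {"name": "TLS_RSA_WITH_AES_128_CBC_SHA", "enabled": True},
        {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "enabled": True},
        {"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "enabled": False},
    ],
    "_revision": 3,
}


def reorder_cipher_suites(config, preferred):
    """Return a copy of config whose cipher_suites list starts with the names
    in `preferred` (in that order, each marked enabled), followed by the
    remaining entries in their original relative order.

    Raises ValueError if a preferred name is absent from the array, so a typo
    cannot silently put an unknown suite at the top of the list.
    """
    suites = config.get("cipher_suites", [])
    by_name = {s["name"]: s for s in suites}
    missing = [n for n in preferred if n not in by_name]
    if missing:
        raise ValueError("not present in cipher_suites: " + ", ".join(missing))

    head = []
    for name in preferred:
        entry = dict(by_name[name])
        entry["enabled"] = True  # step 2: preferred ciphers must be enabled
        head.append(entry)
    wanted = set(preferred)
    tail = [dict(s) for s in suites if s["name"] not in wanted]

    new_config = dict(config)  # every other field goes back exactly as received
    new_config["cipher_suites"] = head + tail
    return new_config


def _call(manager, user, password, method, body=None, cafile=None):
    """Single authenticated request to the api-service endpoint (assumed auth)."""
    url = "https://" + manager + API_PATH
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode((user + ":" + password).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")  # step 3 header
    # Verify the manager's certificate against the CA you trust for it;
    # verification is not disabled here.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def enforce_cipher_priority(manager, user, password, preferred, cafile=None):
    """Steps 1-3: GET, reorder, PUT. The PUT restarts the API service."""
    current = _call(manager, user, password, "GET", cafile=cafile)
    updated = reorder_cipher_suites(current, preferred)
    return _call(manager, user, password, "PUT", body=updated, cafile=cafile)


if __name__ == "__main__":
    # Same order as the KB's example snippet: 256-bit GCM first, then 128-bit.
    PREFERRED = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
    result = enforce_cipher_priority(
        os.environ["NSX_MANAGER"],       # e.g. the manager IP or FQDN
        os.environ["NSX_USER"],
        os.environ["NSX_PASSWORD"],
        PREFERRED,
        cafile=os.environ.get("NSX_CA_FILE"),
    )
    print(json.dumps(result.get("cipher_suites", []), indent=2))
```

Because the PUT restarts the API service across the cluster, it is worth running reorder_cipher_suites() first on the JSON saved from step 1 and reviewing the resulting order; the function keeps the suites you did not name, in their original order, below the preferred ones rather than dropping them, so nothing is disabled as a side effect of reprioritising.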

Additional Information

Example snippet of a prioritized array:

"cipher_suites": [
    {
        "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "enabled": true
    },
    {
        "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "enabled": true
    }
]

Reference KB: https://knowledge.broadcom.com/external/article/319144/disableenable-nsxt-manager-ciphers-or-tl.html