NSX-T Data Center REST API

Associated URIs:

API Description API Path

Get effective object permissions to object specified by path for current user.


Returns none if user doesn't have access or feature_name from required request parameter
is empty/invalid/doesn't match with object-path provided.
GET /policy/api/v1/aaa/effective-permissions (Experimental)

List feature permissions


List features
GET /policy/api/v1/aaa/features-with-properties
GET /api/v1/aaa/features-with-properties

List LDAP identity sources


Return a list of all configured LDAP identity sources.
GET /policy/api/v1/aaa/ldap-identity-sources

Test an LDAP server


Attempt to connect to an LDAP server and ensure that the server can be contacted using the given URL and authentication credentials.
POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_ldap_server

Probe an LDAP identity source


Verify that the configuration of an LDAP identity source is correct before actually creating the source.
POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_identity_source

Fetch the server certificate of an LDAP server


Attempt to connect to an LDAP server and retrieve the server certificate it presents.
POST /policy/api/v1/aaa/ldap-identity-sources?action=fetch_certificate

Delete an LDAP identity source


Delete an LDAP identity source. Users defined in that source will no longer be able to access NSX.
DELETE /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Read a single LDAP identity source


Return details about one LDAP identity source
GET /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Test the configuration of an existing LDAP identity source


Attempt to connect to an existing LDAP identity source and report any errors encountered.
POST /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>?action=probe

Update an existing LDAP identity source


Update the configuration of an existing LDAP identity source. You may wish to verify the new configuration using the POST /aaa/ldap-identity-sources?action=probe API before changing the configuration. Note that if you are using LDAP on an active and standby NSX-T Global Manager in a federated environment, you must use the same name for your LDAP identity sources on the active and standby Global Managers.
PUT /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Search the LDAP identity source


Search the LDAP identity source for users and groups that match the given filter_value. In most cases, the LDAP source performs a case-insensitive search.
POST /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>/search

Delete object-permissions entries


DELETE /policy/api/v1/aaa/object-permissions (Experimental)

Get list of Object-level RBAC entries.


GET /policy/api/v1/aaa/object-permissions (Experimental)

Create/update object permission mappings


PATCH /policy/api/v1/aaa/object-permissions (Experimental)

Create registration access token


The privileges of the registration token will be the same as the caller.
POST /policy/api/v1/aaa/registration-token
POST /api/v1/aaa/registration-token

Delete registration access token


DELETE /policy/api/v1/aaa/registration-token/<token>
DELETE /api/v1/aaa/registration-token/<token>

Get registration access token


GET /policy/api/v1/aaa/registration-token/<token>
GET /api/v1/aaa/registration-token/<token>

Get all users and groups with their roles


Get all users and groups with their roles.
GET /policy/api/v1/aaa/role-bindings
GET /api/v1/aaa/role-bindings

Delete all stale role assignments


POST /policy/api/v1/aaa/role-bindings?action=delete_stale_bindings
POST /api/v1/aaa/role-bindings?action=delete_stale_bindings

Assign roles to User or Group


This API is used to assign a user/group any role(s) of choice.
User has union of all the roles assigned to it. User name is
dealt case-insensitively.
POST /policy/api/v1/aaa/role-bindings
POST /api/v1/aaa/role-bindings

Delete user/group's roles assignment


Delete the user/group's role assignment.
DELETE /policy/api/v1/aaa/role-bindings/<binding-id>
DELETE /api/v1/aaa/role-bindings/<binding-id>

Get user/group's role information


GET /policy/api/v1/aaa/role-bindings/<binding-id>
GET /api/v1/aaa/role-bindings/<binding-id>

Update User or Group's roles


This API is used to update a user/group any role(s) of choice.
User name is dealt case-insensitively.
PUT /policy/api/v1/aaa/role-bindings/<binding-id>
PUT /api/v1/aaa/role-bindings/<binding-id>

Get information about all roles


GET /policy/api/v1/aaa/roles
GET /api/v1/aaa/roles

Validate a new feature permission set


Validate the permissions of an incoming role. Also, recommend the
permissions which need to be corrected.
POST /policy/api/v1/aaa/roles?action=validate
POST /api/v1/aaa/roles?action=validate

Get information about all roles with features and their permissions


GET /policy/api/v1/aaa/roles-with-feature-permissions
GET /api/v1/aaa/roles-with-feature-permissions

Delete custom role


If a role is assigned to a role binding then the deletion of
the role is not allowed. Precanned roles cannot be deleted.
DELETE /policy/api/v1/aaa/roles/<role>
DELETE /api/v1/aaa/roles/<role>

Get role information


GET /policy/api/v1/aaa/roles/<role>
GET /api/v1/aaa/roles/<role>

Clone an already present role


The role with id <role> is cloned and the new id, name and description are
the ones provided in the request body.
POST /policy/api/v1/aaa/roles/<role>?action=clone
POST /api/v1/aaa/roles/<role>?action=clone

Update custom role


Creates a new role with id as <role> if there does not exist any
role with id <role>, else updates the existing role.
PUT /policy/api/v1/aaa/roles/<role>
PUT /api/v1/aaa/roles/<role>

Get the name and role information of the user.


This API will return the name and role information of the user
invoking this API request. This API is available for all NSX users
no matter their authentication method (Local account, VIDM, LDAP etc).
GET /policy/api/v1/aaa/user-info
GET /api/v1/aaa/user-info

Get all the User Groups where vIDM display name matches the search key case insensitively. The search key is checked to be a substring of display name. This is a non paginated API. This API will return as many results that vIDM returns to NSX during the search query. vIDM may not send all results at once so to zero in on the group of interest more characters need to be entered.


GET /policy/api/v1/aaa/vidm/groups
GET /api/v1/aaa/vidm/groups

Get all the users and groups from vIDM matching the search key case insensitively. The search key is checked to be a substring of name or given name or family name of user and display name of group. This is a non paginated API. This API will return as many results that vIDM returns to NSX during the search query. vIDM may not send all results at once so to zero in on the user/group of interest more characters need to be entered.


POST /policy/api/v1/aaa/vidm/search
POST /api/v1/aaa/vidm/search

Get all the users from vIDM whose userName, givenName or familyName matches the search key case insensitively. The search key is checked to be a substring of name or given name or family name. This is a non paginated API. This API will return as many results that vIDM returns to NSX during the search query. vIDM may not send all results at once so to zero in on the user of interest more characters need to be entered.


GET /policy/api/v1/aaa/vidm/users
GET /api/v1/aaa/vidm/users

Collect support bundles from registered cluster and fabric nodes


Collect support bundles from registered cluster and fabric nodes.
POST /api/v1/administration/support-bundles?action=collect

Delete existing support bundles waiting to be downloaded


Delete existing support bundles waiting to be downloaded.
POST /api/v1/administration/support-bundles?action=delete_async_response

Get list of supported content filters


Get list of supported content filters that decide the contents of the support bundle. This depends on target form factor.
GET /api/v1/administration/support-bundles/dynamic-content-filters

Accept end user license agreement


Accept end user license agreement
POST /policy/api/v1/eula/accept
POST /api/v1/eula/accept

Return the acceptance status of end user license agreement


Return the acceptance status of end user license agreement
GET /policy/api/v1/eula/acceptance
GET /api/v1/eula/acceptance

Return the content of end user license agreement


Return the content of end user license agreement in the specified format.
By default, it's pure string without line break
GET /policy/api/v1/eula/content
GET /api/v1/eula/content

Deprecated. Return the Enterprise License


Deprecated. Use the GET /licenses API instead.
GET /api/v1/license (Deprecated)

Deprecated. Assign an Updated Enterprise License Key


Deprecated. Use the POST /licenses API instead
PUT /api/v1/license (Deprecated)

Get all licenses


Returns all licenses.
GET /api/v1/licenses

Remove a license


This will delete the license key identified in the request body
by "license_key" and its properties from the system.
Attempting to delete the last license key will result in an error.
POST /api/v1/licenses?action=delete

Add a new license key


This will add a license key to the system.
The API supports adding only one license key for each license edition
type - Standard, Advanced or Enterprise. If a new license key is tried
to add for an edition for which the license key already exists,
then this API will return an error.
POST /api/v1/licenses

Deprecated. Remove a license identified by the license-key


Deprecated. Use POST /licenses?action=delete API instead.
DELETE /api/v1/licenses/<license-key> (Deprecated)

Deprecated. Get license properties for license identified by the license-key


Deprecated. Use GET /licenses API instead.
GET /api/v1/licenses/<license-key> (Deprecated)

Get usage report of all registered modules


Returns usage report of all registered modules
GET /api/v1/licenses/licenses-usage

Get usage report of all registred modules in CSV format


Returns usage report of all registered modules in CSV format
GET /api/v1/licenses/licenses-usage?format=csv

Read AAA provider vIDM properties


GET /api/v1/node/aaa/providers/vidm
GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm

Update AAA provider vIDM properties


PUT /api/v1/node/aaa/providers/vidm
PUT /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm

Read AAA provider vIDM status


GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm/status
GET /api/v1/node/aaa/providers/vidm/status

Returns the proxy configuration


Returns the proxy configuration.
GET /api/v1/proxy/config

Creates or updates the proxy configuration


Updates or creates the proxy configuration, and returns the new configuration.
PUT /api/v1/proxy/config

Returns telemetry agreement information


Returns telemetry agreement information.
GET /api/v1/telemetry/agreement

Set telemetry agreement information


Set telemetry agreement information.
PUT /api/v1/telemetry/agreement

Returns the telemetry configuration


Returns the telemetry configuration.
GET /api/v1/telemetry/config

Creates or updates the telemetry configuration


Updates or creates the telemetry configuration, and returns the new configuration.
PUT /api/v1/telemetry/config

Return the Properties of a Trust Manager


Returns information about the supported algorithms and key sizes.
GET /api/v1/trust-management

Get the certificate profile for the given service type


Get an available certificate profile.
Note that not every service type has an active certificate profile.
GET /api/v1/trust-management/certificate-profile/<service-type>

Return the list of certificate profiles.


List the certificate profiles currently active on the NSX Manager.
This list depends on the type of instance deployed and which certificates
are currently managed through the certificate-profile manager. That list is
expected to expand in future releases.
GET /api/v1/trust-management/certificate-profiles

Return All the User-Facing Components' Certificates


Returns all certificate information viewable by the user, including each
certificate's UUID; resource_type (for example, certificate_self_signed,
certificate_ca, or certificate_signed); pem_encoded data; and history of the
certificate (who created or modified it and when). For additional
information, include the ?details=true modifier at the end of the request
URI.
GET /api/v1/trust-management/certificates

Add a New Certificate


Adds a new private-public certificate or a chain of certificates (CAs) and,
optionally, a private key that can be applied to one of the user-facing
components (appliance management or edge). The certificate and the key
should be stored in PEM format. If no private key is provided, the
certificate is used as a client certificate in the trust store.
A private key can be uploaded for a CA certificate only if the "purpose"
parameter is set to "signing-ca".
POST /api/v1/trust-management/certificates?action=import

Set a certificate as the Appliance Proxy certificate to be used in inter-site communication


Set a certificate that has been imported to be the Appliance Proxy certificate
used for communicating with Appliance Proxies on other sites.
POST /api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication

Delete Certificate for the Given Certificate ID


Removes the specified certificate. The private key associated with the
certificate is also deleted.
DELETE /api/v1/trust-management/certificates/<cert-id>

Show Certificate Data for the Given Certificate ID


Returns information for the specified certificate ID, including the
certificate's UUID; resource_type (for example, certificate_self_signed,
certificate_ca, or certificate_signed); pem_encoded data; and history of the
certificate (who created or modified it and when). For additional
information, include the ?details=true modifier at the end of the request
URI.
GET /api/v1/trust-management/certificates/<cert-id>

Return the list of CrlDistributionPoints


GET /api/v1/trust-management/crl-distribution-points

Create a Crl Distribution Point


Create an entity that will represent a Crl Distribution Point
POST /api/v1/trust-management/crl-distribution-points

Delete a CrlDistributionPoint


Delete a CrlDistributionPoint. It does not delete the actual CRL.
DELETE /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>

Return the CrlDistributionPoint with <crl-distribution-point-id>


GET /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>

Update CrlDistributionPoint with <crl-distribution-point-id> This allows updating the ManagedResource fields.


PUT /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>

Return the status of the CrlDistributionPoint


GET /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>/status

Return stored CRL in PEM format


POST /api/v1/trust-management/crl-distribution-points/pem-file

Return All Added CRLs


Returns information about all CRLs. For additional information, include the
?details=true modifier at the end of the request URI.
GET /api/v1/trust-management/crls

Add a New Certificate Revocation List


Adds a new certificate revocation list (CRL). The CRL is used to verify the
client certificate status against the revocation lists published by the CA.
For this reason, the administrator needs to add the CRL in certificate
repository as well.
A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL
(crl_type=OneCRL).
If crl_type is not specified, it is auto-detected based on the presence of
fields pem_encoded or one_crl.
POST /api/v1/trust-management/crls?action=import

Delete a CRL


Deletes an existing CRL.
DELETE /api/v1/trust-management/crls/<crl-id>

Show CRL Data for the Given CRL ID


Returns information about the specified CRL. For additional information,
include the ?details=true modifier at the end of the request URI.
GET /api/v1/trust-management/crls/<crl-id>

Update CRL for the Given CRL ID


Updates an existing CRL.
PUT /api/v1/trust-management/crls/<crl-id>

Return All the Generated CSRs


Returns information about all of the CSRs that have been created.
GET /api/v1/trust-management/csrs

Generate a New Certificate Signing Request


Creates a new certificate signing request (CSR). A CSR is encrypted text that
contains information about your organization (organization name, country,
and so on) and your Web server's public key, which is a public certificate
the is generated on the server that can be used to forward this request to a
certificate authority (CA). A private key is also usually created at the
same time as the CSR.
POST /api/v1/trust-management/csrs

Generate a New Self-Signed Certificate


Creates a new self-signed certificate. A private key is also created at the
same time. This is convenience call that will generate a CSR and then self-sign it.
For validity of non-CA certificates, if a value greater than 825 days is
provided, it will be set to 825 days. No limit is set for CA certificates.
POST /api/v1/trust-management/csrs?action=self_sign

Generate a New Certificate Signing Request with Extensions


Creates a new certificate signing request (CSR) with selected extensions.
A CSR is encrypted text that contains information about your organization
(organization name, country, and so on), additional attributes as
extensions, and your Web server's public key, which is a public certificate
the is generated on the server that can be used to forward this request
to a certificate authority (CA). A private key is also usually created at
the same time as the CSR.
POST /api/v1/trust-management/csrs-extended (Experimental)

Delete a CSR


Removes a specified CSR. If a CSR is not used for verification, you can
delete it.
DELETE /api/v1/trust-management/csrs/<csr-id>

Show CSR Data for the Given CSR ID


Returns information about the specified CSR.
GET /api/v1/trust-management/csrs/<csr-id>

Upload the Certificate PEM File Signed by the CA Associated with a CSR


Uploads the certificate authority (CA)-signed certificate. After you send
the certificate request to the CA of your choice, and the CA sends back the
signed certificate, you can use the upload POST action to upload the signed
certificate. The upload action is similar to the import action, but the
upload action allows you to directly upload the PEM-encoded file (signed
certificate) provided by the CA. After this operation you can delete the CSR.
POST /api/v1/trust-management/csrs/<csr-id>?action=upload

Import a Certificate Associated with an Approved CSR


Imports a certificate authority (CA)-signed certificate for a CSR. This
action links the certificate to the private key created by the CSR. The
pem_encoded string in the request body is the signed certificate provided by
your CA in response to the CSR that you provide to them. After this
operation you can delete the CSR.
POST /api/v1/trust-management/csrs/<csr-id>?action=import

Self-Sign the CSR


Self-signs the previously generated CSR. This action is similar to the
import certificate action, but instead of using a public certificate signed
by a CA, the self_sign POST action uses a certificate that is signed with
NSX's own private key.
For validity of non-CA certificates, if a value greater than 825 days is
provided, it will be set to 825 days. No limit is set for CA certificates.
POST /api/v1/trust-management/csrs/<csr-id>?action=self_sign

Get CSR PEM File for the Given CSR ID


Downloads the CSR PEM file for a specified CSR. Clients must include an Accept: text/plain request header.
GET /api/v1/trust-management/csrs/<csr-id>/pem-file

Return the list of OpenID Connect end-points.


GET /api/v1/trust-management/oidc-uris

Update a OpenID Connect end-point's thumbprint


Update a OpenID Connect end-point's thumbprint used to connect to the
oidc_uri through SSL
POST /api/v1/trust-management/oidc-uris?action=update_thumbprint

Add an OpenID Connect end-point.


This request also fetches the issuer and jwks_uri meta-data from the OIDC
end-point and stores it.
POST /api/v1/trust-management/oidc-uris

Get an OpenID Connect end-point.


When ?refresh=true is added to the request, the meta-data is newly fetched
from the OIDC end-point.
GET /api/v1/trust-management/oidc-uris/<id>

Return the list of principal identities


Returns the list of principals registered with a certificate.
GET /api/v1/trust-management/principal-identities

Register a name-certificate combination.


Associates a principal's name with a certificate that is used to authenticate.
The combination name and node_id needs to be unique across token-based and
certificate-based principal identities.
Deprecated, use POST /trust-management/principal-identities/with-certificate instead.
POST /api/v1/trust-management/principal-identities (Deprecated)

Update a principal identity's certificate


Update a principal identity's certificate
POST /api/v1/trust-management/principal-identities?action=update_certificate

Delete a principal identity


Delete a principal identity. It does not delete the certificate.
DELETE /api/v1/trust-management/principal-identities/<principal-identity-id>

Get a principal identity


Get a stored principal identity
GET /api/v1/trust-management/principal-identities/<principal-identity-id>

Register a name-certificate combination.


Create a principal identity with a new, unused, certificate.
The combination name and node_id needs to be unique across token-based and
certificate-based principal identities.
POST /api/v1/trust-management/principal-identities/with-certificate

Return the list of token-based principal identities. | These don't have certificate or role information.


GET /api/v1/trust-management/token-principal-identities

Register a token-based principal identity.


Register a principal identity that is going to be authenticated through a token.
The combination name and node_id needs to be unique across token-based and
certificate-based principal identities.
POST /api/v1/trust-management/token-principal-identities

Delete a token-based principal identity


Delete a token-based principal identity.
DELETE /api/v1/trust-management/token-principal-identities/<principal-identity-id>

Get a token-based principal identity


Get a stored token-based principal identity
GET /api/v1/trust-management/token-principal-identities/<principal-identity-id>