NSX-T Data Center REST API

Associated URIs:

API Description	API Path
Get effective object permissions to object specified by path for current user. Returns none if user doesn't have access or feature_name from required request parameter is empty/invalid/doesn't match with object-path provided.	GET /policy/api/v1/aaa/effective-permissions (Experimental)
List feature permissions List features	GET /policy/api/v1/aaa/features-with-properties GET /api/v1/aaa/features-with-properties
List LDAP identity sources Return a list of all configured LDAP identity sources.	GET /policy/api/v1/aaa/ldap-identity-sources
Test an LDAP server Attempt to connect to an LDAP server and ensure that the server can be contacted using the given URL and authentication credentials.	POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_ldap_server
Probe an LDAP identity source Verify that the configuration of an LDAP identity source is correct before actually creating the source.	POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_identity_source
Fetch the server certificate of an LDAP server Attempt to connect to an LDAP server and retrieve the server certificate it presents.	POST /policy/api/v1/aaa/ldap-identity-sources?action=fetch_certificate
Delete an LDAP identity source Delete an LDAP identity source. Users defined in that source will no longer be able to access NSX.	DELETE /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>
Read a single LDAP identity source Return details about one LDAP identity source	GET /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>
Test the configuration of an existing LDAP identity source Attempt to connect to an existing LDAP identity source and report any errors encountered.	POST /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>?action=probe
Update an existing LDAP identity source Update the configuration of an existing LDAP identity source. You may wish to verify the new configuration using the POST /aaa/ldap-identity-sources?action=probe API before changing the configuration. Note that if you are using LDAP on an active and standby NSX-T Global Manager in a federated environment, you must use the same name for your LDAP identity sources on the active and standby Global Managers.	PUT /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>
Search the LDAP identity source Search the LDAP identity source for users and groups that match the given filter_value. In most cases, the LDAP source performs a case-insensitive search.	POST /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>/search
Delete object-permissions entries	DELETE /policy/api/v1/aaa/object-permissions (Experimental)
Get list of Object-level RBAC entries.	GET /policy/api/v1/aaa/object-permissions (Experimental)
Create/update object permission mappings	PATCH /policy/api/v1/aaa/object-permissions (Experimental)
Create registration access token The privileges of the registration token will be the same as the caller.	POST /policy/api/v1/aaa/registration-token POST /api/v1/aaa/registration-token
Delete registration access token	DELETE /policy/api/v1/aaa/registration-token/<token> DELETE /api/v1/aaa/registration-token/<token>
Get registration access token	GET /policy/api/v1/aaa/registration-token/<token> GET /api/v1/aaa/registration-token/<token>
Get all users and groups with their roles Get all users and groups with their roles.	GET /policy/api/v1/aaa/role-bindings GET /api/v1/aaa/role-bindings
Delete all stale role assignments	POST /policy/api/v1/aaa/role-bindings?action=delete_stale_bindings POST /api/v1/aaa/role-bindings?action=delete_stale_bindings
Assign roles to User or Group This API is used to assign a user/group any role(s) of choice. User has union of all the roles assigned to it. User name is dealt case-insensitively.	POST /policy/api/v1/aaa/role-bindings POST /api/v1/aaa/role-bindings
Delete user/group's roles assignment Delete the user/group's role assignment.	DELETE /policy/api/v1/aaa/role-bindings/<binding-id> DELETE /api/v1/aaa/role-bindings/<binding-id>
Get user/group's role information	GET /policy/api/v1/aaa/role-bindings/<binding-id> GET /api/v1/aaa/role-bindings/<binding-id>
Update User or Group's roles This API is used to update a user/group any role(s) of choice. User name is dealt case-insensitively.	PUT /policy/api/v1/aaa/role-bindings/<binding-id> PUT /api/v1/aaa/role-bindings/<binding-id>
Get information about all roles	GET /policy/api/v1/aaa/roles GET /api/v1/aaa/roles
Validate a new feature permission set Validate the permissions of an incoming role. Also, recommend the permissions which need to be corrected.	POST /policy/api/v1/aaa/roles?action=validate POST /api/v1/aaa/roles?action=validate
Get information about all roles with features and their permissions	GET /policy/api/v1/aaa/roles-with-feature-permissions GET /api/v1/aaa/roles-with-feature-permissions
Delete custom role If a role is assigned to a role binding then the deletion of the role is not allowed. Precanned roles cannot be deleted.	DELETE /policy/api/v1/aaa/roles/<role> DELETE /api/v1/aaa/roles/<role>
Get role information	GET /policy/api/v1/aaa/roles/<role> GET /api/v1/aaa/roles/<role>
Clone an already present role The role with id <role> is cloned and the new id, name and description are the ones provided in the request body.	POST /policy/api/v1/aaa/roles/<role>?action=clone POST /api/v1/aaa/roles/<role>?action=clone
Update custom role Creates a new role with id as <role> if there does not exist any role with id <role>, else updates the existing role.	PUT /policy/api/v1/aaa/roles/<role> PUT /api/v1/aaa/roles/<role>
Get the name and role information of the user. This API will return the name and role information of the user invoking this API request. This API is available for all NSX users no matter their authentication method (Local account, VIDM, LDAP etc).	GET /policy/api/v1/aaa/user-info GET /api/v1/aaa/user-info
Get all the User Groups where vIDM display name matches the search key case insensitively. The search key is checked to be a substring of display name. This is a non paginated API. This API will return as many results that vIDM returns to NSX during the search query. vIDM may not send all results at once so to zero in on the group of interest more characters need to be entered.	GET /policy/api/v1/aaa/vidm/groups GET /api/v1/aaa/vidm/groups
Get all the users and groups from vIDM matching the search key case insensitively. The search key is checked to be a substring of name or given name or family name of user and display name of group. This is a non paginated API. This API will return as many results that vIDM returns to NSX during the search query. vIDM may not send all results at once so to zero in on the user/group of interest more characters need to be entered.	POST /policy/api/v1/aaa/vidm/search POST /api/v1/aaa/vidm/search
Get all the users from vIDM whose userName, givenName or familyName matches the search key case insensitively. The search key is checked to be a substring of name or given name or family name. This is a non paginated API. This API will return as many results that vIDM returns to NSX during the search query. vIDM may not send all results at once so to zero in on the user of interest more characters need to be entered.	GET /policy/api/v1/aaa/vidm/users GET /api/v1/aaa/vidm/users
Collect support bundles from registered cluster and fabric nodes Collect support bundles from registered cluster and fabric nodes.	POST /api/v1/administration/support-bundles?action=collect
Delete existing support bundles waiting to be downloaded Delete existing support bundles waiting to be downloaded.	POST /api/v1/administration/support-bundles?action=delete_async_response
Get list of supported content filters Get list of supported content filters that decide the contents of the support bundle. This depends on target form factor.	GET /api/v1/administration/support-bundles/dynamic-content-filters
Accept end user license agreement Accept end user license agreement	POST /policy/api/v1/eula/accept POST /api/v1/eula/accept
Return the acceptance status of end user license agreement Return the acceptance status of end user license agreement	GET /policy/api/v1/eula/acceptance GET /api/v1/eula/acceptance
Return the content of end user license agreement Return the content of end user license agreement in the specified format. By default, it's pure string without line break	GET /policy/api/v1/eula/content GET /api/v1/eula/content
Deprecated. Return the Enterprise License Deprecated. Use the GET /licenses API instead.	GET /api/v1/license (Deprecated)
Deprecated. Assign an Updated Enterprise License Key Deprecated. Use the POST /licenses API instead	PUT /api/v1/license (Deprecated)
Get all licenses Returns all licenses.	GET /api/v1/licenses
Remove a license This will delete the license key identified in the request body by "license_key" and its properties from the system. Attempting to delete the last license key will result in an error.	POST /api/v1/licenses?action=delete
Add a new license key This will add a license key to the system. The API supports adding only one license key for each license edition type - Standard, Advanced or Enterprise. If a new license key is tried to add for an edition for which the license key already exists, then this API will return an error.	POST /api/v1/licenses
Deprecated. Remove a license identified by the license-key Deprecated. Use POST /licenses?action=delete API instead.	DELETE /api/v1/licenses/<license-key> (Deprecated)
Deprecated. Get license properties for license identified by the license-key Deprecated. Use GET /licenses API instead.	GET /api/v1/licenses/<license-key> (Deprecated)
Get usage report of all registered modules Returns usage report of all registered modules	GET /api/v1/licenses/licenses-usage
Get usage report of all registred modules in CSV format Returns usage report of all registered modules in CSV format	GET /api/v1/licenses/licenses-usage?format=csv
Read AAA provider vIDM properties	GET /api/v1/node/aaa/providers/vidm GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm
Update AAA provider vIDM properties	PUT /api/v1/node/aaa/providers/vidm PUT /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm
Read AAA provider vIDM status	GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm/status GET /api/v1/node/aaa/providers/vidm/status
Returns the proxy configuration Returns the proxy configuration.	GET /api/v1/proxy/config
Creates or updates the proxy configuration Updates or creates the proxy configuration, and returns the new configuration.	PUT /api/v1/proxy/config
Returns telemetry agreement information Returns telemetry agreement information.	GET /api/v1/telemetry/agreement
Set telemetry agreement information Set telemetry agreement information.	PUT /api/v1/telemetry/agreement
Returns the telemetry configuration Returns the telemetry configuration.	GET /api/v1/telemetry/config
Creates or updates the telemetry configuration Updates or creates the telemetry configuration, and returns the new configuration.	PUT /api/v1/telemetry/config
Return the Properties of a Trust Manager Returns information about the supported algorithms and key sizes.	GET /api/v1/trust-management
Get the certificate profile for the given service type Get an available certificate profile. Note that not every service type has an active certificate profile.	GET /api/v1/trust-management/certificate-profile/<service-type>
Return the list of certificate profiles. List the certificate profiles currently active on the NSX Manager. This list depends on the type of instance deployed and which certificates are currently managed through the certificate-profile manager. That list is expected to expand in future releases.	GET /api/v1/trust-management/certificate-profiles
Return All the User-Facing Components' Certificates Returns all certificate information viewable by the user, including each certificate's UUID; resource_type (for example, certificate_self_signed, certificate_ca, or certificate_signed); pem_encoded data; and history of the certificate (who created or modified it and when). For additional information, include the ?details=true modifier at the end of the request URI.	GET /api/v1/trust-management/certificates
Add a New Certificate Adds a new private-public certificate or a chain of certificates (CAs) and, optionally, a private key that can be applied to one of the user-facing components (appliance management or edge). The certificate and the key should be stored in PEM format. If no private key is provided, the certificate is used as a client certificate in the trust store. A private key can be uploaded for a CA certificate only if the "purpose" parameter is set to "signing-ca".	POST /api/v1/trust-management/certificates?action=import
Set a certificate as the Appliance Proxy certificate to be used in inter-site communication Set a certificate that has been imported to be the Appliance Proxy certificate used for communicating with Appliance Proxies on other sites.	POST /api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication
Delete Certificate for the Given Certificate ID Removes the specified certificate. The private key associated with the certificate is also deleted.	DELETE /api/v1/trust-management/certificates/<cert-id>
Show Certificate Data for the Given Certificate ID Returns information for the specified certificate ID, including the certificate's UUID; resource_type (for example, certificate_self_signed, certificate_ca, or certificate_signed); pem_encoded data; and history of the certificate (who created or modified it and when). For additional information, include the ?details=true modifier at the end of the request URI.	GET /api/v1/trust-management/certificates/<cert-id>
Return the list of CrlDistributionPoints	GET /api/v1/trust-management/crl-distribution-points
Create a Crl Distribution Point Create an entity that will represent a Crl Distribution Point	POST /api/v1/trust-management/crl-distribution-points
Delete a CrlDistributionPoint Delete a CrlDistributionPoint. It does not delete the actual CRL.	DELETE /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>
Return the CrlDistributionPoint with <crl-distribution-point-id>	GET /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>
Update CrlDistributionPoint with <crl-distribution-point-id> This allows updating the ManagedResource fields.	PUT /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>
Return the status of the CrlDistributionPoint	GET /api/v1/trust-management/crl-distribution-points/<crl-distribution-point-id>/status
Return stored CRL in PEM format	POST /api/v1/trust-management/crl-distribution-points/pem-file
Return All Added CRLs Returns information about all CRLs. For additional information, include the ?details=true modifier at the end of the request URI.	GET /api/v1/trust-management/crls
Add a New Certificate Revocation List Adds a new certificate revocation list (CRL). The CRL is used to verify the client certificate status against the revocation lists published by the CA. For this reason, the administrator needs to add the CRL in certificate repository as well. A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL (crl_type=OneCRL). If crl_type is not specified, it is auto-detected based on the presence of fields pem_encoded or one_crl.	POST /api/v1/trust-management/crls?action=import
Delete a CRL Deletes an existing CRL.	DELETE /api/v1/trust-management/crls/<crl-id>
Show CRL Data for the Given CRL ID Returns information about the specified CRL. For additional information, include the ?details=true modifier at the end of the request URI.	GET /api/v1/trust-management/crls/<crl-id>
Update CRL for the Given CRL ID Updates an existing CRL.	PUT /api/v1/trust-management/crls/<crl-id>
Return All the Generated CSRs Returns information about all of the CSRs that have been created.	GET /api/v1/trust-management/csrs
Generate a New Certificate Signing Request Creates a new certificate signing request (CSR). A CSR is encrypted text that contains information about your organization (organization name, country, and so on) and your Web server's public key, which is a public certificate the is generated on the server that can be used to forward this request to a certificate authority (CA). A private key is also usually created at the same time as the CSR.	POST /api/v1/trust-management/csrs
Generate a New Self-Signed Certificate Creates a new self-signed certificate. A private key is also created at the same time. This is convenience call that will generate a CSR and then self-sign it. For validity of non-CA certificates, if a value greater than 825 days is provided, it will be set to 825 days. No limit is set for CA certificates.	POST /api/v1/trust-management/csrs?action=self_sign
Generate a New Certificate Signing Request with Extensions Creates a new certificate signing request (CSR) with selected extensions. A CSR is encrypted text that contains information about your organization (organization name, country, and so on), additional attributes as extensions, and your Web server's public key, which is a public certificate the is generated on the server that can be used to forward this request to a certificate authority (CA). A private key is also usually created at the same time as the CSR.	POST /api/v1/trust-management/csrs-extended (Experimental)
Delete a CSR Removes a specified CSR. If a CSR is not used for verification, you can delete it.	DELETE /api/v1/trust-management/csrs/<csr-id>
Show CSR Data for the Given CSR ID Returns information about the specified CSR.	GET /api/v1/trust-management/csrs/<csr-id>
Upload the Certificate PEM File Signed by the CA Associated with a CSR Uploads the certificate authority (CA)-signed certificate. After you send the certificate request to the CA of your choice, and the CA sends back the signed certificate, you can use the upload POST action to upload the signed certificate. The upload action is similar to the import action, but the upload action allows you to directly upload the PEM-encoded file (signed certificate) provided by the CA. After this operation you can delete the CSR.	POST /api/v1/trust-management/csrs/<csr-id>?action=upload
Import a Certificate Associated with an Approved CSR Imports a certificate authority (CA)-signed certificate for a CSR. This action links the certificate to the private key created by the CSR. The pem_encoded string in the request body is the signed certificate provided by your CA in response to the CSR that you provide to them. After this operation you can delete the CSR.	POST /api/v1/trust-management/csrs/<csr-id>?action=import
Self-Sign the CSR Self-signs the previously generated CSR. This action is similar to the import certificate action, but instead of using a public certificate signed by a CA, the self_sign POST action uses a certificate that is signed with NSX's own private key. For validity of non-CA certificates, if a value greater than 825 days is provided, it will be set to 825 days. No limit is set for CA certificates.	POST /api/v1/trust-management/csrs/<csr-id>?action=self_sign
Get CSR PEM File for the Given CSR ID Downloads the CSR PEM file for a specified CSR. Clients must include an Accept: text/plain request header.	GET /api/v1/trust-management/csrs/<csr-id>/pem-file
Return the list of OpenID Connect end-points.	GET /api/v1/trust-management/oidc-uris
Update a OpenID Connect end-point's thumbprint Update a OpenID Connect end-point's thumbprint used to connect to the oidc_uri through SSL	POST /api/v1/trust-management/oidc-uris?action=update_thumbprint
Add an OpenID Connect end-point. This request also fetches the issuer and jwks_uri meta-data from the OIDC end-point and stores it.	POST /api/v1/trust-management/oidc-uris
Get an OpenID Connect end-point. When ?refresh=true is added to the request, the meta-data is newly fetched from the OIDC end-point.	GET /api/v1/trust-management/oidc-uris/<id>
Return the list of principal identities Returns the list of principals registered with a certificate.	GET /api/v1/trust-management/principal-identities
Register a name-certificate combination. Associates a principal's name with a certificate that is used to authenticate. The combination name and node_id needs to be unique across token-based and certificate-based principal identities. Deprecated, use POST /trust-management/principal-identities/with-certificate instead.	POST /api/v1/trust-management/principal-identities (Deprecated)
Update a principal identity's certificate Update a principal identity's certificate	POST /api/v1/trust-management/principal-identities?action=update_certificate
Delete a principal identity Delete a principal identity. It does not delete the certificate.	DELETE /api/v1/trust-management/principal-identities/<principal-identity-id>
Get a principal identity Get a stored principal identity	GET /api/v1/trust-management/principal-identities/<principal-identity-id>
Register a name-certificate combination. Create a principal identity with a new, unused, certificate. The combination name and node_id needs to be unique across token-based and certificate-based principal identities.	POST /api/v1/trust-management/principal-identities/with-certificate
Return the list of token-based principal identities. \| These don't have certificate or role information.	GET /api/v1/trust-management/token-principal-identities
Register a token-based principal identity. Register a principal identity that is going to be authenticated through a token. The combination name and node_id needs to be unique across token-based and certificate-based principal identities.	POST /api/v1/trust-management/token-principal-identities
Delete a token-based principal identity Delete a token-based principal identity.	DELETE /api/v1/trust-management/token-principal-identities/<principal-identity-id>
Get a token-based principal identity Get a stored token-based principal identity	GET /api/v1/trust-management/token-principal-identities/<principal-identity-id>

Additional Links

Certificates

CRL

CSR

Certificate

Customer Experience Improvement

Telemetry

Licenses

Proxy Settings

Support Bundle

User Management

Access Token

Authorization

Object Permissions

LDAP Identity Sources

Principal Identity

Roles

Users

VIDM Configuration

NSX-T Data Center REST API

Associated URIs:

Get effective object permissions to object specified by path for current user.

List feature permissions

List LDAP identity sources

Test an LDAP server

Probe an LDAP identity source

Fetch the server certificate of an LDAP server

Delete an LDAP identity source

Read a single LDAP identity source

Test the configuration of an existing LDAP identity source

Update an existing LDAP identity source

Search the LDAP identity source

Delete object-permissions entries

Get list of Object-level RBAC entries.

Create/update object permission mappings

Create registration access token

Delete registration access token

Get registration access token

Get all users and groups with their roles

Delete all stale role assignments

Assign roles to User or Group

Delete user/group's roles assignment

Get user/group's role information

Update User or Group's roles

Get information about all roles

Validate a new feature permission set

Get information about all roles with features and their permissions

Delete custom role

Get role information

Clone an already present role

Update custom role

Get the name and role information of the user.

Collect support bundles from registered cluster and fabric nodes

Delete existing support bundles waiting to be downloaded

Get list of supported content filters

Accept end user license agreement

Return the acceptance status of end user license agreement

Return the content of end user license agreement

Deprecated. Return the Enterprise License

Deprecated. Assign an Updated Enterprise License Key

Get all licenses

Remove a license

Add a new license key

Deprecated. Remove a license identified by the license-key

Deprecated. Get license properties for license identified by the license-key

Get usage report of all registered modules

Get usage report of all registred modules in CSV format

Read AAA provider vIDM properties

Update AAA provider vIDM properties

Read AAA provider vIDM status

Returns the proxy configuration

Creates or updates the proxy configuration

Returns telemetry agreement information

Set telemetry agreement information

Returns the telemetry configuration

Creates or updates the telemetry configuration

Return the Properties of a Trust Manager

Get the certificate profile for the given service type

Return the list of certificate profiles.

Return All the User-Facing Components' Certificates

Add a New Certificate

Set a certificate as the Appliance Proxy certificate to be used in inter-site communication

Delete Certificate for the Given Certificate ID

Show Certificate Data for the Given Certificate ID

Return the list of CrlDistributionPoints

Create a Crl Distribution Point

Delete a CrlDistributionPoint

Return the CrlDistributionPoint with <crl-distribution-point-id>

Update CrlDistributionPoint with <crl-distribution-point-id> This allows updating the ManagedResource fields.

Return the status of the CrlDistributionPoint

Return stored CRL in PEM format

Return All Added CRLs

Add a New Certificate Revocation List

Delete a CRL

Show CRL Data for the Given CRL ID

Update CRL for the Given CRL ID

Return All the Generated CSRs

Generate a New Certificate Signing Request

Generate a New Self-Signed Certificate