NSX-T Data Center REST API
Associated URIs:
API Description | API Path |
---|---|
List RBAC features: List all the RBAC features and their properties. |
GET /policy/api/v1/aaa/features-with-properties
GET /api/v1/aaa/features-with-properties |
List LDAP identity sources: Return a list of all configured LDAP identity sources. |
GET /policy/api/v1/aaa/ldap-identity-sources
|
Test an LDAP server: Attempt to connect to an LDAP server and ensure that the server can be contacted using the given URL and authentication credentials. |
POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_ldap_server
|
Probe an LDAP identity source: Verify that the configuration of an LDAP identity source is correct before actually creating the source. |
POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_identity_source
|
Fetch the server certificate of an LDAP server: Attempt to connect to an LDAP server and retrieve the server certificate it presents. |
POST /policy/api/v1/aaa/ldap-identity-sources?action=fetch_certificate
|
Delete an LDAP identity source. Users defined in that source will no longer be able to access NSX. |
DELETE /policy/api/v1/aaa/ldap-identity-sources/{ldap-identity-source-id}
|
Read a single LDAP identity source: Return details about one LDAP identity source. |
GET /policy/api/v1/aaa/ldap-identity-sources/{ldap-identity-source-id}
|
Test the configuration of an existing LDAP identity source: Attempt to connect to an existing LDAP identity source and report any errors encountered. |
POST /policy/api/v1/aaa/ldap-identity-sources/{ldap-identity-source-id}?action=probe
|
Create or update an LDAP identity source: Create a new LDAP identity source or update the configuration of an existing LDAP identity source. You may wish to verify the new configuration using the POST /aaa/ldap-identity-sources?action=probe API before creating or changing the configuration. Note that if you are using LDAP on an active and standby NSX-T Global Manager in a federated environment, you must use the same name for your LDAP identity sources on the active and standby Global Managers. |
PUT /policy/api/v1/aaa/ldap-identity-sources/{ldap-identity-source-id}
|
Search the LDAP identity source: Search the LDAP identity source for users and groups that match the given filter_value. In most cases, the LDAP source performs a case-insensitive search. |
POST /policy/api/v1/aaa/ldap-identity-sources/{ldap-identity-source-id}/search
|
Create registration access token: The privileges of the registration token will be the same as the caller. |
POST /api/v1/aaa/registration-token
|
Delete registration access token |
DELETE /api/v1/aaa/registration-token/{token}
(Deprecated)
|
Get registration access token |
GET /api/v1/aaa/registration-token/{token}
(Deprecated)
|
Delete registration access token |
POST /api/v1/aaa/registration-token/delete
|
Get registration access token: Get the roles associated with the given registration token. |
POST /api/v1/aaa/registration-token/retrieve
|
Get all users and groups with their roles. If the root_path is provided, only role bindings that start with or are sub-trees of the provided root path are returned. The roles_for_paths are also filtered so that only those that start with or are sub-trees of the provided root path appear. |
GET /policy/api/v1/aaa/role-bindings
GET /api/v1/aaa/role-bindings |
Delete all stale role assignments |
POST /policy/api/v1/aaa/role-bindings?action=delete_stale_bindings
POST /api/v1/aaa/role-bindings?action=delete_stale_bindings |
Assign roles to User or Group: This API is used to assign a user/group any role(s) of choice. It is recommended to use the new property roles_for_paths instead of roles. When using roles_for_paths, set read_roles_for_paths to true. A user has the union of all the roles assigned to it on a particular path and its sub-tree. User names are treated case-insensitively. |
POST /policy/api/v1/aaa/role-bindings
POST /api/v1/aaa/role-bindings |
Delete user/group's roles assignment: Delete the user/group's role assignment. If the path is provided, only the roles_for_paths that match the path are deleted. If the path is provided for the last roles_for_paths, the whole role binding is deleted, provided it is not that of a local user. To delete multiple paths, provide semicolon (';') separated paths in the request parameter. |
DELETE /policy/api/v1/aaa/role-bindings/{binding-id}
DELETE /api/v1/aaa/role-bindings/{binding-id} |
Get user/group's role information |
GET /policy/api/v1/aaa/role-bindings/{binding-id}
GET /api/v1/aaa/role-bindings/{binding-id} |
Update User or Group's roles: This API is used to update a user/group with any role(s) of choice. It is recommended to use the new property roles_for_paths instead of roles. When using roles_for_paths, set read_roles_for_paths to true. A user has the union of all the roles assigned to it on a particular path and its sub-tree. User names are treated case-insensitively. This API will merge the existing roles_for_paths with the newly provided roles_for_paths, excluding those roles_for_paths that are marked for deletion. |
PUT /policy/api/v1/aaa/role-bindings/{binding-id}
PUT /api/v1/aaa/role-bindings/{binding-id} |
Get information about all roles |
GET /policy/api/v1/aaa/roles
GET /api/v1/aaa/roles |
Validate a new feature permission set: Validate the permissions of an incoming role. Also, recommend the permissions which need to be corrected. |
POST /policy/api/v1/aaa/roles?action=validate
POST /api/v1/aaa/roles?action=validate |
Get information about all roles with features and their permissions |
GET /policy/api/v1/aaa/roles-with-feature-permissions
GET /api/v1/aaa/roles-with-feature-permissions |
Delete custom role: If a role is assigned to a role binding then the deletion of the role is not allowed. Precanned roles cannot be deleted. |
DELETE /policy/api/v1/aaa/roles/{role}
DELETE /api/v1/aaa/roles/{role} |
Get role information |
GET /policy/api/v1/aaa/roles/{role}
GET /api/v1/aaa/roles/{role} |
Clone an already present role: The role with id <role> is cloned and the new id, name and description are the ones provided in the request body. |
POST /policy/api/v1/aaa/roles/{role}?action=clone
POST /api/v1/aaa/roles/{role}?action=clone |
Update custom role: Creates a new role with id <role> if no role with id <role> exists; otherwise updates the existing role. Permissions for features marked with is_internal set to true will be ignored if provided in the request payload. These features' permissions are set internally. |
PUT /policy/api/v1/aaa/roles/{role}
PUT /api/v1/aaa/roles/{role} |
Set role assignment permission configuration: Provides a means to allow or disallow project administrators and VPC administrators to assign roles to other users on projects and VPCs. |
PUT /policy/api/v1/aaa/roles/{role}/role-assignment-permission-config
PUT /api/v1/aaa/roles/{role}/role-assignment-permission-config |
Get the name and role information of the user. This API will return the name and role information of the user invoking this API request. This API is available for all NSX users no matter their authentication method (local account, VIDM, LDAP, etc.). The permissions parameter of the NsxRole has been deprecated. The request parameter root_path has been introduced for multi-tenancy to get the user's role at any path that the user desires. The response will contain the roles_for_paths to indicate roles at various paths. |
GET /policy/api/v1/aaa/user-info
GET /api/v1/aaa/user-info |
Get all the User Groups where the vIDM display name matches the search key case-insensitively. The search key is checked to be a substring of the display name. This is a non-paginated API. This API will return as many results as vIDM returns to NSX during the search query. vIDM may not send all results at once, so to zero in on the group of interest more characters need to be entered. |
GET /policy/api/v1/aaa/vidm/groups
GET /api/v1/aaa/vidm/groups |
Get all the users and groups from vIDM matching the search key case-insensitively. The search key is checked to be a substring of the name, given name or family name of a user and the display name of a group. This is a non-paginated API. This API will return as many results as vIDM returns to NSX during the search query. vIDM may not send all results at once, so to zero in on the user/group of interest more characters need to be entered. |
POST /policy/api/v1/aaa/vidm/search
POST /api/v1/aaa/vidm/search |
Get all the users from vIDM whose userName, givenName or familyName matches the search key case-insensitively. The search key is checked to be a substring of the name, given name or family name. This is a non-paginated API. This API will return as many results as vIDM returns to NSX during the search query. vIDM may not send all results at once, so to zero in on the user of interest more characters need to be entered. |
GET /policy/api/v1/aaa/vidm/users
GET /api/v1/aaa/vidm/users |
Delete existing support bundles waiting to be downloaded. |
POST /api/v1/administration/support-bundles?action=delete_async_response
|
Collect support bundles from registered cluster and fabric nodes. |
POST /api/v1/administration/support-bundles?action=collect
|
Get support bundle configuration: Get support bundle configuration properties. |
GET /api/v1/administration/support-bundles/config
|
Update support bundle configuration: Update support bundle configuration properties. |
PUT /api/v1/administration/support-bundles/config
|
Get list of supported content filters: Get list of supported content filters that decide the contents of the support bundle. This depends on target form factor. |
GET /api/v1/administration/support-bundles/dynamic-content-filters
|
Accept end user license agreement. |
POST /policy/api/v1/eula/accept
POST /api/v1/eula/accept |
Return the acceptance status of end user license agreement. |
GET /policy/api/v1/eula/acceptance
GET /api/v1/eula/acceptance |
Return the content of end user license agreement: Return the content of end user license agreement in the specified format. By default, it is a pure string without line breaks. |
GET /policy/api/v1/eula/content
GET /api/v1/eula/content |
Return the Enterprise License. |
GET /api/v1/license
(Deprecated)
|
Assign an Updated Enterprise License Key. |
PUT /api/v1/license
(Deprecated)
|
Get all licenses: Returns all licenses. |
GET /api/v1/licenses
|
Remove a license: This will delete the license key identified in the request body by "license_key" and its properties from the system. Attempting to delete the last license key will result in an error. |
POST /api/v1/licenses?action=delete
|
Add a new license key: This will add a license key to the system. The API supports adding only one license key for each license edition type - Standard, Advanced or Enterprise. If you try to add a new license key for an edition for which a license key already exists, this API will return an error. |
POST /api/v1/licenses
|
Remove a license identified by the license-key. |
DELETE /api/v1/licenses/{license-key}
(Deprecated)
|
Get license properties for license identified by the license-key. |
GET /api/v1/licenses/{license-key}
(Deprecated)
|
Get usage report of all registered modules: Returns usage report of all registered modules. |
GET /api/v1/licenses/licenses-usage
|
Get usage report of all registered modules in CSV format: Returns usage report of all registered modules in CSV format. |
GET /api/v1/licenses/licenses-usage?format=csv
|
Get the security feature license usage report in CSV format. |
GET /api/v1/licenses/security-usage?format=csv
|
Get the security feature license usage report. |
GET /api/v1/licenses/security-usage
|
Synchronize VCF licenses from all registered vCenters: Synchronize VCF licenses from all registered vCenters and update licenses in NSX. This API will not return synchronized VCF licenses and just update them in NSX. |
POST /api/v1/licenses/vcf-licenses
(Deprecated)
|
Synchronize VCF licenses from all registered vCenters: Synchronize VCF licenses from all registered vCenters and update licenses in NSX. This API will not return synchronized VCF licenses and just update them in NSX. |
POST /api/v1/licenses/vcf/action/sync
|
Read AAA provider vIDM properties |
GET /api/v1/cluster/{cluster-node-id}/node/aaa/providers/vidm
GET /api/v1/node/aaa/providers/vidm |
Update AAA provider vIDM properties |
PUT /api/v1/cluster/{cluster-node-id}/node/aaa/providers/vidm
PUT /api/v1/node/aaa/providers/vidm |
Read AAA provider vIDM status |
GET /api/v1/cluster/{cluster-node-id}/node/aaa/providers/vidm/status
GET /api/v1/node/aaa/providers/vidm/status |
Get all users and groups with their roles: Get all users and groups with their roles from CSP. If the root_path is provided, only role bindings that start with or are sub-trees of the provided root path are returned. The roles_for_paths are also filtered so that only those that start with or are sub-trees of the provided root path appear. |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/aaa/role-bindings
|
Assign roles to User or Group: This API is used to assign a user/group any role(s) of choice on CSP. It is recommended to use the new property roles_for_paths instead of roles. When using roles_for_paths, set read_roles_for_paths to true. A user has the union of all the roles assigned to it on a particular path and its sub-tree. User names are treated case-insensitively. |
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/aaa/role-bindings
|
Delete user/group's roles assignment: Delete the user/group's role assignment on CSP. If the path is provided, only the roles_for_paths that match the path are deleted. If the path is provided for the last roles_for_paths, the whole role binding is deleted, provided it is not that of a local user. |
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/aaa/role-bindings/{binding-id}
|
Get user/group's role information from CSP |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/aaa/role-bindings/{binding-id}
|
Get information about all roles |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/aaa/roles
|
Get the name and role information of the user. This API will return the name and role information of the user invoking this API request on the particular project. The permissions parameter of the NsxRole has been deprecated. The response will contain the roles_for_paths to indicate roles of the user at various paths. |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/aaa/user-info
|
Get all users and groups with their roles: Get all users and groups with their roles from CSP. If the root_path is provided, only role bindings that start with or are sub-trees of the provided root path are returned. The roles_for_paths are also filtered so that only those that start with or are sub-trees of the provided root path appear. |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/vpcs/{vpc-id}/aaa/role-bindings
|
Assign roles to User or Group: This API is used to assign a user/group any role(s) of choice on CSP. It is recommended to use the new property roles_for_paths instead of roles. When using roles_for_paths, set read_roles_for_paths to true. A user has the union of all the roles assigned to it on a particular path and its sub-tree. User names are treated case-insensitively. |
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/vpcs/{vpc-id}/aaa/role-bindings
|
Delete user/group's roles assignment: Delete the user/group's role assignment on CSP. If the path is provided, only the roles_for_paths that match the path are deleted. If the path is provided for the last roles_for_paths, the whole role binding is deleted, provided it is not that of a local user. |
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/vpcs/{vpc-id}/aaa/role-bindings/{binding-id}
|
Get user/group's role information from CSP |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/vpcs/{vpc-id}/aaa/role-bindings/{binding-id}
|
Get information about all roles |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/vpcs/{vpc-id}/aaa/roles
|
Get the name and role information of the user. This API will return the name and role information of the user invoking this API request on the particular project. The permissions parameter of the NsxRole has been deprecated. The response will contain the roles_for_paths to indicate roles of the user at various paths. |
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/vpcs/{vpc-id}/aaa/user-info
|
Returns the proxy configuration. |
GET /api/v1/proxy/config
|
Creates or updates the proxy configuration: Updates or creates the proxy configuration, and returns the new configuration. |
PUT /api/v1/proxy/config
|
Create sensor registration access token: The registration token will have the privileges of a user with the sensor role. |
POST /api/v1/security/sensor-registration-token
|
Returns telemetry agreement information. |
GET /api/v1/telemetry/agreement
|
Set telemetry agreement information. |
PUT /api/v1/telemetry/agreement
|
Returns the telemetry configuration. |
GET /api/v1/telemetry/config
|
Creates or updates the telemetry configuration: Updates or creates the telemetry configuration, and returns the new configuration. |
PUT /api/v1/telemetry/config
|
Return the Properties of a Trust Manager: Returns information about the supported algorithms and key sizes. |
GET /api/v1/trust-management
|
Get the certificate profile for the given service type: Get an available certificate profile. Note that not every service type has an active certificate profile. |
GET /api/v1/trust-management/certificate-profile/{service-type}
|
Return the list of certificate profiles. List the certificate profiles currently active on the NSX Manager. This list depends on the type of instance deployed and which certificates are currently managed through the certificate-profile manager. That list is expected to expand in future releases. |
GET /api/v1/trust-management/certificate-profiles
|
Return All the User-Facing Components' Certificates: Returns all certificate information viewable by the user, including each certificate's UUID; resource_type (for example, certificate_self_signed, certificate_ca, or certificate_signed); pem_encoded data; and history of the certificate (who created or modified it and when). For additional information, include the ?details=true modifier at the end of the request URI. |
GET /api/v1/trust-management/certificates
|
Add a New Certificate: Adds a new private-public certificate or a chain of certificates (CAs) and, optionally, a private key that can be applied to one of the user-facing components (appliance management or edge). The certificate and the key should be stored in PEM format. If no private key is provided, the certificate is used as a client certificate in the trust store. A private key can be uploaded for a CA certificate only if the "purpose" parameter is set to "signing-ca". |
POST /api/v1/trust-management/certificates?action=import
|
Set a certificate as a GM or LM Principal Identity certificate: Set a certificate that has been imported to be the principal identity certificate for the local cluster with either GM or LM service type. Currently, the service type specified must match the current service type of the local cluster. |
POST /api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
(Deprecated)
|
Fetch the server certificate chain of a TLS service endpoint: Attempt to connect to a TLS service endpoint and retrieve the server certificate chain it presents. |
POST /api/v1/trust-management/certificates?action=fetch_peer_certificate_chain
|
Set a certificate as the Appliance Proxy certificate to be used in inter-site communication: Set a certificate that has been imported to be the Appliance Proxy certificate used for communicating with Appliance Proxies on other sites. |
POST /api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication
(Deprecated)
|
Add a CA certificate as a trust anchor |
POST /api/v1/trust-management/certificates/{alias}?action=import_trusted_ca
|
Delete Certificate for the Given Certificate ID: Removes the specified certificate. The private key associated with the certificate is also deleted. |
DELETE /api/v1/trust-management/certificates/{cert-id}
|
Validate a certificate: Checks whether the certificate is valid. When the certificate contains a chain, the full chain is validated. The usage parameter can be SERVER (default) or CLIENT. This indicates whether the certificate needs to be validated as a server-auth or a client-auth certificate. |
GET /api/v1/trust-management/certificates/{cert-id}?action=validate
|
Show Certificate Data for the Given Certificate ID: Returns information for the specified certificate ID, including the certificate's UUID; resource_type (for example, certificate_self_signed, certificate_ca, or certificate_signed); pem_encoded data; and history of the certificate (who created or modified it and when). For additional information, include the ?details=true modifier at the end of the request URI. |
GET /api/v1/trust-management/certificates/{cert-id}
|
Apply a certificate for a CertificateProfile: Look up the Certificate Profile matching the service-type and apply the certificate. When the Certificate Profile has cluster_certificate=false, the node_id parameter is required to designate the node where the certificate needs to be applied. Note that when applying CA-signed certificates to either the API certificate profile or the MGMT_CLUSTER certificate profile, the certificate must have its CN or SAN extensions matching the endpoint's IP or FQDN. This also means that applying a CA-signed certificate to the MGMT_CLUSTER service profile to a cluster without first configuring its VIP is not allowed. |
POST /api/v1/trust-management/certificates/{cert-id}?action=apply_certificate
|
Batch replace certificates: Replaces one or more certificates. A certificate can be replaced using this API only if it has a private key and a certificate profile, recorded in the used-by section of the certificate, exists. Invoking this API will return an error if a certificate replacement operation started by a previously invoked API is still running. The results of these batch operations can be queried by calling the API GET /trust-management/certificates/action/batch-results. |
POST /api/v1/trust-management/certificates/action/batch-replace
|
Renew all internal appliance certificates that will expire soon: Locates all certificates that are used for internal NSX appliance communications that will expire soon (by default, 31 days). If any such certificates exist, a batch operation will be started that creates new certificates and private keys and installs them. After calling this API, you can check on the status of this asynchronous batch operation with the API GET https://<nsx-mgr>/api/v1/trust-management/certificates/batch-results |
POST /api/v1/trust-management/certificates/action/renew-appliance-certificates
|
Replace a Host Certificate: Sends a new private-public certificate or a chain of certificates (CAs) and a private key to be used on a Transport Node. |
POST /api/v1/trust-management/certificates/action/replace-host-certificate/{host-id}
|
Delete result of certificates batch operation: Delete batch-results of certificate operations created by calling the POST /api/v1/trust-management/certificates/action/batch-replace API. Invoking this API while a certificates batch operation is pending will result in an error. With the force=true parameter, the result of the certificates batch operation will be deleted and the certificate operations will be forcibly stopped. |
DELETE /api/v1/trust-management/certificates/batch-results
|
Get result of certificates batch operation: Get batch-result of certificate operations created by calling the POST /api/v1/trust-management/certificates/action/batch-replace API. |
GET /api/v1/trust-management/certificates/batch-results
|
Return the list of CrlDistributionPoints |
GET /api/v1/trust-management/crl-distribution-points
|
Create a Crl Distribution Point: Create an entity that will represent a Crl Distribution Point. |
POST /api/v1/trust-management/crl-distribution-points
|
Delete a CrlDistributionPoint. It does not delete the actual CRL. |
DELETE /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}
|
Return the CrlDistributionPoint with <crl-distribution-point-id> |
GET /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}
|
Update CrlDistributionPoint with <crl-distribution-point-id>: This allows updating the ManagedResource fields. |
PUT /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}
|
Return the status of the CrlDistributionPoint |
GET /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}/status
|
Return stored CRL in PEM format |
POST /api/v1/trust-management/crl-distribution-points/pem-file
|
Return All Added CRLs: Returns information about all CRLs. For additional information, include the ?details=true modifier at the end of the request URI. |
GET /api/v1/trust-management/crls
|
Add a New Certificate Revocation List: Adds a new certificate revocation list (CRL). The CRL is used to verify the client certificate status against the revocation lists published by the CA. For this reason, the administrator needs to add the CRL to the certificate repository as well. A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL (crl_type=OneCRL). If crl_type is not specified, it is auto-detected based on the presence of fields pem_encoded or one_crl. |
POST /api/v1/trust-management/crls?action=import
|
Delete a CRL: Deletes an existing CRL. |
DELETE /api/v1/trust-management/crls/{crl-id}
|
Show CRL Data for the Given CRL ID: Returns information about the specified CRL. For additional information, include the ?details=true modifier at the end of the request URI. |
GET /api/v1/trust-management/crls/{crl-id}
|
Update CRL for the Given CRL ID: Updates an existing CRL. |
PUT /api/v1/trust-management/crls/{crl-id}
|
Return All the Generated CSRs: Returns information about all of the CSRs that have been created. |
GET /api/v1/trust-management/csrs
|
Generate a New Certificate Signing Request: Creates a new certificate signing request (CSR) with selected extensions. A CSR is encrypted text that contains information about your organization (organization name, country, and so on), additional attributes as extensions, and your Web server's public key, which is a public certificate that is generated on the server that can be used to forward this request to a certificate authority (CA). A private key is also usually created at the same time as the CSR. |
POST /api/v1/trust-management/csrs
|
Generate a New Self-Signed Certificate: Creates a new self-signed certificate. A private key is also created at the same time. This is a convenience call that will generate a CSR and then self-sign it. The maximum validity limit for non-CA certificates is 825 days, except that values of 3,650 and 36,500 days are allowed. No limit is set for CA certificates. |
POST /api/v1/trust-management/csrs?action=self_sign
|
Generate a New Certificate Signing Request with Extensions: Creates a new certificate signing request (CSR) with selected extensions. A CSR is encrypted text that contains information about your organization (organization name, country, and so on), additional attributes as extensions, and your Web server's public key, which is a public certificate that is generated on the server that can be used to forward this request to a certificate authority (CA). A private key is also usually created at the same time as the CSR. |
POST /api/v1/trust-management/csrs-extended
(Deprecated)
|
Delete a CSR: Removes a specified CSR. If a CSR is not used for verification, you can delete it. |
DELETE /api/v1/trust-management/csrs/{csr-id}
|
Show CSR Data for the Given CSR ID: Returns information about the specified CSR. |
GET /api/v1/trust-management/csrs/{csr-id}
|
Upload the Certificate PEM File Signed by the CA Associated with a CSR: Uploads the certificate authority (CA)-signed certificate. After you send the certificate request to the CA of your choice, and the CA sends back the signed certificate, you can use the upload POST action to upload the signed certificate. The upload action is similar to the import action, but the upload action allows you to directly upload the PEM-encoded file (signed certificate) provided by the CA. After this operation you can delete the CSR. |
POST /api/v1/trust-management/csrs/{csr-id}?action=upload
|
Import a Certificate Associated with an Approved CSR: Imports a certificate authority (CA)-signed certificate for a CSR. This action links the certificate to the private key created by the CSR. The pem_encoded string in the request body is the signed certificate provided by your CA in response to the CSR that you provide to them. After this operation you can delete the CSR. |
POST /api/v1/trust-management/csrs/{csr-id}?action=import
|
Self-Sign the CSR: Self-signs the previously generated CSR. This action is similar to the import certificate action, but instead of using a public certificate signed by a CA, the self_sign POST action uses a certificate that is signed with NSX's own private key. The maximum validity limit for non-CA certificates is 825 days, except that values of 3,650 and 36,500 days are also allowed. No limit is set for CA certificates. |
POST /api/v1/trust-management/csrs/{csr-id}?action=self_sign
|
Get CSR PEM File for the Given CSR ID: Downloads the CSR PEM file for a specified CSR. Clients must include an Accept: text/plain request header. |
GET /api/v1/trust-management/csrs/{csr-id}/pem-file
|
Return the list of OpenID Connect end-points. |
GET /api/v1/trust-management/oidc-uris
|
Update an OpenID Connect end-point's thumbprint: Update an OpenID Connect end-point's thumbprint used to connect to the oidc_uri through SSL. |
POST /api/v1/trust-management/oidc-uris?action=update_thumbprint
|
Add an OpenID Connect end-point. This request also fetches the issuer and jwks_uri meta-data from the OIDC end-point and stores it. |
POST /api/v1/trust-management/oidc-uris
|
Get an OpenID Connect end-point. When ?refresh=true is added to the request, the meta-data is newly fetched from the OIDC end-point. |
GET /api/v1/trust-management/oidc-uris/{id}
|
Refresh an OpenID Connect end-point: Refresh an OpenID Connect end-point by re-reading data from the OIDC URI. |
POST /api/v1/trust-management/oidc-uris/{id}?action=refresh
|
Update an OpenID Connect end-point. Update the properties of an OpenID Connect end-point. The oidc_uri property may not be changed. If you need to update the oidc_uri, you should delete the OIDC end-point and create a new one with the correct oidc_uri. This request also re-fetches the issuer, jwks_uri, and other meta-data from the OIDC end-point and stores it. |
PUT /api/v1/trust-management/oidc-uris/{id}
|
Check the health of an OpenID Connect end-point: Connect to the OpenID Connect end-point and verify that it appears to be functioning properly. |
GET /api/v1/trust-management/oidc-uris/{id}/health
|
Search a SCIM endpoint: Search the System for Cross-domain Identity Management (SCIM) source for users and groups whose names match the search string. |
POST /api/v1/trust-management/oidc-uris/{id}/search
|
Verify that a given user or group exists on the SCIM endpoint: Search the System for Cross-domain Identity Management (SCIM) source to find a user or group whose name exactly matches the given name. |
GET /api/v1/trust-management/oidc-uris/{id}/user-or-group-exists
|
Configure NSX for OIDC authentication with VC/WS1B: Configures NSX to use VC/WS1B for OIDC authentication. Using the provided JWT token, NSX will create an OAuth app on VC/WS1B, creating a client ID and client secret. NSX will subsequently use that client ID/secret to authenticate users, and will support single sign-on across VMware products. |
POST /api/v1/trust-management/oidc-uris/action/configure-ws1b-oidc-endpoint
|
Unconfigure NSX for OIDC authentication with VC/WS1B: Removes the OAuth app on VC/WS1B and deletes the associated OIDC endpoint from NSX. |
POST /api/v1/trust-management/oidc-uris/action/remove-ws1b-oidc-endpoint
|
Return the list of principal identities: Returns the list of principals registered with a certificate. |
GET /api/v1/trust-management/principal-identities
|
Register a name-certificate combination. Associates a principal's name with a certificate that is used to authenticate. The combination of name and node_id needs to be unique across token-based and certificate-based principal identities. |
POST /api/v1/trust-management/principal-identities
(Deprecated)
|
Update a principal identity's certificate. |
POST /api/v1/trust-management/principal-identities?action=update_certificate
|
Delete a principal identity. It does not delete the certificate. |
DELETE /api/v1/trust-management/principal-identities/{principal-identity-id}
|
Get a principal identity: Get a stored principal identity. |
GET /api/v1/trust-management/principal-identities/{principal-identity-id}
|
Register a name-certificate combination. Create a principal identity with a new, unused certificate. The combination of name and node_id needs to be unique across token-based and certificate-based principal identities. |
POST /api/v1/trust-management/principal-identities/with-certificate
|
Get stale certificates: Get the list of certificates that are currently not applied to any certificate profile and ones that are applied to deprecated certificate profiles. |
GET /api/v1/trust-management/stale-certificates
|
Return the list of token-based principal identities. These don't have certificate or role information. |
GET /api/v1/trust-management/token-principal-identities
|
Register a token-based principal identity. Register a principal identity that is going to be authenticated through a token. The combination of name and node_id needs to be unique across token-based and certificate-based principal identities. |
POST /api/v1/trust-management/token-principal-identities
|
Delete a token-based principal identity. |
DELETE /api/v1/trust-management/token-principal-identities/{principal-identity-id}
|
Get a token-based principal identity: Get a stored token-based principal identity. |
GET /api/v1/trust-management/token-principal-identities/{principal-identity-id}
|