Post-Quantum Cryptography (PQC)
Configuring IBM® Application Gateway to use Post-Quantum Cryptography.
Quantum computing poses a risk to classical cryptographic algorithms. Widely adopted public key cryptography standards are expected to become vulnerable within the next several years. In response to this emerging threat, the U.S. National Institute of Standards and Technology (NIST) has evaluated and selected several quantum-resistant algorithms for various use cases. These algorithms are collectively referred to as post-quantum cryptography (PQC).
For more information about Post-Quantum Cryptography, see Security in the quantum computing era.
IAG uses PQC as part of the TLS 1.3 key agreement. PQC can be configured independently for connections between clients and IAG, and for connections between IAG and resource servers.
The following table shows the PQC configuration entries for various connection types:
| Connection Type | Configuration Entries |
|---|---|
| IAG Listening Interfaces | server/ssl/front_end/key_agreement |
| Resource Servers | server/ssl/applications/key_agreement |
| Credential Service | server/ssl/applications/key_agreement |
| OAuth Introspection | server/ssl/applications/key_agreement |
| OIDC RP | server/ssl/applications/key_agreement |
| Redis Server(s) | services/redis/collections/[]/servers/[]/ssl/key_agreement |
For more information about how to configure PQC between clients and IAG, see server/ssl/front_end/key_agreement in the YAML schema.
For more information about how to configure PQC between IAG and servers, see server/ssl/applications/key_agreement in the YAML schema.
For more information about how to configure PQC between IAG and Redis servers, see services/redis/collections/[]/servers/[]/ssl/key_agreement in the YAML schema.
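Because each connection type is configured independently, and Redis per server, it is easy to set the entry in one place and miss it in another. The following added example (not IBM code) walks an already-parsed IAG configuration and reports, for each path in the table above, where key_agreement is set and where it is absent. It assumes the YAML has been loaded into nested dicts and lists; the sample configuration and its values are constructed placeholders, and the script does not interpret the values or assume what IAG does when the entry is absent.

```python
# Added example: coverage report for the key_agreement entries listed in the table.
# Paths and connection types come from the page; SAMPLE is a constructed config.
PQC_ENTRIES = {
    "server/ssl/front_end/key_agreement": ["IAG Listening Interfaces"],
    "server/ssl/applications/key_agreement": [
        "Resource Servers", "Credential Service", "OAuth Introspection", "OIDC RP"],
    "services/redis/collections/[]/servers/[]/ssl/key_agreement": ["Redis Server(s)"],
}

def resolve(node, parts, seen=()):
    """Yield (concrete_path, value or None) for every place the path applies."""
    if not parts:
        yield "/".join(seen), node
        return
    head, rest = parts[0], parts[1:]
    if head == "[]":
        # List wildcard: check every element, e.g. every Redis server.
        if not isinstance(node, list) or not node:
            yield "/".join(seen + ("[]",) + tuple(rest)), None
            return
        for i, item in enumerate(node):
            yield from resolve(item, rest, seen + (f"[{i}]",))
    elif isinstance(node, dict) and node.get(head) is not None:
        yield from resolve(node[head], rest, seen + (head,))
    else:
        # The entry, or one of its parents, is absent at this location.
        yield "/".join(seen + (head,) + tuple(rest)), None

def audit(config):
    """Return rows of (connection_types, concrete_path, is_set)."""
    rows = []
    for path, kinds in PQC_ENTRIES.items():
        for concrete, value in resolve(config, path.split("/")):
            rows.append((", ".join(kinds), concrete, value is not None))
    return rows

# Constructed sample: front end set, applications unset, second Redis server unset.
SAMPLE = {
    "server": {"ssl": {"front_end": {"key_agreement": "<key-agreement-setting>"}}},
    "services": {"redis": {"collections": [{"servers": [
        {"ssl": {"key_agreement": "<key-agreement-setting>"}},
        {"ssl": {}},
    ]}]}},
}

if __name__ == "__main__":
    for kinds, path, is_set in audit(SAMPLE):
        print(f"{'set   ' if is_set else 'ABSENT'}  {path}  ({kinds})")
```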