You can enable post quantum cryptography (PQC) on Windows and Linux computers in a CommCell environment, including the CommServe computer, the Web Server computer, the MediaAgent, and client computers. Post quantum cryptography provides resistance against attacks from quantum computers.
Note
- Post Quantum Cryptography can be enabled only when setting up a new CommCell environment. It cannot be enabled on an existing CommCell environment in which the CommServe computer is already installed and has clients.
- Post Quantum Cryptography does not work in multi-CommCell environments.
Procedure
- Install the CommServe computer.
  Verify that no clients are installed on the Windows or Linux computer. You can install clients only after post quantum cryptography is enabled.
- On Windows computers only, add the MaxRequestBytes and MaxFieldLength registry entries as follows:
  - Open the Windows Registry Editor and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters key.
  - Create a new DWORD (32-bit) value named MaxRequestBytes and set it to 30720 (30 KB).
  - Create a new DWORD (32-bit) value named MaxFieldLength and set it to 30720 (30 KB).
  - Close the Registry Editor.
  - Reboot the computer.
- On Windows and Linux computers, add the sPostQuantumCerts additional setting as shown in the following table. You can also create a server group, add all the clients to that group, and then add the additional setting at the server group level.
  For information about adding an additional setting to a server or server group, see Adding a Setting for Servers and Server Groups.

  Property   Value
  Name       sPostQuantumCerts
  Category   Session
  Type       String
  Value      dilithium3

- On Windows and Linux computers, add the sPostQuantumKEM additional setting as shown in the following table. You can also create a server group, add all the clients to that group, and then add the additional setting at the server group level.
  For information about adding an additional setting to a server or server group, see Adding a Setting for Servers and Server Groups.

  Property   Value
  Name       sPostQuantumKEM
  Category   Session
  Type       String
  Value      kyber1024

- Restart client services on each client, and verify that certificates signed by the new CA are generated on the clients.
  Note
  A folder named rest is created under the Base/certificates folder. It is used for web service communication.
- Restart services on the CommServe computer to renew the CA and generate a new client certificate.
- To verify that certificates were generated with the new algorithms, decode each certificate and confirm that the output contains no mention of RSA or SHA. Use the following command:
openssl x509 -in <cert file>.pem -text -noout
Alternatively, check the file size of the newly generated certificates; they are larger than the previous ones. Use the following command on Linux computers:
ls -lh
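The following script is an added example and is not part of the Commvault documentation. It automates the verification step above: it decodes each certificate with openssl x509, looks at the Signature Algorithm and Public Key Algorithm lines, and reports the file as failing if either names RSA or SHA. It goes slightly beyond the page's check by confining the search to the algorithm lines, so a subject or issuer name that happens to contain "sha" does not produce a false failure, and it prints the file size beside each result so the size comparison from the page is visible in the same output. The function names, the assumption that certificates are stored as .pem files in one directory (for example the Base/certificates folder mentioned above), and the sample text are all constructed here.

```shell
#!/bin/sh
# Added example (not from the Commvault documentation): check that certificates
# were issued with the new algorithms by confirming that no algorithm line in
# the decoded certificate names RSA or SHA.

# pqc_cert_text_ok: read decoded certificate text (openssl x509 -text output)
# on stdin. Returns 0 when no Signature Algorithm / Public Key Algorithm line
# names RSA or SHA, 1 when one does, 2 when no algorithm lines were found
# (for example when decoding failed and stdin was empty).
pqc_cert_text_ok() {
    algs=$(grep -E '(Signature Algorithm|Public Key Algorithm):' | sort -u)
    if [ -z "$algs" ]; then
        echo "no algorithm lines found" >&2
        return 2
    fi
    printf '%s\n' "$algs"
    if printf '%s\n' "$algs" | grep -Eiq 'rsa|sha'; then
        return 1
    fi
    return 0
}

# pqc_cert_file_ok <cert.pem>: decode the certificate with the same openssl
# command the documentation gives and apply the text check to the result.
pqc_cert_file_ok() {
    openssl x509 -in "$1" -text -noout | pqc_cert_text_ok
}

# check_cert_dir <dir>: run the file check over every .pem file in <dir> (the
# certificates folder is assumed here) and print one PASS/FAIL line per file
# with its size in bytes. Returns 1 if any file fails.
check_cert_dir() {
    dir=${1:-.}
    rc=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if pqc_cert_file_ok "$f" >/dev/null 2>&1; then
            echo "PASS ${size} bytes $f"
        else
            echo "FAIL ${size} bytes $f"
            rc=1
        fi
    done
    return $rc
}

# Usage: . ./pqc_cert_check.sh && check_cert_dir /path/to/Base/certificates
```

If the local openssl build does not recognise the new algorithms, the Signature Algorithm line shows a dotted OID instead of a name; the absence check still passes in that case, so when you need a positive confirmation compare the printed algorithm lines against the identifiers you expect rather than relying on the PASS line alone.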