Manual Chapter : Integrating PQC

Integrating PQC

PQC (Post-Quantum Cryptography) is the branch of cryptography that develops algorithms designed to resist attacks by quantum computers. These algorithms rely on mathematical problems, such as finding short vectors in lattices, that are believed to remain hard even for a quantum computer.

Widely used public-key algorithms, such as RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman, rest on mathematical problems (integer factorization and discrete logarithms) that classical computers cannot solve within a reasonable time at the key sizes in use. A sufficiently large quantum computer changes this: running Shor's algorithm, it could solve these problems efficiently, which would break every key exchange and signature built on them.

One of the serious threats today is the "Harvest Now, Decrypt Later" attack: an adversary records encrypted traffic now and decrypts it once a capable quantum computer exists. Data that looks secure today can therefore be exposed in the future. A post-quantum key exchange addresses this by deriving the session keys from a quantum-resistant component, so recorded traffic cannot be decrypted later even if the classical part of the exchange is broken.

X25519KYBER768 Key Exchange:

To mitigate these risks, BIG-IP supports the hybrid X25519Kyber768 key exchange in TLS 1.3 on the client side, improving security against future quantum-based threats. X25519Kyber768 is not a new DH curve but a hybrid key exchange group: the TLS shared secret combines an X25519 ECDH exchange with a Kyber768 KEM encapsulation, so the session keys remain secure as long as either component holds. This protects encrypted data from "Harvest Now, Decrypt Later" attacks while maintaining compatibility with clients that only support classical groups, because those groups can still be offered alongside it. This implementation of PQC algorithms is designed to make it easier for organizations to test, integrate, and prototype quantum-safe cryptographic systems.

X25519MLKEM768 Key Exchange:

BIG-IP also supports the hybrid X25519MLKEM768 key exchange, which pairs X25519 with ML-KEM-768, the NIST-standardized key encapsulation mechanism (FIPS 203). Together, they protect the TLS key exchange against current threats and those expected in a future with quantum computers.

Note: Important: The PQC key exchange groups are negotiated only with the TLS 1.3 protocol. A connection that negotiates TLS 1.2 or earlier uses the classical groups in the rule and gets no post-quantum protection.

Note: Support for X25519KYBER768 (the pre-standard Kyber draft) will be deprecated soon. It is recommended to transition to X25519MLKEM768.

To create a Cipher Rule, follow the below steps:

  1. On the Main tab, expand Local Traffic. Go to Ciphers and select Rules.

  2. Click the Create button.

  3. In the Name field, type a name for the new cipher rule.

  4. In the Cipher Suites field, select any of the suites from the provided list. Use ALL or DEFAULT to include all the available suites; for example, DEFAULT.

  5. For DH Groups:

    1. Kyber support (17.5.0 and later): enter X25519KYBER768
    2. ML-KEM support (17.5.1 and later): enter X25519MLKEM768
    3. Optionally, to offer both hybrid groups and keep the classical groups as a fallback for older clients, enter X25519MLKEM768:X25519KYBER768:DEFAULT
  6. In the Signature Algorithms field, select an algorithm; for example, DEFAULT.

  7. Click the Finished button.

To use the cipher rule in a cipher group, follow the below steps:

  1. On the Main tab, expand Local Traffic.

  2. Go to Ciphers and select Groups. Click the Create button.

  3. Provide the details in the General section, then select the rule created above from Group Creation > Available Rules.

  4. Add the created rule to "Allow the following list" or "Restrict the Allowed list to the following" in the Group Details section.

  5. All the other details, such as DH Groups, Signature Algorithms, and Cipher Suites, are reflected in the Group Audit section according to the selected rule.

  6. Click the Finished button.

To add the cipher group to a Client SSL profile, follow the below steps:

  1. Go to Profile > SSL > Client.

  2. Select any existing profile or create a new one, and set the Configuration value to Advanced.

  3. Go to Ciphers and select the Cipher Group radio button. Select the created group to enable it for the Client SSL profile.

To add the cipher group to a Server SSL profile, follow the below steps:

  1. Go to Profile > SSL > Server.

  2. Select any existing profile or create a new one, and set the Configuration value to Advanced.

  3. Go to Ciphers and select the Cipher Group radio button. Select the created group to enable it for the Server SSL profile.

Use the following tmsh commands to create a cipher rule:

  1. SSH into the BIG-IP system and log in with admin credentials. Type tmsh to enter the Traffic Management Shell.

  2. Create the ltm cipher rule using the following commands, substituting the value of <key_exchange> with the key exchange group you want to use:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm cipher rule TMSH_PQC cipher DEFAULT dh-groups <key_exchange>:DEFAULT signature-algorithms DEFAULT

    For Example:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm cipher rule TMSH_PQC cipher DEFAULT dh-groups X25519KYBER768:DEFAULT signature-algorithms DEFAULT

    On 17.5.1 and later, use X25519MLKEM768 in place of X25519KYBER768, since the Kyber draft group is being deprecated.
  3. To list or view the basic details of the created cipher rule, use the following command. The dh-groups value shown is whatever <key_exchange> you supplied when creating the rule:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm cipher rule TMSH_PQC
    ltm cipher rule TMSH_PQC {
        cipher DEFAULT
        dh-groups <key_exchange>:DEFAULT
        signature-algorithms DEFAULT
    }

    For Example:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm cipher rule TMSH_PQC
    ltm cipher rule TMSH_PQC {
        cipher DEFAULT
        dh-groups X25519KYBER768:DEFAULT
        signature-algorithms DEFAULT
    }
  4. To view the complete details of the created cipher rule, including every suite and group that DEFAULT expands to, use the show command. For the rule created above with X25519KYBER768:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm cipher rule TMSH_PQC
    
    --------------------
    Ltm::Cipher::Rule
    --------------------
    Name                  TMSH_PQC
    Cipher Suites         ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/DTLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/DTLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/DTLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/DTLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-GCM-SHA256/DTLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES128-SHA256/DTLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-GCM-SHA384/DTLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:AES256-SHA256/DTLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA128-SHA/DTLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/DTLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-ECDSA-AES128-CCM/TLS1.2:ECDHE-ECDSA-AES128-CCM/DTLS1.2:ECDHE-ECDSA-AES128-CCM8/TLS1.2:ECDHE-ECDSA-AES128-CCM8/DTLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA/DTLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/DTLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-ECDSA-AES256-CCM/TLS1.2:ECDHE-ECDSA-AES256-CCM/DTLS1.2:ECDHE-ECDSA-AES256-CCM8/TLS1.2:ECDHE-ECDSA-AES256-CCM8/DTLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA/DTLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/DTLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/DTLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/DTLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-GCM-SHA384/DTLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/DTLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/DTLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/DTLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
    DH-Groups             X25519KYBER768:DEFAULT
    Signature Algorithms  DEFAULT

    Note that DEFAULT also expands to TLS 1.0, TLS 1.1, and CBC suites. The hybrid group applies only to the TLS13-* suites at the end of the list, so a client that negotiates an older protocol version gets no post-quantum protection; restrict the cipher string if that is not acceptable.

To add the cipher rule to a cipher group from tmsh, follow the below steps:

  1. SSH into the BIG-IP system and log in with admin credentials. Type tmsh to enter the Traffic Management Shell.

  2. Create the ltm cipher group using the following command:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm cipher group TMSH_PQC allow add { TMSH_PQC }
  3. To list or view the basic details of the created cipher group use the below command:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm cipher group TMSH_PQC
    ltm cipher group TMSH_PQC {
        allow {
            TMSH_PQC { }
        }
    }
  4. To view the complete details of the created cipher group, including the resolved DH groups, use the below command:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm cipher group TMSH_PQC
    
    ---------------------------
    Ltm::Cipher::Group
    ---------------------------
    Name                         TMSH_PQC
    Cipher Result                ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/DTLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/DTLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/DTLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/DTLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-GCM-SHA256/DTLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES128-SHA256/DTLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-GCM-SHA384/DTLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:AES256-SHA256/DTLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA128-SHA/DTLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/DTLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-ECDSA-AES128-CCM/TLS1.2:ECDHE-ECDSA-AES128-CCM/DTLS1.2:ECDHE-ECDSA-AES128-CCM8/TLS1.2:ECDHE-ECDSA-AES128-CCM8/DTLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA/DTLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/DTLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-ECDSA-AES256-CCM/TLS1.2:ECDHE-ECDSA-AES256-CCM/DTLS1.2:ECDHE-ECDSA-AES256-CCM8/TLS1.2:ECDHE-ECDSA-AES256-CCM8/DTLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA/DTLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/DTLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/DTLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/DTLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-GCM-SHA384/DTLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/DTLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/DTLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/DTLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
    DH-Groups Result             P256:X25519:P384:FFDHE2048:FFDHE3072:FFDHE4096:X25519KYBER768
    Signature Algorithms Result  RSA-PKCS1-SHA256:RSA-PSS-SHA256:ECDSA-SHA256:RSA-PKCS1-SHA384:RSA-PSS-SHA384:ECDSA-SHA384:RSA-PKCS1-SHA512:RSA-PSS-SHA512:ECDSA-SHA512
    
    
    root@(localhost)(pid-6084)(cfg-sync Standalone)(Active)(/Common)(tmos)#

To add the cipher group to a Client SSL profile from tmsh, follow the below steps:

  1. SSH into the BIG-IP system and log in with admin credentials. Type tmsh to enter the Traffic Management Shell.

  2. Create the Client SSL profile using the following command. A profile uses either a cipher string or a cipher group, so ciphers none clears the inherited cipher string when cipher-group is set. The explicit options list replaces the profile's default options; check that the effective list does not contain no-tlsv1.3, because the PQC groups are negotiated only under TLS 1.3.

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm profile client-ssl TMSH_PQC cipher-group TMSH_PQC options { dont-insert-empty-fragments } ciphers none
  3. To list or view the basic details of the created ltm client-ssl profile use the below command:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl TMSH_PQC
    ltm profile client-ssl TMSH_PQC {
        app-service none
        cert-key-chain {
            default_0 {
                cert default.crt
                key default.key
            }
        }
        cipher-group TMSH_PQC
        ciphers none
        defaults-from clientssl
        inherit-ca-certkeychain true
        inherit-certkeychain false
        mode enabled
        options { dont-insert-empty-fragments }
    }

To add the cipher group to a Server SSL profile from tmsh, follow the below steps:

  1. SSH into the BIG-IP system and log in with admin credentials. Type tmsh to enter the Traffic Management Shell.

  2. Create the Server SSL profile using the following command. The object type is server-ssl, not client-ssl; the cipher-group, ciphers none, and options settings carry the same meaning as for the Client SSL profile:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm profile server-ssl TMSH_PQC cipher-group TMSH_PQC options { dont-insert-empty-fragments } ciphers none
  3. To list or view the basic details of the created ltm server-ssl profile use the below command:

    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile server-ssl TMSH_PQC
    ltm profile server-ssl TMSH_PQC {
        app-service none
        cipher-group TMSH_PQC
        ciphers none
        defaults-from serverssl
        options { dont-insert-empty-fragments }
    }

    The Server SSL profile governs the handshake between BIG-IP and the pool member. The pool member's TLS stack must also support the hybrid group; otherwise the server-side handshake falls back to one of the classical groups in the rule.
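Once the profiles are attached to a virtual server, confirm from the outside that the hybrid group is actually being offered and preferred. The following Python script is an added example, not part of this manual or of F5's software. It sends a TLS 1.3 ClientHello that advertises X25519MLKEM768 and X25519KYBER768 in supported_groups but carries only an X25519 key share, then reports the group named in the server's reply. The code points 0x11EC and 0x6399 are the IANA-registered values for X25519MLKEM768 and the X25519Kyber768Draft00 group that BIG-IP exposes as X25519KYBER768; the hostname bigip.example.internal is a placeholder. A HelloRetryRequest naming a hybrid group proves the server prefers it; a ServerHello that simply uses the offered X25519 share does not prove the opposite, because some servers accept any acceptable offered share rather than issue a retry.

```python
"""Probe which TLS 1.3 key-exchange group a server selects (added example, not F5 code)."""
import os
import socket
import struct

# IANA TLS Supported Groups code points. 0x11EC is X25519MLKEM768; 0x6399 is the
# pre-standard X25519Kyber768Draft00 that BIG-IP exposes as X25519KYBER768.
GROUPS = {0x11EC: "X25519MLKEM768", 0x6399: "X25519KYBER768", 0x001D: "x25519",
          0x0017: "secp256r1", 0x0018: "secp384r1", 0x0100: "ffdhe2048"}
OFFER = [0x11EC, 0x6399, 0x001D, 0x0017]      # hybrid groups first, classical fallback after
# Fixed ServerHello.random that marks a HelloRetryRequest (RFC 8446 section 4.1.3).
HRR_RANDOM = bytes.fromhex("CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str) -> bytes:
    """TLS record holding a TLS 1.3-only ClientHello. Hybrid groups are advertised in
    supported_groups but the only key_share is X25519, so a server that prefers a hybrid
    group has to answer with a HelloRetryRequest that names it."""
    groups = b"".join(struct.pack("!H", g) for g in OFFER)
    host = server_name.encode()
    exts = b"".join([
        _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host),  # server_name
        _ext(0x000A, struct.pack("!H", len(groups)) + groups),                  # supported_groups
        _ext(0x000D, struct.pack("!H", 6) + b"\x04\x03\x08\x04\x04\x01"),       # signature_algorithms
        _ext(0x002B, b"\x02\x03\x04"),                                          # supported_versions: 1.3
        _ext(0x0033, struct.pack("!HHH", 36, 0x001D, 32) + os.urandom(32)),     # key_share: x25519 only
    ])
    suites = b"\x13\x01\x13\x02"  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"              # legacy_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_server_reply(record: bytes) -> dict:
    """Parse the first server record (ServerHello or HelloRetryRequest) and return the
    group carried in its key_share extension. Raises ValueError on an alert."""
    if len(record) < 5:
        raise ValueError("short record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if record[0] == 0x15:
        raise ValueError(f"server sent alert {record[5:7].hex()}")
    if record[0] != 0x16:
        raise ValueError(f"unexpected record type {record[0]:#x}")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError(f"unexpected handshake type {hs[0]:#x}")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    is_hrr = body[2:34] == HRR_RANDOM
    pos = 34
    pos += 1 + body[pos] + 2 + 1          # legacy_session_id_echo, cipher_suite, compression
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end, group = pos + 2, pos + 2 + ext_len, None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == 0x0033:               # key_share: an HRR carries only the selected group
            group = struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + elen
    name = "none" if group is None else GROUPS.get(group, f"unknown({group:#06x})")
    return {"hrr": is_hrr, "group": group, "name": name}


def build_server_reply(group: int, hrr: bool) -> bytes:
    """Constructed ServerHello / HelloRetryRequest record, used only for offline testing."""
    share = struct.pack("!H", group) if hrr else struct.pack("!HH", group, 32) + b"\x11" * 32
    exts = _ext(0x002B, b"\x03\x04") + _ext(0x0033, share)
    body = (b"\x03\x03" + (HRR_RANDOM if hrr else b"\x22" * 32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full record arrived")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the ClientHello to host:port and report the group the server selected."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        hdr = _recv_exact(s, 5)
        return parse_server_reply(hdr + _recv_exact(s, struct.unpack("!H", hdr[3:5])[0]))


if __name__ == "__main__":
    import sys
    # bigip.example.internal is an assumed hostname; pass your virtual server's name instead.
    result = probe(sys.argv[1] if len(sys.argv) > 1 else "bigip.example.internal")
    kind = "HelloRetryRequest" if result["hrr"] else "ServerHello"
    print(f"{kind} selected {result['name']}")
```

Run it as python3 probe.py <virtual-server-hostname>. The script speaks the handshake directly rather than using the ssl module because the local OpenSSL build may not know the hybrid groups at all, in which case a normal client would never advertise them and the check would be meaningless.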