Q. The softdoc for 3.20 says it will "ignore" "dh1024" part of "des168,dh1024".
Encryption is still done using the algo in the first argument. What was changed was the key generation method, the key is generated internally now, so the "dh1024" is ignored. NETPASS and PASSWORD will create a shared session key for encryption purposes. This new encryption method is incompatible with previous Releases of XPQ. If your XYGATEPQ environment is using a multi-node configuration, the ENCRYPTION entry needs to be commented out on all the nodes before and until the upgrade of all nodes is completed.
Q. Is the pair skipped or is another default key used?
The pair is not skipped.
Q. What are valid <algorithm>,<key> pairs now?
The 3.20 document only shows FIXEDKEY, DH512, DH1024 as valid keys which the softdoc says DH are no longer used. There is no change to the valid pairs, the change was just to ignore the key exchange method.
Q. Does that mean only FIXEDKEY is valid if you need encryption?
Passwords are still encrypted when sent over expand during a network password change.
Q. Also what triggers a PQCONF reload after changes have been made?
The next XPQ request will reload the files before processing.
If this article did not provide a solution, please open a case with our support team by sending an email message to support@xypro.com.