z/OS Communications Server: SNA Programming


Establishing cross-domain cryptographic sessions

z/OS Communications Server: SNA Programming
SC27-3674-00

About this task

To establish an LU-LU cross-domain cryptographic session, VTAM® must first establish a session between the SSCPs in each domain. When VTAM receives a request to establish a cryptographic session with a resource in another domain (at the secondary end of the requested LU-LU session), VTAM obtains a session-cryptography key. One copy of this key is enciphered under the cross-domain key of the SSCP of the primary end of the requested LU-LU session, and one copy is enciphered under the SLU key. VTAM then puts the copy enciphered under the SLU key in the BIND image in the CDCINIT request, puts the copy enciphered under the cross-domain key in the CDCINIT request after the BIND image, and sends the CDCINIT request to the SSCP of the primary end of the requested session.

The VTAM at the primary end of the requested session processes the CDCINIT request by using the cross-domain key of the other SSCP to translate the session-cryptography key that is enciphered under the cross-domain key, so that it is enciphered under the host master key in its domain. VTAM then schedules the application program's LOGON exit routine; the application program then issues an OPNDST macroinstruction. VTAM processes the OPNDST macroinstruction by moving the session-cryptography key (enciphered under the SLU key) into a BIND request and by saving the session-cryptography key (enciphered under the host master key). The BIND request is then sent either to the host processor at the SLU (if the secondary end is an application program) or directly to the cryptographic device (if the secondary end is a cryptographic device). If the SLU is a cryptographic device, the cryptographic session-establishment processing is the same from this point as that for a single-domain cryptographic session. See Establishing single-domain cryptographic sessions for information about single-domain sessions.

If the SLU is an application program, VTAM at the SLU takes the session-cryptography key sent in the BIND request, translates it using the application program's SLU key so that it is enciphered under the local host master key, and saves it. Then VTAM generates an initial chaining value, saves a copy of it, enciphers it (under the session-cryptography key), and passes it to the primary end of the session in the BIND response. From this point, the cryptographic session-establishment processing is the same as that for a single-domain cryptographic session. See Establishing single-domain cryptographic sessions for information about single-domain sessions.
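The key flow in the three paragraphs above, modelled end to end as an added example (this is not VTAM code and is not taken from this document): the SSCP at the secondary end generates a session-cryptography key and sends it in CDCINIT wrapped twice, the SSCP at the primary end translates one copy to its own host master key, the BIND request carries the SLU-key copy, and the SLU returns an initial chaining value enciphered under the session key in the BIND response. The cipher is an assumption: the page does not name the algorithm, so an HMAC-SHA256 keystream with an integrity tag stands in for the cryptographic device's cipher, and all keys, message field names and function names are constructed for the simulation.

```python
"""Simulation of cross-domain session-key distribution (constructed example).

The cipher below is a stand-in (assumption): HMAC-SHA256 in counter mode
plus an encrypt-then-MAC tag, not the cipher of a real cryptographic device.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream = HMAC(key, "ks" || nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encipher(key: bytes, plaintext: bytes) -> bytes:
    """Encipher data (or wrap a key) under `key`; output is nonce || body || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def decipher(key: bytes, ciphertext: bytes) -> bytes:
    """Verify the tag, then decipher; a tampered wrapped key is rejected, not translated."""
    nonce, body, tag = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:-TAG_LEN], ciphertext[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("enciphered key or data failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class CryptoDevice:
    """Holds one host master key; clear session keys exist only inside its methods."""

    def __init__(self, host_master_key: bytes):
        self._hmk = host_master_key

    def translate_in(self, wrapped_key: bytes, transport_key: bytes) -> bytes:
        """Re-encipher a key from a transport key (cross-domain or SLU key) to the host master key."""
        return encipher(self._hmk, decipher(transport_key, wrapped_key))

    def encipher_with_session_key(self, wrapped_session_key: bytes, data: bytes) -> bytes:
        return encipher(decipher(self._hmk, wrapped_session_key), data)

    def decipher_with_session_key(self, wrapped_session_key: bytes, data: bytes) -> bytes:
        return decipher(decipher(self._hmk, wrapped_session_key), data)


def secondary_sscp_builds_cdcinit(cross_domain_key: bytes, slu_key: bytes) -> dict:
    """SSCP at the secondary end: obtain a session key and wrap it twice for CDCINIT."""
    session_key = secrets.token_bytes(32)
    return {
        "bind_image": {"session_key_under_slu_key": encipher(slu_key, session_key)},
        "session_key_under_cross_domain_key": encipher(cross_domain_key, session_key),
    }


def primary_sscp_processes_cdcinit(device: CryptoDevice, cdcinit: dict, cross_domain_key: bytes):
    """SSCP at the primary end: translate to its host master key, build the BIND request."""
    saved = device.translate_in(cdcinit["session_key_under_cross_domain_key"], cross_domain_key)
    bind_request = {"session_key_under_slu_key": cdcinit["bind_image"]["session_key_under_slu_key"]}
    return saved, bind_request


def slu_processes_bind(device: CryptoDevice, bind_request: dict, slu_key: bytes):
    """SLU side: translate the SLU-key copy, generate an ICV, return it enciphered."""
    saved = device.translate_in(bind_request["session_key_under_slu_key"], slu_key)
    icv = secrets.token_bytes(8)  # initial chaining value (constructed, 8 bytes)
    bind_response = {"enciphered_icv": device.encipher_with_session_key(saved, icv)}
    return saved, icv, bind_response


def plu_processes_bind_response(device: CryptoDevice, saved: bytes, bind_response: dict) -> bytes:
    """PLU side: recover the ICV using the session key held under its host master key."""
    return device.decipher_with_session_key(saved, bind_response["enciphered_icv"])


def run_cross_domain_session_setup() -> dict:
    """Drive the whole exchange between two domains and return what each side ends up with."""
    device_a = CryptoDevice(secrets.token_bytes(32))  # domain of the secondary end
    device_b = CryptoDevice(secrets.token_bytes(32))  # domain of the primary end
    cross_domain_key = secrets.token_bytes(32)  # shared between the two SSCPs
    slu_key = secrets.token_bytes(32)
    cdcinit = secondary_sscp_builds_cdcinit(cross_domain_key, slu_key)
    saved_b, bind_request = primary_sscp_processes_cdcinit(device_b, cdcinit, cross_domain_key)
    saved_a, icv_slu, bind_response = slu_processes_bind(device_a, bind_request, slu_key)
    icv_plu = plu_processes_bind_response(device_b, saved_b, bind_response)
    return {"icv_slu": icv_slu, "icv_plu": icv_plu, "cdcinit": cdcinit,
            "bind_request": bind_request, "bind_response": bind_response}


if __name__ == "__main__":
    result = run_cross_domain_session_setup()
    print("both ends share the ICV:", result["icv_slu"] == result["icv_plu"])
```

The properties worth checking are that no message (CDCINIT, BIND request, BIND response) ever carries the session key in the clear, that each translation happens only inside the device holding that domain's host master key, and that a wrapped key whose bytes were altered in transit is rejected rather than silently translated into a different key.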

The level of cryptography cannot be set by the application program in the negotiable BIND response; it must be specified in the NIB, using the ENCR operand of the NIB macroinstruction.

Copyright IBM Corporation 1990, 2014