z/OS Communications Server: SNA Programming


How VTAM determines the level of cryptography for a cryptographic session

SC27-3674-00

For an OPNDST request, VTAM® determines the level of cryptography to be used in a cryptographic session by examining:
  • The cryptographic requirements of the primary and secondary ends of the session as established at VTAM definition or by the VTAM MODIFY operator command
  • The logon mode table entry
  • The NIB value for the PLU

Table 1 shows the combination of values and the levels of sessions established. Table 2 shows how one part of the cryptographic requirement is determined using both the logon mode table entry and the higher cryptographic level specified in the system definition for either end of the session.

For an OPNSEC request, VTAM determines the level of cryptography to be used in a cryptographic session by examining:
  • The cryptographic requirements of the SLU as established at VTAM definition or by the VTAM MODIFY operator command
  • The BIND request operands
  • The NIB value for the SLU

Table 3 shows the combination of values and the levels of sessions established.

For information pertaining to LU 6.2 sessions, refer to the z/OS Communications Server: SNA Programmer's LU 6.2 Guide.

Table 1. Level of cryptography for OPNDST requests

| Primary end of the session, from VTAM definition or VTAM operator command (See note) | Cryptographic requirement for the SLU | NIB value for the primary end of the session | Level of the cryptographic session requested in BIND |
| --- | --- | --- | --- |
| Required | Required | Required, Selective, or None | A required session is established. |
| Required | Selective | Required, Selective, or None | A required session is established. |
| Required | None, but capable of cryptography | Required, Selective, or None | A required session is established. |
| Required | None, and not capable of cryptography | Required, Selective, or None | The request for session establishment fails. |
| Selective | Required | Required, Selective, or None | A required session is established. |
| Selective | Selective | Required | A required session is established. |
| Selective | Selective | Selective or None | A selective session is established. |
| Selective | None, but capable of cryptography | Required | A required session is established. |
| Selective | None, but capable of cryptography | Selective or None | A selective session is established. |
| Selective | None, and not capable of cryptography | Required, Selective, or None | The request for session establishment fails. |
| Optional or no specification | Required | Required, Selective, or None | A required session is established. |
| Optional or no specification | Selective | Required | A required session is established. |
| Optional or no specification | Selective | Selective or None | A selective session is established. |
| Optional or no specification | None, but capable of cryptography | Required | A required session is established. |
| Optional or no specification | None, but capable of cryptography | Selective | A selective session is established. |
| Optional or no specification | None, but capable of cryptography | None | A session is established without encryption. |
| Optional or no specification | None, and not capable of cryptography | Required or Selective | The request for session establishment fails. |
| Optional or no specification | None, and not capable of cryptography | None | A session is established without encryption. |

Note: The cryptographic requirements specified on the VTAM definition statement and VTAM operator command for the PLU are compared. The higher of the two cryptographic levels is used.

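Table 2. Establishing cryptographic requirements using logon mode entry and definition for secondary end of session

| System definition (See note) | Logon mode table entry | Resulting cryptographic requirement |
| --- | --- | --- |
| Required | Required | Required |
| Required | Selective | Required |
| Required | None | Required |
| Selective | Required | Required |
| Selective | Selective | Selective |
| Selective | None | Selective |
| Optional (but capable of cryptography) | Required | Required |
| Optional (but capable of cryptography) | Selective | Selective |
| Optional (but capable of cryptography) | None | None |
| None (not capable of cryptography) | Required | The request for session establishment fails. |
| None (not capable of cryptography) | Selective | The request for session establishment fails. |
| None (not capable of cryptography) | None | None |

Note: The cryptographic requirements specified on the VTAM definition statement and VTAM operator command for the SLU are compared. The higher of the two cryptographic levels is used.
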
Table 3. Level of cryptography for OPNSEC requests

| Secondary end of the session, from VTAM definition or command | BIND command operands | NIB value for the secondary end of the session | Level of the cryptographic session in the BIND response |
| --- | --- | --- | --- |
| Required | Required | Required, Selective, or None | A required session is established. |
| Required | Selective | Required, Selective, or None | The request for session establishment fails. |
| Required | None | Required, Selective, or None | The request for session establishment fails. |
| Selective | Required | Required, Selective, or None | A required session is established. |
| Selective | Selective | Required | For non-negotiable BIND: the request for session establishment fails. For negotiable BIND: a required session is established. |
| Selective | Selective | Selective or None | A selective session is established. |
| Selective | None | Required, Selective, or None | The request for session establishment fails. |
| Optional | Required | Required, Selective, or None | A required session is established. |
| Optional | Selective | Required | For non-negotiable BIND: the request for session establishment fails. For negotiable BIND: a required session is established. |
| Optional | Selective | Selective or None | A selective session is established. |
| Optional | None | Required or Selective | The request for session establishment fails. |
| Optional | None | None | A clear session is established. |
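
Tables 1 through 3 reduce to one rule: the highest requirement among the inputs wins, and the request fails when an end cannot meet it. The Python model below is an added example, not IBM code; the function names, the `Level` ordering, the `INCAPABLE` marker, and the reading that the Table 2 result supplies the SLU column of Table 1 are assumptions made for illustration.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):          # assumed ordering: higher value = stronger requirement
    NONE = 0                   # "None", "Optional" or no specification
    SELECTIVE = 1
    REQUIRED = 2

INCAPABLE = None               # "None, and not capable of cryptography" (hypothetical marker)
FAIL = "fails"                 # the request for session establishment fails
OUTCOME = {Level.NONE: "clear", Level.SELECTIVE: "selective", Level.REQUIRED: "required"}

def slu_requirement(slu_def, logmode):
    """Table 2: combine the SLU definition with the logon mode table entry."""
    if slu_def is INCAPABLE:
        # An SLU that cannot encrypt accepts only a logon mode asking for nothing.
        return FAIL if logmode > Level.NONE else INCAPABLE
    return max(slu_def, logmode)

def opndst(plu_def, slu_def, logmode, plu_nib):
    """Tables 1 and 2: session level for an OPNDST request.

    plu_def and slu_def are the already-resolved higher of definition and MODIFY.
    """
    slu_req = slu_requirement(slu_def, logmode)
    if slu_req == FAIL:
        return FAIL
    if slu_req is INCAPABLE:
        # Any encryption demand from the primary end cannot be met.
        return FAIL if max(plu_def, plu_nib) > Level.NONE else OUTCOME[Level.NONE]
    return OUTCOME[max(plu_def, slu_req, plu_nib)]

def opnsec(slu_def, bind, slu_nib, negotiable=False):
    """Table 3: session level in the BIND response for an OPNSEC request."""
    if bind >= max(slu_def, slu_nib):
        return OUTCOME[bind]   # the BIND already satisfies this end
    # Only a NIB-driven gap on a negotiable, selective BIND can be raised to required.
    if bind == Level.SELECTIVE and slu_def < Level.REQUIRED and negotiable:
        return OUTCOME[Level.REQUIRED]
    return FAIL

def clear_text_combinations():
    """Audit helper: every OPNDST input combination that ends up unencrypted."""
    inputs = product(Level, [*Level, INCAPABLE], Level, Level)
    return [combo for combo in inputs if opndst(*combo) == "clear"]
```

`clear_text_combinations()` returns only the two combinations in which every input is None or Optional, which is the condition to check when auditing definitions for sessions that can run unencrypted.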

Copyright IBM Corporation 1990, 2014