Specifying the Level of Conversation Security for VTAM

As described in Planning Sessions, conversation security is a factor in planning LUs and defining them to VTAM®. On the VTAM APPL statement that defines an LU to VTAM, you must specify the greatest level of security to be allowed on inbound conversation requests for TPs at the LU. You do this by specifying one of the following values on the APPL statement's SECACPT keyword:

Value: Means VTAM will accept:
NONE: Requests that contain no security information (the default)
CONV: Requests with security information specified
ALREADYV: Requests with security information specified, and requests with an indication that security information is already verified (includes CONV). Use only between trusted LUs.
PERSISTV: Requests with security information specified, and requests with an indication of persistent verification. For more information about persistent verification, see Using Persistent Verification (PV).
AVPV: Requests with security information specified, and requests with indications of already verified or persistent verification.

The value you specify in the SECACPT keyword must be appropriate for the TPs that are to use the LU. SECACPT must allow the type of security information that the TPs expect to receive. For example, the following SECACPT value would be appropriate for LU02 and TPB as shown in Figure 1:

APPL ACBNAME=LU02... SECACPT=CONV

The above statement tells VTAM to accept conversation requests for LU02 that have security information (user ID and password) such as TPA specifies.

Figure 1. Sending Security Information through VTAM

Suppose the APPL definition for LU02 specified SECACPT=NONE instead of CONV, and TPA issues the same Allocate call, as shown in Figure 1. The security information for the outbound TP is greater than the SECACPT value of the partner LU. In such cases, the system downgrades or removes security information from the outbound Allocate request, so that the request matches the minimum security requirements for the partner LU. The results might not be what you expected for this conversation.

The SECACPT value that you specify on the VTAM APPL statement provides the default level of acceptable conversation security. You can override that level using the RACF® APPCLU profiles, as described in Defining Conversation Security Levels that Sessions Allow.