System access control

You can specify an encryption level for every client (PTERM) and every client group (LTERM pool; TPOOL) in the UTM configuration. The encryption level specifies whether clients must encrypt messages, may encrypt them, or need not encrypt them at all, and, where encryption is required, the minimum RSA key length and the encryption method. In this way a UTM application can protect itself against access from insecure clients.

You specify the encryption level for a client in the KDCDEF generation in the PTERM or TPOOL statement of the client:

PTERM ...,ENCRYPTION-LEVEL=

TPOOL ...,ENCRYPTION-LEVEL=

The following variants exist:

  1. openUTM requires the client to encrypt.
    The client must encrypt in all cases; otherwise it is not granted access to the UTM application. The minimum length of the RSA key is fixed by the level. If the partner does not support encryption, or cannot use an RSA key of the required length, it cannot establish any connection to the UTM application.
    In this case, generate one of the following variants:

    ENCRYPTION-LEVEL=3 (RSA key length 1024 bit, AES-CBC method)
    ENCRYPTION-LEVEL=4 (RSA key length 2048 bit, AES-CBC method)
    On LUW platforms (Unix, Linux and Windows systems) additionally:
    ENCRYPTION-LEVEL=5 (RSA key length 2048 bit, ECDHE-RSA-AES-GCM methods)

    Note that a 1024-bit RSA key is below the 2048-bit minimum generally recommended today; where the clients support it, prefer level 4 or 5 over level 3.

  2. openUTM does not require encryption; the client decides whether or not the connection uses encryption.
    The client is also granted access without encryption, but it must encrypt if a service explicitly demands it (see "Data access control").
    In this case, generate:

    ENCRYPTION-LEVEL=NONE

  3. The client is trusted (trusted client).
    Encryption is not used on connections to such clients. A trusted client can also call "protected" services without encryption (see section below).
    You should only generate clients as trusted when you are sure that communication takes place over a secure line.
    In this case, generate with:

    ENCRYPTION-LEVEL=TRUSTED

Socket and HTTP clients that connect to the UTM application over a secure connection are always trusted clients (see the BCAMAPPL statement, T-PROT=(SOCKET,..., SECURE)).

Unix, Linux and Windows systems:
Local UPIC clients (type UPIC-L) are always trusted clients.
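The following audit script is an added example and is not part of openUTM or its documentation. It reads a KDCDEF generation file, extracts the PTERM and TPOOL statements, and reports each client's ENCRYPTION-LEVEL against the variants described above: levels 4 and 5 pass, level 3 is flagged for its 1024-bit RSA key, NONE and TRUSTED are flagged for review because unencrypted access is possible, and local UPIC-L clients are reported as trusted regardless of what is generated. The KDCDEF fragment in SAMPLE_KDCDEF is constructed for the example. Assumptions, labelled in the code: comment lines start with `*` in column 1, a trailing comma continues a statement on the next line, and a statement without an explicit ENCRYPTION-LEVEL is reported as unset rather than given a default (check the KDCDEF manual for the actual default).

```python
"""Audit ENCRYPTION-LEVEL settings in a KDCDEF generation file.

Added example, not openUTM code. Assumptions: comment lines begin with '*'
in column 1, a trailing comma continues a statement on the next line, and a
PTERM/TPOOL statement without ENCRYPTION-LEVEL is reported as unset.
"""
import re
from dataclasses import dataclass

# Meaning of the ENCRYPTION-LEVEL values as documented for PTERM/TPOOL.
LEVEL_INFO = {
    "3": "encryption required: RSA 1024 bit, AES-CBC",
    "4": "encryption required: RSA 2048 bit, AES-CBC",
    "5": "encryption required: RSA 2048 bit, ECDHE-RSA-AES-GCM (LUW only)",
    "NONE": "encryption optional: client decides, a service may still demand it",
    "TRUSTED": "no encryption: client is trusted",
}

STATEMENT_RE = re.compile(r"^(PTERM|TPOOL)\s+(.*)$", re.IGNORECASE)
PARAM_RE = re.compile(r"([A-Z-]+)=([^,\s]+)", re.IGNORECASE)


@dataclass
class ClientEntry:
    statement: str  # "PTERM" or "TPOOL"
    name: str       # PTERM name, or the LTERM prefix of a TPOOL
    ptype: str      # PTYPE= value, e.g. UPIC-R or UPIC-L ("" if absent)
    level: str      # ENCRYPTION-LEVEL value, "" if not generated


def _logical_lines(text):
    """Yield one statement per item, joining assumed trailing-comma continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # assumed comment convention
            continue
        buf += line
        if buf.endswith(","):                  # assumed continuation marker
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_kdcdef(text):
    """Extract PTERM and TPOOL statements; other KDCDEF statements are ignored."""
    entries = []
    for line in _logical_lines(text):
        m = STATEMENT_RE.match(line)
        if not m:
            continue
        kind, rest = m.group(1).upper(), m.group(2)
        params = {k.upper(): v.upper() for k, v in PARAM_RE.findall(rest)}
        # A PTERM statement names the client first; a TPOOL is identified by LTERM=.
        name = rest.split(",", 1)[0].strip() if kind == "PTERM" else params.get("LTERM", "?")
        entries.append(ClientEntry(kind, name, params.get("PTYPE", ""),
                                   params.get("ENCRYPTION-LEVEL", "")))
    return entries


def audit(entries):
    """Return (name, level, severity, message) per client. Severity: OK/INFO/REVIEW/WEAK."""
    findings = []
    for e in entries:
        shown = e.level or "(unset)"
        if e.ptype == "UPIC-L":
            # Local UPIC clients are always trusted, whatever level is generated.
            findings.append((e.name, shown, "INFO", "local UPIC-L client: always trusted"))
        elif e.level == "TRUSTED":
            findings.append((e.name, shown, "REVIEW", "trusted client, no encryption: confirm the line is secure"))
        elif e.level in ("NONE", ""):
            findings.append((e.name, shown, "REVIEW", "encryption optional: unencrypted access permitted"))
        elif e.level == "3":
            findings.append((e.name, shown, "WEAK", "RSA 1024 bit is below the usual 2048-bit minimum; prefer level 4 or 5"))
        elif e.level in ("4", "5"):
            findings.append((e.name, shown, "OK", LEVEL_INFO[e.level]))
        else:
            findings.append((e.name, shown, "REVIEW", "unknown ENCRYPTION-LEVEL value"))
    return findings


def audit_text(text):
    return audit(parse_kdcdef(text))


# Constructed KDCDEF fragment for this example; not a real generation.
SAMPLE_KDCDEF = """\
* constructed sample for the audit example
PTERM UPICR01,LTERM=UPIC01,PTYPE=UPIC-R,PRONAM=HOST1,
      ENCRYPTION-LEVEL=4
PTERM UPICR02,LTERM=UPIC02,PTYPE=UPIC-R,PRONAM=HOST2,ENCRYPTION-LEVEL=3
PTERM UPICR03,LTERM=UPIC03,PTYPE=UPIC-R,PRONAM=HOST3,ENCRYPTION-LEVEL=TRUSTED
TPOOL LTERM=POOL,NUMBER=10,PTYPE=UPIC-R,ENCRYPTION-LEVEL=NONE
PTERM LOCAL01,LTERM=LOC01,PTYPE=UPIC-L
"""

if __name__ == "__main__":
    for name, level, severity, msg in audit_text(SAMPLE_KDCDEF):
        print(f"{severity:6} {name:10} ENCRYPTION-LEVEL={level:8} {msg}")
```

Run it against your own generation file instead of SAMPLE_KDCDEF; every REVIEW line is a client that may reach the application without encryption and should be justified (a secure line, or a local client), and every WEAK line is a candidate for moving to level 4 or 5 once its partner supports the longer key.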