OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary Trying To Activate VSE Library Security

Article ID: 27267


Products

Top Secret - VSE

Issue/Introduction

When trying to activate VSE Library Security by specifying SEC=YES, message 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' is received during IPL.

Environment

Release:
Component: TSSVSE

Resolution

  1. 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' during IPL at BGINIT time:

    A VSE ID card for the BGINIT must be present. If TOP SECRET is active and you are cataloging a new BG or FB startup proc, specify the following ID card syntax:

    'ID USER=FORSEC,PWD=FORSEC'

    Note: No '//' (slashes).

    Explanation: If the ID card is cataloged with the '//' (slashes), Top Secret will encrypt the ID card.
    Because Top Secret has not initialized yet when the BGINIT job executes, the encrypted '// ID ' card cannot be read. The solution is to remove the '//' from the '// ID' card and re-catalog the IPL deck. Without the '//' (slashes), Top Secret will not encrypt the '// ID' card.

  2. '0S20I UNAUTHORIZED ACCESS REQUEST FOR: library.sublibrary $$b_transient.phase' during CASAUTIL execution.

    The VSE IPL 'SYSTEM' statement with SEC=YES activates VSE library security. The IPL/ASI/startup is at the mercy of IBM's VSE security until TOP SECRET has had a chance to initialize completely during IPL.

    B-transients are a special kind of system phase. In a system with VSE library security active, they can be loaded from protected libraries only. Any attempt to load a B-transient from an unprotected library causes an IBM VSE '0S20I UNAUTHORIZED ACCESS' access violation.

    Libraries that contain B-transients of the VSE base programs are automatically protected by appropriate entries in the IBM VSE pre-generated access control table DTSECTAB.

    B-transients are phases whose names begin with $$B. Any library containing B-transient phases that will be loaded before TOP SECRET initializes needs to be added to the IBM VSE security table DTSECTAB, or a VSE '0S20I UNAUTHORIZED ACCESS' access violation will be received.

    For example, the CIS and DYNAM libraries.

  3. No security checking being done for library/sublibrary/member.
    Verify that the IBM VSE IPL 'SYSTEM' statement has been specified with the parameter SEC=YES.

    To verify:
    1. Display address 80, which contains the address of SYSCOM. From the VSE console, issue:
      dsply 80

      Example:
      dsply 80

      AR 0015 00000420 00001004 0002006B 00040011 *...........,....*
      AR 0015 1I40I READY

    2. Add x'041' to the address of SYSCOM and display that address:
      x'420' + x'041' = x'461'

      Example:
      dsply 461
      AR 0015 601CE8 00200044 0240BB80 000090E0 00 *-.Y..... .......*
      AR 0015 1I40I READY

      If x'10' is not set, SEC=NO was coded.
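
The two-step check above, as an added Python example (not part of the original article or of Top Secret) that works on console output pasted from the two dsply commands. It assumes the response-line layout shown in the samples, that address 80 holds a 4-byte SYSCOM address, and that x'10' is a bit tested in the first byte displayed; the function names are hypothetical.

```python
import re

# Assumed DSPLY response layout, taken from the samples in this article:
#   AR 0015 <hex groups> *<character dump>*
_DATA_LINE = re.compile(r"^\s*AR\s+\d{4}\s+((?:[0-9A-Fa-f]+\s+)+)\*")

SEC_FLAG_OFFSET = 0x41  # offset added to the SYSCOM address in step 2
SEC_FLAG_MASK = 0x10    # value the article says is set when SEC=YES


def dump_bytes(console_text):
    """Return the bytes from the first data line of a pasted DSPLY response."""
    for line in console_text.splitlines():
        match = _DATA_LINE.match(line)
        if match:
            # An unaligned address yields uneven groups (3+4+4+4+1 bytes in
            # the article's second sample), so join every group before decoding.
            digits = "".join(match.group(1).split())
            if len(digits) % 2:
                raise ValueError("odd number of hex digits in: " + line.strip())
            return bytes.fromhex(digits)
    raise ValueError("no DSPLY data line found")


def sec_flag_address(dsply_80_text):
    """Steps 1-2: read the SYSCOM address at location 80 and add x'041'."""
    syscom = int.from_bytes(dump_bytes(dsply_80_text)[:4], "big")
    return syscom + SEC_FLAG_OFFSET


def sec_yes_coded(dsply_flag_text):
    """Step 2: True if x'10' is set in the first byte displayed (assumed bit test)."""
    return bool(dump_bytes(dsply_flag_text)[0] & SEC_FLAG_MASK)


# DSPLY_80 is the article's own sample; FLAG_SET and FLAG_CLEAR are constructed.
DSPLY_80 = ("AR 0015 00000420 00001004 0002006B 00040011 *...........,....*\n"
            "AR 0015 1I40I READY")
FLAG_SET = "AR 0015 101CE8 00200044 0240BB80 000090E0 00 *................*"
FLAG_CLEAR = "AR 0015 001CE8 00200044 0240BB80 000090E0 00 *................*"

if __name__ == "__main__":
    print("next command: dsply %X" % sec_flag_address(DSPLY_80))
    for name, text in (("FLAG_SET", FLAG_SET), ("FLAG_CLEAR", FLAG_CLEAR)):
        print(name, "SEC=YES" if sec_yes_coded(text) else "SEC=NO")
```
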

Once the above is achieved, VSE will start correctly and you can define any library/sublibrary/member to be protected by TOP SECRET using TOP SECRET itself.

Additional Information

See Chapter 7 of the 'VSE Library Security' in the TOP SECRET Implementation: Batch, STC and APPC Guide.