You need to define the security product authorization for PAGENT.
When using AT-TLS, z/OS will not allow any socket-based applications to start before PAGENT is up and running. This restriction is needed to verify that all the security policies are enforced. However, some essential applications need to start before PAGENT. For these applications, you need to define a resource INITSTACK profile in the SERVAUTH class. The resource name consists of the following parts:
EZB is the constant.
INITSTACK is the constant for this resource type.
sysname is the system name.
tcpprocname is the TCP/IP proc name.
When TCPCONFIG TTLS is defined in the initial TCPIP.PROFILE, the INITSTACK profile must be defined. Policy Agent—and any socket -based programs it requires—must be given permission to this resource.
Be sure that the program name is the name used to invoke the program—not the module name.
Most TCP/IP applications are invoked by ALIAS name. This example lists both names:
SETROPTS CLASSACT(SERVAUTH) SETROPTS RACLIST (SERVAUTH) SETROPTS GENERIC (SERVAUTH) RDEFINE SERVAUTH EZB.INITSTACK.*.TCP* UACC(NONE) PERMIT EZB.INITSTACK.*.TCP* CLASS(SERVAUTH) ID(*) ACCESS(READ)- WHEN(PROGRAM(PAGENT,EZAPAGEN) SETROPTS GENERIC(SERVAUTH) REFRESH SETROPTS RACLIST(SERVAUTH) REFRESH SETROPTS WHEN(PROGRAM) REFRESH