z/OS Security Server RACF System Programmer's Guide


Stack initialization protection

SA23-2287-00

During a system IPL, if the RACF® subsystem address space initializes before the TCP/IP and Policy Agent address spaces, it is possible that RACF might try to establish a listener socket and then attempt to establish remote connections before the AT-TLS policy is available. If this happens, the connections are rejected and you will need to establish them manually after the IPL completes. The resource EZB.INITSTACK.sysname.tcpname in the SERVAUTH class controls the ability of applications to open a socket before the AT-TLS policy is loaded onto the TCP/IP stack. To prevent RACF from trying to establish connections before the AT-TLS policy is available, do not give the RACF subsystem address space user ID access to this resource if a profile is defined for it.

When the RACF subsystem address space user ID does not have access to the INITSTACK profile, and it attempts to establish a listener socket, an ICH408I message is issued to the console. RACF retries the attempt to establish a listener socket until the AT-TLS policy is available and the attempt succeeds. Depending on the length of time it takes for Policy Agent to initialize, a number of the ICH408I messages might be issued. You can ignore them.
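The following sketch is an added example, not part of the IBM guide. It separates the ICH408I messages described above (RACF subsystem user ID denied on the INITSTACK resource) from any other ICH408I violations in the same console output, so that only the former are ignored. The names RACFSUB, SYS1, TCPIP and WEBSRV and the log excerpt are constructed, and the parser assumes plain console message text with no syslog prefix columns.

```python
import re

# Constructed console excerpt (not from a real system). RACFSUB, SYS1, TCPIP
# and WEBSRV are hypothetical names chosen for this example.
SAMPLE_LOG = """\
ICH408I USER(RACFSUB ) GROUP(SYS1    ) NAME(RACF SUBSYSTEM      )
  EZB.INITSTACK.SYS1.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(WEBSRV  ) GROUP(WEBGRP  ) NAME(WEB SERVER          )
  EZB.INITSTACK.SYS1.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(RACFSUB ) GROUP(SYS1    ) NAME(RACF SUBSYSTEM      )
  SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

HEADER = re.compile(r"ICH408I\s+USER\((?P<user>[^)]*)\)")
RESOURCE = re.compile(r"^\s*(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")

def parse_ich408i(log_text):
    """Yield one dict per ICH408I message: user, resource, class."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        head = HEADER.search(line)
        if not head:
            continue
        # The resource and class appear on the line after the header.
        res = RESOURCE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if res:
            yield {"user": head["user"].strip(),
                   "resource": res["resource"],
                   "class": res["cls"].strip()}

def triage(log_text, racf_userid, sysname, tcpname):
    """Split violations into expected INITSTACK retries and everything else."""
    initstack = f"EZB.INITSTACK.{sysname}.{tcpname}"
    expected, review = [], []
    for msg in parse_ich408i(log_text):
        is_retry = (msg["user"] == racf_userid and msg["class"] == "SERVAUTH"
                    and msg["resource"] == initstack)
        (expected if is_retry else review).append(msg)
    return expected, review

if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG, "RACFSUB", "SYS1", "TCPIP")
    print(f"{len(expected)} expected INITSTACK retries, {len(review)} to review")
```

Messages in the review list are ordinary access violations and should not be suppressed along with the INITSTACK retries.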

For more information, see the section on TCP/IP stack initialization access control in z/OS Communications Server: IP Configuration Guide.





Copyright IBM Corporation 1990, 2014