You need to authorize the ipsec command to the external security manager.
To authorize the ipsec command to RACF®, perform the steps in Steps for authorizing the ipsec command to RACF.
For more information about ipsec command security and the SERVAUTH profile, see z/OS Communications Server: IP System Administrator's Commands.