A one-to-many relationship can exist between an instance of the IKE daemon and stacks configured with IPCONFIG IPSECURITY. A single instance of the IKE daemon can service all stacks configured with IPCONFIG IPSECURITY on a single z/OS® image. Only one instance of the IKE daemon can run on a single z/OS image.
Each stack can be configured as a network security services (NSS) client. An NSS client makes use of network security services offered by the NSS server. For details about configuring an NSS server, see Network security services.
TCP/IP stack initialization access control describes a time interval during which limited stack access is available for stacks that have been configured for AT-TLS using the TCPCONFIG statement with the TTLS parameter. To enable the IKE daemon for a stack during this interval, the IKE daemon user ID must be permitted to the EZB.INITSTACK.sysname.tcpname resource profile. For examples of the security product commands needed to grant access to this profile, see member EZARACF in sample data set SEZAINST.