Handshake failure messages seen in Component Trace:
BSYS MESSAGE 00000004 15:42:05.854673 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000004 gsk_get_local_certificates
Record 'SITECERT.TEST' does not have a private key
BSYS MESSAGE 00000004 15:42:05.854708 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000004 send_v3_server_messages
Unable to obtain server certificates: Error 428
Commands were issued to validate the certificate data and showed that SITECERT.MULESFTB did in fact have a private key:
SET PROFILE(USER) DIV(CERTDATA)
CHK SITECERT.TEST CHAIN
ACF2 R16.0
TCPIP
DB2
These messages are seen when access to the FACILITY class resource IRR.DIGTCERT.GENCERT SERVICE(DELETE) is denied at TCPIP IPL. The denial makes the private key of the keyring SITECERT.TEST unavailable to TCPIP.
The details of the RACROUTE call that results in the 'Record SITECERT.keyring does not have a private key' message must be exposed. Although the TCPIP STC issued the RACROUTE call, it did not use its own LID. A temporary rule change was added to give UID(*) access to the FACILITY class resource IRR.DIGTCERT.GENCERT and to log the access. The ACFRPTRV report showed that TCPIP was issuing the RACROUTE call using the LID of (in this case) the associated DB2 address space.
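To spot this symptom in a longer Component Trace, the following added example (not part of the original article and not vendor tooling) pairs a "does not have a private key" record with a later Error 428 on the same job, process and thread. The three-line record layout is assumed from the excerpt above, and the function names are hypothetical.

```python
import re

# Sample: the first two records are from the article; the third is constructed.
SAMPLE_TRACE = """\
BSYS MESSAGE 00000004 15:42:05.854673 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000004 gsk_get_local_certificates
Record 'SITECERT.TEST' does not have a private key
BSYS MESSAGE 00000004 15:42:05.854708 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000004 send_v3_server_messages
Unable to obtain server certificates: Error 428
BSYS MESSAGE 00000004 15:42:06.000001 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000009 send_v3_server_messages
Unable to obtain server certificates: Error 428
"""

# Assumed layout (from the excerpt): header line, Job line, then message text.
HEADER = re.compile(r"^(\S+) MESSAGE (\w+) (\d\d:\d\d:\d\d\.\d+) (\S+)$")
ORIGIN = re.compile(r"^Job (\S+) Process (\w+) Thread (\w+) (\S+)$")
NO_KEY = re.compile(r"Record '([^']+)' does not have a private key")
ERR_428 = "Unable to obtain server certificates: Error 428"

def parse_records(text):
    """Split trace text into records, skipping lines that do not start one."""
    records, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        head = HEADER.match(lines[i])
        origin = ORIGIN.match(lines[i + 1]) if head and i + 1 < len(lines) else None
        if not origin:
            i += 1
            continue
        i += 2
        body = []
        while i < len(lines) and not HEADER.match(lines[i]):
            body.append(lines[i].strip())
            i += 1
        job, process, thread, function = origin.groups()
        records.append({"time": head.group(3), "job": job, "process": process,
                        "thread": thread, "text": " ".join(body)})
    return records

def find_missing_key_failures(text):
    """Report Error 428 records preceded by a missing-private-key record."""
    pending, findings = {}, []
    for rec in parse_records(text):
        key = (rec["job"], rec["process"], rec["thread"])
        match = NO_KEY.search(rec["text"])
        if match:
            pending[key] = (match.group(1), rec["time"])
        elif ERR_428 in rec["text"] and key in pending:
            label, seen = pending.pop(key)
            findings.append({"job": rec["job"], "label": label,
                             "key_error_at": seen, "handshake_error_at": rec["time"]})
    return findings
```

The job name reported for a finding is the address space that issued the call; as the ACFRPTRV report in this case showed, the LID used for the RACROUTE call can belong to a different address space.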