When a user attempts to run SMP/E Internet Service Retrieval using a shared certificate, the following is received:                                 

GIM69137S ** USERID aaaaaaaa IS NOT AUTHORIZED TO ACCESS KEY RING uuuuuuuu/kkkkkkkk.  

The ORDERSERVER statement looks like this:

//ORDSRVR DD *
   <ORDERSERVER
     url="https://eapi.broadcom.com/receiveorder"
     keyring="uuuuuuuu/kkkkkkkk"
     certificate="cccccccc"
     inventory="all">
  </ORDERSERVER>

where:
'uuuuuuuu' is the ACID that owns the certificate
'kkkkkkkk' is the keyring name
'cccccccc' is the user certificate label

Does each user need to download their own user certificate or can they share the certificate on the owning ACID?

Release : 16.0

Component : CA Top Secret for z/OS

Users can share the same certificate on the owning ACID. The user(s) will need to be permitted the following:

IBMFAC(IRR.DIGTCERT.LIST) ACC(CONTROL)
IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)

These permits are required so the acid has permission to read other user’s key rings and certificates.