Moving IBM Content Manger OnDemand (CMOD) from AIX to z/OS.
Imported an AES key from AIX into the CSF CKDS. 
To allow the CMOD acid to use the key in the CKDS a permit (shown below) to access CSKEYS resources is needed:

CSFKEYS = ONDEMAND.ARCHIVE.ROOT.*
ACCESS  = READ                  
CRITERIA = SMS(DSENCRYPTION)    
ASYMUSE = SECXPORT    HANDSHAKE 
SYMXPORT= BYANY                 
SYMCPACFWRAP=YES                
SYMCPACFRET=YES        

The OMVS report immediately shows a failure reading the keys/certificates on the keyring:

R_datalib        CMOD     OMVSGRP            0           0   8      8     44
   01/12/22  22.012    8.29.53 ARSSOCKD                   ssss
   Failed - Record not found
    Function: DataGetNext       Userid: CMOD
    Ring name: CMODRING

Release : 16.0

Component :

IBM determined there is bug in the CMOD code having to do with CSF.   
Please contact IBM for PTF UI78990.