Initiating a transfer from XCOM for Linux to XCOM for z/OS fails with the following message:

XCOMM1510E System SSL Function gsk_secure_socket_init(soc_handle): RC = 428: Reason =Key entry does not contain a private key

Transfers initiated from z/OS to Linux are successful.

Release : 12.0

Component : XCOM Data Transport for z/OS

The SSL certificates used for XCOM transfers were defined as Usage Default and not Personal in RACF keyring.

The message is returned to XCOM from IBM System SSL. Make sure that the SSL certificates are defined correctly to the keyring in the Security package.

Per IBM documentation: 

428 Key entry does not contain a private key.
Last Updated: 2021-06-25

Explanation
The key entry does not contain a private key or the private key is not usable. This error can also occur if the private key is stored in ICSF and ICSF services are not available, if using a SAF key ring that is owned by another user, if the private key size is greater than the supported configuration limit or the application is executing in FIPS mode. Certificates that are meant to represent a server or client must be connected to a SAF key ring with a USAGE value of PERSONAL and either be owned by the user ID of the application or be SITE certificates. This error can occur when using z/OS PKCS #11 tokens if the user ID of the application does not have appropriate access to the CRYPTOZ class. This error can occur when using private keys associated with user certificates in a SAF key ring that is owned by another user if the user ID of the application does not have appropriate access to the ringOwner.ringName.LST resource in the RDATALIB class.

User response
Ensure that the ICSF started task is started before the application if the private key is stored in ICSF. When using z/OS PKCS #11 tokens, ensure that the user ID has appropriate access to the CRYPTOZ class.