What is typically coded for the userid? Would it be the userid that AT-TLS is running with or the application that AT-TLS is providing SSL/TLS for?

According to the ACF2 documentation, the first node of the keyring name should be the userid of the task that uses the keyring. We're implementing AT-TLS to perform our SSL/TLS on behalf of other applications and in the AT-TLS policy, we're able to specify both the userid and the keyring.

We currently have AT-TLS performing SSL/TLS for three Telnet servers all using the same userid/keyring with the userid belonging to just one of the Telnet servers and this appears to be working properly.

CA ACF2 for Z/OS Release 16

The KEYRING recid of Keyring Profile Data Record is the userid that is to be associated with the keyring which should match the logonid of the AT-TLS started task. You may check the joblog of the task and look for the ACF9CCCD message which identifies the logonid; the task will run under.

ACF9CCCD message:

USERID userid IS ASSIGNED TO THIS JOB - jobname

Reason:

This message is issued whenever a job, started task, or TSO session begins execution. It indicates the user ID and jobname under which the job runs (something that may not be obvious if it was inherited, or if a default user ID was used). This is the CA ACF2 counterpart of IBM messages ICH097I, IEF097I and IRR010I.