We are implementing SSL security for the CA LDAP server. We added a keyring in CA ACF2:
KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)
In the LDAP parameters, we added the ringname:
TLSKeyringName STCLDAP/LDAPRING <=== STCLDAP is the started task name of the server
When we start the STC, it fails with RC=256. We see these errors in STDERR:
TLS: could not initialize environment handle.
TLS: Error detected while opening the certificate database
main: TLS init def ctx failed: -1
The OMVS SECTRACE shows:
N 4000000 YYYY 17158 10:04:07.48 S0100008 00000094 CAS2206I Function=DataGetFirst ,Userid=STCLDAP
N 4000000 YYYY 17158 10:04:07.48 S0100008 00000094 CAS2206I Ring Name=LDAPRING
N 4000000 YYYY 17158 10:04:07.49 S0100008 00000094 CAS2205I REQUEST=R_datalib ,EXIT=POST,RC=8/8:84
N 4000000 YYYY 17158 10:04:07.49 S0100008 00000094 CAS2205I REQUEST=R_datalib ,EXIT=PRE ,RC=N/A
The normal convention for naming the KEYRING record is to specify the owner, which is the logonid used by the started task, STCLDAP:
KEYRING / STCLDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)
But in this case, the name chosen was LDAP.RING, not STCLDAP.RING. The SECTRACE confirms the mismatch: the R_datalib DataGetFirst call looks for ring LDAPRING under Userid=STCLDAP, which does not match a record owned by LDAP, so the request ends with RC=8.
KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)
There are two choices. One is to define a KEYRING record with the real owner, STCLDAP:
KEYRING / STCLDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)
The other choice is to correct the LDAP parameters so that they name the actual owner of the existing KEYRING record, LDAP:
TLSKeyringName LDAP/LDAPRING
The same problem would have occurred if only the ringname had been specified in the LDAP parms, which is also valid to do, because the server's own logonid (STCLDAP) is then assumed to be the owner:
TLSKeyringName LDAPRING
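The following checker, added here as an example and not part of the article or of any CA product, parses an ACF2 KEYRING listing like the one above and resolves a TLSKeyringName value the way the server does (owner/ringname, or a bare ringname that implies the STC logonid as owner), so the three parameter forms discussed here can be compared before the STC is restarted. It assumes the owner is the part of the KEYRING record key before the first period; the listing text is constructed from the article.

```python
import re
from typing import Optional

# Constructed sample: the ACF2 KEYRING listing shown in the article.
KEYRING_LIST = """\
KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)
"""

RECORD_RE = re.compile(r"^KEYRING / (\S+)")
RINGNAME_RE = re.compile(r"RINGNAME\((\w+)\)")


def parse_keyrings(listing: str) -> set:
    """Return the set of (owner logonid, ring name) pairs in a KEYRING listing.

    Assumption: the owner is the record key up to the first period (LDAP.RING -> LDAP).
    """
    rings = set()
    owner = None
    for line in listing.splitlines():
        m = RECORD_RE.match(line)
        if m:
            owner = m.group(1).split(".", 1)[0]
            continue
        m = RINGNAME_RE.search(line)
        if m and owner:
            rings.add((owner.upper(), m.group(1).upper()))
    return rings


def resolve_tlskeyring(value: str, stc_logonid: str) -> tuple:
    """Split a TLSKeyringName value into (owner, ringname).

    A bare ring name is valid and implies the server's own logonid as the owner.
    """
    if "/" in value:
        owner, ring = value.split("/", 1)
    else:
        owner, ring = stc_logonid, value
    return owner.upper(), ring.upper()


def check_tlskeyring(value: str, stc_logonid: str, listing: str) -> Optional[str]:
    """Return None when the parameter resolves to a defined keyring, else the reason it would fail."""
    owner, ring = resolve_tlskeyring(value, stc_logonid)
    rings = parse_keyrings(listing)
    if (owner, ring) in rings:
        return None
    return f"no KEYRING record owned by {owner} with RINGNAME({ring}); defined: {sorted(rings)}"


if __name__ == "__main__":
    for parm in ("STCLDAP/LDAPRING", "LDAPRING", "LDAP/LDAPRING"):
        print(parm, "->", check_tlskeyring(parm, "STCLDAP", KEYRING_LIST) or "OK")
```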