IBM Support

DFHAM4928 Install of URIMAP failed because certificate does not have private key

Question & Answer


Question

When I try to install a client (CICS Requester) mode URIMAP, why is it failing with message DFHAM4928 Install of URIMAP failed because the specified certificate does not have a private key?

When I list the certificate it clearly shows "Private Key: YES".

I do not see any RACF security violations regarding IRR.DIGTCERT.GENCERT, and I have verified that the CICS Transaction Server for z/OS (CICS TS) region userid has this profile in class FACILITY with access CONTROL.

So I am not exactly sure what the problem is. This CICS region is processing provider web services without a problem.

Answer

When CICS is acting as a requester and supplying a client certificate then CICS has to be able to access the private key. The private key is what identifies CICS as the owner of that certificate. If the CICS region is attempting to identify itself as a different user then additional authority is required to allow it to do this, using the RDATALIB class.

The procedure that allows CICS to use the certificate that is owned by the other user ID is in the section "Using an existing certificate that is not owned by the CICS region user ID" of the CICS documentation:

About this task
For any CICS resource that has the CERTIFICATE attribute and for Web Services Security, by default the certificate that is used must be owned by the CICS region user ID. If CICS needs to use a certificate that it does not own, for example a single certificate that is shared by multiple CICS systems where each system has a different region user ID, you can use the RACF Facility Class RDATALIB to allow multiple CICS systems to share a single certificate.

Procedure
1. Connect the certificate to its key ring with the PERSONAL usage option.
2. If the certificate is a USER certificate, grant to the CICS region user ID that you want to use the certificate UPDATE authority for the ring_owner.ring_name.LST resource in the RDATALIB class.
3. Activate the RDATALIB class by using the RACLIST command.

Results
CICS can use the certificate that is owned by the other user ID. For more information, see z/OS Security Server RACF Callable Services.
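The three steps above, written out as a batch TSO job. This is an added example, not part of the IBM technote or the CICS documentation. It assumes the names CICSREGN (the CICS region user ID, which owns the key ring named in the KEYRING SIT parameter), CICSRING (that key ring), CERTOWNR (the user ID that owns the client certificate) and the label 'CICS client cert'; replace them with your own.

```jcl
//RDATALIB JOB (ACCT),'RDATALIB FOR CICS',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the IBM technote. Assumed names:
//*   CICSREGN = CICS region user ID and owner of the key ring
//*   CICSRING = key ring named in the CICS KEYRING SIT parameter
//*   CERTOWNR = user ID that owns the client certificate
//*   'CICS client cert' = label of that certificate
//*
//* Step 1: connect the other user's certificate to the region's
//*         ring with USAGE(PERSONAL). The ID() inside CONNECT is
//*         the certificate owner; the outer ID() is the ring owner.
//* Step 2: define the RDATALIB profile <ring owner>.<ring name>.LST
//*         and give the region user ID UPDATE. READ only covers the
//*         region's own certificates; UPDATE is needed to use the
//*         private key of a USER certificate owned by someone else.
//* Step 3: activate and RACLIST the class, then refresh so the new
//*         profile and PERMIT take effect.
//* Check:  LISTRING shows the certificate with PERSONAL usage and
//*         LIST shows "Private Key: YES"; RLIST with AUTHUSER shows
//*         CICSREGN with UPDATE on the LST profile.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CICSREGN) CONNECT(ID(CERTOWNR) +
           LABEL('CICS client cert') RING(CICSRING) USAGE(PERSONAL))
  RDEFINE RDATALIB CICSREGN.CICSRING.LST UACC(NONE)
  PERMIT CICSREGN.CICSRING.LST CLASS(RDATALIB) ID(CICSREGN) +
           ACCESS(UPDATE)
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
  SETROPTS RACLIST(RDATALIB) REFRESH
  RACDCERT ID(CICSREGN) LISTRING(CICSRING)
  RACDCERT ID(CERTOWNR) LIST(LABEL('CICS client cert'))
  RLIST RDATALIB CICSREGN.CICSRING.LST AUTHUSER
/*
```

After the job runs, restart the CICS region (or rebuild its SSL environment) and reinstall the URIMAP; "Private Key: YES" in the RACDCERT LIST output only tells you that the key exists in the owner's profile, not that the region user ID is authorized to use it, which is exactly what the RDATALIB UPDATE permit adds.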


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
21 April 2016

UID

dwa1264924