z/OS Cryptographic Services System SSL Programming


0335301A

SC14-7495-00

0335301A
No private key.

Explanation

The key entry does not contain a private key or the private key is not usable. This error might also occur if:
  • The private key is stored in ICSF, and ICSF services are not available.
  • The private key size is greater than the supported configuration limit or the application is executing in FIPS mode.
  • This error can occur when using a SAF key ring if:
    • The key ring is owned by another user.
    • A private key is used that is associated with a user certificate in a SAF key ring owned by another user, and the user ID of the application does not have appropriate access to the ringOwner.ringName.LST resource in the RDATALIB class.
    • Certificates meant to represent a server or client must be connected to a SAF key ring with a USAGE value of PERSONAL, and either owned by the user ID of the application or SITE certificates.
  • This error can occur when using z/OS® PKCS #11 tokens if:
    • The user ID of the application does not have appropriate access to the CRYPTOZ class.
    • The label name is not valid for a certificate's PKCS #11 TKDS secure key.
    • The PKCS #11 key object does not exist.
    • The certificate's PKCS #11 TKDS secure key algorithm is not supported.
    • gsk_make_enveloped_private_key_msg() is used and the PKCS #11 secure key object that is used as input exists in the PKDS instead of the TKDS.

User response

Verify that the ICSF started task is running if the private key is stored in ICSF. Otherwise, repeat the failing request by using a database entry containing a private key. If using z/OS PKCS #11 tokens, ensure that the user ID has appropriate access to the CRYPTOZ class.

If executing in FIPS mode, ensure that the certificate that is being used does not have its private key stored in ICSF.

If using PKCS #11 tokens:
  • Verify that the certificate's PKCS #11 secure key label name is valid within the TKDS.
  • Verify that the PKCS #11 TKDS secure key algorithm is supported.
  • If you are using gsk_make_enveloped_private_key_msg(), verify that the input PKCS #11 key object exists in the TKDS.





Copyright IBM Corporation 1990, 2014