For proper communication within your Automation Engine (AE) environment, Domain Name System (DNS) resolution is essential in the following scenarios:
Be aware that Agents regularly receive updated lists of available CPs and JCPs from the Automation Engine, which include DNS hostnames. This means Agents (and AWI, Analytics, TLS-gateway(s), Integrations, RA Solutions etc.) might need DNS resolution even if they initially connected via an IP address.
Michael K. Dolinek
Original Message:
Sent: Jul 16, 2025 05:30 PM
From: Kenneth Hutchins
Subject: Problem configuring TLS Gateway on OS/400
Thanks, Michael. Can you confirm if I need to add the Windows server (Automation Engines) DNS record to my AS400 host file to resolve the JOBF using the TLS-Gateway from throwing false errors? Or am I facing an issue with Agent/AE compatibility?
ref: https://knowledge.broadcom.com/external/article/282117/jobf-from-as400-to-other-system-agent-fa.html
AE: Version: Automic Web Interface 21.0.6-release-21.0.6-1683907809487-500cf955ee1
AS/OS400 Agent: 21.0.5+build.1675092225494 OS400 41A/EPX6/1 OS/400 V7R3M0
Original Message:
Sent: Jul 16, 2025 12:09 PM
From: Michael Dolinek
Subject: Problem configuring TLS Gateway on OS/400
Hi all!
I want to make it clearer how our system works.
- How the OS/400 agent connects:
The OS/400 agent usually connects directly to the Automation Engine's CP. It uses an older connection method known as the "GSS protocol."
- When is the TLS-gateway used to connect to the Automation Engine:
The TLS-gateway can be used only if no Automation Engine's CP is configured and running. In that situation, the TLS-gateway can act as a CP, allowing the OS/400 agent (and some other agents) to connect to the Automation Engine through it. Of course, the TLS-gateway must be set up to "offer" a CP, and the Agent must be configured in such a way that it connects to the TLS-gateway's CP.
- What is the main purpose of the TLS-gateway:
The main purpose of the TLS-gateway is to help agents transfer files to each other, only when they use different connection types. For example, if one agent connects using the newer, secure "TLS" method and another uses the older "GSS" method, the TLS-gateway helps them exchange files.
- How the TLS-gateway itself connects:
The TLS-gateway itself connects to the Automation Engine's JCP. This is the same way modern agents, e.g. Windows agents (version 21 and newer), connect.
- When TLS certificates are needed:
You need TLS certificates when you use the secure "TLS" connection method to connect to the Automation Engine's JCP. Many newer components (like AWI, Analytics, and most Agents and Integrations from version 21 onwards) use this secure TLS connection.
Hopefully this helps
Michael
------------------------------
Michael K. Dolinek
Engineering Program Manager | Agile Operation Division
Broadcom Software
Original Message:
Sent: Jul 16, 2025 03:53 AM
From: Santiago Fernandez
Subject: Problem configuring TLS Gateway on OS/400
Whether a connection certificate is needed between an IBM i (AS/400) system and Automic Automation v21.x depends on the type of communication being established between the two systems.
When is a certificate required?
If you're using encrypted communication (SSL/TLS):
For example, if you're using the AS/400 Agent from Automic (AGENT IBM i) and configure it to communicate with the Automation Engine (AE) via TLS, then yes, a certificate is required (either self-signed or issued by a certificate authority).
The Automation Engine and the agents can encrypt communication if configured accordingly in their .ini files and certificates are defined.
If REST API is used over SSL from AS/400:
For example, if Automic's REST API is called from AS/400 programs (via CURL, sockets, or HTTP modules), and the API uses HTTPS, then AS/400 must trust the server's certificate (AE REST).
This means importing the root certificate or the server certificate into IBM i's trust store (via Digital Certificate Manager - DCM).
If the connection is unencrypted (not recommended):
Recommendations
Check the .ini files of the AS/400 agent, especially the communication and security sections, to see if TLS is enabled.
If you're enabling TLS, configure:
The certificate on the Automation Engine (CP/Java).
The agent's certificate trust store on AS/400, using DCM (Digital Certificate Manager).
Make sure the AE port (e.g., 2217) accepts TLS if enabled.
Let's go through the configuration needed to enable TLS (certificates) for communication between the Automation Engine (AE) and the AS/400 Agent in Automic v21.x.
On the Automation Engine (ucsrv.ini)
Typical location: /bin/ucsrv.ini on the AE server.
Section [TCP]
Enable TLS mode:
------------------------------
Santiago Fernández
UC SOFTWARE
santiago.fernandez@ucsoftware.es
Original Message:
Sent: Jul 15, 2025 06:29 PM
From: Kenneth Hutchins
Subject: Problem configuring TLS Gateway on OS/400
Also, how do you manage the Certificate (I assume the TLS/KEYSTORE)? Are you using a Certificate connection between the AS400 and AE?
Original Message:
Sent: Jul 15, 2025 02:45 PM
From: Santiago Fernandez
Subject: Problem configuring TLS Gateway on OS/400
I'm glad to hear you're making progress on the case. Not knowing the agent and AE versions you're using, I'd assume that, given the issue you mentioned, you're already experiencing issues with v24. If so, we had a similar problem with AS400 communication with AE in 24.4. It was resolved by also updating the agent to the same AE version. Our problem was communication and FT between the AS400 and the Automic Server, but not the other way around. In other words, there was a problem or bug between versions 24.x and earlier than 24.4 in the agent and AE running 24.4. If it's something else, please let us know. Another possibility is certificate management.
------------------------------
Santiago Fernández
UC SOFTWARE
santiago.fernandez@ucsoftware.es
Original Message:
Sent: Jul 15, 2025 12:41 PM
From: Kenneth Hutchins
Subject: Problem configuring TLS Gateway on OS/400
Thanks, this was helpful. The root cause of our issue was that the SBMJOB command (SBMJOB CMD(CALL PGM(UC4/IRSTRJOB))) was returning an exit code 1 when run directly on the AS/400.
The QPJOBLOG indicated the random missing library, which once deleted allowed SBMJOB to run. Now we are dealing with an issue with the TLS Gateway/Non-TLS connection for the AS400 File transfer jobs working intermittently.
Currently reviewing what the requirements are for AS400 to be configured to connect and run with the TLS Gateway properly.
Original Message:
Sent: Jul 15, 2025 03:56 AM
From: Santiago Fernandez
Subject: Problem configuring TLS Gateway on OS/400
Hi again, Kenneth, I think your problem has little to do with ours, except that it occurs on an OS/400 system. I've asked around here, and we have some ideas, at least on how to approach your solution.
Error: 'CPF1338 - Errors occurred on SBMJOB command. Cause: See the messages previously listed. Recovery: Correct the errors and then submit the command again. >ProcessBuilder.cpp#sys::ProcessBuilder::start(const UserPrincipal'
is related to a failed execution of the SBMJOB command on an IBM i (AS/400) system, likely triggered from Automic Automation (probably via an AS400 Agent or through an external process call).
1. Check Previous Messages (AS/400 Job Log)
The error says:
"See the messages previously listed"
This means the real error happened before the CPF1338 message.
Open the Job Log for the user on IBM i (e.g., using WRKJOB or DSPJOBLOG).
Look for messages like:
CPF2105 - Object not found
CPF9801 - Library not found
CPF0000 - Error in command
These will show the real reason why the SBMJOB failed.
2. Review the SBMJOB Command Sent from Automic
3. Check the User Context
The error includes a reference to ProcessBuilder::start(const UserPrincipal), suggesting a problem with the user context used to launch the process, for example:
User not authenticated properly.
User profile is disabled, lacks permissions, or has expired.
Required environment variables for that user are not properly set.
4. Review the Automic Agent Logs
Go to the Automic AS400 Agent directory (on IBM i or wherever the agent runs).
Check the following logs:
These may contain more detailed info about what failed in the SBMJOB.
Manual Test Example
From an interactive IBM i session, try running the same command manually:
SBMJOB CMD(CALL PGM(MYPROGRAM)) JOB(MYTEST)
If it fails, the system will show you the real error, which can help determine if the problem is:
Common Fix
Make sure the agent user has the correct libraries in their JOBD or job environment.
If the job uses a custom library that is not in the default list, you can add:
------------------------------
Santiago Fernández
UC SOFTWARE
santiago.fernandez@ucsoftware.es
Original Message:
Sent: Jul 15, 2025 03:32 AM
From: Kenneth Hutchins
Subject: Problem configuring TLS Gateway on OS/400
Yes. Been on call with Carahsoft, who is my go-between with Broadcom, for over 5 hours.
No one has a clue what Error: 'CPF1338 - Errors occurred on SBMJOB command.Cause . . . . . : See the messages previously listed. Recovery . . . : Correct the errors and then submit the command again. >ProcessBuilder.cpp#sys::ProcessBuilder::start(const UserPrincipal' means.
Kenny Hutchins Gilchrist, PMP(r), SAFe6 RTE, SAFe6 Scrum Master, CSM, DOL, CSPO
Manager, Workload Automation & Dev Ops | IT-Infrastructure and Operations
8403 Colesville Rd, 14th fl
Silver Spring, MD 20910
Office: 202.682.6603
Mobile: 240.338.5307
Fax: 202.962.8842
Khutchin@ullico.com
Original Message:
Sent: 7/15/2025 3:28:00 AM
From: Santiago Fernandez
Subject: RE: Problem configuring TLS Gateway on OS/400
Hi, that's solved. Need some help? Regards.
------------------------------
Santiago Fernández
UC SOFTWARE
santiago.fernandez@ucsoftware.es
Original Message:
Sent: Jul 14, 2025 05:53 PM
From: Kenneth Hutchins
Subject: Problem configuring TLS Gateway on OS/400
Hi, did you ever get this fixed?
Original Message:
Sent: Feb 26, 2025 03:22 AM
From: Santiago Fernandez
Subject: Problem configuring TLS Gateway on OS/400
Hi everyone,
We are setting up a TLS Gateway to communicate a non-TLS OS/400 port. We have followed the installation manual, but we can only see it trying to communicate and after a few minutes it ends without result. The log I copied gives little information, but it seems to be searching for the IPs, although I do not see the server machine.

20250225/082102.346 - U02000097 Connection with partner 'wss://10.254.169.70:2222/agent(/10.254.169.70:60804)' accepted.
20250225/082102.424 - U02002039 - 1 Successfully established connection with 'PCUC4001' (socket handle = '1158237757').
20250225/082102.440 - U00063013 - 1 FT '19517004': Connecting to '10.17.16.4' at port '2309'.
20250225/082102.752 - U02000060 - 1 Closing connection to Agent '0.0.0.0/0.0.0.0'.
20250225/082102.752 - U02000412 - 1 '0.0.0.0/0.0.0.0' ordered to close TLS connection with agent 'PCUC4001'.
20250225/082102.752 - U02100051 Web socket connection 'PCUC4001 closed with status code 'No code present (1005)', reason '-'.\
20250225/082102.768 - U02000327 Unexpected error on connection 'PCUC4001' (socket handle = '2'), reason '-'.
20250225/082102.768 - U00045014 Exception 'java.nio.channels.ClosedChannelException: "null"' at 'org.eclipse.jetty.websocket.core.internal.WebSocketSessionState.onEof():169'.
20250225/082102.768 - U02100051 Web socket connection 'PCUC4001 closed with status code 'No code present (1005)', reason '-'.\
In the screenshot you can see what happened when triggering a JOBF in AS400.
It remains connecting.... but does not do anything.
I look forward to any help on this matter.
Thanks in advance
------------------------------
Santiago Fernández
UC SOFTWARE
santiago.fernandez@ucsoftware.es
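
Added example (not part of the original post and not Automic tooling): a small triage script that parses TLS Gateway log lines in the format quoted above and reports file-transfer attempts whose connection is torn down shortly after the connect, together with the target address to check for reachability from the gateway host. The set of "close" message numbers and the 1000 ms window are assumptions drawn only from the quoted log.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the TLS Gateway log quoted in the post above.
SAMPLE_LOG = """\
20250225/082102.346 - U02000097 Connection with partner 'wss://10.254.169.70:2222/agent(/10.254.169.70:60804)' accepted.
20250225/082102.424 - U02002039 - 1 Successfully established connection with 'PCUC4001' (socket handle = '1158237757').
20250225/082102.440 - U00063013 - 1 FT '19517004': Connecting to '10.17.16.4' at port '2309'.
20250225/082102.752 - U02000060 - 1 Closing connection to Agent '0.0.0.0/0.0.0.0'.
20250225/082102.752 - U02000412 - 1 '0.0.0.0/0.0.0.0' ordered to close TLS connection with agent 'PCUC4001'.
"""

# timestamp - message number [- connection index] text
LINE_RE = re.compile(r"^(\d{8}/\d{6}\.\d{3}) - (U\d{8})(?: - (\d+))? (.*)$")
FT_CONNECT_RE = re.compile(r"FT '(\d+)': Connecting to '([^']+)' at port '(\d+)'")
# Assumption: these message numbers are treated as teardown markers
# because of their text in the quoted log, not from product documentation.
CLOSE_IDS = {"U02000060", "U02000412", "U02100051", "U02000327"}

def parse(log_text):
    """Yield (timestamp, message number, text) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y%m%d/%H%M%S.%f")
            yield ts, m.group(2), m.group(4)

def aborted_transfers(log_text, window_ms=1000):
    """Return FT connects followed by a close message within window_ms."""
    events = list(parse(log_text))
    findings = []
    for i, (ts, msg_id, text) in enumerate(events):
        ft = FT_CONNECT_RE.search(text) if msg_id == "U00063013" else None
        if not ft:
            continue
        for later_ts, later_id, _ in events[i + 1:]:
            delta = later_ts - ts
            if delta > timedelta(milliseconds=window_ms):
                break  # nothing closed the connection inside the window
            if later_id in CLOSE_IDS:
                findings.append({
                    "ft_id": ft.group(1),
                    "target": f"{ft.group(2)}:{ft.group(3)}",
                    "closed_by": later_id,
                    "after_ms": delta // timedelta(milliseconds=1),
                })
                break
    return findings
```
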
------------------------------