A non-TLS z/OS agent experiences connection failures when connecting to an Automation Engine via a TLS Gateway.

When the mainframe agent's started task begins, a HOST object for this new agent is created in client 0, but the agent subsequently fails to connect and authenticate. The agent throws the following error message: U02000105 Error when calling the function 'gss_acquire_cred' (Ret='458752', minor='1004')

Other V24 TLS agents in the environment (such as Windows, Unix, SQL, and the Gateway itself) successfully route through the proxy.

Troubleshooting steps such as deleting the HOST object from client 0, deleting or renaming the KEYSTORE file, authenticating the newly created HOST object in client 0, and restarting the agent do not resolve the problem.

z/OS Agent: (Classic/Non-TLS)   

TLS Gateway: v24.4.x+   

Automation Engine: 24.4.x+

The issue is caused by a bug in how the TLS Gateway handles proxy configurations for legacy, non-TLS agents (also known as GSS agents, such as the V21 Mainframe agent or v12.3 Windows agents).

When proxy settings (proxy_host and proxy_port) are configured in the TLS Gateway's .ini file, the Gateway correctly uses the proxy for its own connection to the Automic SaaS environment. However, it fails to apply those same proxy settings to the individual connections of the legacy agents routing through it.

Instead of routing the GSS agent's traffic through the proxy, the TLS Gateway attempts to make a direct connection to the SaaS environment on the agent's behalf. Because your network environment strictly requires traffic to go through the proxy, this direct connection attempt is blocked, resulting in the agent failing to connect and authenticate.

Please upgrade the TLS Gateway to the following versions. TLS Gateway 24.4.5 (Unavailable), 26.0.0 (Available), and 26.1.0 (Unavailable).

This will ensure the TLS Gateway properly routes legacy GSS agent connections through the proxy configured in its .ini file, preventing the blocked direct connection attempts.