SSL Server Authentication

When the client makes a connection request, the server presents its public certificate for the client to accept or deny. The client checks the issuer of the certificate against a list of trusted Certificate Authorities (CAs) that resides in an encrypted file on the client known as a truststore. If the certificate matches a trusted CA in the truststore, an encrypted connection is established between the client and server. If the certificate does not match, the connection fails and the client generates an error.
Most truststores are password-protected. The client must be able to locate the truststore and unlock the truststore with the appropriate password. Two connection properties are available to the client to provide this information: TrustStore and TrustStorePassword. The value of TrustStore is a pathname that specifies the location of the truststore file. The value of TrustStorePassword is the password required to access the contents of the truststore.
Alternatively, you can configure the client to trust any certificate sent by the server, even if the issuer is not a trusted CA. Allowing a client to trust any certificate sent from the server is useful in test environments because it eliminates the need to specify truststore information on each client in the test environment. ValidateServerCertificate, another connection property, allows the client to accept any certificate returned from the server regardless of whether the issuer of the certificate is a trusted CA.
Finally, the connection property HostNameInCertificate provides an additional method of server verification. When a value is specified for HostNameInCertificate, it must match the host name of the server as established by the SSL administrator. This prevents an attacker from interposing between the client and the server (a man-in-the-middle) and ensures that the client is connecting to the server that was requested.
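As an added example (not code from the original documentation), the following Java client builds the production form of the connection properties described above next to the test-only form, and checks the truststore before connecting. The JDBC URL, the host name, the JVM-default truststore type, and the value "false" for ValidateServerCertificate are assumptions, not values from this page.

```java
import java.io.*;
import java.security.*;
import java.sql.*;
import java.util.*;

public class SslServerAuthExample {
    // Hypothetical JDBC URL and host name: placeholders, not values from the page.
    static final String JDBC_URL = "jdbc:<driver>://db.example.com:<port>";
    static final String EXPECTED_HOST = "db.example.com";

    // Production settings: the server certificate must chain to a CA in the
    // truststore, and its host name must match the server we intended to reach.
    static Properties productionProps(String trustStorePath, String trustStorePassword) {
        Properties p = new Properties();
        p.setProperty("TrustStore", trustStorePath);
        p.setProperty("TrustStorePassword", trustStorePassword);
        p.setProperty("HostNameInCertificate", EXPECTED_HOST);
        return p;
    }

    // Test-only settings: any server certificate is accepted, so the server is not
    // authenticated. "false" is assumed to be the disabling value (not stated on the page).
    static Properties testOnlyProps() {
        Properties p = new Properties();
        p.setProperty("ValidateServerCertificate", "false");
        return p;
    }

    // Pre-flight check: the truststore must open with this password and hold at least
    // one trusted CA, so a failed connection points at the server certificate, not at
    // a wrong path or password. Truststore type is assumed to be the JVM default.
    static int countTrustedCAs(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        int count = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0], password = args[1];
        if (countTrustedCAs(path, password) == 0) throw new IllegalStateException("no trusted CAs in " + path);
        try (Connection c = DriverManager.getConnection(JDBC_URL, productionProps(path, password))) {
            System.out.println("server authenticated; encrypted connection established");
        }
    }
}
```

Run with the truststore path and password as arguments; testOnlyProps() is shown only for contrast and is not used by main.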