When a Universal Messaging realm starts for the first time, it automatically generates a public/private key pair for encryption purposes and stores it in the internal keystore server.jks file in the realm's data/RealmSpecific directory. The public keys of other nodes are also added to this file whenever the realms are added to form a cluster.

These auto-generated keys are used for server identification only; basically whenever two realms establish a connection, they will exchange a single signed message as part of the handshake routine, in order to confirm they know each other.

After this initial handshake has taken place, all encrypted communication between realms in a cluster uses separate keys and keystores.