Broker Server Identity and SSL
The Broker will start enforcing ACLs on protected Broker objects when the Broker Server has established an identity for itself. At this point, anonymous clients are no longer able to access ACL-protected Broker objects.
The following figure illustrates how client-to-Broker Server connections work when the Broker Server has an identity.
Client-to-Broker connections: Broker Server SSL identity configured and enabled
When a Broker Server and client authenticate each other's SSL identities, a connection is made through the (two-way) SSL port. That port's number is two below that of the Broker Server's assigned port. Under these circumstances, a client can access any Broker object protected by an ACL, so long as that client's identity is listed in the object's ACL.
Clients that connect through the non-SSL port do not present an SSL identity to the Broker Server for authentication, so they cannot access Broker objects protected by an ACL (illustrated by the crosses).
The following figure illustrates how client-to-Broker Server connections work when the Broker Server does not have an SSL identity (or its SSL identity is disabled).
Client-to-Broker connections: no Broker Server SSL identity
If the Broker Server does not have an SSL identity (or the identity is disabled), ACLs are not enforced. Any client that can connect to the Broker Server can access any of its ACL-protected Broker objects.
For the SSL port to be used, the Broker Server must have an identity. Thus, any attempt to connect to the Broker Server by first authenticating its identity will fail (illustrated by the crosses). Only non-SSL connections will be successful.
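The rules in this section, written as a small Python model that can be run over an inventory of Broker Servers to find those whose ACLs are not being enforced. This is an added example, not webMethods code or a Broker API; the class and function names, the port numbers and the distinguished names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BrokerServer:                  # hypothetical model, not a Broker API
    name: str
    base_port: int                   # the Broker Server's assigned (non-SSL) port
    has_identity: bool               # an SSL identity is configured
    identity_enabled: bool = True    # a configured identity can still be disabled

    @property
    def enforces_acls(self):
        # ACLs are enforced only while the server has an enabled identity.
        return self.has_identity and self.identity_enabled

    @property
    def two_way_ssl_port(self):
        # The two-way SSL port is two below the assigned port.
        return self.base_port - 2

def access_acl_object(server, port, client_identity, acl):
    """Return (allowed, reason) for a client reaching an ACL-protected object."""
    if port == server.two_way_ssl_port:
        if not server.enforces_acls:
            return False, "connection fails: server has no identity to authenticate"
        if client_identity is None:
            # Two-way SSL means both sides authenticate each other.
            return False, "connection fails: client presented no SSL identity"
        if client_identity in acl:
            return True, "authenticated identity is listed in the ACL"
        return False, "authenticated identity is not listed in the ACL"
    if port == server.base_port:
        if server.enforces_acls:
            return False, "anonymous client: ACL is enforced"
        return True, "ACLs are not enforced: any connected client has access"
    return False, "not a port described in this section"

def audit(servers):
    """Names of servers whose ACL-protected objects are open to any client."""
    return [s.name for s in servers if not s.enforces_acls]

# Constructed inventory and ACL for the demonstration.
SERVERS = [BrokerServer("prod", 6849, True),
           BrokerServer("staging", 6849, True, identity_enabled=False),
           BrokerServer("dev", 7849, False)]
ACL = {"CN=orders-app"}

if __name__ == "__main__":
    print("ACLs not enforced on:", audit(SERVERS))
    for s in SERVERS:
        for port, who in ((s.two_way_ssl_port, "CN=orders-app"), (s.base_port, None)):
            print(s.name, port, who, access_acl_object(s, port, who, ACL))
```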