For a Broker component to be SSL authenticated, it must have a valid, authorized X.509 certificate installed in a keystore file and the trusted root for the CA that issued the certificate installed in a truststore file. The following figure illustrates these requirements and the relationship between the two files.

As shown in the above figure, the same truststore file can contain multiple trusted roots. These trusted roots may be associated with numerous keystore files. A keystore file contains the key pair for a single Broker component, and can contain the entire certificate chain required for a Broker component's authentication.