My tests seem to indicate that the client Java code running in JBoss is not aware of the enclosing JBoss' keystore and truststore. It is not clear where it is getting a certificate when the server asks for one during two-way SSL, but the certificate sent is considered bad. I would think that it looks in the cacerts or ~/.keystore, but this does not help.
I need to find a way to tell the client code to use the JBoss keystore without changing the code...
The MBean SystemPropertiesService should allow me to set Java system properties. Hopefully I can use this to set the javax.net.ssl.keyStore to the JBoss Identity keystore.
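
A diagnostic for the situation described in this post, as an added example that is not part of the original post: it prints the `javax.net.ssl.*` store settings the JVM currently has and lists which entries in the configured keystore hold a private key and could therefore serve as a client identity. The class name `ClientKeyStoreCheck` is hypothetical, and the check has to run in the same JVM as the client code (or with the same `-D` options) to see the same properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example; ClientKeyStoreCheck is a hypothetical name, not JBoss code.
public class ClientKeyStoreCheck {

    /** Aliases that hold a private key, i.e. entries usable for client authentication. */
    static List<String> keyEntryAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    public static void main(String[] args) throws Exception {
        // Show the store locations only; the password properties are never printed.
        String[] props = {
            "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType",
            "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType"
        };
        for (String p : props) {
            System.out.println(p + " = " + System.getProperty(p, "<not set>"));
        }

        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            System.out.println("javax.net.ssl.keyStore is not set: no keystore is "
                + "configured for the default JSSE key manager.");
            return;
        }
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.keyStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        List<String> identities = keyEntryAliases(ks);
        System.out.println("Private-key entries in " + path + ": " + identities);
        if (identities.isEmpty()) {
            System.out.println("Keystore has only trusted certificates; it cannot supply a client certificate.");
        }
    }
}
```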