I am using the example code from section 11.4.3 TLS Socket Factory in the document: [Java Dynamic Management Kit 5.1 Tutorial|http://docs.oracle.com/cd/E19698-01/816-7609/6mdjrf873/index.html] . I can get it working fine, but only if the first private key entry in the server side's keystore is the one that matches a certificate in the client's truststore. This leads me to believe that there is no way to select a particular private key for use with a JMXMP connection across TLS, i.e. TLS always chooses the first key entry it encounters in the keystore. Is this true?
No. The client sends the server a list of cipher suites and the server selects a certificate from its keystore accordingly. RFC 2246: "The certificate type must be appropriate for the selected cipher suite's key exchange algorithm."
I would remove the line in the sample that sets the cipher suite. I can't see the point of crippling SSL by only allowing one cipher suite.