Yes, I did check the docs. My serverTrustStore was populated as described in the manual, i.e. "Install a client certificate in the server's trust store:

keytool -import -alias aDerbyClient -file aClient.cert -keystore serverTrustStore.key"

As said, my expectation was that installing just the certificate of the client(s) would suffice (as per my use case 3a). That way the set-up of the serverTrustStore would be achieved the same way as, and be consistent with, how this is done for the clientTrustStore (and, as said, my use case 2 below, where only the client requests peerAuthentication, works). But in the case of the serverTrustStore and the server requesting peerAuthentication, this only works after importing the CA certificate into the serverTrustStore as well - BUT!! then *any* client certificate signed by this CA seems to work - even if the client certificate is not part of the truststore. In fact it already works if the CA certificate is the *only* certificate in the serverTrustStore. It is unclear to me why the CA certificate needs to be imported into the truststore - imho this should not be necessary.
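Added illustration, not code from this thread and not a feature the Derby network server is shown here to provide: in JSSE, every certificate in a truststore is a trust anchor, so a CA certificate in the server truststore makes any client certificate that CA issued acceptable to the default PKIX trust manager. Restricting peerAuthentication to specific clients therefore needs a second check after chain validation. The class below (hypothetical names; truststore, keystore and allowlist values are assumed) wraps the default X509TrustManager and additionally requires the SHA-256 fingerprint of the client's leaf certificate to be in an explicit allowlist.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical example: delegates chain validation to the JVM's default trust
 * manager (which accepts anything chaining to a CA in the truststore) and then
 * rejects any client leaf certificate whose fingerprint is not allowlisted.
 */
public final class AllowlistingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;   // default PKIX trust manager
    private final Set<String> allowedSha256;   // lowercase hex SHA-256 of DER leaf certs

    public AllowlistingTrustManager(X509TrustManager delegate, Set<String> allowedSha256) {
        this.delegate = delegate;
        this.allowedSha256 = allowedSha256;
    }

    /** SHA-256 over the DER encoding, same value keytool -list -v prints. */
    static String sha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Step 1: standard validation (signature, validity, chain to a trust anchor).
        delegate.checkClientTrusted(chain, authType);
        // Step 2: a valid chain is not enough; the leaf itself must be one we expect.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        String fp = sha256Hex(chain[0]);
        if (!allowedSha256.contains(fp)) {
            throw new CertificateException("client certificate not allowlisted: " + fp);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Builds a server SSLContext: server key from the keystore, client check via truststore + allowlist. */
    public static SSLContext buildServerContext(String keyStorePath, char[] keyStorePassword,
                                               String trustStorePath, char[] trustStorePassword,
                                               Set<String> allowedSha256) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyStorePassword); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustStorePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        X509TrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { pkix = (X509TrustManager) tm; break; }
        }
        if (pkix == null) throw new IllegalStateException("no X509TrustManager available");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 new TrustManager[] { new AllowlistingTrustManager(pkix, allowedSha256) },
                 null);
        return ctx;
    }
}
```

The server socket created from this context still needs `setNeedClientAuth(true)` to request the client certificate at all; the allowlist only adds a constraint on top of the truststore check, it does not replace it, so the CA certificate remains in the truststore for chain validation while the fingerprint set decides which issued certificates are actually accepted.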