The Allowed Hosts list contains security exceptions. These are hosts that submitted a server certificate during the handshake that could not be validated (the private key used to sign the server certificate does not match the public key of any root or intermediate certificate in the Trust Store). Regardless of the response to the message (Allow or Reject), the host that sent the unmatched server certificate is listed in the Allowed Hosts list.
Exceptions are also created when the certificate was issued for a different host.
If you are using the default self-signed certificate or you have not imported the CA’s root certificate into the applicable Trust Stores before initiating the Foxs connection, the connection fails and creates a host exception that needs to be approved.
If this is a station-to-station connection, the connection fails essentially silently: there is no prompt to approve the host exception. If this is a Workbench-to-station connection, a dialog prompts you to approve the host exception.
Workbench challenges server identity at startup for unapproved hosts and, unless specific permission is granted, prohibits communication. Once permission is granted, future communication occurs automatically (you still have to log in). Both approved and unapproved hosts remain in this list until deleted.
Host identity includes the IP address and port number. Port numbers are different for secure platform and station connections, thus you can have two certificates for the same IP host. If the IP address of an approved host changes, and no matching certificate exists in the Trust Store, Workbench again challenges server identity at startup and enters a “new” host in the Allowed Hosts list.
You should only approve exceptions if you are sure of the identity of the host and know why the matching certificate was not found in the Trust Store.
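One way to make "sure of the identity of the host" checkable, shown as an added example that is not Tridium code: compare the certificate behind each pending exception with a fingerprint recorded out-of-band for that exact IP address and port. The function names, addresses, ports and certificate bytes are constructed for illustration, and obtaining the presented certificate's DER bytes is assumed.

```python
import hashlib
import hmac

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' as an operator may have written it down."""
    return fp.replace(":", "").replace(" ", "").lower()

def review(pending, inventory):
    """Decide each pending host exception.

    pending:   list of (ip, port, der_bytes) as presented by the host
    inventory: {(ip, port): fingerprint} recorded out-of-band (hypothetical record)
    Returns {(ip, port): (decision, reason)}.
    """
    results = {}
    for ip, port, der in pending:
        seen = fingerprint(der)
        expected = inventory.get((ip, port))
        if expected is None:
            # Host identity is IP address plus port, so a known certificate
            # on a new address is still a new, unexplained entry.
            moved = any(hmac.compare_digest(normalize(fp), seen)
                        for fp in inventory.values())
            reason = ("certificate recorded under another address" if moved
                      else "host not in inventory")
            results[(ip, port)] = ("investigate", reason)
        elif hmac.compare_digest(normalize(expected), seen):
            results[(ip, port)] = ("approve", "fingerprint matches record")
        else:
            results[(ip, port)] = ("reject", "fingerprint differs from record")
    return results

def colon_upper(hex_fp: str) -> str:
    """Format a hex fingerprint the way certificate viewers often print it."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

# Constructed sample data: placeholder bytes stand in for real DER certificates.
STATION_CERT = b"constructed station certificate"
PLATFORM_CERT = b"constructed platform certificate"
UNKNOWN_CERT = b"constructed unknown certificate"
INVENTORY = {  # one record per port, since station and platform ports differ
    ("192.0.2.10", 4911): colon_upper(fingerprint(STATION_CERT)),
    ("192.0.2.10", 5011): fingerprint(PLATFORM_CERT),
}
PENDING = [("192.0.2.10", 4911, STATION_CERT),
           ("192.0.2.10", 5011, UNKNOWN_CERT),
           ("192.0.2.77", 4911, STATION_CERT)]
```

A match only shows that the certificate is the expected one; you still need to know why it was absent from the Trust Store before approving.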
Copyright © 2000-2014 Tridium Inc. All rights reserved.