Should I always load keyStore explicitly in my WebClient for authorized services?

你的背包 2021-01-25 19:29

I have a Java keystore with which I can connect to a protected https third-party service. I use this keystore explicitly in my code when I initialize my web client:



        
3 answers
  •  伪装坚强ぢ
    2021-01-25 20:22

    Set the truststore javax.net.ssl.trustStore for the public cert to provide to the external service. javax.net.ssl.keyStore is for storing your private cert when running on https.

    // Your private cert location
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStore", env.getProperty(SSL_KEYSTORE));
    System.setProperty("javax.net.ssl.keyStorePassword", env.getProperty(SSL_KEYSTORE_PASS));
    // Public cert location
    System.setProperty("javax.net.ssl.trustStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.trustStore", env.getProperty(SSL_TRUSTSTORE));
    System.setProperty("javax.net.ssl.trustStorePassword", env.getProperty(SSL_TRUSTSTORE_PASS));
    

    Also, I would recommend loading the properties (especially passwords) from a separate properties file, as mentioned by Léo Schneider.

    UPDATE: To your question regarding the usefulness of the javax.net.ssl properties, these properties are an alternative way to define the truststore and keystore properties. This is useful because not all libraries allow for SSLContext as input where it may be needed (for example legacy libraries that don't support SSL). Furthermore, these properties can also be defined directly from the command line, increasing usability.
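
For comparison with the system-property approach in the answer above, here is an added example (not part of the question or of any answer) that builds a per-client SSLContext for the JDK's java.net.http.HttpClient. The javax.net.ssl.* properties configure the JVM's default SSLContext, which every library relying on that default shares; the version below scopes the client certificate to one client. The class name, the `required` helper and the environment variable names are assumptions.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ScopedTlsClient {

    // Load a PKCS#12 store from disk (same store type as in the answer).
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            store.load(in, password);
        }
        return store;
    }

    // Context used only by the client it is handed to; the JVM-wide default
    // context (the one the javax.net.ssl.* properties configure) is untouched.
    static SSLContext contextFor(Path ks, char[] ksPass, Path ts, char[] tsPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(ks, ksPass), ksPass); // assumes key password equals store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(ts, tsPass)); // only CAs in this store are trusted by this client
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Hypothetical helper: fail fast instead of passing null paths or passwords on.
    static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) throw new IllegalStateException("missing " + name);
        return value;
    }

    public static void main(String[] args) throws Exception {
        // Assumed environment variable names; secrets stay out of source and command line.
        SSLContext ctx = contextFor(
                Path.of(required("SSL_KEYSTORE")), required("SSL_KEYSTORE_PASS").toCharArray(),
                Path.of(required("SSL_TRUSTSTORE")), required("SSL_TRUSTSTORE_PASS").toCharArray());
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        System.out.println("client TLS context: " + client.sslContext().getProtocol());
    }
}
```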
