When the embedded container is started using javax.ejb.embeddable.EJBContainer#createEJBContainer, security files like the keystores (e.g. cacerts.jks) are not being copied. This appears to be a regression from 3.1, as these files are copied correctly by the 3.1 version of the glassfish-embedded-all artifact.
The problem seems to be caused by revision 47307, which introduced the use of com.sun.enterprise.security.EmbeddedSecurity when determining whether to copy the files. The root cause of the problem is that the org.glassfish.server.ServerEnvironmentImpl that is constructed and checked by com.sun.enterprise.security.embedded.EmbeddedSecurityUtil has a RuntimeType of "DAS" rather than "EMBEDDED."
In my particular case, there is an additional CA certificate that needs to be added to the CA certificate keystore. Attempting to override the javax.net.ssl.trustStore property from outside the container (whether setting it as a JVM property or passing it as an entry in the Properties object passed to createEJBContainer) doesn't work because the property is being set programmatically from within the embedded container runtime.
I'm starting the container with the following properties set:
My modified version of cacerts.jks lives in /path/to/install/root/domains/domain1/config/. However, the version of cacerts.jks actually being used (i.e. in the temporary folder) is the version included with the glassfish-embedded-all artifact.