Currently, the SSL configuration for GlassFish appears to rely on the JVM-wide
system properties for keystore and truststore. Each "<ssl.../>" listener can
specify an alias to use for its server certificate – that works OK.

It would be useful to be able to specify at least a separate trust store for
each listener. This would allow for the case where the system may have a
publicly-facing listener for Internet requests and a private-network-facing
listener for internal requests. The public ones may require real
Verisign/Thawte client certificates while the private ones may require a
specific private CA.

Tomcat allows each SSL listener to specify its own keystore, keystore type,
keystore password, truststore, truststore type, and truststore password. It
would be nice if GlassFish offered equivalent functionality.
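
The per-listener separation requested above, sketched in plain JSSE as an added example (it is not GlassFish or Tomcat code): each listener gets its own SSLContext built from its own trust store, so client certificates accepted on one port are not accepted on the other. The file names, ports, PKCS12 store type and the STORE_PASS environment variable are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Objects;
import javax.net.ssl.*;

public class PerListenerTrust {
    // Load a PKCS12 store from disk (the store type is an assumption).
    static KeyStore load(String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext whose trust anchors come only from trustStore.
    static SSLContext contextFor(KeyStore keys, char[] keyPass, KeyStore trustStore) throws Exception {
        // TrustManagerFactory.init(null) falls back to the JVM-wide default
        // trust store, which is the coupling to avoid, so reject null here.
        Objects.requireNonNull(trustStore, "listener needs an explicit trust store");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Open a listener that refuses handshakes without a trusted client certificate.
    static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        s.setNeedClientAuth(true);
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names, ports and password source.
        char[] pass = System.getenv("STORE_PASS").toCharArray();
        KeyStore serverKeys = load("server.p12", pass);
        // Public listener trusts only commercial CAs; internal listener only the private CA.
        SSLServerSocket pub = listen(contextFor(serverKeys, pass, load("public-ca.p12", pass)), 8443);
        SSLServerSocket priv = listen(contextFor(serverKeys, pass, load("internal-ca.p12", pass)), 9443);
        System.out.println("public listener on " + pub.getLocalPort()
                + ", internal listener on " + priv.getLocalPort());
    }
}
```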