Should I always load keyStore explicitely in my WebClient for authorized services?

Question

I have a java keystore with which I can connect to a protected https third-party service. I use this keystore explicitely in my code when I initialize my web client:

Answer 1

You can do something like the first solution, but you have to remove the password as a String, the password should be either in your properties file that is loaded at runtime, or specify it as an environment variable when you start the JVM.

I would say that the main point is that the password should not be in the code.

For the second solution you might want to check the trustStore environment variables.

https://docs.oracle.com/javadb/10.8.3.0/adminguide/cadminsslserver.html