It depends on a lot of factors.
There is nothing wrong with an application specifying a single keystore/truststore with only one certificate as a trusted certificate in it for the entire JVM, as long as anyone using that JVM recognizes that its keystore/truststore is customized. This is a much more paranoid setting than the default which trusts more than 50 Certification Authorities all over the world.
Generally, an application's security review determines what must be trusted, what other applications are running on the same machine and do they need to use the same JVM, etc. Once you've reviewed these, there are many different ways to configure this.
1) You can create different keystores/truststores for each application and specify these properties on the command line that starts the JVM with the -D options (see http://docs.oracle.com/javaee/1.4/tutorial/doc/Security6.html for an explanation). Now each application will start its own JVM with its own keystore/truststore;
2) You can create a common keystore/truststore and have all the applications on the machine use the same *stores when they start the JVM; this assumes that they all have the same security profile and it's OK for them to be sharing these resources;
3) You can write the code manually to read your own keystore/truststore and establish your own SSL session without using the System properties; this is harder and more work, but it will work for those who are super-paranoid;
4) There may be other ways, but I would usually pick a solution from either #1 or #2.
Arshad Noor
StrongAuth, Inc.
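The programmatic route described in option #3, as an added example that is not part of the original post: it loads an application-specific JKS truststore into its own SSLContext and applies it to a single HttpsURLConnection, so the JVM-wide javax.net.ssl.trustStore properties from option #1 and any other application sharing the JVM are left untouched. The truststore path, password and URL are placeholders.

```java
// Added example: per-connection trust from a private truststore (option #3).
// The path, password and URL below are hypothetical placeholders.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreClient {

    /** Build an SSLContext that trusts only the certificates held in the given JKS truststore. */
    static SSLContext sslContextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // Reuse the JVM's default (PKIX) trust manager, but feed it our own store
        // instead of the cacerts file referenced by javax.net.ssl.trustStore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null KeyManagers: no client certificate; null SecureRandom: platform default.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFor("/path/to/app-truststore.jks", "changeit".toCharArray());
        SSLSocketFactory factory = ctx.getSocketFactory();
        URL url = new URL("https://example.com/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scope the custom trust to this connection only; deliberately NOT calling
        // HttpsURLConnection.setDefaultSSLSocketFactory, which would change the whole JVM.
        conn.setSSLSocketFactory(factory);
        System.out.println("HTTP " + conn.getResponseCode()
                + " negotiated with " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

A peer whose certificate chain does not end in a certificate from the private truststore fails the handshake with an SSLHandshakeException, which is the behaviour the "super-paranoid" setting is after.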