You're right that a client app should not contact your DB directly; that's a major security no-no. You could go through an HTTP proxy on your site, but the communication, which can be observed in traffic, should give away nothing that can be used to guess information used by other clients.
Also, with everything you do, keep in mind that Java apps can be decompiled and the security features patched out. It's not trivial to do, but won't put up unsurmountable obstacles to a determined attacker. So whatever measures you put in place may be circumvented by some people.
JMX isn't meant for managing remote client applications on machines; it would anyway have to make TCP/IP connections from afar, which generally isn't going to work.
keytool is meant for managing encryption keys and certificates, not for application keys; I'd go with a database for storing user and license information.
TrueLicense is an open source solution to some (or maybe all?) of the associated problems (not to decompilation, though).
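
An added example, not part of the original post: a sketch of the server-side check that would sit behind the HTTP endpoint, so that the client never touches the database and the reply reveals nothing about other clients. The class and method names are hypothetical, and an in-memory map stands in for the license table.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Server-side license check placed between the client app and the database.
public class LicenseCheck {
    enum State { ACTIVE, REVOKED }
    // Stand-in for the license table (assumption): SHA-256(key) -> state.
    private final Map<String, State> licenses = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    // Keys carry 128 random bits: no counter, customer id or date is encoded,
    // so seeing one key on the wire does not help guess anyone else's.
    String issue() {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        licenses.put(hash(key), State.ACTIVE);
        return key;
    }

    void revoke(String key) { licenses.replace(hash(key), State.REVOKED); }

    // Only true/false goes back to the client. Unknown, malformed and revoked
    // keys are indistinguishable, so replies cannot be used to probe the table.
    boolean isValid(String presentedKey) {
        if (presentedKey == null || presentedKey.length() > 64) return false;
        return licenses.get(hash(presentedKey)) == State.ACTIVE;
    }

    private static String hash(String key) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(key.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JRE
        }
    }

    public static void main(String[] args) {
        LicenseCheck svc = new LicenseCheck();
        String alice = svc.issue(), bob = svc.issue(); // constructed sample keys
        svc.revoke(bob);
        System.out.println(svc.isValid(alice) + " " + svc.isValid(bob) + " " + svc.isValid("guessed-key"));
    }
}
```

Because the client can be decompiled and patched, this check only controls what the server is willing to do for a given key; it cannot stop a modified client from skipping the call.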