I am implementing a JBoss 7-backed web application that is a provider of one Web Service, as well as a client of another Web Service. Both services use a WS-SecurityPolicy, requiring the use of a JKS keystore file and/or a JKS truststore file. I'm using JBossWS (with CXF under the hood).

The code examples that I've seen for these situations have the keystore and truststore files contained within the application EAR. This concerns me for two reasons:

1. As a digital certificate expires, updating the appropriate keystore and/or truststore files requires a software release. It would be preferable for a system administrator to be able to update these resources without altering anything in the deployed EAR, or requiring some software release.
2. The JKS files that we would want to use in pre-production environments probably won't be the same files that we would want to use in a production environment.

In the JBoss world, is there a way to place the JKS files outside the EAR, but still have the JBoss-deployed web application be able to reach them? If so, then how might this be accomplished? For example, how might the org.apache.ws.security.crypto.merlin.keystore.file property be defined in order to reference the outside-the-EAR JKS file?