There is a facility for masking the password (see PicketLink Configuration: Mask password), but it is rather useless, because with the salt and the iteration count in picketlink.xml everything needed to unmask the password is there.
Is there a better option than using system properties instead of masked or clear text passwords?
If you use system properties: how do you set and protect them?
Do you keep your key store in your application or do you put it somewhere else on the server (I don't know if the latter is possible)?
If you have your key store in your application, do you commit it to your revision control system? Do you upload your application's binaries with the key store to your Maven repository server (e.g. Nexus)?
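The point about the salt and iteration count, as an added example that is not part of the original post and is not PicketLink's own code: a password-based mask round trip in which every input to unmasking sits next to the masked value. The algorithm name, the fixed phrase, the class name `MaskRoundTrip` and all sample values are assumptions constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class MaskRoundTrip {
    // Assumption: the masking tool uses a JCE password-based cipher like this one.
    static final String ALGORITHM = "PBEwithMD5andDES";
    // Assumption: the PBE phrase is a constant shipped with the tool, so it is not a secret.
    static final char[] TOOL_PHRASE = "constructed-phrase-known-to-everyone".toCharArray();

    static Cipher cipher(int mode, String salt, int iterations) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(TOOL_PHRASE));
        Cipher c = Cipher.getInstance(ALGORITHM);
        byte[] saltBytes = salt.getBytes(StandardCharsets.UTF_8); // this scheme needs exactly 8 bytes
        c.init(mode, key, new PBEParameterSpec(saltBytes, iterations));
        return c;
    }

    static String mask(String clear, String salt, int iterations) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, salt, iterations)
                .doFinal(clear.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    static String unmask(String masked, String salt, int iterations) throws Exception {
        byte[] pt = cipher(Cipher.DECRYPT_MODE, salt, iterations)
                .doFinal(Base64.getDecoder().decode(masked));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values standing in for what the configuration file holds.
        String salt = "18273645";
        int iterations = 11;
        String masked = mask("constructed-store-pass", salt, iterations);

        // Everything passed to unmask() is readable by anyone who can read the file.
        String recovered = unmask(masked, salt, iterations);
        System.out.println("masked value in config: " + masked);
        System.out.println("recovered without any external secret: "
                + recovered.equals("constructed-store-pass"));
    }
}
```

Under these assumptions the mask hides the password only from a casual glance; anyone with read access to the file holds the same inputs the server uses to unmask it.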