The policy and the keystore file need to be in the home directory of the user that is using the applet. For the server it doesn't matter if the applet-jar is signed or not, it's just a file served via http.
For my test I used Apache: I put an index.html, the signed applet jar, the policy file and the keystore in the htdocs of the server. Mainly I used the instructions found here
and it worked.
My problem now is to place correctly the policy and keystore file in a packaged web application. There should be a way to bring these two files on the client side
the applet did not work for another problem. The policy file and the store are useless on the server, as stated by Harald Gliebe. The instructions reported on the above site are wrong on this point.