In a normal Geronimo server, the basic security configuration is divided into two plugins, j2ee-security and server-security-config. The settings you are unlikely to want to change, such as the JACC provider and keystore manager, are in j2ee-security. The settings you are almost certain to want to change are in server-security-config. For instance, the toy properties-file security realm for the admin console is in server-security-config.
You want to replace server-security-config with your own Geronimo plugin (see plugin-infrastructure) that contains a security realm customized for your security setup (e.g. LDAP) and includes whatever keystores you need. To make your plugin replace all uses of server-security-config, you need to include artifact-alias elements in your geronimo-plugin.xml file:
<artifact-alias key="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">com.myco/myco-security-config/1.0/car</artifact-alias>
<artifact-alias key="org.apache.geronimo.framework/server-security-config//car">com.myco/myco-security-config/1.0/car</artifact-alias>
Or, if you save time and effort and use Maven with the car-maven-plugin, you'd include this in your car-maven-plugin configuration in your pom.xml.
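A check for the geronimo-plugin.xml aliases shown above, as an added example that is not part of the original page or of Geronimo itself: it reports when the stock server-security-config (and with it the toy properties-file realm) is only partly aliased. The wrapper elements in the sample are placeholders, and reading the empty-version key as the alias that covers unversioned references is an assumption about why the page lists both forms.

```python
import xml.etree.ElementTree as ET

# groupId/artifactId of the stock plugin, taken from the alias keys on this page.
STOCK = ("org.apache.geronimo.framework", "server-security-config")

# Constructed sample: the two aliases from this page inside a minimal wrapper.
# The wrapper element names are placeholders; only artifact-alias is inspected.
SAMPLE = """<geronimo-plugin><plugin-artifact>
<artifact-alias key="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">com.myco/myco-security-config/1.0/car</artifact-alias>
<artifact-alias key="org.apache.geronimo.framework/server-security-config//car">com.myco/myco-security-config/1.0/car</artifact-alias>
</plugin-artifact></geronimo-plugin>"""

def local(tag):
    """Strip an XML namespace so the check works whatever schema is declared."""
    return tag.rsplit("}", 1)[-1]

def check_aliases(xml_text, stock=STOCK):
    """Return a list of problems with the aliases for the stock security config."""
    problems, targets, versions = [], set(), set()
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "artifact-alias":
            continue
        key = el.get("key", "").strip().split("/")
        if len(key) != 4 or tuple(key[:2]) != stock:
            continue  # alias for some other artifact
        target = (el.text or "").strip()
        versions.add(key[2])
        targets.add(target)
        parts = target.split("/")
        if len(parts) != 4 or not all(parts):
            problems.append(f"target {target!r} is not group/artifact/version/type")
        elif tuple(parts[:2]) == stock:
            problems.append(f"target {target!r} points back at the stock config")
    if "" not in versions:
        problems.append("no unversioned alias (key with empty version)")
    if not versions - {""}:
        problems.append("no versioned alias")
    if len(targets) > 1:
        problems.append(f"aliases disagree on target: {sorted(targets)}")
    return problems

if __name__ == "__main__":
    for line in check_aliases(SAMPLE) or ["ok: stock security config fully aliased"]:
        print(line)
```

Run it against the geronimo-plugin.xml packaged in your built car; an empty result means both alias forms are present and agree on one replacement artifact.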
Note that if you want the admin console and MEJB to continue working without redeployment, you have to include a security realm named geronimo-admin that supplies appropriate users with principals of class org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal and names (as appropriate) admin (for console and MEJB read access) and mejbadmin (for MEJB write access).
As with any Geronimo plugin, you can include any jars in the plugin's classloader by installing the jars in the Geronimo repository and listing them as dependencies in the Geronimo plan. The car-maven-plugin can be used to make the Geronimo dependencies the same as the Maven dependencies and to have plugin installation also install all the needed jars.
You can also include security realm configuration, keystores, and credential stores in the Geronimo plan for your application. Just put the gbean configurations at the end, after the Java EE-specific configuration. In this case you may not want to remove the standard server-security-config, as removing it would prevent the admin console or MEJB from starting.