I've an Apache server using mod_ssl to complete client-authenticated SSL. Apache apparently sets atmosphere variables (see this mod_ssl doc) which contain anyone's certificate, etc, however i can't have them from System.getProperty().

I have set SSLOptions -StdEnvVars +ExportCertData within the httpd-ssl.conf file (would be that the right place?) with no success.

System.getProperty(...) will get a method property, that is different then an atmosphere variable. For atmosphere variables, use System.getenv(...). As described in that method's Javadoc:

System qualities and atmosphere variables are generally conceptually mappings between names and values. Both systems may be used to pass user-defined information to some Java process. Atmosphere variables possess a more global effect, since they're visible to any or all descendants from the process which defines them, not only the immediate Java subprocess. They are able to have subtly different semantics, for example situation insensitivity, on different os's. Therefore, atmosphere variables may have unintentional unwanted effects. It is advisable to use system qualities where possible. Atmosphere variables ought to be used whenever a global effect is preferred, or when an exterior system interface requires an atmosphere variable (for example PATH).

Update in reaction to OP comment below: I truly have no idea the solution, but I'll list several things you can test to assist limit the issue (most of which you might curently have attempted):

  • Make sure to restart Apache after any switch to the primary configuration files, because it processes them on start-up. (I am betting you know this, however it appears worth mentioning, just just in case.)
  • The documentation for ExportCertData talks of "additional CGI/SSI atmosphere variables" (instead of "the conventional set" controlled by StdEnvVars). The documentation does not clearly state that ExportCertData is totally separate from StdEnvVars it can't shock me if you cannot get individuals additional variables without first obtaining the standard set. So, it might be really worth trying SSLOptions +StdEnvVars +ExportCertData. (Even when that does not repair the problem around the try, I'd suggest adhering with +StdEnvVars til you have an answer that does work, and just then switching to -StdEnvVars, since then make certain it's O.K. to do this.)
  • SSLOptions is recorded to operate within an .htaccess, so you might like to try putting it there (since that bypasses the question of httpd-ssl.conf versus. httpd.conf and whatnot).
  • The documentation states this configuration is "to supply several products of SSL information to supplement atmosphere variables towards the SSI and CGI namespace" (emphasis mine). I am unsure what which means poor ColdFusion-invoked Java it might be worth developing a real CGI script within the same directory and verifying it does not receive these variables, either.
  • I'm not sure much about ColdFusion. Is it feasible it's in some way realizing these atmosphere variables as sensitive, so not passing these to the Java program? (Or is it feasible that it features a limit on the size of an atmosphere variable that it'll pass for an exterior program?) It might be worth adding code within the cfm page to check on of these variables, just to ascertain if there is a difference.
  • Within your Java code, new java.util.ArrayList<String>((System.getenv().keySet()).toString() is a String that contains a (lengthy) listing of all atmosphere variables that you simply are getting. It might be worth analyzing it, just to ascertain if maybe the secrets look a little different for whatever reason from what you'd expect. (The ArrayList part is most likely unnecessary &mdash on my small system just System.getenv().keySet().toString() works &mdash however the JDK documentation does not appear to be sure the latter.)

Use [cde], not [cde], to retrieve atmosphere vars.