diff --git a/.gitignore b/.gitignore index 6bf87cf..0e8da83 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ /pki-10.10.3.tar.gz /pki-10.10.5.tar.gz /pki-10.11.0-alpha1.tar.gz +/pki-10.11.0-alpha2.tar.gz diff --git a/0001-Fix-build.sh-without-test.patch b/0001-Fix-build.sh-without-test.patch deleted file mode 100644 index eb134ca..0000000 --- a/0001-Fix-build.sh-without-test.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -From 4a282212f73ae2ed225e6906b76b4ecbcfc239ab Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 26 May 2021 21:20:25 -0500 -Subject: [PATCH] Fix build.sh --without-test - -The cmake files have been modified not to build the test -classes when the --without-test is specified. Also, the -spec file has been modified not to run the test when the -option is specified. ---- - base/server/CMakeLists.txt | 89 +++++++++++++++++++------------------- - base/util/CMakeLists.txt | 56 ++++++++++++------------ - build.sh | 5 +-- - pki.spec | 2 +- - 4 files changed, 77 insertions(+), 75 deletions(-) - -diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt -index fddb60c4b7..e470b0d487 100644 ---- a/base/server/CMakeLists.txt -+++ b/base/server/CMakeLists.txt -@@ -52,51 +52,52 @@ if(WITH_SYSTEMD_NOTIFICATION) - add_subdirectory(systemd) - endif(WITH_SYSTEMD_NOTIFICATION) - --# build pki-server-test --# TODO: build test only when the test is invoked --javac(pki-server-test-classes -- DEPENDS -- pki-util-test-classes pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmsbundle-jar -- SOURCES -- src/test/java/*.java -- CLASSPATH -- ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSBUNDLE_JAR} -- ${LDAPJDK_JAR} ${SERVLET_JAR} ${XALAN_JAR} ${XERCES_JAR} -- ${JSS_JAR} ${COMMONS_CODEC_JAR} ${SYMKEY_JAR} -- ${HAMCREST_JAR} ${JUNIT_JAR} ${COMMONS_IO_JAR} -- ${CMAKE_BINARY_DIR}/test/classes -- OUTPUT_DIR -- ${CMAKE_BINARY_DIR}/test/classes --) -+if(WITH_TEST) -+ # build pki-server-test -+ javac(pki-server-test-classes -+ DEPENDS -+ pki-util-test-classes pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmsbundle-jar -+ SOURCES -+ src/test/java/*.java -+ CLASSPATH -+ ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSBUNDLE_JAR} -+ ${LDAPJDK_JAR} ${SERVLET_JAR} ${XALAN_JAR} ${XERCES_JAR} -+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${SYMKEY_JAR} -+ ${HAMCREST_JAR} ${JUNIT_JAR} ${COMMONS_IO_JAR} -+ ${CMAKE_BINARY_DIR}/test/classes -+ 
OUTPUT_DIR -+ ${CMAKE_BINARY_DIR}/test/classes -+ ) - --# create test target --# do not include xalan and xerces in class path --# TODO: create CMake function to find all JUnit test classes --add_junit_test(test-pki-server -- DEPENDS -- pki-server-test-classes -- CLASSPATH -- ${SLF4J_API_JAR} ${SLF4J_SIMPLE_JAR} -- ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSBUNDLE_JAR} -- ${LDAPJDK_JAR} ${SERVLET_JAR} -- ${COMMONS_CODEC_JAR} ${COMMONS_LANG3_JAR} -- ${JSS_JAR} ${SYMKEY_JAR} -- ${HAMCREST_JAR} ${JUNIT_JAR} ${COMMONS_IO_JAR} -- ${CMAKE_BINARY_DIR}/test/classes -- TESTS -- com.netscape.cmscore.authentication.AuthTokenTest -- com.netscape.cmscore.dbs.CertRecordListTest -- com.netscape.cmscore.dbs.DBRegistryTest -- com.netscape.cmscore.request.AgentApprovalsTest -- com.netscape.cmscore.request.ExtAttrDynMapperTest -- com.netscape.cmscore.request.ExtDataHashtableTest -- com.netscape.cmscore.request.RequestQueueTest -- com.netscape.cmscore.request.RequestRecordTest -- com.netscape.cmscore.request.RequestTest -- com.netscape.cmscore.password.PlainPasswordFileTest -- REPORTS_DIR -- reports --) -+ # create test target -+ # do not include xalan and xerces in class path -+ # TODO: create CMake function to find all JUnit test classes -+ add_junit_test(test-pki-server -+ DEPENDS -+ pki-server-test-classes -+ CLASSPATH -+ ${SLF4J_API_JAR} ${SLF4J_SIMPLE_JAR} -+ ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSBUNDLE_JAR} -+ ${LDAPJDK_JAR} ${SERVLET_JAR} -+ ${COMMONS_CODEC_JAR} ${COMMONS_LANG3_JAR} -+ ${JSS_JAR} ${SYMKEY_JAR} -+ ${HAMCREST_JAR} ${JUNIT_JAR} ${COMMONS_IO_JAR} -+ ${CMAKE_BINARY_DIR}/test/classes -+ TESTS -+ com.netscape.cmscore.authentication.AuthTokenTest -+ com.netscape.cmscore.dbs.CertRecordListTest -+ com.netscape.cmscore.dbs.DBRegistryTest -+ com.netscape.cmscore.request.AgentApprovalsTest -+ com.netscape.cmscore.request.ExtAttrDynMapperTest -+ com.netscape.cmscore.request.ExtDataHashtableTest -+ 
com.netscape.cmscore.request.RequestQueueTest -+ com.netscape.cmscore.request.RequestRecordTest -+ com.netscape.cmscore.request.RequestTest -+ com.netscape.cmscore.password.PlainPasswordFileTest -+ REPORTS_DIR -+ reports -+ ) -+endif(WITH_TEST) - - # Create /usr/share/pki/server/lib. This can be customized for different platforms in RPM spec. - -diff --git a/base/util/CMakeLists.txt b/base/util/CMakeLists.txt -index 6664be008b..174d128b43 100644 ---- a/base/util/CMakeLists.txt -+++ b/base/util/CMakeLists.txt -@@ -43,34 +43,36 @@ install( - - set(PKI_CMSUTIL_JAR ${CMAKE_BINARY_DIR}/dist/pki-cmsutil.jar CACHE INTERNAL "pki-cmsutil jar file") - --javac(pki-util-test-classes -- SOURCES -- src/test/java/*.java -- CLASSPATH -- ${PKI_CMSUTIL_JAR} -- ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} ${XALAN_JAR} ${XERCES_JAR} -- ${HAMCREST_JAR} ${JUNIT_JAR} -- OUTPUT_DIR -- ${CMAKE_BINARY_DIR}/test/classes -- DEPENDS -- pki-cmsutil-jar --) -+if(WITH_TEST) -+ javac(pki-util-test-classes -+ SOURCES -+ src/test/java/*.java -+ CLASSPATH -+ ${PKI_CMSUTIL_JAR} -+ ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} ${XALAN_JAR} ${XERCES_JAR} -+ ${HAMCREST_JAR} ${JUNIT_JAR} -+ OUTPUT_DIR -+ ${CMAKE_BINARY_DIR}/test/classes -+ DEPENDS -+ pki-cmsutil-jar -+ ) - --# TODO: create CMake function to find all JUnit test classes --add_junit_test(test-pki-util -- CLASSPATH -- ${SLF4J_API_JAR} ${SLF4J_JDK14_JAR} -- ${PKI_CMSUTIL_JAR} -- ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} -- ${HAMCREST_JAR} ${JUNIT_JAR} -- ${CMAKE_BINARY_DIR}/test/classes -- TESTS -- com.netscape.cmsutil.crypto.KeyIDCodecTest -- REPORTS_DIR -- reports -- DEPENDS -- pki-util-test-classes --) -+ # TODO: create CMake function to find all JUnit test classes -+ add_junit_test(test-pki-util -+ CLASSPATH -+ ${SLF4J_API_JAR} ${SLF4J_JDK14_JAR} -+ ${PKI_CMSUTIL_JAR} -+ ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} -+ ${HAMCREST_JAR} ${JUNIT_JAR} -+ ${CMAKE_BINARY_DIR}/test/classes -+ TESTS -+ 
com.netscape.cmsutil.crypto.KeyIDCodecTest -+ REPORTS_DIR -+ reports -+ DEPENDS -+ pki-util-test-classes -+ ) -+endif(WITH_TEST) - - install( - FILES -diff --git a/build.sh b/build.sh -index 533888ab97..67cf339cab 100755 ---- a/build.sh -+++ b/build.sh -@@ -153,9 +153,8 @@ generate_rpm_spec() { - - # hard-code test option - if [ "$WITHOUT_TEST" = true ] ; then -- commands="${commands}; s/%\(bcond_without *test\)\$/# \1\n%global with_test 0/g" -- else -- commands="${commands}; s/%\(bcond_without *test\)\$/# \1\n%global with_test 1/g" -+ # convert bcond_without into bcond_with such that unit tests do not run by default -+ commands="${commands}; s/%\(bcond_without *test\)\$/# \1\n%bcond_with test/g" - fi - - # hard-code packages to build -diff --git a/pki.spec b/pki.spec -index 9bfe2d9af1..505e9ce06d 100644 ---- a/pki.spec -+++ b/pki.spec -@@ -906,7 +906,7 @@ cd %{_vpath_builddir} - --no-print-directory \ - install - --%if %{with_test} -+%if %{with test} - ctest --output-on-failure - %endif - --- -2.31.1 - diff --git a/dogtag-pki.spec b/dogtag-pki.spec index f0d86d2..9048589 100644 --- a/dogtag-pki.spec +++ b/dogtag-pki.spec @@ -13,8 +13,8 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. Version: 10.11.0 -Release: 0.2.alpha1%{?_timestamp}%{?_commit_id}%{?dist} -%global _phase -alpha1 +Release: 0.4.alpha2%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -alpha2 # To create a tarball from a version tag: # $ git archive \ @@ -30,7 +30,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # \ # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -Patch1: 0001-Fix-build.sh-without-test.patch # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) 
@@ -60,16 +59,9 @@ ExcludeArch: i686 # Java ################################################################################ -%define java_devel java-devel -%define java_headless java-headless - -%if 0%{?fedora} >= 33 || 0%{?rhel} > 8 -%define min_java_version 1:11 -%define java_home /usr/lib/jvm/java-11-openjdk -%else -%define min_java_version 1:1.8.0 -%define java_home /usr/lib/jvm/java-1.8.0-openjdk -%endif +%define java_devel java-11-openjdk-devel +%define java_headless java-11-openjdk-headless +%define java_home /usr/lib/jvm/jre-11-openjdk ################################################################################ # RESTEasy @@ -82,10 +74,10 @@ ExcludeArch: i686 # PKI ################################################################################ -# By default the build will not execute unit tests unless --with test +# By default the build will execute unit tests unless --without test # option is specified. -%bcond_with test +%bcond_without test # By default all packages will be built except the ones specified with # --without option (exclusion method). @@ -175,7 +167,7 @@ BuildRequires: make BuildRequires: cmake >= 3.0.2 BuildRequires: gcc-c++ BuildRequires: zip -BuildRequires: %java_devel >= %{min_java_version} +BuildRequires: %{java_devel} BuildRequires: javapackages-tools BuildRequires: redhat-rpm-config BuildRequires: ldapjdk >= 4.22.0 @@ -183,6 +175,7 @@ BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io BuildRequires: apache-commons-lang3 >= 3.2 +BuildRequires: apache-commons-logging BuildRequires: apache-commons-net BuildRequires: glassfish-jaxb-api BuildRequires: slf4j @@ -345,7 +338,7 @@ PKI consists of the following components: Summary: PKI Symmetric Key Package -Requires: %java_headless >= %{min_java_version} +Requires: %{java_headless} Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 4.9.0 Requires: nss >= 3.38.0 
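Review bot: With the `>= %{min_java_version}` bound removed, the only things tying the package to Java 11 are the package names in `java_devel`/`java_headless` and the hard-coded `java_home` path in the `@@ -60,16 +59,9 @@` hunk. The same applies to the `BuildRequires`/`Requires` lines in the `-175,7`, `-345,7` and `-413,7` hunks. The three macros now have to be changed together and nothing in the spec says so; I would add a comment above them such as `# java_devel, java_headless and java_home must all name the same OpenJDK major version`. It is also worth confirming that `/usr/lib/jvm/jre-11-openjdk` resolves to a directory containing `bin/javac` once `java-11-openjdk-devel` is installed, because the cmake invocation in the `-852,8` hunk passes it as `-DJAVA_HOME`; that cannot be checked from this diff.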
@@ -413,7 +406,7 @@ This package contains PKI client library for Python 3. Summary: PKI Base Java Package BuildArch: noarch -Requires: %java_headless >= %{min_java_version} +Requires: %{java_headless} Requires: apache-commons-cli Requires: apache-commons-codec Requires: apache-commons-io @@ -852,8 +845,8 @@ cd build -DVAR_INSTALL_DIR:PATH=/var \ -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ -DJAVA_VERSION=${java_version} \ - -DJAVA_HOME=%java_home \ - -DPKI_JAVA_PATH=%java_home/bin/java \ + -DJAVA_HOME=%{java_home} \ + -DPKI_JAVA_PATH=%{java_home}/bin/java \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ -DAPP_SERVER=$app_server \ @@ -987,6 +980,10 @@ fi ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new ## PKI deployment process +# CVE-2021-3551 +# Remove world access from existing installation logs +find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; + # Reload systemd daemons on upgrade only if [ "$1" == "2" ] then 
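Review bot: The CVE-2021-3551 cleanup in the `@@ -987,6 +980,10 @@` hunk only reaches regular files directly under `/var/log/pki` (`-maxdepth 1 -type f`) and only clears the `other` bits, so log files in subdirectories and the existing group permissions are left as they were. If that scope is deliberate, the comment should say so, e.g. `# Only files directly in /var/log/pki are changed; subdirectories are intentionally skipped`. The command sits above the `"$1" == "2"` upgrade check, so it also runs on a first install; `[ ! -d /var/log/pki ] || find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} +` keeps the scriptlet quiet if the directory is absent and batches the chmod calls. The new `%changelog` entry mentions only the rebase, and naming CVE-2021-3551 there would let administrators see from the package metadata that the permission fix is included. The scriptlet starts and ends outside the hunk.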
@@ -1357,41 +1354,44 @@ fi ################################################################################ %changelog -* Tue Jun 1 2021 Dogtag PKI Team - 10.11.0-0.4 +- Rebase to PKI 10.11.0-alpha2 + +* Tue Jun 1 2021 Dogtag PKI Team - 10.11.0-0.2 - Drop git dependency - Disable unit tests by default -* Tue May 18 2021 Dogtag PKI Team - 10.11.0-0.1 - Rebase to PKI 10.11.0-alpha1 -* Wed Mar 10 2021 Dogtag PKI Team - 10.10.5-3 +* Wed Mar 10 2021 Dogtag PKI Team - 10.10.5-3 - Use tomcat instead of pki-servlet-engine in ELN -* Wed Mar 10 2021 Dogtag PKI Team - 10.10.5-2 +* Wed Mar 10 2021 Dogtag PKI Team - 10.10.5-2 - Drop dependency on esc for s390(x) architectures -* Thu Feb 25 2021 Dogtag PKI Team - 10.10.5-1 +* Thu Feb 25 2021 Dogtag PKI Team - 10.10.5-1 - Rebase to upstream stable v10.10.5 release * Tue Jan 26 2021 Fedora Release Engineering - 10.10.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Thu Jan 14 2021 Dogtag PKI Team - 10.10.3-1 +* Thu Jan 14 2021 Dogtag PKI Team - 10.10.3-1 - Rebase to upstream stable v10.10.3 release -* Fri Oct 30 2020 Dogtag PKI Team - 10.10.0-1 +* Fri Oct 30 2020 Dogtag PKI Team - 10.10.0-1 - Rebase to upstream stable v10.10.0-1 release -* Thu Oct 22 2020 Dogtag PKI Team - 10.10.0-0.2 +* Thu Oct 22 2020 Dogtag PKI Team - 10.10.0-0.2 - Rebase to upstream beta v10.10.0-b2 release -* Fri Sep 11 2020 Dogtag PKI Team - 10.9.4-1 +* Fri Sep 11 2020 Dogtag PKI Team - 10.9.4-1 - Rebase to stable upstream v10.9.4 release -* Tue Aug 18 2020 Dogtag PKI Team - 10.9.2-1 +* Tue Aug 18 2020 Dogtag PKI Team - 10.9.2-1 - Second attempt at JDK11 Support -* Tue Aug 18 2020 Dogtag PKI Team - 10.9.1-2 +* Tue Aug 18 2020 Dogtag PKI Team - 10.9.1-2 - Rebuilt to fix packaging issues introduced upstream * Sat Aug 01 2020 Fedora Release Engineering - 10.9.0-0.6 
@@ -1401,30 +1401,30 @@ fi * Mon Jul 27 2020 Fedora Release Engineering - 10.9.0-0.5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Tue Jun 30 2020 Dogtag PKI Team - 10.9.0-0.4 +* Tue Jun 30 2020 Dogtag PKI Team - 10.9.0-0.4 - Rebase to upstream beta version v10.9.0-b2 -* Wed Jun 10 2020 Dogtag PKI Team - 10.9.0-0.2 +* Wed Jun 10 2020 Dogtag PKI Team - 10.9.0-0.2 - Rebase to upstream alpha version 10.9.0-a2 -* Thu Mar 05 2020 Dogtag PKI Team - 10.8.3-1 +* Thu Mar 05 2020 Dogtag PKI Team - 10.8.3-1 - Rebase to latest upstream version - Spec cleanup to match with upstream spec * Tue Jan 28 2020 Fedora Release Engineering - 10.7.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild -* Wed Aug 14 2019 Dogtag PKI Team - 10.7.3-3 +* Wed Aug 14 2019 Dogtag PKI Team - 10.7.3-3 - Rebuild with patches applied -* Wed Aug 14 2019 Dogtag PKI Team - 10.7.3-2 +* Wed Aug 14 2019 Dogtag PKI Team - 10.7.3-2 - Fix URL redirection for KRA and OCSP web UI -* Thu Aug 08 2019 Dogtag PKI Team - 10.7.3-1 +* Thu Aug 08 2019 Dogtag PKI Team - 10.7.3-1 - Rebased to PKI 10.7.3 * Wed Jul 24 2019 Fedora Release Engineering - 10.7.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild -* Tue May 07 2019 Dogtag PKI Team - 10.7.0-1 +* Tue May 07 2019 Dogtag PKI Team - 10.7.0-1 - Rebased to PKI 10.7.0 diff --git a/sources b/sources index 2fdc29f..40f2823 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (pki-10.11.0-alpha1.tar.gz) = 4f4c9b29dc9126c91de9258063f370a05591447cbae76109e6841bdb2ea502994e945a4dd9d00ee85d3b783021b25a7bb243acc060b88901eb4e6b4c01c4f7db +SHA512 (pki-10.11.0-alpha2.tar.gz) = 1c80effcc4d4516b8e6f1405425913e68d3f4931da0aff796fed297041944d0a4d5239249353d6ece8e8306a118a9cc2439896f49c1731e989d0a8c310acf1a4