diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 751380a..d1fb4c6 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -298,7 +298,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        33
-%global rpmrelease      3
+%global rpmrelease      4
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1175,8 +1175,11 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 Patch1007: rh1915071-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
+Patch1011: rh1929465-dont_define_unused_throwioexception.patch
 # RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
 Patch1009: rh1995150-disable_non-fips_crypto.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1010: rh1996182-login_to_nss_software_token.patch
 
 #############################################
 #
@@ -1540,6 +1543,8 @@ popd # openjdk
 %patch1007
 %patch1008
 %patch1009
+%patch1010
+%patch1011
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -2257,6 +2262,14 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Sat Aug 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.4.ea
+- Fix unused function compiler warning found in systemconf.c
+- Related: rhbz#1995889
+
+* Sat Aug 28 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.4.ea
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997359
+
 * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea
 - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
 - Resolves: rhbz#1995889
diff --git a/rh1929465-dont_define_unused_throwioexception.patch b/rh1929465-dont_define_unused_throwioexception.patch
new file mode 100644
index 0000000..eba090f
--- /dev/null
+++ b/rh1929465-dont_define_unused_throwioexception.patch
@@ -0,0 +1,69 @@
+commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Sat Aug 28 01:15:28 2021 +0100
+
+    RH1929465: Don't define unused throwIOException function when using NSS detection
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 6f4656bfcb6..38919d6bb0f 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -34,14 +34,34 @@
+ 
+ #include "java_security_SystemConfigurator.h"
+ 
+-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+ #define MSG_MAX_SIZE 96
+ 
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+ 
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
++#ifndef SYSCONF_NSS
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++    jclass cls = (*env)->FindClass(env, "java/io/IOException");
++    if (cls != 0)
++        (*env)->ThrowNew(env, cls, msg);
++}
++
++#endif
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++    jstring jMsg;
++    if (debugObj != NULL) {
++        jMsg = (*env)->NewStringUTF(env, msg);
++        CHECK_NULL(jMsg);
++        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++    }
++}
+ 
+ /*
+  * Class:     java_security_SystemConfigurator
+@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ 
+ #endif // SYSCONF_NSS
+ }
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+-    jclass cls = (*env)->FindClass(env, "java/io/IOException");
+-    if (cls != 0)
+-        (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+-    jstring jMsg;
+-    if (debugObj != NULL) {
+-        jMsg = (*env)->NewStringUTF(env, msg);
+-        CHECK_NULL(jMsg);
+-        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+-    }
+-}
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..475c521
--- /dev/null
+++ b/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,65 @@
+commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
+Author: Martin Balao <mbalao@redhat.com>
+Date:   Sat Aug 28 00:35:44 2021 +0100
+
+    RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 39e69362458..aeb5fc2eb46 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -151,6 +151,7 @@ module java.base {
+         java.management,
+         java.naming,
+         java.rmi,
++        jdk.crypto.cryptoki,
+         jdk.crypto.ec,
+         jdk.jartool,
+         jdk.jlink,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 112b639aa96..5d3963ea893 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
+ 
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+ 
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.misc.InnocuousThread;
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+  */
+ public final class SunPKCS11 extends AuthProvider {
+ 
++    private static final boolean systemFipsEnabled = SharedSecrets
++            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+     private static final long serialVersionUID = -1354835039035306505L;
+ 
+     static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
+             if (nssModule != null) {
+                 nssModule.setProvider(this);
+             }
++            if (systemFipsEnabled) {
++                // The NSS Software Token in FIPS 140-2 mode requires a user
++                // login for most operations. See sftk_fipsCheck. The NSS DB
++                // (/etc/pki/nssdb) PIN is empty.
++                Session session = null;
++                try {
++                    session = token.getOpSession();
++                    p11.C_Login(session.id(), CKU_USER, new char[] {});
++                } catch (PKCS11Exception p11e) {
++                    if (debug != null) {
++                        debug.println("Error during token login: " +
++                                p11e.getMessage());
++                    }
++                    throw p11e;
++                } finally {
++                    token.releaseSession(session);
++                }
++            }
+         } catch (Exception e) {
+             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+                 throw new UnsupportedOperationException