diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index d1fb4c6..3474cf4 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 33 -%global rpmrelease 4 +%global rpmrelease 5 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1180,6 +1180,7 @@ Patch1011: rh1929465-dont_define_unused_throwioexception.patch Patch1009: rh1995150-disable_non-fips_crypto.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1010: rh1996182-login_to_nss_software_token.patch +Patch1012: rh1996182-extend_security_policy.patch ############################################# # @@ -1545,6 +1546,7 @@ popd # openjdk %patch1009 %patch1010 %patch1011 +%patch1012 # Extract systemtap tapsets %if %{with_systemtap} @@ -2262,6 +2264,10 @@ cjc.mainProgram(args) %endif %changelog +* Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. +- Resolves: rhbz#1997359 + * Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea - Fix unused function compiler warning found in systemconf.c - Related: rhbz#1995889 diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..7622622 --- /dev/null +++ b/rh1996182-extend_security_policy.patch 
@@ -0,0 +1,18 @@
+commit bfd7c5dae9c15266799cb885b8c60199217b65b9
+Author: Andrew Hughes
+Date: Mon Aug 30 16:14:14 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index 8356e56367b..23925f048be 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
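Review bot: The added `accessClassInPackage.jdk.internal.access` grant in the `jrt:/jdk.crypto.cryptoki` block has no comment saying which code needs it. `jdk.internal.access` is the package that holds the JDK's SharedSecrets accessors, so under a security manager this grant reaches further than its neighbours and should be easy to find when the policy is audited or rebased. I would put a line above it in default.policy such as `// RH1996182: SunPKCS11 needs jdk.internal.access (downstream FIPS change)`. The spec hunk at -1180 has the same gap: `Patch1012` sits under the `# RH1996182: Login to the NSS software token in FIPS mode` comment without a description of its own, e.g. `# RH1996182: Extend default security policy for SunPKCS11`. The patch and its commit message are labelled RH1996182 while the changelog entry resolves rhbz#1997359, so one of them should state how the two bugs relate; the `grant` block continues past the end of the inner hunk.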