Some roles use a hardened java.security config which overrides some security settings which are more strict than the Java defaults. But the default java.security files changes fairly often, which means that we need to rebase our Puppet template (which is error-prone and time-consuming).
I searched around and there seems to be an option to selectively override only some settings (and otherwise retain the default config), which we should test:
https://dzone.com/articles/how-override-java-security