diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 46b7398..1b2125f 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -351,7 +351,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        10
-%global rpmrelease      6
+%global rpmrelease      7
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -415,6 +415,10 @@
 # images directories from upstream build
 %global jdkimage                jdk
 %global static_libs_image       static-libs
+# installation directory for static libraries
+%global static_libs_root        lib/static
+%global static_libs_arch_dir    %{static_libs_root}/linux-%{archinstall}
+%global static_libs_install_dir %{static_libs_arch_dir}/glibc
 # output dir stub
 %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
 # we can copy the javadoc to not arched dir, or make it not noarch
@@ -824,6 +828,7 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
@@ -882,6 +887,7 @@ exit 0
 %dir %{etcjavadir -- %{?1}}/lib
 %dir %{etcjavadir -- %{?1}}/lib/security
 %{etcjavadir -- %{?1}}/lib/security/cacerts
+%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
 %dir %{etcjavadir -- %{?1}}/conf
 %dir %{etcjavadir -- %{?1}}/conf/sdp
 %dir %{etcjavadir -- %{?1}}/conf/management
@@ -1054,10 +1060,10 @@ exit 0
 }
 
 %define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
+%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
 }
 
 %define files_javadoc() %{expand:
@@ -1831,6 +1837,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
 
 %build
+
 # How many CPU's do we have?
 export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
 export NUM_PROC=${NUM_PROC:-1}
@@ -1955,32 +1962,117 @@ function installjdk() {
     local imagepath=${1}
 
     if [ -d ${imagepath} ] ; then
-    # the build (erroneously) removes read permissions from some jars
-    # this is a regression in OpenJDK 7 (our compiler):
-    # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
-    find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+	# the build (erroneously) removes read permissions from some jars
+	# this is a regression in OpenJDK 7 (our compiler):
+	# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+	find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
 
-    # Build screws up permissions on binaries
-    # https://bugs.openjdk.java.net/browse/JDK-8173610
-    find ${imagepath} -iname '*.so' -exec chmod +x {} \;
-    find ${imagepath}/bin/ -exec chmod +x {} \;
+	# Build screws up permissions on binaries
+	# https://bugs.openjdk.java.net/browse/JDK-8173610
+	find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+	find ${imagepath}/bin/ -exec chmod +x {} \;
 
-    # Install nss.cfg right away as we will be using the JRE above
-    install -m 644 nss.cfg ${imagepath}/conf/security/
+	# Install nss.cfg right away as we will be using the JRE above
+	install -m 644 nss.cfg ${imagepath}/conf/security/
 
-    # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-    install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+	# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+	install -m 644 nss.fips.cfg ${imagepath}/conf/security/
 
-    # Use system-wide tzdata
-    rm ${imagepath}/lib/tzdb.dat
-    ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+	# Turn on system security properties
+	sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+	    ${imagepath}/conf/security/java.security
+
+	# Use system-wide tzdata
+	mv ${imagepath}/lib/tzdb.dat{,.upstream}
+	ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+	# Rename OpenJDK cacerts database
+	mv ${imagepath}/lib/security/cacerts{,.upstream}
+	# Install cacerts symlink needed by some apps which hard-code the path
+	ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
+
+	# Create fake alt-java as a placeholder for future alt-java
+	pushd ${imagepath}
+	# add alt-java man page
+	echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+	cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+	popd
+    fi
+}
+
+# Checks on debuginfo must be performed before the files are stripped
+# by the RPM installation stage
+function debugcheckjdk() {
+    local imagepath=${1}
+
+    if [ -d ${imagepath} ] ; then
+
+	so_suffix="so"
+	# Check debug symbols are present and can identify code
+	find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+	do
+	    if [ -f "$lib" ] ; then
+		echo "Testing $lib for debug symbols"
+		# All these tests rely on RPM failing the build if the exit code of any set
+		# of piped commands is non-zero.
+
+		# Test for .debug_* sections in the shared object. This is the main test
+		# Stripped objects will not contain these
+		eu-readelf -S "$lib" | grep "] .debug_"
+		test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+		# Test FILE symbols. These will most likely be removed by anything that
+		# manipulates symbol tables because it's generally useless. So a nice test
+		# that nothing has messed with symbols
+		old_IFS="$IFS"
+		IFS=$'\n'
+		for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT")
+		do
+		    # We expect to see .cpp files, except for architectures like aarch64 and
+		    # s390 where we expect .o and .oS files
+		    echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+		done
+		IFS="$old_IFS"
+
+		# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+		if [ "`basename $lib`" = "libjvm.so" ]; then
+		    eu-readelf -s "$lib" | \
+			grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$"
+		fi
+
+		# Test that there are no .gnu_debuglink sections pointing to another
+		# debuginfo file. There shouldn't be any debuginfo files, so the link makes
+		# no sense either
+		eu-readelf -S "$lib" | grep 'gnu'
+		if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
+		   echo "bad .gnu_debuglink section."
+		   eu-readelf -x .gnu_debuglink "$lib"
+		   false
+		fi
+	    fi
+	done
+
+	# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+	# javaCalls.cpp:58 should map to:
+	# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+	# Using line number 1 might cause build problems. See:
+	# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+	# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+	gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
+handle SIGSEGV pass nostop noprint
+handle SIGILL pass nostop noprint
+set breakpoint pending on
+break javaCalls.cpp:58
+commands 1
+backtrace
+quit
+end
+run -version
+EOF
+%ifarch %{gdb_arches}
+	grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+%endif
 
-    # Create fake alt-java as a placeholder for future alt-java
-    pushd ${imagepath}
-    # add alt-java man page
-    echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
-    cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
-    popd
     fi
 }
 
@@ -2050,6 +2142,8 @@ for suffix in %{build_loop} ; do
   # Final setup on the main image
   top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
   installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+  # Check debug symbols were built into the dynamic libraries
+  debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
 
 # build cycles
 done # end of release / debug cycle loop
@@ -2059,22 +2153,11 @@ done # end of release / debug cycle loop
 # We test debug first as it will give better diagnostics on a crash
 for suffix in %{build_loop} ; do
 
-top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
-%if %{include_staticlibs}
-top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
-%endif
-
-export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
-
-# Pre-test setup
-
-# Turn on system security properties
-sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
-    ${JAVA_HOME}/conf/security/java.security
+export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
 
 #check Shenandoah is enabled
 %if %{use_shenandoah_hotspot}
-$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
 %endif
 
 # Check unlimited policy has been used
@@ -2106,75 +2189,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
 
 %if %{include_staticlibs}
 # Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
-readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
-readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
-%endif
-
-so_suffix="so"
-# Check debug symbols are present and can identify code
-find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
-do
-  if [ -f "$lib" ] ; then
-    echo "Testing $lib for debug symbols"
-    # All these tests rely on RPM failing the build if the exit code of any set
-    # of piped commands is non-zero.
-
-    # Test for .debug_* sections in the shared object. This is the main test
-    # Stripped objects will not contain these
-    eu-readelf -S "$lib" | grep "] .debug_"
-    test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
-    # Test FILE symbols. These will most likely be removed by anything that
-    # manipulates symbol tables because it's generally useless. So a nice test
-    # that nothing has messed with symbols
-    old_IFS="$IFS"
-    IFS=$'\n'
-    for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT")
-    do
-     # We expect to see .cpp files, except for architectures like aarch64 and
-     # s390 where we expect .o and .oS files
-      echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
-    done
-    IFS="$old_IFS"
-
-    # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
-    if [ "`basename $lib`" = "libjvm.so" ]; then
-      eu-readelf -s "$lib" | \
-        grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$"
-    fi
-
-    # Test that there are no .gnu_debuglink sections pointing to another
-    # debuginfo file. There shouldn't be any debuginfo files, so the link makes
-    # no sense either
-    eu-readelf -S "$lib" | grep 'gnu'
-    if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
-      echo "bad .gnu_debuglink section."
-      eu-readelf -x .gnu_debuglink "$lib"
-      false
-    fi
-  fi
-done
-
-# Make sure gdb can do a backtrace based on line numbers on libjvm.so
-# javaCalls.cpp:58 should map to:
-# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 
-# Using line number 1 might cause build problems. See:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
-# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
-gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
-handle SIGSEGV pass nostop noprint
-handle SIGILL pass nostop noprint
-set breakpoint pending on
-break javaCalls.cpp:58
-commands 1
-backtrace
-quit
-end
-run -version
-EOF
-%ifarch %{gdb_arches}
-grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
 %endif
 
 # Check src.zip has all sources. See RHBZ#1130490
@@ -2221,17 +2238,10 @@ pushd ${jdk_image}
   install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
   for name in $tapsetFiles ; do
     targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
-    ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
+    ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
   done
 %endif
 
-  # Remove empty cacerts database
-  rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
-  # Install cacerts symlink needed by some apps which hard-code the path
-  pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
-      ln -sf /etc/pki/java/cacerts .
-  popd
-
   # Install version-ed symlinks
   pushd $RPM_BUILD_ROOT%{_jvmdir}
     ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
@@ -2251,11 +2261,12 @@ pushd ${jdk_image}
   rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
 
 popd
+
 # Install static libs artefacts
 %if %{include_staticlibs}
-mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
 cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
-  $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
+  $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
 %endif
 
 if ! echo $suffix | grep -q "debug" ; then
@@ -2300,10 +2311,10 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
 mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/  $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
 mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security  $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
 pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
-  ln -s %{etcjavadir -- $suffix}/conf  ./conf
+  ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf  ./conf
 popd
 pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
-  ln -s %{etcjavadir -- $suffix}/lib/security  ./security
+  ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security  ./security
 popd
 # end moving files to /etc
 
@@ -2559,6 +2570,14 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-7.rolling
+- Turn on system security properties as part of the build's install section
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Run tests on the installed image, rather than the build image
+- Introduce variables to refer to the static library installation directories
+- Use relative symlinks so they work within the image
+- Run debug symbols check during build stage, before the install strips them
+
 * Thu Jul 07 2022 Stephan Bergmann <sbergman@redhat.com> - 1:18.0.1.0.10-6.rolling
 - Fix flatpak builds by exempting them from bootstrap