diff --git a/tasks/8.5-acls.yml b/tasks/8.5-acls.yml
new file mode 100644
index 0000000..474419e
--- /dev/null
+++ b/tasks/8.5-acls.yml
@@ -0,0 +1,38 @@
+---
+- name: Register libraries in Tomcat installation
+ tags: tomcat
+ become: true
+ register: tomcat_registered_files
+ always_run: true
+ changed_when: false
+ when: tomcat_fact_is_not_initial_check_mode
+ shell: ls -1 {{ acl_dir }}/*.jar
+
+- name: Update installation folder access controls
+ tags: tomcat
+ become: true
+ file:
+ state: directory
+ dest: '{{ acl_dir }}'
+ mode: 'o=rx'
+
+- name: Update installation libraries access controls
+ tags: tomcat
+ become: true
+ with_items: '{{ (tomcat_registered_files|default({})).stdout_lines|default([]) }}'
+ file:
+ state: file
+ mode: 'o=r'
+ dest: '{{ item }}'
+
+- name: Update installation executables access controls
+ tags: tomcat
+ become: true
+ when: '{{ ansible_local.util.init.system != "systemd" }}'
+ with_items:
+ - catalina.sh
+ - setclasspath.sh
+ file:
+ state: file
+ mode: 'o=rx'
+ dest: '{{ tomcat_env_catalina_home }}/bin/{{ item }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index 57cf285..4a89a7e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -119,6 +119,22 @@ args: creates: "{{ tomcat_env_catalina_home }}/lib"
+# Tomcat 8.5 is packaged with umask 027 which breaks current paradigm
+# to keep CATALINA_HOME and CATALINA_BASE files separated.
+# Identify all jars in bin/ and lib/ directory and make them accessible
+# to the tomcat service user(s).
+- name: Include file system access controls for tomcat >= 8.5
+ tags: tomcat
+ when:
+ - '{{ tomcat_version|version_compare("8.5", ">=") }}'
+ - '{{ tomcat_fact_is_not_initial_check_mode }}'
+ with_items:
+ - '{{ tomcat_env_catalina_home }}/bin'
+ - '{{ tomcat_env_catalina_home }}/lib'
+ loop_control:
+ loop_var: acl_dir
+ include: 8.5-acls.yml
+ - name: Install instance directories tags: tomcat
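Review bot: `shell: ls -1 {{ acl_dir }}/*.jar` in the first task fails the play whenever a directory holds no jar (an unmatched glob makes `ls` exit non-zero and there is no `failed_when`), and it depends on shell globbing over an interpolated path; the `find` module enumerates the same files without a shell and returns an empty `files` list instead of an error, as sketched below. The three permission tasks widen access to every other user (`o=rx` on the directory, `o=r` on the jars, `o=rx` on the scripts); if only the tomcat service user(s) need them, setting `group` to the tomcat group with `g=rx`/`g=r` stays closer to the 027 tightening the 8.5 tarball introduced, so a comment recording why `o=` was chosen would help the next reader. Only bin/ and lib/ are relaxed here: if CATALINA_HOME itself came out of the tarball without o+x, other users still cannot reach them, which is worth checking on a fresh extract. `when: '{{ ansible_local.util.init.system != "systemd" }}'` in the last task should be the bare expression `when: ansible_local.util.init.system != "systemd"`, since `when` is already evaluated as Jinja and later Ansible releases warn on the delimited form.
```yaml
- name: Register libraries in Tomcat installation
  # … unchanged: tags, become, register, always_run, changed_when, when …
  find:
    paths: '{{ acl_dir }}'
    patterns: '*.jar'

# … unchanged: folder access controls task …

- name: Update installation libraries access controls
  # … unchanged: tags, become …
  with_items: "{{ (tomcat_registered_files|default({})).files|default([])|map(attribute='path')|list }}"
  # … unchanged: file state/mode/dest …
```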
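Review bot: The two `when:` entries of the new include task wrap their conditions in `{{ }}`; `when` is already evaluated as a Jinja expression, so they should read `- tomcat_version|version_compare("8.5", ">=")` and `- tomcat_fact_is_not_initial_check_mode` (later Ansible releases warn on the delimited form, and it only works because the resulting strings are templated a second time). `tomcat_fact_is_not_initial_check_mode` is checked again by the first task inside 8.5-acls.yml, so one of the two guards is redundant. The header comment explains the motivation but not the effect; adding `# Grants other users read on the jars and traverse on bin/ and lib/ (see 8.5-acls.yml).` would make the permission change visible from main.yml. `include` combined with `with_items` was later deprecated in favour of `include_tasks` with `loop`, which is worth a note if the role plans to track newer Ansible.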
@@ -135,6 +151,7 @@ - name: Register static/unmanaged conf files tags: tomcat
+ become: true register: tomcat_registered_conf_files always_run: true changed_when: false
diff --git a/templates/service_systemd.j2 b/templates/service_systemd.j2
index 35665a6..3433620 100644
--- a/templates/service_systemd.j2
+++ b/templates/service_systemd.j2
@@ -43,6 +43,9 @@ ExecStart={{ ansible_local.java.general.java_home }}/bin/java \ {% endif %} {% if item.prefer_ipv4|default(tomcat_default_prefer_ipv4) %} -Djava.net.preferIPv4Stack=true \
+{% endif %}
+{% if tomcat_version|version_compare('8.5', '>=') %}
+ -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \ {% endif %} -classpath "{{ tomcat_env_catalina_home }}/bin/bootstrap.jar:{{ tomcat_env_catalina_home }}/bin/tomcat-juli.jar" \ org.apache.catalina.startup.Bootstrap start
@@ -71,6 +74,9 @@ ExecStop={{ ansible_local.java.general.java_home }}/bin/java \ {% endif %} {% if item.prefer_ipv4|default(tomcat_default_prefer_ipv4) %} -Djava.net.preferIPv4Stack=true \
+{% endif %}
+{% if tomcat_version|version_compare('8.5', '>=') %}
+ -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \ {% endif %} -classpath "{{ tomcat_env_catalina_home }}/bin/bootstrap.jar:{{ tomcat_env_catalina_home }}/bin/tomcat-juli.jar" \ org.apache.catalina.startup.Bootstrap stop
diff --git a/vars/versions/8.5.6.yml b/vars/versions/8.5.6.yml
new file mode 100644
index 0000000..3d7dc47
--- /dev/null
+++ b/vars/versions/8.5.6.yml
@@ -0,0 +1,4 @@
+---
+# SHA256 sum for the Tomcat redistributable package
+tomcat_redis_checksum: "sha256:8564cd9570adfd23394fd62a4cf999a294429e5f29017e4bb292c604eae9677b"
+tomcat_web_xml_schema_version: 3.1
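Review bot: The unit launches `java` directly, so nothing in it sets the process umask: Tomcat 8.5's catalina.sh, as far as I recall, applies `umask 0027` before starting the JVM, and the commit itself notes the 8.5 packaging moved to 027, yet under this unit files Tomcat creates at runtime (work/, temp/, logs/) follow systemd's default 0022. Adding `UMask=0027` to the `[Service]` section would keep runtime-created files as tight as the shipped ones; confirm against the catalina.sh of the pinned version first. The `{% if tomcat_version|version_compare('8.5', '>=') %}` block and its `-Djava.protocol.handler.pkgs=org.apache.catalina.webresources` line are duplicated verbatim in ExecStart and ExecStop; one role variable (say `tomcat_java_protocol_handler_opts`) rendered in both places would stop them drifting apart. The `[Service]` section and the surrounding `{% if %}` chain begin outside the hunk.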