diff --git a/Dockerfile b/Dockerfile
index 2a5138d71feafb54e08de7a714a5a65ffc9d0734..811f9f0431ee39d6d6fe6ee99a9014a845bac2fd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,12 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 # We want UTF-8 and this is the only locale in the base image that supports it
 ENV LANG="C.UTF-8"
 
+# openjdk11 (base image) does not expose all the fips ciphers, like HmacSHA256, when fips enabled
+# This causes issues with keytool & connect, so disable it for ONLY those java processes (not other processes, the OS, or K8S host)
+ARG JAVA_OPTS="-Dsecurity.useSystemPropertiesFile=false -Dcom.redhat.fips=false"
+ENV JDK_JAVA_OPTIONS=$JAVA_OPTS
+ENV JAVA_TOOL_OPTIONS=$JAVA_OPTS
+
 # Set the classpath for JARs required by `cub`
 ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'
 
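Review bot: The two `ENV` lines added after `ENV LANG` apply `-Dcom.redhat.fips=false` to every JVM started in this image and in any image built on it, not only to keytool and connect as the comment says. `JAVA_TOOL_OPTIONS` is read by every JVM and `JDK_JAVA_OPTIONS` by the `java` launcher, so `java` also receives the flags twice. The later Dockerfile hunk removes `update-crypto-policies --set FIPS`, so the image itself no longer sets a FIPS policy, and the comment should state the real scope, e.g. `# Disables FIPS alignment for ALL JVMs in this image and derived images; remove once the base JDK exposes HmacSHA256 under FIPS`. If only keytool and connect need the workaround, passing the flag on those command lines (for keytool, `-J-Dcom.redhat.fips=false`) would leave other JVMs on the system policy. Separately, `security.useSystemPropertiesFile` appears to be a `java.security` file property rather than a system property (the switch I know of is `-Djava.security.disableSystemPropertiesFile=true`), so that `-D` flag may have no effect and is worth confirming.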
@@ -57,9 +63,6 @@ RUN echo "===> dnf installs" \
         && chown appuser:appuser -R /usr/logs \
     && dnfupdate 
     
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS 
-
 # Disable setuid/setgid bits
 RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
 RUN find / -perm /6000 -type f -exec chmod g-s {} \; || true
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 1f554992665c0d5df5fa25dcba33fa852a8f2fdd..08327c3b71a270e66fdf2b4d71b6f25e8d8a6a0b 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,8 +8,9 @@ name: "confluentinc/cp-base-new"
 # on ironbank.dso.mil
 tags:
   - "Q4_2024_jdk17"
-  - "2024-12-11"
+  - "2025-01-06"
   - "7.7.2"
+  - "7.8.0"
   - "latest-ubi8.amd64"
   - "latest.amd64"
   - "latest_jdk17"