OK, so I have taken some time and now I found the reason why this is not working with our OpenJDK. Here is the background while I am trying to come with a solution: In JDK 11, Oracle removed several JavaEE modules from which also the java.activation module that contains javax.activation package. Since Java 9 those modules were not directly visible without making them visible with --add-modules command-line option. The x-pack-watcher module of elastic search uses the javax.activation and also distributes the activation-1.1.1.jar. The plugin-security.policy files gives to the plugin and the dependent jars all permissions they need to operate. Now, in openSUSE version of OpenJDK 11, we bring back some of the JavaEE modules that a load of our packages use. The way we bring them back makes them directly visible. That means, that if elasticsearch runs with our OpenJDK 11, the javax.activation package is not resolved from the distributed jar, but from the module included in the OpenJDK. But, this module does not have the same security permission as the activation-1.1.1.jar included with elasticsearch. Hence, elasticsearch exits with a security exception. I am currently trying to look at a way to merge the modules without making them visible by default. Without success for the while, but I am not giving up. Eventually, there is a flag in our OpenJDK 11 build that disables the back merging of those modules. But if we disable that, a load of our packages will stop building.