diff --git a/src/roles/candlepin/defaults/main.yml b/src/roles/candlepin/defaults/main.yml
index a0a8b15b4..b17b503a0 100644
--- a/src/roles/candlepin/defaults/main.yml
+++ b/src/roles/candlepin/defaults/main.yml
@@ -1,17 +1,6 @@
 ---
 candlepin_ssl_port: 23443
 candlepin_hostname: localhost
-candlepin_tls_versions:
-  - "TLSv1.2"
-candlepin_ciphers:
-  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-  - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
-  - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
 candlepin_registry_auth_file: /etc/foreman/registry-auth.json
diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
index 3d8b4b518..f90220660 100644
--- a/src/roles/candlepin/tasks/main.yml
+++ b/src/roles/candlepin/tasks/main.yml
@@ -14,36 +14,27 @@
   ansible.builtin.include_tasks:
     file: certs.yml
 
-- name: Create Candlepin configuration
+- name: Create DB URL secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-candlepin-conf
-    data: "{{ lookup('ansible.builtin.template', 'candlepin.conf.j2') }}"
-    labels:
-      filename: candlepin.conf
-      app: candlepin
+    name: candlepin-db-url
+    data: "jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %}"
   notify:
     - Restart candlepin
 
-- name: Create Tomcat server.xml
+- name: Create DB URL secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-tomcat-server-xml
-    data: "{{ lookup('ansible.builtin.template', 'server.xml.j2') }}"
-    labels:
-      filename: server.xml
-      app: tomcat
+    name: candlepin-db-username
+    data: "{{ candlepin_database_user }}"
   notify:
     - Restart candlepin
 
-- name: Create Tomcat server configuration
+- name: Create DB URL secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-tomcat-conf
-    data: "{{ lookup('ansible.builtin.template', 'tomcat.conf') }}"
-    labels:
-      filename: tomcat.conf
-      app: tomcat
+    name: candlepin-db-password
+    data: "{{ candlepin_database_password }}"
   notify:
     - Restart candlepin
 
@@ -55,6 +46,14 @@
   notify:
     - Restart candlepin
 
+- name: Create oauth secret
+  containers.podman.podman_secret:
+    state: present
+    name: candlepin-oauth-secret
+    data: "{{ candlepin_oauth_secret }}"
+  notify:
+    - Restart candlepin
+
 - name: Pull the Candlepin container image
   containers.podman.podman_image:
     name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
@@ -73,10 +72,14 @@
       - 'candlepin-ca-cert,target=/etc/candlepin/certs/candlepin-ca.crt,mode=0440,type=mount'
       - 'candlepin-ca-key,target=/etc/candlepin/certs/candlepin-ca.key,mode=0440,type=mount'
       - 'candlepin-tomcat-keystore,target=/etc/candlepin/certs/keystore,mode=0440,type=mount'
-      - 'candlepin-candlepin-conf,target=/etc/candlepin/candlepin.conf,mode=0440,type=mount'
-      - 'candlepin-tomcat-server-xml,target=/etc/tomcat/server.xml,mode=440,type=mount'
-      - 'candlepin-tomcat-conf,target=/etc/tomcat/tomcat.conf,mode=440,type=mount'
+      - 'candlepin-tomcat-keystore-password,target=CANDLEPIN_KEYSTORE_PASSWORD,type=env'
       - 'candlepin-db-ca,target={{ candlepin_database_ssl_ca_path }},mode=0440,type=mount'
+      - 'candlepin-db-url,target=CANDLEPIN_DB_URL,type=env'
+      - 'candlepin-db-username,target=CANDLEPIN_DB_USERNAME,type=env'
+      - 'candlepin-db-password,target=CANDLEPIN_DB_PASSWORD,type=env'
+      - 'candlepin-oauth-secret,target=CANDLEPIN_OAUTH_SECRET,type=env'
+    env:
+      CANDLEPIN_PORT: "{{ candlepin_ssl_port }}"
     volumes:
       - /var/log/candlepin:/var/log/candlepin:Z
       - /var/log/tomcat:/var/log/tomcat:Z
@@ -90,7 +93,7 @@
         After=redis.service postgresql.service
         [Service]
         TimeoutStartSec=300
-    healthcheck: curl --fail --insecure https://localhost:23443/candlepin/status
+    healthcheck: "curl --fail --insecure https://localhost:{{ candlepin_ssl_port }}/candlepin/status"
     sdnotify: healthy
 
 - name: Run daemon reload to make Quadlet create the service files
diff --git a/src/roles/candlepin/templates/candlepin.conf.j2 b/src/roles/candlepin/templates/candlepin.conf.j2
deleted file mode 100644
index 0bbca142d..000000000
--- a/src/roles/candlepin/templates/candlepin.conf.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-candlepin.consumer_system_name_pattern=.+
-
-candlepin.environment_content_filtering=true
-candlepin.auth.basic.enable=false
-candlepin.auth.trusted.enable=false
-
-candlepin.db.database_manage_on_startup=Manage
-
-candlepin.auth.oauth.enable=true
-candlepin.auth.oauth.consumer.katello.secret={{ candlepin_oauth_secret }}
-
-module.config.adapter_module=org.candlepin.katello.KatelloModule
-
-candlepin.ca_key=/etc/candlepin/certs/candlepin-ca.key
-candlepin.ca_cert=/etc/candlepin/certs/candlepin-ca.crt
-
-candlepin.async.jobs.ExpiredPoolsCleanupJob.schedule=0 0 0 * * ?
-
-jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
-jpa.config.hibernate.hbm2ddl.auto=validate
-jpa.config.hibernate.connection.username={{ candlepin_database_user }}
-jpa.config.hibernate.connection.password={{ candlepin_database_password }}
-jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
-jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %}
-
-
-org.quartz.jobStore.misfireThreshold=60000
-org.quartz.jobStore.useProperties=false
-org.quartz.jobStore.dataSource=myDS
-org.quartz.jobStore.tablePrefix=QRTZ_
-org.quartz.jobStore.class=org.quartz.impl.jdbcjobstore.JobStoreTX
-org.quartz.jobStore.driverDelegateClass=org.quartz.impl.jdbcjobstore.PostgreSQLDelegate
-
-org.quartz.dataSource.myDS.driver=org.postgresql.Driver
-org.quartz.dataSource.myDS.user={{ candlepin_database_user }}
-org.quartz.dataSource.myDS.password={{ candlepin_database_password }}
-org.quartz.dataSource.myDS.maxConnections=5
-org.quartz.dataSource.myDS.URL=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %}
diff --git a/src/roles/candlepin/templates/server.xml.j2 b/src/roles/candlepin/templates/server.xml.j2
deleted file mode 100644
index 99db65da1..000000000
--- a/src/roles/candlepin/templates/server.xml.j2
+++ /dev/null
@@ -1,139 +0,0 @@
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-<Server port="8005" shutdown="SHUTDOWN">
-
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
-  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container",
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-
-
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL HTTP/1.1 Connector on port 8080
-    -->
-    <!-- Define a SSL HTTP/1.1 Connector on port <%= $ssl_port %>
-         This connector uses the JSSE configuration, when using APR, the
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-
-    <Connector port="{{ candlepin_ssl_port }}"
-               address="{{ candlepin_hostname }}"
-               protocol="HTTP/1.1"
-               SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="want"
-               sslProtocol="{{ candlepin_tls_versions | join(',') }}"
-               sslEnabledProtocols="{{ candlepin_tls_versions | join(',') }}"
-               keystoreFile="/etc/candlepin/certs/keystore"
-               keystorePass="{{ candlepin_keystore_password }}"
-               keystoreType="PKCS12"
-               ciphers="{{ candlepin_ciphers | join(',\n                   ') }}"
-    />
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-    -->
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->
-
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="true">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        -->
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/src/roles/candlepin/templates/tomcat.conf b/src/roles/candlepin/templates/tomcat.conf
deleted file mode 100644
index 5e9fdfa52..000000000
--- a/src/roles/candlepin/templates/tomcat.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be loaded by systemd as an environment file,
-# so please keep the syntax. For shell expansion support
-#
-# There are 2 "classes" of startup behavior in this package.
-# The old one, the default service named tomcat.service.
-# The new named instances are called tomcat@instance.service.
-#
-# Use this file to change default values for all services.
-# Change the service specific ones to affect only one service.
-# For tomcat.service it's /etc/sysconfig/tomcat, for
-# tomcat@instance it's /etc/sysconfig/tomcat@instance.
-
-# This variable is used to figure out if config is loaded or not.
-TOMCAT_CFG_LOADED="1"
-
-# In new-style instances, if CATALINA_BASE isn't specified, it will
-# be constructed by joining TOMCATS_BASE and NAME.
-TOMCATS_BASE="/var/lib/tomcats/"
-
-# Where your java installation lives
-JAVA_HOME="/usr/lib/jvm/jre-17"
-
-# Where your tomcat installation lives
-CATALINA_HOME="/usr/share/tomcat"
-
-# System-wide tmp
-CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-JAVA_OPTS="-Xms1024m -Xmx4096m -Dcom.redhat.fips=false"
-
-# You can change your tomcat locale here
-
-#LANG="en_US"
-
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="0"
-
-# Time to wait in seconds, before killing process
-# TODO(stingray): does nothing, fix.
-
-# SHUTDOWN_WAIT="30"
diff --git a/src/vars/images.yml b/src/vars/images.yml
index 65356335f..e5b2bd4ee 100644
--- a/src/vars/images.yml
+++ b/src/vars/images.yml
@@ -20,8 +20,8 @@ iop_vulnerability_frontend_registry_auth_file: "{{ registry_auth_file }}"
 iop_advisor_frontend_registry_auth_file: "{{ registry_auth_file }}"
 
 container_tag_stream: "nightly"
-candlepin_container_image: quay.io/foreman/candlepin
-candlepin_container_tag: "foreman-{{ container_tag_stream }}"
+candlepin_container_image: quay.io/foreman/candlepin-stage
+candlepin_container_tag: on-pr-9a8f5cc0dbaffc38bd9f43273333fc0393e76df9
 foreman_container_image: quay.io/foreman/foreman
 foreman_container_tag: "{{ container_tag_stream }}"
 foreman_proxy_container_image: "quay.io/foreman/foreman-proxy"