diff --git a/pom.xml b/pom.xml
index 7a6ca4ad7f3..0e737093138 100644
--- a/pom.xml
+++ b/pom.xml
@@ -73,7 +73,7 @@
org.elasticsearch
securemock
- 1.1
+ ${securemock.version}
test
diff --git a/watcher/pom.xml b/watcher/pom.xml
index ca903a7e361..957110dcd80 100644
--- a/watcher/pom.xml
+++ b/watcher/pom.xml
@@ -162,6 +162,17 @@
test/**/*.yaml
+
+
+
+ ${elasticsearch.tools.directory}/shared-test-resources
+ false
+
+
+
+ ${basedir}/target/metadata-test-resources
+ false
+
diff --git a/watcher/src/main/assemblies/plugin.xml b/watcher/src/main/assemblies/plugin.xml
index db07b214b22..cc0b2676d32 100644
--- a/watcher/src/main/assemblies/plugin.xml
+++ b/watcher/src/main/assemblies/plugin.xml
@@ -11,6 +11,14 @@
bin/watcher
bin
+
+ ${project.basedir}/src/main/plugin-metadata
+
+ plugin-security.policy
+
+
+ false
+
diff --git a/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/Account.java b/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/Account.java
index 97a12b56ee1..0d11598da76 100644
--- a/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/Account.java
+++ b/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/Account.java
@@ -5,6 +5,7 @@
*/
package org.elasticsearch.watcher.actions.email.service;
+import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
@@ -17,6 +18,9 @@ import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Properties;
@@ -29,13 +33,23 @@ public class Account {
static {
// required as java doesn't always find the correct mailcap to properly handle mime types
- MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
+ final MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html");
mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml");
mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain");
mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822");
- CommandMap.setDefaultCommandMap(mailcap);
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ sm.checkPermission(new SpecialPermission());
+ }
+ AccessController.doPrivileged(new PrivilegedAction() {
+ @Override
+ public Void run() {
+ CommandMap.setDefaultCommandMap(mailcap);
+ return null;
+ }
+ });
}
private final Config config;
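Review bot: The `sm.checkPermission(new SpecialPermission())` call now runs inside the static initializer of `Account`, so if it ever throws, the failure surfaces as `ExceptionInInitializerError` and every later use of the class fails with `NoClassDefFoundError` instead of a readable `SecurityException`. Consider moving the mailcap registration into an explicitly invoked static method, or at least document the dependency with a comment such as `// setDefaultCommandMap replaces a JVM-wide default and needs RuntimePermission "setFactory" (plugin-security.policy)`. The anonymous class appears as raw `new PrivilegedAction()` here and in the `HttpClient.java` hunk; unless that is an artefact of how this page was rendered, it should be `new PrivilegedAction<Void>()`. Keeping only the single setter call inside `doPrivileged` is the right scope and should stay that way.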
diff --git a/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java b/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
index 838061dd3b8..1547a3806b5 100644
--- a/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
+++ b/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
@@ -8,6 +8,7 @@ package org.elasticsearch.watcher.support.http;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchTimeoutException;
import org.elasticsearch.ExceptionsHelper;
+import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.inject.Inject;
@@ -29,7 +30,9 @@ import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
+import java.security.AccessController;
import java.security.KeyStore;
+import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.List;
@@ -158,8 +161,19 @@ public class HttpClient extends AbstractLifecycleComponent {
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(proxyToUse.proxy());
if (urlConnection instanceof HttpsURLConnection && sslSocketFactory != null) {
- HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
- httpsConn.setSSLSocketFactory(sslSocketFactory);
+ final HttpsURLConnection httpsConn = (HttpsURLConnection) urlConnection;
+ final SSLSocketFactory factory = sslSocketFactory;
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ sm.checkPermission(new SpecialPermission());
+ }
+ AccessController.doPrivileged(new PrivilegedAction() {
+ @Override
+ public Void run() {
+ httpsConn.setSSLSocketFactory(factory);
+ return null;
+ }
+ });
}
urlConnection.setRequestMethod(request.method().method());
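Review bot: The privileged block around `httpsConn.setSSLSocketFactory(factory)` carries no comment saying why it needs elevation or that it must stay limited to that one call. This method handles request-derived data (URL, proxy, method), so a later edit that widens the block would run that handling with the plugin's permissions. I would add `// setSSLSocketFactory needs RuntimePermission "setFactory"; keep URL/header/body handling outside doPrivileged` above the `SecurityManager sm` line. The enclosing method starts and ends outside this hunk, so the remaining connection setup could not be checked here.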
diff --git a/watcher/src/main/plugin-metadata/plugin-security.policy b/watcher/src/main/plugin-metadata/plugin-security.policy
new file mode 100644
index 00000000000..90d022e4106
--- /dev/null
+++ b/watcher/src/main/plugin-metadata/plugin-security.policy
@@ -0,0 +1,4 @@
+grant {
+ // needed to set expert SSL options, etc
+ permission java.lang.RuntimePermission "setFactory";
+};
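Review bot: The comment `// needed to set expert SSL options, etc` does not name the call sites that rely on `setFactory`, and the `grant` block has no `codeBase`, so the permission presumably applies to every jar the plugin ships rather than only the watcher classes. `setFactory` is broad (it also gates replacing JVM-wide socket and URL stream handler factories), so the policy should state exactly what uses it, e.g. `// setFactory: HttpsURLConnection.setSSLSocketFactory (HttpClient), CommandMap.setDefaultCommandMap (Account)`. If the plugin loader supports per-jar grants, scoping this to the watcher jar would keep bundled third-party dependencies from inheriting it.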
diff --git a/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/support/EmailServer.java b/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/support/EmailServer.java
index 5a837fe5e4d..141dfd8f09f 100644
--- a/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/support/EmailServer.java
+++ b/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/support/EmailServer.java
@@ -52,7 +52,7 @@ public class EmailServer {
@Override
public void deliver(String from, String recipient, InputStream data) throws TooMuchDataException, IOException {
try {
- Session session = Session.getDefaultInstance(new Properties());
+ Session session = Session.getInstance(new Properties());
MimeMessage msg = new MimeMessage(session, data);
for (Listener listener : listeners) {
try {
diff --git a/watcher/src/test/resources/log4j.xml b/watcher/src/test/resources/log4j.xml
deleted file mode 100644
index 052175f3aed..00000000000
--- a/watcher/src/test/resources/log4j.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-