diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
index 9bacf62f094..0c8dc3c32ca 100644
--- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
+++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -585,10 +585,10 @@ private void initProviders() {
                 // Provider with argument (provider name + optional argument).
                 providers.add(pNum - 1, providerName);
 
-                // Remove the provider's optional arguments if there are.
+                // Remove the provider's optional arguments if present.
                 pos = providerName.indexOf(' ');
                 providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim();
-                // Remove the provider's class package names if there are.
+                // Remove the provider's class package names if present.
                 pos = providerName.lastIndexOf('.');
                 providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
                 // Provider without arguments and package names.
@@ -673,7 +673,7 @@ private void initConstraints() {
                     continue;
                 }
 
-                // Remove the whitespaces in the format separator if there are.
+                // Remove the whitespaces in the format separator if present.
                 providerInfo = providerInfo.trim()
                         .replaceAll("\\[\\s+\\{", "[{")
                         .replaceAll("\\}\\s+\\]", "}]")
@@ -759,6 +759,10 @@ boolean isRestrictedServiceAllowed(Service service) {
 
             if (constraints == null) {
                 // Disallow unknown providers.
+                if (debug != null) {
+                    debug.println("Security constraints check."
+                            + " Disallow unknown provider: " + providerName);
+                }
                 return false;
             } else if (constraints.length == 0) {
                 // Allow this provider with no constraints.
@@ -779,7 +783,7 @@ boolean isRestrictedServiceAllowed(Service service) {
                     continue;
                 }
                 if (!isAsterisk(cAlgorithm) && !algorithm.equalsIgnoreCase(cAlgorithm)) {
-                    // The constraint doesn't apply to the service algorith.
+                    // The constraint doesn't apply to the service algorithm.
                     continue;
                 }
 
@@ -789,7 +793,7 @@ boolean isRestrictedServiceAllowed(Service service) {
                         debug.println("Security constraints check."
                                 + " Service type: " + type
                                 + " Algorithm: " + algorithm
-                                + " is allowed in provider " + providerName);
+                                + " is allowed in provider: " + providerName);
                     }
                     return true;
                 }
@@ -832,7 +836,7 @@ boolean isRestrictedServiceAllowed(Service service) {
                 debug.println("Security constraints check."
                         + " Service type: " + type
                         + " Algorithm: " + algorithm
-                        + " is NOT allowed in provider " + providerName);
+                        + " is NOT allowed in provider: " + providerName);
             }
             // No match for any constraint, return NOT allowed.
             return false;
@@ -849,11 +853,11 @@ boolean isRestrictedProviderAllowed(String providerName) {
                 debug.println("Checking the provider " + providerName + " in restricted security mode.");
             }
 
-            // Remove argument, e.g. -NSS-FIPS, if there is.
+            // Remove argument, e.g. -NSS-FIPS, if present.
             int pos = providerName.indexOf('-');
             providerName = (pos < 0) ? providerName : providerName.substring(0, pos);
 
-            // Remove the provider class package name if there is.
+            // Remove the provider class package name if present.
             pos = providerName.lastIndexOf('.');
             providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
 
diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
index 1a06e3f3d8c..e5b677bfc54 100644
--- a/src/java.base/share/classes/java/security/Provider.java
+++ b/src/java.base/share/classes/java/security/Provider.java
@@ -1293,8 +1293,10 @@ public Service getService(String type, String algorithm) {
         Service s = serviceMap.get(key);
         if (s == null) {
             s = legacyMap.get(key);
-            if (s != null && !s.isValid()) {
+            if (s != null && (!s.isValid() || !RestrictedSecurity.isServiceAllowed(s))) {
                 legacyMap.remove(key, s);
+                // don't return invalid or disallowed legacy services
+                s = null;
             }
         }
 
@@ -1336,7 +1338,7 @@ public Set<Service> getServices() {
             }
             if (!legacyMap.isEmpty()) {
                 legacyMap.entrySet().forEach(entry -> {
-                    if (!entry.getValue().isValid()) {
+                    if (!entry.getValue().isValid() || !RestrictedSecurity.isServiceAllowed(entry.getValue())) {
                         legacyMap.remove(entry.getKey(), entry.getValue());
                     } else {
                         set.add(entry.getValue());