diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
index 1ab0aba..1b7ee9f 100644
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -31,6 +31,17 @@ Versions
 |`7.5.0 GA` |September 20, 2021 |`15.0.2` | `7.4.0` |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+Patching
+--------
+
+When variable `keycloak_rhsso_apply_patches` is `True` (default: `True`), the role will automatically apply the latest cumulative patch for the selected base version.
+
+| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
+|:---------------|:------------------|:-----------------|:----------------|
+|`7.5.0 GA` |January 20, 2022 |`7.5.1 GA` |[Release Notes](https://access.redhat.com/articles/6646321)|
+
+
+
 Role Defaults
 -------------
@@ -62,7 +73,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
+|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download//`|
 |`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=`|
@@ -72,6 +83,7 @@ Role Defaults
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 * Miscellaneous configuration
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index 6515664..7f5e786 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -30,6 +30,7 @@ keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/co
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_configure_firewalld: False
 ### Common configuration settings
 keycloak_bind_address: 0.0.0.0
diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
index 311f57a..bd3313a 100644
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -11,6 +11,11 @@ argument_specs:
         default: "keycloak-{{ keycloak_version }}.zip"
         description: "keycloak install archive filename"
         type: "str"
+      keycloak_configure_firewalld:
+        # line 33 of keycloak/defaults/main.yml
+        default: false
+        description: "Ensure firewalld is running and configure keycloak ports"
+        type: "bool"
       keycloak_download_url:
         # line 5 of keycloak/defaults/main.yml
         default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 7ed5efe..ef00cd0 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -6,11 +6,28 @@
   tags:
     - prereqs
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall
+
 - name: Include install tasks
   ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
 - name: Include systemd tasks
   ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: Include patch install tasks
+  ansible.builtin.include_tasks: rhsso_patch.yml
+  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  tags:
+    - install
+    - patch
 - name: Link default logs directory
   ansible.builtin.file:
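Review bot: `keycloak_configure_firewalld: False` uses the capitalised YAML 1.1 boolean while the argument_specs.yml hunk in the same commit declares `default: false` for the same variable; write it as `keycloak_configure_firewalld: false` so the default and its spec agree and yamllint's `truthy` rule passes. The surrounding file may already mix styles, but the new line is the place to converge on the lowercase form.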
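Review bot: The new include condition `when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable` references `keycloak_rhsso_apply_patches`, but neither the defaults/main.yml nor the argument_specs.yml hunk in this commit declares it, even though the README text added here documents a `True` default; if it is not already defined elsewhere in the role (not visible in this diff), every run stops at this task with an undefined-variable error. Add `keycloak_rhsso_apply_patches: true` to defaults/main.yml and a matching `type: "bool"` entry in argument_specs.yml so the argument validation covers it. Likewise `firewalld.yml` is included here but is not part of this diff — confirm the file exists in the role before merging.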
diff --git a/roles/keycloak/tasks/rhsso_cli.yml b/roles/keycloak/tasks/rhsso_cli.yml
index 9e9d7f5..c51cdc7 100644
--- a/roles/keycloak/tasks/rhsso_cli.yml
+++ b/roles/keycloak/tasks/rhsso_cli.yml
@@ -6,15 +6,8 @@
     fail_msg: "Missing required parameters to execute CLI."
     quiet: true
-- name: Verify server management interface is functional
-  ansible.builtin.uri:
-    url: "{{ keycloak_management_url }}"
-  register: result
-  until: result.status == 200
-  retries: 5
-  delay: 5
-
 - name: "Execute CLI query: {{ query }}"
   ansible.builtin.command: >
-    {{ path_to_cli }} -c --output-json --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
-  changed_when: false
\ No newline at end of file
+    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+  changed_when: false
+  register: cli_result
\ No newline at end of file
diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml
new file mode 100644
index 0000000..d0ba46d
--- /dev/null
+++ b/roles/keycloak/tasks/rhsso_patch.yml
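Review bot: `changed_when: false` is retained on the `Execute CLI query` task even though the new rhsso_patch.yml now feeds it `patch apply …` and `shutdown --restart`, so those mutating calls are always reported as `ok` and nothing downstream can be notified of them. Make it depend on the query, e.g. `changed_when: "'patch apply' in query or 'shutdown' in query"`. The deleted `uri` wait on `keycloak_management_url` was the only readiness check before the first CLI call; rhsso_patch.yml waits only after the restart, so a `patch info` issued right after service start may fail against a controller that is not yet listening — consider restoring the wait or adding `retries`/`until` to the command task. Dropping `--output-json` also means callers now match on free-text `stdout` (`latest_cp.v not in cli_result.stdout` in rhsso_patch.yml), which is more fragile than checking a JSON field.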
@@ -0,0 +1,87 @@
+---
+## check remote patch archive
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+
+- name: Perform download from RHN
+  middleware_automation.redhat_csp_download.redhat_csp_download:
+    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    username: "{{ rhn_username }}"
+    password: "{{ rhn_password }}"
+  no_log: "{{ omit_rhn_output | default(true) }}"
+  delegate_to: localhost
+  when:
+    - patch_archive_path is defined
+    - patch_archive_path.stat is defined
+    - not patch_archive_path.stat.exists
+    - keycloak_rhsso_enable
+    - not keycloak_offline_install
+
+## copy and unpack
+- name: Copy patch archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    dest: "{{ patch_archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  register: new_version_downloaded
+  when:
+    - not patch_archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: yes
+
+- name: "Check installed patches"
+  ansible.builtin.include_tasks: rhsso_cli.yml
+  vars:
+    query: "patch info"
+
+- name: "Perform patching"
+  when:
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+  block:
+    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch apply {{ patch_archive }}"
+
+    - name: "Restart server to ensure patch content is running"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "shutdown --restart"
+      when:
+        - cli_result.rc == 0
+
+    - name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10
+
+    - name: "Query installed patch after restart"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch info"
+
+    - name: "Verify installed patch version"
+      ansible.builtin.assert:
+        that:
+          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+        fail_msg: "Patch installation failed"
+        success_msg: "Patch installation successful"
+
+- name: "Skipping patch"
+  debug:
+    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."
diff --git a/roles/keycloak/tasks/stop_keycloak.yml b/roles/keycloak/tasks/stop_keycloak.yml
index 2f76c9d..ecf4411 100644
--- a/roles/keycloak/tasks/stop_keycloak.yml
+++ b/roles/keycloak/tasks/stop_keycloak.yml
@@ -1,5 +1,5 @@
 ---
-- name: "Stop SSO service"
+- name: Stop keycloak
   ansible.builtin.systemd:
     name: keycloak
     enabled: yes
diff --git a/roles/keycloak/templates/standalone-infinispan.xml.j2 b/roles/keycloak/templates/standalone-infinispan.xml.j2
index 544638e..8e58b53 100644
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@@ -726,7 +726,7 @@
- + {% if ansible_default_ipv4 is defined %} {% else %}
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index f639a3c..ff7456a 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
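Review bot: The `Verify installed patch version` assert at the end of the block tests `latest_cp.v not in cli_result.stdout`, which is the very condition that gated the block because the patch was missing; after a successful `patch apply` the version is present in the fresh `patch info` output, so the assert fails exactly when patching succeeded — it should read `- rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v in cli_result.stdout`. The trailing `Skipping patch` debug has no `when:` and prints "already installed" on every run, including one that just applied the patch; it needs the inverse of the block's gate, e.g. `when: rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v in cli_result.stdout`, and has to run before the block since the block's re-query overwrites `cli_result`. The downloaded bundle is copied and applied with no integrity check; `ansible.builtin.copy` supports `checksum:`, so carrying a published digest next to `latest_cp.id` in `rhsso_rhn_ids` (constructed example: `checksum: "sha256:{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.sha256 }}"`, key to be added) would reject a corrupted or substituted archive before it reaches the server. Smaller items: `mode: 0750` should be quoted as `"0750"` (unquoted it is a YAML 1.1 octal literal), `become: yes` should be `true`, and `debug:` should be `ansible.builtin.debug` to match the FQCNs used elsewhere in the file. `local_path` and `local_archive_path` are not set anywhere in this file, so the copy task silently depends on install.yml having run first — a header comment stating that dependency would help the next reader.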
@@ -20,8 +20,10 @@ keycloak:
   home: "{{ keycloak_jboss_home }}"
   config_dir: "{{ keycloak_config_dir }}"
   bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
+  patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
   service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
   health_url: "{{ keycloak_management_url }}/health"
+  cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
 # database
 keycloak_jdbc:
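Review bot: `patch_bundle` dereferences `rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v` unconditionally inside the `keycloak` dict, whereas the sibling `bundle` key guards on `keycloak_rhsso_enable`; because Ansible templates a dict variable as a whole, any `keycloak.*` lookup on a community-Keycloak run where `rhsso_rhn_ids` has no entry for `keycloak_rhsso_version` (or that variable is unset) would fail with an undefined variable. `rhsso_rhn_ids` is not visible in this diff, so confirm whether it is always populated; if not, guard the key the same way as `bundle`: `patch_bundle: "{{ ('rh-sso-' ~ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v ~ '-patch.zip') if keycloak_rhsso_enable else '' }}"`.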