diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index c113f55..2f75c73 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -24,7 +24,7 @@ ways to do this; either directly if packaged, or via pip...
 
     # Ubuntu 19.04+, Debian 10+
     sudo apt-get install pipenv python-dev
-    
+
     # Older versions & RHEL/Amazon Linux, etc.
     sudo apt-get install -y python-pip python-dev
     # Or...
@@ -129,7 +129,7 @@ Some notable files and locations:
   /var/log/ansible-bootstrap.log.
 * The Jira installation is under /opt/atlassian/jira/<version>and symlinked to
   /opt/atlassian/jira/current.
-* The systemd service is configured in /etc/systemd/system/jira.service. Its
+* The systemd service is configured in /usr/lib/systemd/system/jira.service. Its
   stdout can be viewed with systemctl status jira.service and journalctl -u
   jira.service.
 * Other Tomcat logs can be located under /opt/atlassian/jira/current/logs/...
@@ -138,11 +138,11 @@ Some notable files and locations:
 * This repository is configured to run tests on [bitbucket pipelines](https://bitbucket.org/atlassian/dc-deployments-automation/addon/pipelines/home).
     * Pipeline definition is located in the [root of the repository](https://bitbucket.org/atlassian/dc-deployments-automation/src/master/bitbucket-pipelines.yml)
     * Pipeline configuration is generated using Jinja2 and a simple python script. Pipeline generator is located [here](https://bitbucket.org/atlassian/dc-deployments-automation/src/master/pipeline_generator/)
-    * A pipeline configuration is generated by running the following make command 
+    * A pipeline configuration is generated by running the following make command
     ```
      make generate-pipeline > ../bitbucket-pipelines.yml
-    ```  
-    
+    ```
+
 * [Molecule](https://molecule.readthedocs.io/en/stable/) tests are run in batches. A single test is run per batch to optimize for a faster dev feedback loop
 
 * If you create a new role or add a new molecule scenario, then please ensure that you generate a new pipeline configuration by running the make command described above. If a new pipeline configuration is not generated, then the CI may not run any tests as it would fail at a pre-test validate stage.
\ No newline at end of file
diff --git a/roles/bitbucket_config/tasks/main.yml b/roles/bitbucket_config/tasks/main.yml
index 4857761..4de771b 100644
--- a/roles/bitbucket_config/tasks/main.yml
+++ b/roles/bitbucket_config/tasks/main.yml
@@ -23,3 +23,12 @@
     mode: "u=rwX,g=rX,o=rX"
     recurse: true
   changed_when: false  # For Molecule idempotence check
+
+- name: Create conf/Catalina directory so catalina.out logging works
+  file:
+    path: "{{ atl_product_installation_versioned }}/conf/Catalina"
+    state: directory
+    mode: "u=rwX,g=rX,o-rwx"
+    owner: "{{ atl_product_user }}"
+    group: "{{ atl_product_user }}"
+  changed_when: false  # For Molecule idempotence check
diff --git a/roles/confluence_config/molecule/aurora/tests/test_aurora.py b/roles/confluence_config/molecule/aurora/tests/test_aurora.py
index bee0d38..66c2ed5 100644
--- a/roles/confluence_config/molecule/aurora/tests/test_aurora.py
+++ b/roles/confluence_config/molecule/aurora/tests/test_aurora.py
@@ -45,6 +45,7 @@ def test_install_permissions(host):
     assert host.file('/opt/atlassian/confluence/current/conf/server.xml').user == 'root'
     assert host.file('/opt/atlassian/confluence/current/confluence/WEB-INF/web.xml').user == 'root'
 
+    assert host.file('/opt/atlassian/confluence/current/conf/Catalina').user == 'confluence'
     assert host.file('/opt/atlassian/confluence/current/logs/').user == 'confluence'
     assert host.file('/opt/atlassian/confluence/current/work/').user == 'confluence'
     assert host.file('/opt/atlassian/confluence/current/temp/').user == 'confluence'
diff --git a/roles/confluence_config/molecule/default/tests/test_default.py b/roles/confluence_config/molecule/default/tests/test_default.py
index b574a0c..713be57 100644
--- a/roles/confluence_config/molecule/default/tests/test_default.py
+++ b/roles/confluence_config/molecule/default/tests/test_default.py
@@ -55,6 +55,7 @@ def test_install_permissions(host):
     assert host.file('/opt/atlassian/confluence/current/conf/server.xml').user == 'root'
     assert host.file('/opt/atlassian/confluence/current/confluence/WEB-INF/web.xml').user == 'root'
 
+    assert host.file('/opt/atlassian/confluence/current/conf/Catalina').user == 'confluence'
     assert host.file('/opt/atlassian/confluence/current/logs/').user == 'confluence'
     assert host.file('/opt/atlassian/confluence/current/work/').user == 'confluence'
     assert host.file('/opt/atlassian/confluence/current/temp/').user == 'confluence'
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index 887324e..d9c4af2 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml
@@ -97,6 +97,15 @@
     - "{{ atl_product_installation_versioned }}/work"
   changed_when: false  # For Molecule idempotence check
 
+- name: Create conf/Catalina directory owned by product so catalina.out logging works
+  file:
+    path: "{{ atl_product_installation_versioned }}/conf/Catalina"
+    state: directory
+    mode: "u=rwX,g=rX,o-rwx"
+    owner: "{{ atl_product_user }}"
+    group: "{{ atl_product_user }}"
+  changed_when: false  # For Molecule idempotence check
+
 - name: Assert baseurl to same as atl_proxy_name
   postgresql_query:
     login_host: "{{ atl_db_host }}"
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index d2d158a..595d1ec 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml
@@ -94,6 +94,15 @@
     - "{{ atl_product_installation_versioned }}/apache-tomcat/work"
   changed_when: false  # For Molecule idempotence check
 
+- name: Create conf/Catalina directory owned by product so catalina.out logging works
+  file:
+    path: "{{ atl_product_installation_versioned }}/conf/Catalina"
+    state: directory
+    mode: "u=rwX,g=rX,o-rwx"
+    owner: "{{ atl_product_user }}"
+    group: "{{ atl_product_user }}"
+  changed_when: false  # For Molecule idempotence check
+
 - name: Symlink Crowd shared home directory
   file:
     src: "{{ atl_product_home_shared }}"
diff --git a/roles/jira_config/molecule/aurora/tests/test_default.py b/roles/jira_config/molecule/aurora/tests/test_default.py
index e684eb2..6ae2e1f 100644
--- a/roles/jira_config/molecule/aurora/tests/test_default.py
+++ b/roles/jira_config/molecule/aurora/tests/test_default.py
@@ -70,6 +70,7 @@ def test_install_permissions(host):
     assert host.file('/opt/atlassian/jira-software/current/conf/server.xml').user == 'root'
     assert host.file('/opt/atlassian/jira-software/current/atlassian-jira/WEB-INF/web.xml').user == 'root'
 
+    assert host.file('/opt/atlassian/jira-software/current/conf/Catalina').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/logs/').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/work/').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/temp/').user == 'jira'
diff --git a/roles/jira_config/molecule/default/tests/test_default.py b/roles/jira_config/molecule/default/tests/test_default.py
index 5a7b961..77508f0 100644
--- a/roles/jira_config/molecule/default/tests/test_default.py
+++ b/roles/jira_config/molecule/default/tests/test_default.py
@@ -76,6 +76,7 @@ def test_install_permissions(host):
     assert host.file('/opt/atlassian/jira-software/current/conf/server.xml').user == 'root'
     assert host.file('/opt/atlassian/jira-software/current/atlassian-jira/WEB-INF/web.xml').user == 'root'
 
+    assert host.file('/opt/atlassian/jira-software/current/conf/Catalina').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/logs/').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/work/').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/temp/').user == 'jira'
diff --git a/roles/jira_config/molecule/jira_config_props/tests/test_default.py b/roles/jira_config/molecule/jira_config_props/tests/test_default.py
index 4287ee6..70329f1 100644
--- a/roles/jira_config/molecule/jira_config_props/tests/test_default.py
+++ b/roles/jira_config/molecule/jira_config_props/tests/test_default.py
@@ -77,6 +77,7 @@ def test_install_permissions(host):
     assert host.file('/opt/atlassian/jira-software/current/conf/server.xml').user == 'root'
     assert host.file('/opt/atlassian/jira-software/current/atlassian-jira/WEB-INF/web.xml').user == 'root'
 
+    assert host.file('/opt/atlassian/jira-software/current/conf/Catalina').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/logs/').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/work/').user == 'jira'
     assert host.file('/opt/atlassian/jira-software/current/temp/').user == 'jira'
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index 5064f5d..11cf442 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -100,6 +100,15 @@
     - "{{ atl_product_installation_versioned }}/work"
   changed_when: false  # For Molecule idempotence check
 
+- name: Create conf/Catalina directory owned by product so catalina.out logging works
+  file:
+    path: "{{ atl_product_installation_versioned }}/conf/Catalina"
+    state: directory
+    mode: "u=rwX,g=rX,o-rwx"
+    owner: "{{ atl_product_user }}"
+    group: "{{ atl_product_user }}"
+  changed_when: false  # For Molecule idempotence check
+
 - name: Assert baseurl to same as atl_proxy_name
   postgresql_query:
     login_host: "{{ atl_db_host }}"
diff --git a/roles/product_startup/molecule/bitbucket/playbook.yml b/roles/product_startup/molecule/bitbucket/playbook.yml
index 0542b3a..bc50920 100644
--- a/roles/product_startup/molecule/bitbucket/playbook.yml
+++ b/roles/product_startup/molecule/bitbucket/playbook.yml
@@ -29,7 +29,7 @@
   pre_tasks:
     - name: Create systemd dir if necessary
       file:
-        path: '/etc/systemd/system/'
+        path: '/usr/lib/systemd/system/'
         state: directory
 
   roles:
diff --git a/roles/product_startup/molecule/bitbucket/tests/test_default.py b/roles/product_startup/molecule/bitbucket/tests/test_default.py
index 14feb7c..8bec4b7 100644
--- a/roles/product_startup/molecule/bitbucket/tests/test_default.py
+++ b/roles/product_startup/molecule/bitbucket/tests/test_default.py
@@ -7,7 +7,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 
 def test_service_file(host):
-    f = host.file('/etc/systemd/system/bitbucket.service')
+    f = host.file('/usr/lib/systemd/system/bitbucket.service')
     assert f.contains("^ExecStart=/opt/atlassian/bitbucket/current/bin/start-bitbucket.sh -fg --no-search$")
     assert f.contains("^UMask=0027$")
     assert f.contains("^LimitNOFILE=4096$")
diff --git a/roles/product_startup/molecule/default/playbook.yml b/roles/product_startup/molecule/default/playbook.yml
index ba24ddc..71e2f53 100644
--- a/roles/product_startup/molecule/default/playbook.yml
+++ b/roles/product_startup/molecule/default/playbook.yml
@@ -12,7 +12,7 @@
   pre_tasks:
     - name: Create systemd dir if necessary
       file:
-        path: '/etc/systemd/system/'
+        path: '/usr/lib/systemd/system/'
         state: directory
 
   roles:
diff --git a/roles/product_startup/molecule/default/tests/test_default.py b/roles/product_startup/molecule/default/tests/test_default.py
index 8210664..3ef51d9 100644
--- a/roles/product_startup/molecule/default/tests/test_default.py
+++ b/roles/product_startup/molecule/default/tests/test_default.py
@@ -7,7 +7,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 
 def test_service_file(host):
-    f = host.file('/etc/systemd/system/jira-software.service')
+    f = host.file('/usr/lib/systemd/system/jira-software.service')
     assert f.contains("^ExecStart=/opt/atlassian/jira-software/current/bin/start-jira.sh -fg$")
     assert f.user == 'root'
     assert f.group == 'root'
diff --git a/roles/product_startup/molecule/synchrony/playbook.yml b/roles/product_startup/molecule/synchrony/playbook.yml
index 0e19553..0ee7b71 100644
--- a/roles/product_startup/molecule/synchrony/playbook.yml
+++ b/roles/product_startup/molecule/synchrony/playbook.yml
@@ -20,7 +20,7 @@
   pre_tasks:
     - name: Create systemd dir if necessary
       file:
-        path: '/etc/systemd/system/'
+        path: '/usr/lib/systemd/system/'
         state: directory
 
   roles:
diff --git a/roles/product_startup/molecule/synchrony/tests/test_default.py b/roles/product_startup/molecule/synchrony/tests/test_default.py
index 447af2e..5451915 100644
--- a/roles/product_startup/molecule/synchrony/tests/test_default.py
+++ b/roles/product_startup/molecule/synchrony/tests/test_default.py
@@ -7,7 +7,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 
 def test_service_file(host):
-    f = host.file('/etc/systemd/system/synchrony.service')
+    f = host.file('/usr/lib/systemd/system/synchrony.service')
     assert f.contains("^ExecStart=/opt/atlassian/bin/start-synchrony$")
     assert f.contains("^EnvironmentFile=/etc/atl$")
     assert f.contains("^EnvironmentFile=/etc/atl.synchrony$")
diff --git a/roles/product_startup/tasks/main.yml b/roles/product_startup/tasks/main.yml
index 706bee3..c604379 100644
--- a/roles/product_startup/tasks/main.yml
+++ b/roles/product_startup/tasks/main.yml
@@ -3,7 +3,7 @@
 - name: "Install systemd service file"
   template:
     src: "product.service.j2"
-    dest: "/etc/systemd/system/{{ atl_systemd_service_name }}"
+    dest: "/usr/lib/systemd/system/{{ atl_systemd_service_name }}"
     owner: root
     group: root
     mode: 0640
diff --git a/roles/product_startup/templates/product.service.j2 b/roles/product_startup/templates/product.service.j2
index 8310e88..a99636a 100644
--- a/roles/product_startup/templates/product.service.j2
+++ b/roles/product_startup/templates/product.service.j2
@@ -14,5 +14,7 @@ ExecStart={{ atl_startup_exec_path }}{% for c in atl_startup_exec_options %} {{
 
 Restart=on-failure
 
+LimitNOFILE=65536
+
 [Install]
 WantedBy={{ atl_systemd_service_target }}