diff --git a/.gitignore b/.gitignore
index f5b2781..7ccb728 100644
--- a/.gitignore
+++ b/.gitignore
@@ -71,3 +71,4 @@
 /pki-10.7.3.tar.gz
 /pki-10.8.3.tar.gz
 /pki-10.9.0-a2.tar.gz
+/pki-10.9.0-b2.tar.gz
diff --git a/0001-pki-password-fix-for-FIPS.patch b/0001-pki-password-fix-for-FIPS.patch
new file mode 100644
index 0000000..5f3f691
--- /dev/null
+++ b/0001-pki-password-fix-for-FIPS.patch
@@ -0,0 +1,39 @@
+From d6c91ee4a11a55534c733d144b3108e16b0ac6aa Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Tue, 30 Jun 2020 17:22:35 +0200
+Subject: [PATCH] pki password fix for FIPS
+
+NSS DB in FIPS mode seems to require a password in all cases. When pki
+attemps to open NSS DB without password in FIPS mode, it blocks with a
+prompt to enter a password. This breaks installation in FIPS mode:
+
+ Enter password for NSS FIPS 140-2 User Private Key
+
+Signed-off-by: Christian Heimes
+---
+ base/server/python/pki/server/subsystem.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
+index 737b4b233..cc65954f6 100644
+--- a/base/server/python/pki/server/subsystem.py
++++ b/base/server/python/pki/server/subsystem.py
+@@ -949,6 +949,7 @@ class PKISubsystem(object):
+ cmd = [
+ 'pki',
+ '-d', self.instance.nssdb_dir,
++ '-f', self.instance.password_conf,
+ '-U', master_url,
+ '%s-range-request' % self.name,
+ range_type,
+@@ -996,6 +997,7 @@ class PKISubsystem(object):
+ cmd = [
+ 'pki',
+ '-d', self.instance.nssdb_dir,
++ '-f', self.instance.password_conf,
+ '-U', master_url,
+ '%s-config-export' % self.name,
+ '--names', ','.join(names),
+--
+2.26.2
+
diff --git a/pki-core.spec b/pki-core.spec
index 24fad5c..45e7c9e 100644
--- a/pki-core.spec
+++ b/pki-core.spec
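Review bot: In 0001-pki-password-fix-for-FIPS.patch, both `cmd` lists in subsystem.py now pass `'-f', self.instance.password_conf` unconditionally, but nothing visible in either hunk checks that the file exists and is readable. A missing or incomplete password config would presumably bring back the same interactive prompt and block the installer again. The code that runs `cmd` is outside both hunks; if it is a subprocess call, confirm that stdin is not inherited from a terminal, so that the failure surfaces as an error rather than a hang. Passing the config path rather than the password keeps the NSS secret out of the process argument list, which is the right shape. A short comment above each added line would help the next reader, for example `# FIPS: NSS DB always needs a password; pass password.conf so pki does not prompt`.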
@@ -8,8 +8,8 @@ URL: http://www.dogtagpki.org/
 License: GPLv2 and LGPLv2
 Version: 10.9.0
-Release: 0.2%{?_timestamp}%{?_commit_id}%{?dist}
-%global _phase -a2
+Release: 0.4%{?_timestamp}%{?_commit_id}%{?dist}
+%global _phase -b2
 # To create a tarball from a version tag:
 # $ git archive \
@@ -26,6 +26,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 # > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
+Patch1: 0001-pki-password-fix-for-FIPS.patch
+
 ################################################################################
 # NSS
 ################################################################################
@@ -200,6 +202,7 @@ BuildRequires: resteasy-jackson2-provider >= 3.0.17-1
 BuildRequires: python3 >= 3.5
 BuildRequires: python3-devel
+BuildRequires: python3-setuptools
 BuildRequires: python3-cryptography
 BuildRequires: python3-lxml
 BuildRequires: python3-ldap
@@ -1316,6 +1319,10 @@ fi
 ################################################################################
 %changelog
+* Tue Jun 30 2020 Dogtag PKI Team - 10.9.0-0.4
+- Rebase to match upstream beta version v10.9.0-b2
+- pki password fix for FIPS
+
 * Wed Jun 10 2020 Dogtag PKI Team - 10.9.0-0.2
 - Rebase to match upstream alpha version 10.9.0-a2
diff --git a/sources b/sources
index 7dea355..0e1c6d7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (pki-10.9.0-a2.tar.gz) = 1e82038cd1107d76a5d7a49bf9088fbf36c6835d62dbb650f3e933b94e5438749ad0f39d61b2c8df7fdcd9327b70d496041e390c60ccaa1cdf253c69a5a691af
+SHA512 (pki-10.9.0-b2.tar.gz) = 49f817d17a1442bcbec86c4f2717a2489d2655329f9d2d5ea97e73aaffb4924f2855898952568717c821188e8e05dfb05ee7afee9918c27a218e8f199a24777e
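Review bot: `Patch1: 0001-pki-password-fix-for-FIPS.patch` is declared in the second pki-core.spec hunk with no comment saying where the patch comes from or when it can be dropped. The `%prep` section that would apply it is not part of this diff. If `%prep` lists patches explicitly rather than applying all declared ones, the FIPS fix would be packaged but never applied, so that is worth confirming. I would add a line above the declaration such as `# FIPS: pass NSS password config to pki CLI (commit d6c91ee4a11a per the patch header); drop once the upstream tarball includes it`.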