The file /etc/crypto-policies/back-ends/java.config contains plain SHA1 in the line jdk.certpath.disabledAlgorithms. While that's in principle a good idea in this special case it's bad.

The Java settings still allow SHA1 for older CA certs (like Webbrowsers do) when it is used for the self-signing of CAs. Please adapt the line, as there are still many servers out there which use CAs which are created with SHA1 signatures. That's no security issues, as this self-signed part of the signature of an CA anyway has no real importance.

In /usr/lib64/jvm/java-21-openjdk-21/conf/security/java.security it is:

MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01

That's a much better setting than what's currently used in crypto-policies package.

That would be important, as the crpyto-policies overrides the java setting by default.