diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index e807c88c..b4315f19 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -315,11 +315,6 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
 
    file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
    file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
-   file { '/opt/eidas-middleware/configuration/POSeIDAS.xml.sh':
-      ensure  => present,
-      content => template('eid/demw/POSeIDAS.xml.sh.erb'),
-      mode    => '0744',
-      }
    sunet::docker_run {'eidas-demw':
       image    => 'docker.sunet.se/eidas-demw',
       imagetag => $_version,
@@ -338,6 +333,7 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
                    "PKCS11_PIN=$pkcs11_pin",
                    "PKCS11_CONFIG_LOCATION=/opt/eidas-middleware/configuration/hsm/pkcs11.properties",
                    "POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
+                   "DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
                    "DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
                    "DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
                    "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
@@ -361,6 +357,11 @@ class eidas_de_middleware($version="106-rs",$hostname='localhost') {
       hiera_key => 'eidasmw-signature-keystore',
       base64    => true
    } ->
+   file { '/opt/eidas-middleware/configuration/POSeIDAS.xml.sh':
+      ensure  => present,
+      content => template('eid/demw/POSeIDAS.xml.sh.erb'),
+      mode    => '0744',
+      }
    sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-crypto-keystore.jks":
       hiera_key => 'eidasmw-crypto-keystore',
       base64    => true
@@ -378,7 +379,6 @@ class eidas_de_middleware($version="106-rs",$hostname='localhost') {
       env      => ["CERTNAME=${::fqdn}_infra",
                    "PUBLIC_HOSTNAME=$_hostname",
                    "POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
-                   "DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
                    "DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
                    "DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
                    "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password",