set umask for tomcat8 via tomcat.service

Try adding UMASK as Environment variable into tomcat's service file:

[Service]
...
Environment='UMASK=0022'
...

Default catalina.sh is checking for environment's $UMASK:

# Set UMASK unless it has been overridden
 if [ -z "$UMASK" ]; then
  UMASK="0027"
 fi
 umask $UMASK

(It seems to me, that UMask from systemd is not used by Tomcat, but I am not completely sure.)

I think you can achieve this with systemd by doing the following:

~]# mkdir -p /etc/systemd/system/tomcat.service.d
~]# echo -e "[Service]\nUMask=0022" >/etc/systemd/system/tomcat.service.d/custom-umask.conf
~]# systemctl daemon-reload
~]# systemctl restart tomcat

/etc/systemd/system/tomcat.service.d/umask-user.conf should overwrite the default values.

Source: https://access.redhat.com/solutions/2220161

P.S: A umask of 0022 would give a file 0644 permissions and a directory 0755