The IBM SDK ships with strong but limited jurisdiction policy files. United States federal law places restrictions on the level of encryption that can be freely exported. The IBM SDK complies with these restrictions, which means it only supports SSL keys of 2048 bits or less. Many keys are now being created with larger sizes (e.g. 4096 bits), which will not work with the default settings.
Resolving the problem
The solution is to download and install the unlimited jurisdiction policy files. For those in the United States and other eligible countries, please visit the “IBM SDK Policy Files” link below to download the updated policy files.
After downloading the package for “Unrestricted JCE Policy files for SDK for all newer versions 1.42+”, copy the new “US_export_policy.jar” and “local_policy.jar” to the $JAVA_HOME/jre/lib/security directory. You must restart the JVM for the changes to take effect.
If you installed the new certificate on an endpoint managed by ITDI, then you need to apply this change to the $ITDI_HOME/jvm/jre/lib/security directory. If you installed the new certificate in ITDI itself for SSL communication between ITDI and ISIM, then you need to apply the new files to both the ITDI JVM and the ISIM JVM in $WAS_HOME/AppServer/java/jre/lib/security, and restart both ITDI and WebSphere. Also, this change must be made on ALL ITDI instances and ISIM cluster nodes that will be communicating with this new certificate.
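Because the files have to land in every JVM involved, a check like the following can be run on each ITDI instance and ISIM node after the copy. It is an added example, not IBM-supplied code: the function name `check_policy_jars` is hypothetical, and it assumes the downloaded unrestricted jars are unpacked in a directory passed as the first argument. It only compares files on disk, so a JVM that has not been restarted will still pass.

```shell
#!/bin/sh
# Added example (not IBM code). Usage, with the directories named on this page:
#   check_policy_jars /path/to/unpacked/download \
#       "$ITDI_HOME/jvm/jre/lib/security" \
#       "$WAS_HOME/AppServer/java/jre/lib/security"

# The two files the procedure replaces in each JVM.
POLICY_JARS="US_export_policy.jar local_policy.jar"

# check_policy_jars SRC_DIR SECURITY_DIR...
# Prints "<status><TAB><dir>" for each security directory and returns the
# number of directories whose jars are missing or differ from SRC_DIR.
check_policy_jars() {
    src=$1
    shift
    # Refuse to run if the reference copies themselves are incomplete.
    for jar in $POLICY_JARS; do
        [ -f "$src/$jar" ] || { echo "reference jar missing: $src/$jar" >&2; return 127; }
    done
    bad=0
    for dir in "$@"; do
        status=OK
        for jar in $POLICY_JARS; do
            if [ ! -f "$dir/$jar" ]; then
                status="MISSING $jar"
                break
            elif ! cmp -s "$src/$jar" "$dir/$jar"; then
                # Byte-for-byte mismatch: most likely still the limited policy file.
                status="DIFFERS $jar"
                break
            fi
        done
        [ "$status" = OK ] || bad=$((bad + 1))
        printf '%s\t%s\n' "$status" "$dir"
    done
    return "$bad"
}

# Run directly when arguments are given; otherwise only define the function.
[ $# -eq 0 ] || check_policy_jars "$@"
```

A non-zero exit status is the count of JVM directories that still need the unrestricted files.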