Removal of expired Oracle signer certificate from recent IBM Java 
 

We recently received multiple reports that the third-party Java crypto providers threw errors at server startup after WebSphere upgrade.   It turned out the expired Oracle signer certificates were removed from Java that comes with the recent WebSphere. As a result, older crypto providers are no longer trusted. 

The change introduced by IJ25459: ADD ORACLE'S NEW SIGNER CERTIFICATE went into the following IBM SDK versions:

Java 8 SR6 FP25 (8.0.6.25)
Java 7 SR10 FP75 (7.0.10.75)
Java 7 R1 SR4 FP75 (7.1.4.75)

which correspond to following WebSphere versions 

Traditional WebSphere 9.0.5.7
Traditional 8.5.5.20
WebSphere Liberty 21.0.0.3

according to "Verify Java SDK version shipped with IBM WebSphere Application Server fix packs" page. 

After investigation, there is no manual way to work around the issue.  The users of older crypto providers are advised to plan ahead so that a newer versions of the crypto provider is installed at the time of WebSphere/Java upgrade to avoid provider issues.