This is because jafeFIPS.jar makes a call to getProtectionDomain().getCodeSource() which returns null when instead it should return the path to the jsafeFIPS.jar file. The call to getProtectionDomain().getCodeSource() is made to make sure that the jsafe code is being called from the correct jar file to help avoid security issues.
The reason why null is returned is due to the Websphere Liberty class loaders not loading the getProtectionDomain().getCodeSource() information as documented in the following Websphere Liberty bug:
http://www-01.ibm.com/support/docview.wss?uid=swg1PI60749
This can be demonstrated in your own apps on Websphere Liberty, by making sure jsafeFIPS.jar is in a <library> in server.xml and this code is used before you try to access a database with the PIM JDBC SDK:
Class c = Class.forName("com.rsa.cryptoj.f.lx");
CodeSource localCodeSource = c.getProtectionDomain().getCodeSource();
System.out.println("localCodeSource: " + localCodeSource.toString());
With websphere liberty 8.5.5.8, this will return something like the following in console.log:
localCodeSource: (null <no signer certificates>)
With websphere liberty 16.0.0.2, this will return something like the following in console.log:
localCodeSource: (file:/C:/JDBC/jsafeFIPS.jar <no signer certificates>)
Note the "file:/C:/JDBC/jsafeFIPS.jar". The Websphere Liberty classloader does not load this information prior to version 16.0.0.2 and this is what jsafeFIPS.jar expects.