Tomcat 7 / 8 and IBM JRE won't initialize DSA key

I'm reproducing a problem reported by one of our customers.

He has a Tomcat 7 running on AIX 7.1 with IBM JRE 7.

The Tomcat has a HTTPS connector defined:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           keystoreFile="/path/to/keystore.key" keystorePass="password"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

The keystore contains a 1024 bits DSA keypair.

When a HTTPS request comes in the DSA key won't be initialized, which results in a handshake failure. Output from catalina.out with -Djavax.net.debug=all:

%% Initialized:  [Session-2, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain EC_EC
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain EC_EC
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain EC_RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
%% Invalidated:  [Session-2, SSL_NULL_WITH_NULL_NULL]

If I switch to IBM JRE 8 the key get's initialized:

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain EC_EC
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain EC_EC
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain EC_RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias null
ssl: ServerHandshaker.setupPrivateKeyAndChain DSA
matching alias: mykey
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias mykey
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true
JsseJCE:  Using KeyPairGenerator DiffieHellman from provider TBD via init
DHCrypt:  DH KeyPairGenerator  from provider from init IBMJCE version 1.8
%% Negotiating:  [Session-1, SSL_DHE_DSS_WITH_AES_128_CBC_SHA]

Our customer stated that the same keystore worked in Tomcat 6 and with the same JRE 7.

I did some tests with the original keystore in the following environment:

AIX

oslevel -s
7100-04-04-1717

Java

Java7 - IBM JRE - java7_64_SR3 (also SR10_FP1)
Java8 - IBM JRE - java8_64_SR3_FP22

Tomcat

apache-tomcat-6.0.36
apache-tomcat-7.0.69
apache-tomcat-8.5.16

The results are:

Working:

Tomcat 6 + Java 7

Tomcat 6 + Java 8

Tomcat 7 + Java 8

Tomcat 8 + Java 8

Not working:

Tomcat 7 + Java 7

Tomcat 8 + Java 7

It seems to be some issue which occours when running Tomcat 7 / 8 with IMB JRE 7, but not in other combinations.

The JREs have been installed only for reproducing this problem.

I really can't find the reason why it's not working in those combinations.

Any ideas what could be the reason or what I could try?

EDIT: Simply using JRE 8 is not possible due to other limitations. We got a workaround by providing a keystore with 2048 bits RSA keys which works with all combinations. It still is really unsatisfying not to know what's the problem with the original keystore.