OCR failing TLS connection
search cancel

OCR failing TLS connection


Article ID: 215050


Updated On:


Data Loss Prevention Network Monitor and Prevent for Email and Web


  • You have installed Sensitive Image Recognition solution (OCR) integrated with your Network Prevent for Email environment
  • You use third party certificates to communicate to the downstream MTAs
  • In the FileReader logs on the detection servers you see a message similar to below
WARNING: Failed to perform OCR for item 

com.symantec.dlp.ocr.client.exception.OcrUnauthorizedException: OcrRequestId: [09957932-35dc-4f64-a6bc-bdacb16224e0]
Unable to verify client and server with each other as authorized endpoints.
Please verify that the client and server keystores are configured correctly. sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

at com.symantec.dlp.ocr.client.rest.OcrRestClient.getOcrException(OcrRestClient.java:352)



Release : 15.x

Component : Sensitive Image Recognition (OCR), Third party certificates


The ...\SymantecDLPOCR\Protect\keystore\ocr_keystore.jks does not contain the third party certificate chain


You need to follow a similar process to https://knowledge.broadcom.com/external/article/186829/how-to-setup-secure-icap-in-network-prev.html

and use the alias details from the ..SymantecDLPOCR\Protect\config\OCR.properties file

  1. Create a new ocr_keystore.jks keystore
  2. Generate a certificate request and have the certificate issued as a PCKS#7 (.p7b format)
  3. Import that to the ocr_keystore