OCR failing TLS connection

Article ID: 215050


Products

  • Data Loss Prevention Network Monitor and Prevent for Email and Web
  • Data Loss Prevention
  • Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

  • You have installed the Sensitive Image Recognition (OCR) solution, integrated with your Network Prevent for Email environment.
  • You use third-party certificates to communicate with the downstream MTAs.
  • In the FileReader logs on the detection servers, you see a message similar to the following:
WARNING: Failed to perform OCR for item 

com.symantec.dlp.ocr.client.exception.OcrUnauthorizedException: OcrRequestId: [09957932-35dc-4f64-a6bc-bdacb16224e0]
Unable to verify client and server with each other as authorized endpoints.
Please verify that the client and server keystores are configured correctly. sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

at com.symantec.dlp.ocr.client.rest.OcrRestClient.getOcrException(OcrRestClient.java:352)

..

Environment

Release : 15.x

Component : Sensitive Image Recognition (OCR), Third party certificates

Cause

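The ...\SymantecDLPOCR\Protect\keystore\ocr_keystore.jks keystore does not contain the third-party certificate chain, so no valid certification path can be built (the PKIX path building failure shown in the log).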

Resolution

Follow a process similar to the one described in https://knowledge.broadcom.com/external/article/186829/how-to-setup-secure-icap-in-network-prev.html, using the alias details from the ..SymantecDLPOCR\Protect\config\OCR.properties file:

  1. Create a new ocr_keystore.jks keystore.
  2. Generate a certificate request and have the certificate issued as PKCS#7 (.p7b format).
  3. Import the issued certificate into the ocr_keystore.jks keystore.
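
The three steps above, sketched with the JDK `keytool` utility and followed by a check that the key entry really holds a chain. This is an added example, not taken from this article or the linked one. It assumes `keytool` is on the PATH with English output, a JKS store type, and a key password equal to the store password; values in `<...>` are placeholders and the file names `ocr.csr` and `ocr_reply.p7b` are hypothetical.

```powershell
# Added example. Replace every <...> placeholder before running.
$Keystore = '<keystore folder>\ocr_keystore.jks'
$Alias    = '<alias from OCR.properties>'
$DName    = 'CN=<OCR server FQDN>, O=<organization>, C=<country code>'
$Csr      = 'ocr.csr'          # hypothetical file name
$Reply    = 'ocr_reply.p7b'    # hypothetical file name for the CA's PKCS#7 reply

# Prompt once without echo; keytool reads the password from the environment
# (-storepass:env) so it never appears on a process command line.
$secure = Read-Host -AsSecureString 'Keystore password'
$env:OCR_STOREPASS = (New-Object System.Net.NetworkCredential('', $secure)).Password
$store = '-keystore', $Keystore, '-storetype', 'JKS', '-storepass:env', 'OCR_STOREPASS'
$key   = '-keypass:env', 'OCR_STOREPASS'   # assumption: key password = store password

try {
    if (-not (Test-Path $Keystore)) {
        # Step 1: new keystore holding a key pair under the configured alias.
        & keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -dname $DName $store $key
        if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }
        # Step 2: certificate request for the third-party CA (ask for a .p7b reply).
        & keytool -certreq -alias $Alias -file $Csr $store $key
        if ($LASTEXITCODE -ne 0) { throw 'keytool -certreq failed' }
        Write-Host "Submit $Csr to the CA, save the reply as $Reply, then run this script again."
    }
    elseif (Test-Path $Reply) {
        # Step 3: importing under the SAME alias replaces the self-signed certificate
        # with the chain from the CA reply. keytool asks for confirmation when the
        # top-level certificate in the reply is not already trusted.
        & keytool -importcert -alias $Alias -file $Reply -trustcacerts $store $key
        if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }

        # Check: the key entry must now carry more than the leaf certificate.
        $listing = & keytool -list -v -alias $Alias $store
        $match = $listing | Select-String -Pattern 'Certificate chain length: (\d+)' |
                 Select-Object -First 1
        if (-not $match) { throw "No key entry with a certificate chain found for alias $Alias" }
        $length = [int]$match.Matches[0].Groups[1].Value
        if ($length -lt 2) { throw "Chain length is ${length}; the issuing CA certificates are missing" }
        Write-Host "Alias $Alias now holds a chain of $length certificates."
    }
}
finally {
    Remove-Item Env:OCR_STOREPASS   # do not leave the password in the session environment
}
```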

Additional Information

Note: This procedure is only applicable to OCR server build 15.8 or earlier. Versions 16.0 and newer no longer use an ocr_keystore.jks keystore to store certificates.
For additional information about using the OCR keys in 16.0 and newer, refer to the tech doc at the following link:

Exporting Private Keys, Certificates, and Trusted Certificates from a 15.x OCR Server