
OCR failing TLS connection


Article ID: 215050


Updated On:


Data Loss Prevention Network Monitor and Prevent for Email and Web


  • You have installed the Sensitive Image Recognition (OCR) solution, integrated with your Network Prevent for Email environment.
  • You use third-party certificates to communicate with the downstream MTAs.
  • In the FileReader logs on the detection servers, you see a message similar to the following:
WARNING: Failed to perform OCR for item OcrRequestId: [09957932-35dc-4f64-a6bc-bdacb16224e0]
Unable to verify client and server with each other as authorized endpoints.
Please verify that the client and server keystores are configured correctly.
PKIX path building failed:
unable to find valid certification path to requested target




Release : 15.x

Component : Sensitive Image Recognition (OCR), Third party certificates


The ...\SymantecDLPOCR\Protect\keystore\ocr_keystore.jks keystore does not contain the third-party certificate chain.


You need to follow a similar process to

and use the alias details from the ..SymantecDLPOCR\Protect\config\ file

  1. Create a new ocr_keystore.jks keystore
  2. Generate a certificate request and have the certificate issued as a PKCS#7 (.p7b format)
  3. Import that into the ocr_keystore
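
The three steps above, sketched with the JDK keytool utility as an added example (not taken from the article or from Symantec documentation). The alias, subject name, file names and the OCR_KS_PASS variable are placeholders; it assumes keytool is on PATH and that the keystore is built in a working folder before being copied into place.

```powershell
# Added example: every value below is a placeholder, not a value from the article.
$keystore = 'ocr_keystore.jks'               # build here, then copy to ...\Protect\keystore\
$alias    = '<alias-from-OCR-config-file>'   # placeholder: the alias named in the config file
$dname    = 'CN=<ocr-server-fqdn>, O=<organization>, C=<country>'
$csr      = 'ocr_server.csr'                 # request sent to the third-party CA
$reply    = 'ocr_server.p7b'                 # PKCS#7 reply received from the CA

# Keep the password off the command line: keytool reads it from the environment.
$secure = Read-Host 'Keystore password' -AsSecureString
$env:OCR_KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
$store = @('-storepass:env', 'OCR_KS_PASS')
$key   = @('-keypass:env', 'OCR_KS_PASS')

try {
    if (-not (Test-Path $reply)) {
        # Step 1: new keystore holding a fresh key pair under the expected alias.
        & keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 `
            -dname $dname -keystore $keystore @store @key
        if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }

        # Step 2: certificate request for the CA; ask for the reply as PKCS#7 (.p7b).
        & keytool -certreq -alias $alias -file $csr -keystore $keystore @store @key
        if ($LASTEXITCODE -ne 0) { throw 'keytool -certreq failed' }
        Write-Host "Submit $csr to the CA, save the reply as $reply, then run this again."
    }
    else {
        # Step 3: import the reply over the same alias. -noprompt is left out on
        # purpose, so keytool asks before trusting a root it does not already know.
        & keytool -importcert -alias $alias -file $reply -keystore $keystore `
            -trustcacerts @store @key
        if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }

        # Check: the key entry should now carry the CA chain, not a lone certificate.
        $listing = & keytool -list -v -alias $alias -keystore $keystore @store
        $m = $listing | Select-String 'Certificate chain length:\s*(\d+)' |
            Select-Object -First 1
        $len = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
        if ($len -lt 2) {
            Write-Warning "Chain length is $len: the CA chain is missing from $keystore."
        } else {
            Write-Host "Alias '$alias' holds a chain of $len certificates."
        }
    }
}
finally {
    Remove-Item Env:OCR_KS_PASS -ErrorAction SilentlyContinue
}
```

Run it once to produce the request and a second time after the CA returns the .p7b file; a chain length below 2 after the import means the keystore still lacks the issuing CA certificates.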