OCR 16.0 error 4807 - The client and/or OCR server are not authorized with each other

Article ID: 263274


Products

Data Loss Prevention, Data Loss Prevention API Detection for Developer Apps Virtual Appliance, Data Loss Prevention API Detection Virtual Appliance, Data Loss Prevention Discover Suite, Data Loss Prevention Endpoint Discover, Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Suite, Data Loss Prevention Enforce, Data Loss Prevention Enterprise Suite, Data Loss Prevention Form Recognition, Data Loss Prevention Network Discover, Data Loss Prevention Network Email, Data Loss Prevention Network Monitor, Data Loss Prevention Network Monitor and Prevent for Email, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Prevent for Email Virtual Appliance, Data Loss Prevention Network Prevent for Web Virtual Appliance, Data Loss Prevention Network Protect, Data Loss Prevention Network Web, Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

After upgrading the DLP 15.8 OCR server to 16.0, the OCR server no longer receives images to process.

Events in the Enforce Console show Error 4807 - The client and/or OCR server are not authorized with each other 



The FileReader log on the Detection Server pointing to the OCR server reports a PKIX certificate error:

com.vontu.messaging.chain.ocr.OcrExecutionTask call
WARNING: Failed to perform OCR for item 'Capture.PNG'
com.symantec.dlp.ocr.client.exception.OcrUnauthorizedException: OcrRequestId: [0068371b-fde0-421b-8257-76d660a86600] Unable to verify client and server with each other as authorized endpoints. Please verify that the client and server keystores are configured correctly. PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.symantec.dlp.ocr.client.rest.OcrRestClient.getOcrException(OcrRestClient.java:500)
    at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:426)
    at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:361)
    at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:334)
    at com.symantec.dlp.ocr.client.OcrClientOnPremBackCompatibleType$OcrClientChooser.submitRequest(OcrClientOnPremBackCompatibleType.java:296)
    at com.symantec.dlp.ocr.client.OcrClientOnPremBackCompatibleType.submitRequest(OcrClientOnPremBackCompatibleType.java:118)
    at com.vontu.messaging.chain.ocr.OcrExecutionTask.call(OcrExecutionTask.java:124)
    at com.vontu.messaging.chain.ocr.OcrExecutionTask.call(OcrExecutionTask.java:61)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:384)
    ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:234)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:110)
    at org.apache.http.conn.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:192)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
    ... 40 more
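
A triage sketch for traces like the one above, added here as an example (it is not Symantec's code or part of the original article): it groups each failed OCR item with its OcrRequestId and its exception chain, then checks whether the innermost cause is the PKIX path-building error. The sample log is constructed: the first record is abbreviated from the trace above, and the second record's item name, request id and handshake message are invented.

```python
import re

# Constructed sample, abbreviated from the FileReader trace on this page; the
# second record (item name, request id, handshake message) is invented.
SAMPLE_LOG = """\
WARNING: Failed to perform OCR for item 'Capture.PNG'
com.symantec.dlp.ocr.client.exception.OcrUnauthorizedException: OcrRequestId: [0068371b-fde0-421b-8257-76d660a86600] Unable to verify client and server with each other as authorized endpoints.
    at com.symantec.dlp.ocr.client.rest.OcrRestClient.getOcrException(OcrRestClient.java:500)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
com.vontu.messaging.chain.ocr.OcrExecutionTask call
WARNING: Failed to perform OCR for item 'constructed-scan.png'
com.symantec.dlp.ocr.client.exception.OcrUnauthorizedException: OcrRequestId: [00000000-0000-0000-0000-000000000001] Unable to verify client and server with each other as authorized endpoints.
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
"""

ITEM_RE = re.compile(r"WARNING: Failed to perform OCR for item '([^']*)'")
HEAD_RE = re.compile(r"^([\w.$]+): OcrRequestId: \[([0-9a-fA-F-]+)\]")
CAUSE_RE = re.compile(r"^Caused by: ([\w.$]+)")

def parse_ocr_failures(text):
    """Group each OCR failure with its request id and exception chain."""
    failures, cur = [], None
    for line in text.splitlines():
        m = ITEM_RE.search(line)
        if m:
            cur = {"item": m.group(1), "request_id": None, "chain": []}
            failures.append(cur)
        elif cur is None or line[:1].isspace():
            continue                      # outside a record, or an "at ..." frame
        elif (m := CAUSE_RE.match(line)):
            cur["chain"].append(m.group(1))
        elif (m := HEAD_RE.match(line)) and not cur["chain"]:
            cur["request_id"] = m.group(2)
            cur["chain"].append(m.group(1))
        else:
            cur = None                    # any other line ends this trace
    return failures

def is_trust_path_failure(failure):
    """True when the innermost cause is the PKIX path-building error."""
    chain = failure["chain"]
    return bool(chain) and chain[-1].endswith("SunCertPathBuilderException")

if __name__ == "__main__":
    for f in parse_ocr_failures(SAMPLE_LOG):
        verdict = "trust-path failure" if is_trust_path_failure(f) else "other cause"
        print(f["request_id"], f["item"], verdict, "<-", " <- ".join(f["chain"]))
```

Both sample records carry the same OcrUnauthorizedException at the top of the trace; only the last "Caused by" line separates the path-building failure shown in this article from the other handshake failure.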

Environment

Symantec Data Loss Prevention 16.0
OCR upgraded from 15.8 to 16.0

Cause

In 16.0, the type of certificate that OCR uses changed from JKS to PEM. The certificate error appears because the Detection Server does not know that OCR was updated, so it continues to communicate using JKS while OCR expects PEM.

The Detection Server confirms the certificate protocol only when one of the following events occurs:

  1. Detection Server startup
  2. OCR configuration update in the Enforce Console
  3. DNS refresh on the OCR server Hostname

Resolution

Restart the "Symantec DLP Detection Server Service" on the Detection Server to force it to confirm the certificate protocol that the OCR server is using.
The service can be restarted through the Enforce Console or manually on the server.