After upgrading the DLP 15.8 OCR server to 16.0, the OCR server no longer receives images to process.
Events in the Enforce Console show Error 4807 - "The client and/or OCR server are not authorized with each other".
The FileReader log on the Detection Server that points to the OCR server reports a PKIX certificate error:
com.vontu.messaging.chain.ocr.OcrExecutionTask call
WARNING: Failed to perform OCR for item 'Capture.PNG'
com.symantec.dlp.ocr.client.exception.OcrUnauthorizedException: OcrRequestId: [0068371b-fde0-421b-8257-76d660a86600] Unable to verify client and server with each other as authorized endpoints. Please verify that the client and server keystores are configured correctly. PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.symantec.dlp.ocr.client.rest.OcrRestClient.getOcrException(OcrRestClient.java:500)
at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:426)
at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:361)
at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:334)
at com.symantec.dlp.ocr.client.OcrClientOnPremBackCompatibleType$OcrClientChooser.submitRequest(OcrClientOnPremBackCompatibleType.java:296)
at com.symantec.dlp.ocr.client.OcrClientOnPremBackCompatibleType.submitRequest(OcrClientOnPremBackCompatibleType.java:118)
at com.vontu.messaging.chain.ocr.OcrExecutionTask.call(OcrExecutionTask.java:124)
at com.vontu.messaging.chain.ocr.OcrExecutionTask.call(OcrExecutionTask.java:61)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at com.symantec.dlp.ocr.client.rest.OcrRestClient.submitRequest(OcrRestClient.java:384)
... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:234)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:110)
at org.apache.http.conn.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:192)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
... 40 more
Symantec Data Loss Prevention 16.0
OCR upgraded from 15.8 to 16.0
The type of certificate OCR uses was changed from jks to PEM in 16.0. The certificate error appears because the Detection server is not aware that the OCR server was upgraded, so it continues to communicate using jks while the OCR server expects PEM.
The Detection server only re-confirms the certificate protocol used by the OCR server when certain events occur, such as a service restart:
Restart the "Symantec DLP Detection Server Service" on the Detection server to force the server to confirm the certificate protocol being used by the OCR server.
The service can be restarted through the Enforce Console or manually on the Server.