Using a custom TLS certificate for HTTPS connections with Watson Machine Learning Accelerator

Important: IBM Cloud Pak® for Data Version 4.7 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.7 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.

The Watson Machine Learning Accelerator installation includes a self-signed TLS certificate that can be used to enable HTTPS connections. By default, this certificate is untrusted by all HTTPS clients. However, you can replace the default certificate with your own TLS certificate.

Watson Machine Learning Accelerator exposes one HTTPS port as the primary access point for the web client and for API requests. On Red Hat® OpenShift®, the port is exposed as an OpenShift route.

Before you begin

Required permissions
To complete this task, you must have one of the following roles:
  • Red Hat OpenShift cluster administrator
  • Red Hat OpenShift instance administrator on the project where Cloud Pak for Data is installed

To complete this task, you must have your own certificate and private key file that meet the following requirements:

  • Both files are in PEM format.
  • The root ca certificate is named ca.crt.
  • The certificate is named tls.crt.

    The certificate can be a bundle that contains your server, intermediates, and root certificates concatenated (in the proper order) into one file. The necessary certificates must be enabled as trusted certificates on the clients that connect to the cluster.

  • The private key is named tls.key.
  • The ECDSA certificate is named tls-ecdsa.crt.
  • The private ECDSA key is named tls-ecdsa.key.

Procedure

To replace the default TLS certificate with your custom TLS certificate:

  1. Place the tls.crt and tls.key files in the same directory on your local file system.
  2. Change to the directory where the files are located.
  3. Connect to your OpenShift cluster: 
    oc login OpenShift_URL:port
  4. Set the context to the project where Watson Machine Learning Accelerator is deployed: 
    oc project Project_name
  5. Create a secret to store your certificate files:
    1. Create external-tls-secret:
      oc create secret generic external-tls-secret --from-file=ca.crt=./ca.crt --from-file=tls.crt=./tls.crt --from-file=tls.key=./tls.key --dry-run -o yaml | oc apply -f -
      Important: Do not change the name of the secret. You must use the name external-tls-secret.

      Wait for the command to return a message that the secret was created:

      secret/external-tls-secret created
    2. Create external-tls-secret-ecdsa:
      oc create secret generic external-tls-secret-ecdsa --from-file=ca.crt=./ca.crt --from-file=tls.crt=./tls-ecdsa.crt --from-file=tls.key=./tls-ecdsa.key --dry-run -o yaml | oc apply -f -
      Important: Do not change the name of the secret. You must use the name external-tls-secret-ecdsa.
      Wait for the command to return a message that the secret was created:
      secret/external-tls-secret-ecdsa created
  6. If Watson Machine Learning Accelerator is already installed in Cloud Pak for Data, apply the new certificate to all Watson Machine Learning Accelerator components. The following pods must be restarted:
    • Restart the pod used for wmla-ingress:
      oc rollout restart deploy/wmla-ingress
    • Restart the pod used for inference:
      oc rollout restart deploy/wmla-edi-lbd
    After the pod is restarted, the new certificate is applied.