Implementing IBM watsonx.ai (on-premises)

If using an on-premises version of IBM® Concert, you are entitled to an instance of watsonx.ai that you can connect to enable AI functionality in your Concert instance.

IBM watsonx.ai is a component of IBM watsonx that provides a studio of integrated tools for working with generative AI capabilities. Concert incorporates generative AI to deliver valuable insights and suggest remediation steps to address prioritized vulnerabilities or other risk factors impacting your applications and environments.

Refer to Role of generative AI in Concert for details.

If you purchased an on-premises version of Concert, your license entitles you to an instance of watsonx.ai for use with Concert only. Alternatively, you can connect an existing watsonx.ai instance (SaaS or on-premises) to your on-premises Concert instance.

Attention: No customer data is used to enrich or refine the global watsonx.ai model. Context that is collected is ephemeral and limited to a single session. For example:
  • If a CVE is found in an application, watsonx.ai references the name of the CVE and information from the Open Source Vulnerability (OSV) database to produce a recommended action. This information is returned to Concert and removed from watsonx.ai.
  • If you upload text or a PDF for evidence of compliance, watsonx.ai compares the content to the specified compliance control to determine if it is "sufficient" or "not sufficient." This outcome is returned to Concert and the data is removed from watsonx.ai.

Before you begin

  • You must be an Instance administrator to install IBM watsonx.ai.
  • You must have the Administrator or Editor platform access role for the watsonx.ai account to create and associate a Watson Machine Learning service.
  • Refer to the watsonx.ai documentation for additional requirements and restrictions when creating a new project.

Step 1: Install IBM watsonx.ai

Note: Skip this step if you plan to connect an existing instance of watsonx.ai or a SaaS version of watsonx.ai to your on-premises deployment of Concert.

The installation process for the on-premises version of watsonx.ai 2.0 is the same as for IBM Cloud Pak® for Data 5.0. Refer to Installing IBM watsonx.ai in the IBM Cloud Pak for Data documentation for instructions.

Step 2: Create an IBM Cloud API key

To establish a connection between watsonx.ai and Concert, generate an API key in IBM Cloud.

Note: As a best practice, limit the applications and integrations using this API key. Avoid sharing the API key secret or storing it in a non-secure location.
  1. Log in to IBM Cloud.
  2. Go to Manage > Access (IAM) from the main navigation.
  3. Click API keys in the side navigation.
  4. Enter a name for the API key and, optionally, a brief description.
  5. Click Create.
  6. Record the API key secret and store it in a secure location.
    Tip: Set this value as an environment variable, such as WATSONX_API_KEY.

Step 3: Create a watsonx project

The following steps describe the process for generating a new watsonx project. Refer to Creating a project in the watsonx documentation for additional requirements and restrictions.

  1. Log in to your watsonx instance.
    Note: Ensure the correct account is selected from the drop-down menu in the main navigation.
  2. Go to Projects > View all projects.
  3. Click New project.
  4. Enter a name for the project.
  5. Optionally, edit the description, tags, and storage setting as needed.
  6. Click Create.
  7. Click the name of the project you just created to view details.
  8. Click the General tab.
  9. Record the Project ID.
    Tip: Set this value as an environment variable, such as WATSONX_API_PROJECT_ID.

Step 4: Associate a Watson Machine Learning service with your project

Watson Machine Learning is part of watsonx.ai. The following steps describe the process for associating a new or existing Watson Machine Learning service with your watsonx.ai project. For more information, refer to the IBM Cloud documentation.

  1. From your list of projects, click the name of the project you created in the previous step.
  2. Click the Manage tab.
  3. Click Services & integrations from the side menu.
  4. Click Associate service.
  5. Select an existing service, if applicable, or click New service.
  6. Under AI / Machine Learning, click Watson Machine Learning.
  7. Select a region.
  8. Select a pricing/learning plan.
  9. Under Configure your resource, adjust the service details as desired.
  10. Click Create.

Step 5: Export the environment variables

Export the relevant set of environment variables based on your watsonx.ai deployment type (SaaS or on-prem).

For SaaS versions of watsonx.ai, use the following commands to export critical variables, replacing the values with the actual data:

export WATSONX_API_KEY=<WATSONX_API_KEY> 
export WATSONX_API_PROJECT_ID=<WATSONX_API_PROJECT_ID> 
export WATSONX_API_URL=<WATSONX_API_URL> 
export CONCERT_NAMESPACE=<CONCERT_NAMESPACE> 

For on-premises software versions of watsonx.ai, use the following commands to export critical variables, replacing the values with the actual data:

export WATSONX_API_KEY=<WATSONX_API_KEY> 
export WATSONX_API_PROJECT_ID=<WATSONX_API_PROJECT_ID> 
export WATSONX_API_URL=<WATSONX_API_URL> 
export WATSONX_API_USERNAME=<WATSONX_API_USERNAME>
export WATSONX_API_INSTANCE_ID=<WATSONX_API_INSTANCE_ID>
export WATSONX_API_VERSION=<WATSONX_API_VERSION>

Note: The default WATSONX_API_URL points to the Dallas environment. If the watsonx.ai project is hosted in a different region, run export WATSONX_API_URL=<YOUR_WATSONX_API_URL>. For example:

export WATSONX_API_URL=https://us-south.ml.cloud.ibm.com

Refer to this section of the IBM watsonx documentation to see the latest available data center regions.

Step 6: Restart the service

Whenever updates are required, export the variables again, reapply the configuration to the kube pod secrets, and then restart the service. Instructions vary depending on your deployment method (OCP cluster or virtual machine).

For Concert deployments on an OCP cluster, run the following command to export the variables and restart the service:

export WATSONX_API_KEY=<WATSONX_API_KEY> 
export WATSONX_API_PROJECT_ID=<WATSONX_API_PROJECT_ID> 
export WATSONX_API_URL=<WATSONX_API_URL> 
export CONCERT_NAMESPACE=<CONCERT_NAMESPACE> 
# Values are quoted and encoded on one line so that long values or special characters cannot break the JSON.
kubectl patch secret/app-cfg-secret -n "$CONCERT_NAMESPACE" --type=merge -p '{
  "data": {
    "WATSONX_API_KEY": "'"$(printf '%s' "$WATSONX_API_KEY" | base64 | tr -d '\n')"'",
    "WATSONX_API_PROJECT_ID": "'"$(printf '%s' "$WATSONX_API_PROJECT_ID" | base64 | tr -d '\n')"'",
    "WATSONX_API_URL": "'"$(printf '%s' "$WATSONX_API_URL" | base64 | tr -d '\n')"'"
  }
}'
kubectl rollout restart -n "$CONCERT_NAMESPACE" deployment/roja-py-utils
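
A pre-flight check for the OCP commands above, added here as an example and not taken from IBM's documentation: it refuses empty or placeholder values and a non-HTTPS endpoint, then builds the same merge patch with single-line base64. The function names are hypothetical; the variable names and secret keys are the ones used on this page.

```shell
#!/bin/sh
# Added example (not IBM code). Function names are hypothetical.

# Base64-encode stdin on one line; GNU base64 wraps output at 76 columns.
b64_oneline() { base64 | tr -d '\n'; }

# Reject a value that is empty, still the <PLACEHOLDER> from the template,
# or contains a space (a common copy/paste error).
check_value() {  # $1 = variable name, $2 = value
  case "$2" in
    "")      echo "$1 is not set" >&2; return 1 ;;
    "<"*">") echo "$1 still holds the template placeholder" >&2; return 1 ;;
    *" "*)   echo "$1 contains a space" >&2; return 1 ;;
  esac
}

# The API key is sent to this endpoint, so require HTTPS.
check_url() {
  case "$1" in
    https://?*) return 0 ;;
    *) echo "WATSONX_API_URL must start with https://" >&2; return 1 ;;
  esac
}

# Print the JSON merge patch for app-cfg-secret, or fail without output.
build_secret_patch() {
  check_value WATSONX_API_KEY "$WATSONX_API_KEY" || return 1
  check_value WATSONX_API_PROJECT_ID "$WATSONX_API_PROJECT_ID" || return 1
  check_value WATSONX_API_URL "$WATSONX_API_URL" || return 1
  check_url "$WATSONX_API_URL" || return 1
  printf '{"data":{"WATSONX_API_KEY":"%s","WATSONX_API_PROJECT_ID":"%s","WATSONX_API_URL":"%s"}}\n' \
    "$(printf '%s' "$WATSONX_API_KEY" | b64_oneline)" \
    "$(printf '%s' "$WATSONX_API_PROJECT_ID" | b64_oneline)" \
    "$(printf '%s' "$WATSONX_API_URL" | b64_oneline)"
}

# Usage with the page's command (runs kubectl only if the checks pass):
#   patch=$(build_secret_patch) && kubectl patch secret/app-cfg-secret \
#     -n "$CONCERT_NAMESPACE" --type=merge -p "$patch"
```
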

For Concert deployments on a virtual machine, run the following two commands to export the variables and restart the service:
  1. Apply the watsonx.ai configuration:
    echo "WATSONX_API_KEY=$WATSONX_API_KEY" >> ibm-concert-std/etc/local_config.env
    echo "WATSONX_API_PROJECT_ID=$WATSONX_API_PROJECT_ID" >> ibm-concert-std/etc/local_config.env
    echo "WATSONX_API_URL=$WATSONX_API_URL" >> ibm-concert-std/etc/local_config.env
  2. Restart the py-utils service:
    ibm-concert-std/bin/start_service ibm-roja-py-utils
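
An alternative to the append commands in step 1 of the virtual machine procedure, added here as an example and not part of IBM's documentation: because `>>` adds a second line each time a key is rotated, this hypothetical helper `set_env_var` replaces any earlier definition and leaves the file readable by its owner only. It assumes the Concert services read local_config.env as the same user that owns the file.

```shell
#!/bin/sh
# Added example (not IBM code). set_env_var is a hypothetical helper.
# Assumption: the service reads the env file as the file's owner.

# Set KEY=VALUE in an env file, replacing any earlier line for the same key.
# The body runs in a subshell so the umask change does not leak to the caller.
set_env_var() (  # $1 = file, $2 = key, $3 = value
  file=$1; key=$2; value=$3
  umask 077                                   # temp file: owner read/write only
  tmp=$(mktemp "${file}.XXXXXX") || exit 1
  if [ -f "$file" ]; then
    # Keep every line except a previous definition of this key.
    # grep exits 1 when nothing is left to copy; that is not an error here.
    grep -v "^${key}=" "$file" > "$tmp" || true
  fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  # Rename within the same directory so readers never see a half-written file.
  chmod 600 "$tmp" && mv "$tmp" "$file"
)

# Usage with the page's file and variables:
#   cfg=ibm-concert-std/etc/local_config.env
#   set_env_var "$cfg" WATSONX_API_KEY "$WATSONX_API_KEY"
#   set_env_var "$cfg" WATSONX_API_PROJECT_ID "$WATSONX_API_PROJECT_ID"
#   set_env_var "$cfg" WATSONX_API_URL "$WATSONX_API_URL"
```
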