Security settings for watsonx Orchestrate on IBM Software Hub

The following sections describe the security settings for watsonx Orchestrate on IBM Software Hub.

Managing custom Transport Layer Security (TLS) certificates

TLS is enabled by default for all internal microservice communication. Some platform features, such as configuring external APIs, Python tools, and OpenAPI tools, let you define outbound HTTPS endpoints. Outbound calls from watsonx Orchestrate fail TLS verification if an endpoint uses a self-signed certificate or a certificate from a private or unknown CA that is not trusted by the system truststore.

When watsonx Orchestrate cannot establish trust with an outbound HTTPS endpoint, you might see errors similar to the following ones:
  • certificate verify failed
  • self signed certificate
  • unable to get local issuer certificate
  • CERTIFICATE_VERIFY_FAILED
To address this, add the required CA certificates to the watsonx Orchestrate truststore by using the IBM Software Hub capability for injecting custom certificates. Add only the issuing CA certificate (and any intermediate certificates that the endpoint does not send itself); do not work around the error by disabling TLS verification for the endpoint.
Adding a CA certificate
Add your CA certificate to the truststore if your endpoint uses:
  • A self-signed certificate
  • An internal corporate CA
  • Certificates issued by a private PKI
For more details, see Creating a secret to store shared custom certificates.
Don't add a CA certificate if your endpoint uses a certificate from a public CA that is already in the system truststore, such as:
  • DigiCert
  • Let's Encrypt
  • GlobalSign
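The failures listed above can be reproduced offline with a constructed private CA. The following script is an added example and is not part of the watsonx Orchestrate documentation or product code; it assumes the openssl command-line tool is installed, and the CA name (Example Internal Root CA), the endpoint name (api.internal.example), and the working directory ($WORK) are constructed. It shows that the same server certificate produces "unable to get local issuer certificate" when only the system truststore is consulted, that the private CA certificate on its own reports "self signed certificate", and that verification succeeds as soon as the CA certificate is supplied as the truststore, which is what adding it to the watsonx Orchestrate truststore accomplishes.

```shell
#!/bin/sh
# Added example, not from the watsonx Orchestrate documentation or product code.
# Reproduces the outbound TLS trust failure with a constructed private PKI and
# shows that supplying the CA certificate as the truststore resolves it.
# Assumes the openssl command-line tool is installed. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a private root CA and a server certificate issued by it (constructed PKI).
make_private_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=api.internal.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Map raw openssl output to the error classes that appear in the product logs.
classify_verify_output() {
  case "$1" in
    *": OK"*) echo ok ;;
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *"self signed certificate"*|*"self-signed certificate"*) echo "self signed certificate" ;;
    *) echo "certificate verify failed" ;;
  esac
}

# verify_cert CERT_FILE [CA_FILE]
# Verifies CERT_FILE against CA_FILE, or against the system default store when
# CA_FILE is omitted (what an outbound call sees before the custom CA is added).
verify_cert() {
  cert="$1"; cafile="${2:-}"
  if [ -n "$cafile" ]; then
    out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1 || true)
  else
    out=$(openssl verify "$cert" 2>&1 || true)
  fi
  classify_verify_output "$out"
}

# Print the PEM chain an endpoint actually serves (needs network; not run here).
# Servers normally send the leaf and intermediates but not the root, so the root
# CA certificate to add to the truststore usually comes from the CA operator.
fetch_endpoint_chain() {
  host="${1%%:*}"
  openssl s_client -connect "$1" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

make_private_pki
echo "leaf, system store only:      $(verify_cert "$WORK/server.crt")"
echo "self-signed CA, no trust:     $(verify_cert "$WORK/ca.crt")"
echo "leaf with private CA trusted: $(verify_cert "$WORK/server.crt" "$WORK/ca.crt")"
```

Run the script on a workstation rather than inside the product. For a real endpoint, use fetch_endpoint_chain host:443 to see which issuer signed the served certificate, and verify_cert against the CA file you intend to trust before placing that CA certificate in the IBM Software Hub secret described in Creating a secret to store shared custom certificates. If the CA is a public one, verify_cert with no CA file already reports ok and nothing needs to be added.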