Occasionally you may need to change the configuration of your Hybrid Data Security node: updating machine accounts, updating certificates, updating database settings, or creating a new configuration to prepare a new data center.
Machine account updates
Changing x.509 certificates due to expiration or other reasons.
We don't support changing the CN domain name of a certificate. The domain must match the original domain used to register the cluster.
Updating database settings to change to a replica of the PostgreSQL or Microsoft SQL Server database.
We don’t support migrating data from PostgreSQL to Microsoft SQL Server, or the opposite way. To switch the database environment, start a new deployment of Hybrid Data Security.
Creating a new configuration to prepare a new data center.
Also, for security purposes, Hybrid Data Security uses service account passwords that have a nine-month lifespan. After the HDS Setup tool generates these passwords, you deploy them to each of your HDS nodes in the ISO config file. When your organization's passwords are nearing expiration, you receive a notice from the Webex team to reset the password for your machine account. (The email includes the text, "Use the machine account API to update the password.") If your passwords haven't expired yet, the tool gives you two options:
Soft reset—The old and new passwords both work for up to 10 days. Use this period to replace the ISO file on the nodes gradually.
Hard reset—The old passwords stop working immediately.
If your passwords expire without a reset, it impacts your HDS service, requiring an immediate hard reset and replacement of the ISO file on all nodes.
Use this procedure to generate a new configuration ISO file and apply it to your cluster.
Before you begin
The HDS Setup tool runs as a Docker container on a local machine. To access it, run Docker on that machine. The setup process requires the credentials of a Control Hub account with full administrator rights for your organization.
If the HDS Setup tool runs behind a proxy in your environment, provide the proxy settings (server, port, credentials) through Docker environment variables when bringing up the Docker container. This table gives some possible environment variables:
The docker repository we use for the HDS Setup tool changed to
ciscocitgin December 2022 (from
HTTP Proxy without authentication
HTTPS Proxy without authentication
HTTP Proxy with authentication
HTTPS Proxy with authentication
You need a copy of the current configuration ISO file to generate a new configuration. The ISO contains the main key encrypting the PostgreSQL or Microsoft SQL Server database. You need the ISO when you make configuration changes, including database credentials, certificate updates, or changes to authorization policy.
Using Docker on a local machine, run the HDS Setup Tool.
If you only have one HDS node running, create a new Hybrid Data Security node VM and register it using the new configuration ISO file. For more detailed instructions, see Create and Register More Nodes in the deployment guide.
For existing HDS nodes that are running the older configuration file, mount the ISO file. Perform the following procedure on each node in turn, updating each node before turning off the next node:
Repeat step 3 to replace the configuration on each remaining node that is running the old configuration.