Occasionally you may need to change the configuration of your Hybrid Data Security node for a reason such as:

  • Machine account updates

  • Changing x.509 certificates due to expiration or other reasons.

    We don't support changing the CN domain name of a certificate. The domain must match the original domain used to register the cluster.

  • Updating database settings to change to a replica of the PostgreSQL or Microsoft SQL Server database.

    We don’t support migrating data from PostgreSQL to Microsoft SQL Server, or the opposite way. To switch the database environment, start a new deployment of Hybrid Data Security.

  • Creating a new configuration to prepare a new data center.

Also, for security purposes, Hybrid Data Security uses service account passwords that have a nine-month lifespan. After the HDS Setup tool generates these passwords, you deploy them to each of your HDS nodes in the ISO config file. When your organization's passwords are nearing expiration, you receive a notice from the Webex team to reset the password for your machine account. (The email includes the text, "Use the machine account API to update the password.") If your passwords haven't expired yet, the tool gives you two options:

  • Soft reset—The old and new passwords both work for up to 10 days. Use this period to replace the ISO file on the nodes gradually.

  • Hard reset—The old passwords stop working immediately.

If your passwords expire without a reset, it impacts your HDS service, requiring an immediate hard reset and replacement of the ISO file on all nodes.

Use this procedure to generate a new configuration ISO file and apply it to your cluster.

Before you begin

  • The HDS Setup tool runs as a Docker container on a local machine. To access it, run Docker on that machine. The setup process requires the credentials of a Control Hub account with full administrator rights for your organization.

    If the HDS Setup tool runs behind a proxy in your environment, provide the proxy settings (server, port, credentials) through Docker environment variables when bringing up the Docker container. This table gives some possible environment variables:

    The docker repository we use for the HDS Setup tool changed to ciscocitg in December 2022 (from ciscosparkhds previously)

    Description

    Variable

    HTTP Proxy without authentication

    GLOBAL_AGENT_HTTP_PROXY=http://SERVER_IP:PORT

    HTTPS Proxy without authentication

    GLOBAL_AGENT_HTTPS_PROXY=http://SERVER_IP:PORT

    HTTP Proxy with authentication

    GLOBAL_AGENT_HTTP_PROXY=http://USERNAME:PASSWORD@SERVER_IP:PORT

    HTTPS Proxy with authentication

    GLOBAL_AGENT_HTTPS_PROXY=http://USERNAME:PASSWORD@SERVER_IP:PORT

  • You need a copy of the current configuration ISO file to generate a new configuration. The ISO contains the main key encrypting the PostgreSQL or Microsoft SQL Server database. You need the ISO when you make configuration changes, including database credentials, certificate updates, or changes to authorization policy.

1

Using Docker on a local machine, run the HDS Setup Tool.

  1. At your machine's command line, enter the appropriate command for your environment:

    In regular environments:

    docker rmi ciscocitg/hds-setup:stable

    In FedRAMP environments:

    docker rmi ciscocitg/hds-setup-fedramp:stable

    This step cleans up previous HDS setup tool images. If there are no previous images, it returns an error which you can ignore.

  2. To sign in to the Docker image registry, enter the following:

    docker login -u hdscustomersro

  3. At the password prompt, enter this hash:

    dckr_pat_aDP6V4KkrvpBwaQf6m6ROkvKUIo

  4. Download the latest stable image for your environment:

    In regular environments:

    docker pull ciscocitg/hds-setup:stable

    In FedRAMP environments:

    docker pull ciscocitg/hds-setup-fedramp:stable

    Make sure you pull the latest Setup tool for this procedure. Versions of the tool created before February 22, 2018 don’t have the password reset screens.

  5. When the pull completes, enter the appropriate command for your environment:

    • In regular environments without a proxy:

      docker run -p 8080:8080 --rm -it ciscocitg/hds-setup:stable

    • In regular environments with an HTTP proxy:

      docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTP_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup:stable

    • In regular environments with an HTTPS proxy:

      docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTPS_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup:stable

    • In FedRAMP environments without a proxy:

      docker run -p 8080:8080 --rm -it ciscocitg/hds-setup-fedramp:stable

    • In FedRAMP environments with an HTTP proxy:

      docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTP_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup-fedramp:stable

    • In FedRAMP environments with an HTTPS proxy:

      docker run -p 8080:8080 --rm -it -e GLOBAL_AGENT_HTTPS_PROXY=http://SERVER_IP:PORT ciscocitg/hds-setup-fedramp:stable

    When the container is running, you see "Express server listening on port 8080."

  6. Use a browser to connect to the localhost, http://127.0.0.1:8080.

    The Setup tool does not support connecting to localhost through http://localhost:8080. Use http://127.0.0.1:8080 to connect to localhost.

  7. When prompted, enter your Control Hub customer sign-in credentials and then click Accept to continue.

  8. Import the current configuration ISO file.

  9. Follow the prompts to complete the tool and download the updated file.

    To shut down the Setup tool, type CTRL+C.

  10. Create a backup copy of the updated file in another data center.

2

If you only have one HDS node running, create a new Hybrid Data Security node VM and register it using the new configuration ISO file. For more detailed instructions, see Create and Register More Nodes in the deployment guide.

  1. Install the HDS host OVA.

  2. Set up the HDS VM.

  3. Mount the updated configuration file.

  4. Register the new node in Control Hub.

3

For existing HDS nodes that are running the older configuration file, mount the ISO file. Perform the following procedure on each node in turn, updating each node before turning off the next node:

  1. Turn off the virtual machine.

  2. In the VMware vSphere client's left navigation pane, right-click on the VM and click Edit Settings.

  3. Click CD/DVD Drive 1, select the option to mount from an ISO file, and browse to the location where you downloaded the new configuration ISO file.

  4. Check Connect at power on.

  5. Save your changes and power on the virtual machine.

4

Repeat step 3 to replace the configuration on each remaining node that is running the old configuration.