Reset Hybrid Data Security service account passwords

When your organization's passwords are nearing expiration, you receive a "Password Expiry Notice" from the Webex team, asking you to reset the password for your machine account. (The email includes the text, "Use the machine account API to update the password.")

Use this procedure to update the passwords.

Before you begin

  • The HDS Setup tool runs as a Docker container on a local machine. To access it, Docker must be running on the machine, and you need Control Hub customer admin sign-in credentials for your organization.

  • You need a copy of the current configuration ISO file to generate a new configuration. The ISO file contains the key for encrypting the PostgresDB, which is required any time you make configuration changes, including database credentials, certificate updates, or changes to authorization policy.

  • For more configuration and maintenance information, see the Deployment Guide for Hybrid Data Security at

The docker repository we use for the HDS Setup tool changed to ciscocitg in December 2022 (from ciscosparkhds previously).

Using Docker on a local machine, run the HDS Setup Tool.

  1. At your machine's command line, type docker login -u hdscustomersro -p dckr_pat_aDP6V4KkrvpBwaQf6m6ROkvKUIo and press Enter.

  2. After logging in, type docker pull ciscocitg/hds-setup:stable and press Enter.

    Make sure you pull the latest Setup tool for this procedure. Versions of the tool created before February 22, 2018 do not have the password reset screens.

  3. When the pull completes, type docker run -p 8080:8080 --rm -it ciscocitg/hds-setup:stable and press Enter.

  4. Use a browser to connect to the localhost,

  5. When prompted, enter your Control Hub customer sign-in credentials and then click Accept to continue.

  6. Import the current configuration ISO file.

  7. On the X.509 Certificate screen, make sure you indicate whether to keep your current certificate, and then click Continue.

  8. Click Continue three times to continue past the Database Credentials, System Logs, and Key Access Level Options screens.

    You do not need to change any of these details in order to complete the password reset.

  9. On the Reset Service Account Passwords screen, if you have loaded the current ISO file and still have time remaining before your passwords expire, you have two options.

    • Soft Reset gives you up to 10 days to deploy the new ISO file on HDS nodes. (You will have less time if your expiry date is within the next 10 days.)

    • Hard Reset immediately expires your current passwords. You must deploy the new ISO file immediately. This is your only option if your passwords have already expired, or if you loaded an older configuration file.

  10. Once you have chosen an option, or if you want to skip reset at this time, click Continue.

  11. When prompted, download the new configuration ISO file.

    To shut down the Setup tool, type CTRL+C.

  12. Create a backup copy of the updated ISO file in another data center.


If you only have one HDS node running, create a new Hybrid Data Security node VM and register it using the new configuration ISO file. For more detailed instructions, see "Create and Register More Nodes" in the "Set up a Hybrid Data Security Cluster" chapter of the Deployment Guide for Hybrid Data Security.

  1. Install the HDS host OVA.

  2. Set up the HDS VM.

  3. Mount the updated configuration file.

  4. Register the new node in Control Hub.


On an existing HDS node running the older configuration file, do the following substeps:

  1. Turn off the virtual machine.

  2. (Optional) To prevent alerting, remove the node from the cluster. See "Remove a Node" in the "Manage HDS Deployment" chapter of the Deployment Guide for Hybrid Data Security.

  3. In the VMware vSphere client's left navigation pane, right-click on the VM and click Edit Settings.

  4. Click CD/DVD Drive 1, select the option to mount from an ISO file, and browse to the location where you downloaded the new configuration ISO file.

  5. Check Connect at power on.

  6. Save your changes and power on the virtual machine.


Repeat step 3 to replace the configuration on each remaining node that is running the old configuration.