joeeltgroth
diff --git a/‎brokered.html.md.erb
+1-1 b/‎brokered.html.md.erb
+1-1
diff --git a/‎cf-concepts.html.md.erb
+1-1 b/‎cf-concepts.html.md.erb
+1-1
diff --git a/‎concourse.html.md.erb
+1-1 b/‎concourse.html.md.erb
+1-1
diff --git a/‎create-credhub-vars.html.md.erb
+99-6 b/‎create-credhub-vars.html.md.erb
+99-6
diff --git a/‎credhub-index.html.md.erb
+1-1 b/‎credhub-index.html.md.erb
+1-1
diff --git a/‎credhub.html.md.erb
+2-2 b/‎credhub.html.md.erb
+2-2
diff --git a/‎environments.html.md.erb
+1-1 b/‎environments.html.md.erb
+1-1
diff --git a/‎get-credhub-vars.html.md.erb
+1-1 b/‎get-credhub-vars.html.md.erb
+1-1
diff --git a/‎index.html.md.erb
+2-2 b/‎index.html.md.erb
+2-2
diff --git a/‎migrating-credhub-credentials.html.md.erb
+6-8 b/‎migrating-credhub-credentials.html.md.erb
+6-8
diff --git a/‎migrating-syslog-configuration.html.md.erb
+11-10 b/‎migrating-syslog-configuration.html.md.erb
+11-10
diff --git a/‎nozzle.html.md.erb
+2-2 b/‎nozzle.html.md.erb
+2-2
diff --git a/‎odb-resource-defaults.html.md.erb
+4-4 b/‎odb-resource-defaults.html.md.erb
+4-4
@@ -10,7 +10,7 @@ You can achieve the first real improvement in your <%= vars.platform_name %> use
 
 A brokered service runs external to <%= vars.platform_name %>, but it has a tile
 on [VMware Tanzu Network](http://network.pivotal.io). You install, configure, and upgrade the tile through the
-Ops Manager Installation Dashboard.
+Tanzu Operations Manager Installation Dashboard.
 
 The service broker eliminates the need for you to know the URLs and
 credentials for your services. They are managed automatically by the broker.
 
@@ -23,7 +23,7 @@ use the following links:
 
 Cloud Foundry is primarily a cloud-native application platform. To understand how to integrate your services with Cloud Foundry, you must understand how your customers are using the platform to develop, deploy, and operate their applications.
 
-- [Tanzu Operations Manager Tile Developer guide](https://docs.vmware.com/en/Tile-Developer-Guide/3.0/tile-dev-guide/index.html) explains how to push an app to run on <%= vars.platform_name %> and use services.
+- [Tanzu Operations Manager Tile Developer Guide](https://docs.vmware.com/en/Tile-Developer-Guide/3.0/tile-dev-guide/index.html) explains how to push an app to run on <%= vars.platform_name %> and use services.
 - [Overview of logging and metrics](https://docs.vmware.com/en/Tile-Developer-Guide/3.0/tile-dev-guide/cf-concepts.html) describes how <%= vars.app_runtime_abbr %> aggregates and streams logs and metrics from the apps it hosts and from internal system components.
 
 ## <a id="services"></a> Services
 
@@ -74,7 +74,7 @@ For new tiles, this can take up to an hour.
 After the stage and scan tasks, you must configure your tile on the Tile Dashboard.
 The configuration specfies how the tile is installed on the test environment.
 
-Configuring your tile through the Tile Dashboard is equivalent to configuring the tile on Ops Manager
+Configuring your tile through the Tile Dashboard is equivalent to configuring the tile on Tanzu Operations Manager
 after you download it from the VMware Tanzu Network.
 
 There are two ways that you can configure the tile on the Tile Dashboard:
 
@@ -5,7 +5,7 @@ owner: CredHub
 
 You can use CredHub to manage variables in the context of a larger deployment, and create new variables.
 
-When a tile author defines a top-level `variables` section in the product template, Ops Manager passes
+When a tile author defines a top-level `variables` section in the product template, Tanzu Operations Manager passes
 the `variables` section to the
 product manifest.
 
@@ -23,12 +23,12 @@ You can reference these variables in the manifest snippets in their tile metadat
 ((( EXAMPLE-CREDHUB-PASSWORD )))
 ```
 
-When you use triple parentheses, use Ops Manager to identify CredHub variables while still supporting the BOSH double
+When you use triple parentheses, use Tanzu Operations Manager to identify CredHub variables while still supporting the BOSH double
 parentheses syntax. A variable that is referenced
 within triple parentheses is replaced by double parentheses in the generated manifest. After contacting CredHub,
 BOSH populates that variable value internally.
 
-The benefit of this approach is that the Ops Manager YAML file does not contain sensitive credentials when the metadata
+The benefit of this approach is that the Tanzu Operations Manager YAML file does not contain sensitive credentials when the metadata
 manifest snippets have triple parentheses. The resulting manifest file contains variables within double
 parentheses, rather than unobscured credentials.
 
@@ -39,7 +39,7 @@ For example, a tile author adds credentials to a manifest snippet in the followi
   key: prefix-((( ANOTHER-CREDHUB-PASSWORD )))-suffix
 ```
 
-Ops Manager then evaluates the preceding example to generate the following section in the product manifest:
+Tanzu Operations Manager then evaluates the preceding example to generate the following section in the product manifest:
 
 ```
   (( EXAMPLE-CREDHUB-PASSWORD ))
@@ -48,7 +48,7 @@ Ops Manager then evaluates the preceding example to generate the following secti
 
 ## <a id='how-it-works'></a> How CredHub works within a deployment
 
-CredHub is distributed as a BOSH release. As part of this installation, Ops Manager co-locates the
+CredHub is distributed as a BOSH release. As part of this installation, Tanzu Operations Manager co-locates the
 CredHub release on the BOSH Director, including the CredHub job configurations, and the BOSH Director is configured to point
 to the CredHub API.
 
@@ -84,7 +84,7 @@ instance_groups:
           private_key: ((EXAMPLE-TLS.private_key))
 ```
 
-Ops Manager configures the BOSH Director to generate a credential if it does not exist. The manifest includes generation
+Tanzu Opertions Manager configures the BOSH Director to generate a credential if it does not exist. The manifest includes generation
 parameters that define how the
 credential must be generated. These generation parameters are defined in the variables section.
 
@@ -135,3 +135,96 @@ Here is an example of a precisely typed variable:
 ```
 ((/EXAMPLE-PASSWORD))
 ```
+
+## <a id='credhub-ca-refs'></a> Reference existing CAs in CredHub variables
+
+This section describes how to reference existing CAs stored in CredHub correctly in your tile's property configuration.
+
+In Tanzu Operations Manager v2.9 and later, you can perform a bulk rotation of all CAs and certificates in a foundation, which might include leaf certificates used by individual service tiles. Tanzu Operations Manager invokes CredHub Maestro to perform this operation.
+
+CredHub Maestro requires that any triple parentheses references to CAs that sign leaf certificates must return a concatenated version of the CA. The concatenated version, which includes the older and newer CA, ensures that jobs using leaf certificates do not lose trusted state during CA rotation. This translates to the least amount of downtime of your tile's services during certificate rotation.
+
+When referencing a CA stored in CredHub, use the format `LEAF-CERTIFICATE-NAME.ca` to ensure that a concatenated version of the CA is returned. Do not reference the CA directly with the format `CA-CERTIFICATE-NAME.certificate`.
+
+The following table presents examples of the correct and incorrect way to reference CAs and leaf certificates in order to support certificate rotation by CredHub Maestro.
+
+<div>
+  <table class="nice">
+    <style>
+      main table {
+        table-layout: fixed;
+      }
+    </style>
+  <col width="50%">
+  <col width="50%">
+  <tr>
+    <th> Correct Format </th>
+    <th> Incorrect Format </th>
+  </tr>
+  <tr>
+    <td>
+     <pre>
+templates:
+ - name: bpm
+   release: bpm
+ - manifest: |
+...
+.properties.routing_backends_client_cert_with_san.cert_pem ))
+    private_key: (( .properties.routing_backends_client_cert_with_san.private_key_pem ))
+    ca_certs: |
+      (( .properties.routing_custom_ca_certificates.value ))
+      (( $ops_manager.ca_certificate ))
+      <span style="font-weight: bold;background-color: #98FB98;">((( /cf/some-diego-leaf-cert.ca )))</span>
+      <span style="font-weight: bold;background-color: #98FB98;">((( /cf/some-diego-leaf-2-6.ca)))</span>
+      forwarded_client_cert: (( .properties.routing_tls_termination.selected_option.parsed_manifest(gorouter_forwarded_client_cert) ))
+variables:
+ - name: /cf/diego-instance-identity-root-ca
+    options:
+      common_name: Diego Instance Identity Root CA
+      duration: 1095
+      is_ca: true
+      type: certificate
+ - name: /cf/diego-instance-identity-root-ca-2-6
+    options:
+      common_name: Diego Instance Identity Root CA
+      duration: 1095
+      is_ca: true
+      type: certificate
+  <span style="font-weight:bold; background-color: #98FB98;">- name: /cf/some-diego-leaf-cert.ca</span>
+    options:
+      ca: /cf/diego-instance-identity-root-ca
+      type: certificate
+  <span style="font-weight:bold; background-color: #98FB98;">- name: /cf/some-diego-leaf-2-6.ca</span>
+    options:
+      ca: /cf/diego-instance-identity-root-ca-2-6
+      type: certificate </pre></td>
+<td valign="top">
+      <pre>
+templates:
+ - name: bpm
+   release: bpm
+ - manifest: |
+...
+.properties.routing_backends_client_cert_with_san.cert_pem ))
+    private_key: (( .properties.routing_backends_client_cert_with_san.private_key_pem ))
+    ca_certs: |
+      (( .properties.routing_custom_ca_certificates.value ))
+      (( $ops_manager.ca_certificate ))
+      <span style="font-weight: bold;background-color: #FFCCCB;">((( /cf/diego-instance-identity-root-ca.certificate )))</span>
+      <span style="font-weight: bold;background-color: #FFCCCB;">((( /cf/diego-instance-identity-root-ca-2-6.certificate )))</span>
+      forwarded_client_cert: (( .properties.routing_tls_termination.selected_option.parsed_manifest(gorouter_forwarded_client_cert) ))
+variables:
+ - name: /cf/diego-instance-identity-root-ca
+   options:
+     common_name: Diego Instance Identity Root CA
+     duration: 1095
+     is_ca: true
+     type: certificate
+- name: /cf/diego-instance-identity-root-ca-2-6
+  options:
+     common_name: Diego Instance Identity Root CA
+     duration: 1095
+     is_ca: true
+     type: certificate</pre></td>
+  </tr>
+</table>
@@ -9,4 +9,4 @@ Here are resources for using CredHub.
 *   [Creating new variables in CredHub](/docs-tiledev/create-credhub-vars.html)
 *   [Migrating existing credentials to CredHub](/docs-tiledev/migrating-credhub-credentials.html)
 *   [Fetching variable names and values](/docs-tiledev/get-credhub-vars.html)
-*   [Securing service credentials with runtime CredHub](/docs-tiledev/ssi-creds-tiledev.html)
+*   [Securing service credentials with Runtime CredHub](/docs-tiledev/ssi-creds-tiledev.html)
@@ -17,7 +17,7 @@ See the [CredHub documentation](https://docs.cloudfoundry.org/credhub/index.html
 Many <%= vars.platform_name %> components use credentials to authenticate connections, and <%= vars.platform_name %> installations often have hundreds of active credentials. Secure credential management is essential to prevent data and security breaches.
 
 In <%= vars.platform_name %> v1.11.0 and later, CredHub runs on the BOSH VM, alongside the
-BOSH Director and UAA. Ops Manager v1.11 and later stores its credentials in CredHub,
+BOSH Director and UAA. Tanzu Operations Manager v1.11 and later stores its credentials in CredHub,
 and you can retrieve them using the CredHub API or the **Credentials** tab of the BOSH Director tile.
 You can embed CredHub calls in [manifest snippets](#snippets) and <%= vars.app_runtime_abbr %> apps can retrieve credentials using the CredHub API.ile developers
 
@@ -49,7 +49,7 @@ For more information on how to create new varaiables in Credhub, see <a href="./
 ## <a id="migrate-creds"></a>Migrating credentials
 
 To migrate existing non-configurable credentials to CredHub, such as blobstore secrets and backup encryption keys,
-use the JavaScript migration process. After a successful migration, Ops Manager deletes the migrated credentials from installation.yml file.
+use the JavaScript migration process. After a successful migration, Tanzu Operations Manager deletes the migrated credentials from installation.yml file.
 
 For more information about migrating Credhub credentials, see [Migrating existing credentials to CredHub](./migrating-credhub-credentials.html).
 
 
@@ -18,7 +18,7 @@ for Pivotal Technical Partnership Program (PTPP) program members to develop thei
 
 To use your assigned PIE environment:
 
-1. Log on to the <%= vars.company_name %> Tile Dashboard using the credentials that you use for [Partners Slack](https://pivotalpartners.slack.com/).
+1. Log in to <%= vars.company_name %> Tile Dashboard using the credentials that you use for [Partners Slack](https://pivotalpartners.slack.com/).
 
 1. Click the `pie-xx` environment assigned to you.
 
 
@@ -14,7 +14,7 @@ The API endpoints perform these functions:
 
 ### <a id="use-api-endpoints"></a> Using the API endpoints
 
-You can Use endpoints to view variables for any product in Ops Manager, except the BOSH Director. These
+You can Use endpoints to view variables for any product in Tanzu Operations Manager, except the BOSH Director. These
 endpoints are read-only. You
 cannot use them to add, remove, or rotate variables.
 
 
@@ -1,10 +1,10 @@
 ---
-title: Ops Manager Tile Developer guide
+title: Tanzu Operations Manager Tile Developer Guide
 owner: Services
 ---
 
 You can use the following VMware Tanzu Partners information to learn how to build and publish processes for an
-Ops Manager tile on [VMware Tanzu Network](https://network.pivotal.io/).
+Tanzu Operations Manager tile on [VMware Tanzu Network](https://network.pivotal.io/).
 
 For advanced developers with previous experience building tiles, see [Property and template references](./property-template-references.html) and [Development workflow reference](./dev-workflow.html).
 
 
@@ -3,20 +3,18 @@ title: Migrating existing credentials to CredHub
 owner: CredHub
 ---
 
-You can migrate non-configurable secrets from Ops Manager into CredHub.
+You can migrate non-configurable secrets from Tanzu Operations Manager into CredHub.
 
-## <a id="cred-types"></a>CredHub credential types
+CredHub uses BOSH credential types, which can have different names than Tanzu Operations Manager credential types.
 
-CredHub uses BOSH credential types, which can have different names than Ops Manager credential types.
-
-The following table lists the Ops Manager credential types you can migrate to CredHub and the
+The following table lists the Tanzu Operations Manager credential types you can migrate to CredHub and the
 corresponding CredHub credential types:
 
 <table>
   <tr>
-    <th>Ops Manager Credential Type</th>
+    <th>Tanzu Operations Manager Credential Type</th>
     <th>CredHub Credential Type</th>
-    <th>Supported Ops Manager Version</th>
+    <th>Supported Tanzu Operations Manager Version</th>
   </tr>
   <tr>
     <td><code>secret</code></td>
@@ -46,7 +44,7 @@ See [Property and template references](./property-template-references.html#secre
 
 ## <a id="javascript"></a> Use the javaScript migration process
 
-Tile authors can write a JavaScript migration to move their existing non-configurable secrets into CredHub. After a successful migration, Ops Manager deletes credentials from the  `installation.yml` file.
+You can write a JavaScript migration to move their existing non-configurable secrets into CredHub. After a successful migration, Tanzu Operations Manager deletes credentials from the  `installation.yml` file.
 
 1. Use the following example to write the JavaScript migration.
 Save the JavaScript file to the `PRODUCT/migrations/v1` directory of your `.pivotal` tile,
 
@@ -1,20 +1,20 @@
 ---
-title: Migrating existing syslog configuration to Ops Manager
+title: Migrating existing Syslog configuration to Tanzu Operations Manager
 owner: Ops Manager
 ---
 
 You can migrate existing syslog properties that are defined by a tile into a syslog form that
-is provided in Ops Manager v2.9 and later.
+is provided in Tanzu Operations Manager v2.9 and later.
 
-When you enable the Ops Manager syslog feature, Ops Manager:
+When you enable the Tanzu Operations Manager syslog feature, Tanzu Operations Manager:
 
 * Provides your tile with its own syslog form.
 * Ensures that the syslog BOSH release is automatically injected into the instance groups of your product.
-* Includes syslog configuration properties when Ops Manager injects the syslog release into your product.
+* Includes syslog configuration properties when Tanzu Operations Manager injects the syslog release into your product.
 
 ## <a id="syslog-data-model"></a>Syslog data model
 
- The following table lists the Ops Manager syslog parameters that you can use to migrate your existing
+ The following table lists the Tanzu Operations Manager syslog parameters that you can use to migrate your existing
  configurations:
 
 <table class="nice">
@@ -95,8 +95,8 @@ When you enable the Ops Manager syslog feature, Ops Manager:
 ## <a id="javascript"></a> Use the JavaScript migration process
 
 Tile authors can write a JavaScript migration to move their existing syslog properties into the
-syslog form provided by Ops Manager. After a successful migration, Ops Manager presents the
-migrated syslog properties in the syslog form of the tile.
+syslog form provided by Tanzu Operations Manager. After a successful migration, Tanzu Operations Manager presents the
+migrated syslog properties in the Syslog form of the tile.
 
 1. Set the `opsmanager_syslog` property to `true` in your `metadata.yml` file.
 For more information, see [opsmanager_syslog](./property-template-references.html#syslog-flag).
@@ -140,11 +140,12 @@ longer used to configure the syslog.
 
 1. Run a deployment test of your tile using the procedures in [Testing Tiles](./testing.html).
 
-1. Verify that your syslog properties are migrated into the Ops Manager syslog
+1. Verify that your syslog properties are migrated into the Tanzu Operations Manager syslog
 configuration:
 
-    * View the configurations in the **Syslog** pane in Ops Manager **Settings** page.
-    * View your syslog properties using the `syslog_configuration` Ops Manager API endpoint.
+    * View the configurations in the **Syslog** pane in Tanzu Operations Manager **Settings** page.
+    * View your syslog properties using the `syslog_configuration` Tanzu Operations Manager API endpoint.
+
     For more information about the `syslog_configuration` API endpoint, see
     [Retrieving syslog configuration for a product](https://docs.pivotal.io/platform/2-10/opsman-api/#tag/Syslog-Configuration/paths/~1api~1v0~1staged~1products~1{product_guid}~1syslog_configuration/get).
 
 
@@ -1,5 +1,5 @@
 ---
-title: How to integrate services with Cloud Foundry's logging system
+title: Logs, metrics, and nozzles
 owner: Services
 ---
 You can integrate services with Cloud Foundry's logging system, _Loggregator_, by writing to and
@@ -71,7 +71,7 @@ do the following:
 
     Where `CERTIFICATE` and `KEY` are the values used for mutual TLS communication. For example, `.properties.agent_certificate.cert_pem` and `.properties.agent_certificate.private_key_pem`.
 
-1. Generate the Ops Manager CA certificate and sign the certificate that is needed for mutual TLS communication,
+1. Generate the Tanzu Operations Manager CA certificate and sign the certificate that is needed for mutual TLS communication,
 with the following properties:
 
     ```
 
@@ -9,15 +9,15 @@ On-Demand service tiles have a configuration pane for each service plan.
 You can use the drop-down menu on the configuration pane to set the VM type and persistent disk type for
 each instance of that plan.
 
-Ops Manager populates the menu with options that are based on the VM and disk options available
+Tanzu Operations Manager populates the menu with options that are based on the VM and disk options available
 on the current IaaS.
 When you set default values for VMs and disk types, it helps you to select the right
 resources for on-demand service
 broker (ODB) services when you use on-demand plans.
 
 <p class="note">
 <span class="note__title">Note</span>
-Ops Manager 2.9 and later supports defining VM and disk type defaults and constraints.
+Tanzu Operations Manager 2.9 and later supports defining VM and disk type defaults and constraints.
 </p>
 
 ## <a id="defaults"></a>VM and Persistent disk types
@@ -27,12 +27,12 @@ disk type come from the `disk_type_dropdown` property.
 
 Tile authors do not specify the menu items in the product template.
 
-Because VM and disk options differ by IaaS, Ops Manager uses a best-fit algorithm to match
+Because VM and disk options differ by IaaS, Tanzu Operations Manager uses a best-fit algorithm to match
 defaults to their closest equivalents on the IaaS, similar to how the **Resource Config** pane
 handles the **VM Type** and **Persistent Disk Type** options.
 
 If a tile developer does not include a default value for a VM or disk resource, and then you configure the tile and do not choose a value from
-  the drop-down menu, Ops Manager by default sets the resource to the smallest option available on the IaaS.
+  the drop-down menu, Tanzu Operations Manager by default sets the resource to the smallest option available on the IaaS.
 
 ### <a id="vm-type"></a>Set VM type defaults