The docs currently show:

Retrieve the Ops Manager Root CA as a File
To return the Ops Manager root CA as a file, use curl to make the following API call:

curl "https://OPS-MAN-FQDN/download_root_ca_cert \
      -X GET \
      -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"
Where YOUR-UAA-ACCESS-TOKEN is your Ops Manager access token without any newline characters such as \n.

I believe the command should be:

curl "https://OPS-MAN-FQDN/download_root_ca_cert" \
      -X GET \
      -H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"
Where YOUR-UAA-ACCESS-TOKEN is your Ops Manager access token without any newline characters such as \n.

Adding the " after download_root_ca_cert made the curl command work for me; else, I got this error following the docs:

curl: (6) Could not resolve host: Bearer
curl: (6) Could not resolve host: <redacted>

https://docs.pivotal.io/pivotalcf/2-4/security/networking/diego-network-paths.html#outbound lists diego outbound connections.

There is a row for diego cell (rep) communicating to the nfs_server/blobstore. It indicates "Varies" due to the optional target for blob store. The footnote explains that it is option, but does not provide the port number in the event that they use the PAS internal blob store. The docs would be better if we indicated what port is required for internal PAS blob store.

Via internal slack with capi cf-capi team, it was determined to be TLS over 4443. https://pivotal.slack.com/archives/C3LV25ZCM/p1551192077049900 . Please consider updating the documentation footnote with this information.

https://docs.pivotal.io/pivotalcf/2-3/security/pcf-infrastructure/api-cert-rotation.html

The directions for CA rotation call out running certain errands on service tiles: "Enable the Recreate All Service Instances errand if provided.". In practice we found that no errands had this name, but several had the errand called (something like) Upgrade All Service Instances. Was this the intended errand name?

https://github.com/pivotal-cf/docs-pcf-security/blob/6aa2f4b3a0083fc6f8e28a296ceb9f0f562ae5ff/networking/loggregator-network-paths.html.md.erb#L78

only 25595 is mentioned but user gets this error we are getting the following error in the bosh-system-metrics-forwarder logs on the loggregator nodes:
unable to get token: Post https://<director>:8443/oauth/token: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

The directions for adding a Custom VM differ from the directions from a normal CA rotation in that the custom CA skips all the required steps of rebuilding all VMs before enabling the new CA. This (I think) will lead to foundation failure.

Custom CA Step 2 (just enable it!) - https://docs.pivotal.io/pivotalcf/2-3/security/pcf-infrastructure/custom-ca-cert.html#add
Normal CA Rotation - has steps 4, 5, 6, 7, 8, and 9 that I think are also needed for a Custom CA rotation - https://docs.pivotal.io/pivotalcf/2-3/security/pcf-infrastructure/api-cert-rotation.html

If the intent was to apply a custom CA BEFORE deploying PCF then I believe the Custom CA steps will work, after installation, it will not.

Please specify thatn disk encryption is only supported on Gallery Item VM´s ...

Azure Disk Encryption is only supported on specific Azure Gallery based Linux server distributions and versions. For the list of currently supported versions, refer to the Azure Disk Encryption FAQ.

Pivotal uses GITBOT to synchronize Github issues and pull requests with Pivotal Tracker.
Please add your new repo to the GITBOT config-production.yml in the Gitbot configuration repo.
If you don't have access you can send an ask ticket to the CF admins. We prefer teams to submit their changes via a pull request.

Steps:

• Fork this repo: cfgitbot-config
• Add your project to config-production.yml file
• Submit a PR

If there are any questions, please reach out to [email protected].