JoyLearnGit
diff --git a/‎datacenter/dtr/2.1/guides/high-availability/backups-and-disaster-recovery.md‎
Lines changed: 3 additions & 4 deletions b/‎datacenter/dtr/2.1/guides/high-availability/backups-and-disaster-recovery.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎datacenter/dtr/2.1/guides/install/scale-your-deployment.md‎
Lines changed: 6 additions & 3 deletions b/‎datacenter/dtr/2.1/guides/install/scale-your-deployment.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎datacenter/install/linux.md‎
Lines changed: 4 additions & 4 deletions b/‎datacenter/install/linux.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎datacenter/ucp/2.0/guides/access-ucp/cli-based-access.md‎
Lines changed: 22 additions & 36 deletions b/‎datacenter/ucp/2.0/guides/access-ucp/cli-based-access.md‎
Lines changed: 22 additions & 36 deletions
diff --git a/‎datacenter/ucp/2.0/guides/access-ucp/index.md‎
Lines changed: 4 additions & 0 deletions b/‎datacenter/ucp/2.0/guides/access-ucp/index.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎datacenter/ucp/2.0/guides/applications/deploy-app-cli.md‎
Lines changed: 7 additions & 7 deletions b/‎datacenter/ucp/2.0/guides/applications/deploy-app-cli.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎datacenter/ucp/2.0/guides/applications/index.md‎
Lines changed: 1 addition & 1 deletion b/‎datacenter/ucp/2.0/guides/applications/index.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎datacenter/ucp/2.0/guides/configuration/index.md‎
Lines changed: 27 additions & 17 deletions b/‎datacenter/ucp/2.0/guides/configuration/index.md‎
Lines changed: 27 additions & 17 deletions
@@ -56,8 +56,7 @@ backup command to learn about all the available flags.
 
 As an example, to create a backup of a DTR node, you can use:
 
-```bash
-# Create the backup
+```none
 $ docker run -i --rm docker/dtr backup \
   --ucp-url <ucp-url> \
   --ucp-insecure-tls \
@@ -76,7 +75,7 @@ Where:
 To validate that the backup was correctly performed, you can print the contents
 of the tar file created:
 
-```bash
+```none
 $ tar -tf /tmp/backup.tar
 ```
 
@@ -105,7 +104,7 @@ backup command to learn about all the available flags.
 As an example, to install DTR on the host and restore its
 state from an existing backup:
 
-```bash
+```none
 # Install and restore configurations from an existing backup
 $ docker run -i --rm \
   docker/dtr restore \
 
@@ -20,9 +20,9 @@ you're going to install these replicas also need to be managed by UCP.
 
 To add replicas to an existing DTR deployment:
 
-1. Load your UCP user bundle.
+1. Use ssh to log into a node that is already part of UCP.
 
-2.  Run the join command.
+2.  Run the DTR join command:
 
     ```none
     docker run -it --rm \
@@ -39,7 +39,10 @@ To add replicas to an existing DTR deployment:
 
 ## Remove existing replicas
 
-To remove a DTR replica from a deployment, run:
+To remove a DTR replica from your deployment:
+
+1. Use ssh to log into a node that is already part of UCP.
+2.  Run the DTR remove command:
 
 ```none
 docker run -it --rm \
 
@@ -33,7 +33,7 @@ Also make sure the hosts are running one of these operating systems:
 Install the commercially supported Docker Engine on all hosts you want to manage
 with Docker Datacenter.
 
-Log in into each node using ssh, and install CS Docker Engine:
+Log in into each host using ssh, and install CS Docker Engine:
 
 ```bash
 curl -SLf https://packages.docker.com/1.12/install.sh | sh
@@ -59,6 +59,8 @@ docker run --rm -it --name ucp \
 This runs the install command in interactive mode, so that you're prompted
 for any necessary configuration values.
 
+[Learn more about the UCP installation](../ucp/2.9/guides/installation/index.md)
+
 ### Step 4: License your installation
 
 Now that UCP is installed, you need to license it. In your browser, navigate
@@ -110,7 +112,5 @@ by UCP.
 
 ## Where to go next
 
-* [Create and manage users](../ucp/2.0/guides/user-management/create-and-manage-users.md)
 * [Deploy an application](../ucp/2.0/guides/applications/index.md)
-* [Push an image to DTR](../dtr/2.1/guides/repos-and-images/push-an-image.md)
-* [Considerations for a High Availability Deployment](../ucp/2.0/guides/high-availability/index.md)
+* [Considerations for high availability](../ucp/2.0/guides/high-availability/index.md)
@@ -11,10 +11,10 @@ For this reason, when running docker commands on a UCP node, you need to
 authenticate your request using client certificates. When trying to run docker
 commands without a valid certificate, you get an authentication error:
 
-```markdown
+```none
 $ docker ps
 
-An error occurred trying to connect: Get https://ucp:443/v1.22/containers/json: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" when trying to verify candidate authority certificate "UCP Client Root CA")
+x509: certificate signed by unknown authority
 ```
 
 There are two different types of client certificates:
@@ -26,8 +26,8 @@ controller node.
 
 ## Download client certificates
 
-To download a client certificate bundle, **log into UCP**, and navigate to your
-**profile page**.
+To download a client certificate bundle, log into the **UCP web UI**, and
+navigate to your user **profile page**.
 
 ![](../images/cli-based-access-1.png)
 
@@ -36,66 +36,52 @@ Click the **Create a Client Bundle** button, to download the certificate bundle.
 
 ## Use client certificates
 
-Once you've downloaded a client certificate bundle, you can use it to
-authenticate your requests.
+Once you've downloaded a client certificate bundle to your local computer, you
+can use it to authenticate your requests.
 
-Navigate to the directory where you downloaded the bundle, and unzip it. Then
-run the `env.sh` script to start using the client certificates.
+Navigate to the directory where you downloaded the user bundle, and unzip it.
+Then source the `env.sh` script.
 
-```bash
+```none
 $ unzip ucp-bundle-dave.lauper.zip
 $ cd ucp-bundle-dave.lauper
 $ eval $(<env.sh)
 ```
 
-The env.sh script updates the `DOCKER_HOST` and `DOCKER_CERT_PATH`
-environment variables to use the certificates you downloaded.
+The `env.sh` script updates the `DOCKER_HOST` environment variable to make your
+local Docker CLI communicate with UCP. It also updates the `DOCKER_CERT_PATH`
+environment variables to use the client certificates that are included in the
+client bundle you downloaded.
 
 From now on, when you use the Docker CLI client, it includes your client
-certificates as part of the request to the Docker Engine. You can now use the
-`docker info` command to see if the certificates are being sent to the Docker
-Engine.
-
-```markdown
-$ docker info
-
-Containers: 11
-Nodes: 2
- ucp: 192.168.99.100:12376
-  └ Status: Healthy
- ucp-node: 192.168.99.101:12376
-  └ Status: Healthy
-Cluster Managers: 1
- 192.168.99.104: Healthy
-  └ Orca Controller: https://192.168.99.100:443
-  └ Swarm Manager: tcp://192.168.99.100:3376
-  └ KV: etcd://192.168.99.100:12379
-```
-
+certificates as part of the request to the Docker Engine.
+You can now use the Docker CLI to create services, networks, volumes and other
+resources on a swarm managed by UCP.
 
 ## Download client certificates using the REST API
 
-You can also download client certificate bundles using the UCP REST API. In
+You can also download client bundles using the UCP REST API. In
 this example we'll be using `curl` for making the web requests to the API, and
 `jq` to parse the responses.
 
-To install these tools on an Ubuntu distribution, you can run:
+To install these tools on a Ubuntu distribution, you can run:
 
-```bash
+```none
 $ sudo apt-get update && apt-get install curl jq
 ```
 
 Then you get an authentication token from UCP, and use it to download the
 client certificates.
 
-```bash
+```none
 # Create an environment variable with the user security token
 $ AUTHTOKEN=$(curl -sk -d '{"username":"<username>","password":"<password>"}' https://<ucp-ip>/auth/login | jq -r .auth_token)
+
 # Download the client certificate bundle
 $ curl -k -H "Authorization: Bearer $AUTHTOKEN" https://<ucp-ip>/api/clientbundle -o bundle.zip
 ```
 
 ## Where to go next
 
-* [Deploy an app from the UI](../applications/index.md)
+* [Access the UCP web UI](index.md)
 * [Deploy an app from the CLI](../applications/deploy-app-cli.md)
@@ -21,3 +21,7 @@ browser, Administrators can:
 
 Non-admin users can only see and change the images, networks, volumes, and
 containers, they are granted access.
+
+# Where to go next
+
+* [Access UCP from the CLI](cli-based-access.md)
@@ -13,8 +13,8 @@ application.
 
 Docker UCP secures your Docker swarm with role-based access control, so that only
 authorized users can deploy applications. To be able to run
-Docker commands on a swarm managed by UCP, you need to authenticate your
-requests using client certificates.
+Docker commands on a swarm managed by UCP, you need to configure your Docker CLI
+client to authenticate to UCP using client certificates.
 
 [Learn how to set your CLI to use client certificates](../access-ucp/cli-based-access.md).
 
@@ -25,7 +25,7 @@ The WordPress application we're going to deploy is composed of two services:
 * wordpress: The service that runs Apache, PHP, and WordPress.
 * db: A MariaDB database used for data persistence.
 
-After setting up your terminal to authenticate using client certificates,
+After setting up your Docker CLI client to authenticate using client certificates,
 create a file named `docker-compose.yml` with the following service definition:
 
 ```none
@@ -58,14 +58,14 @@ volumes:
 ```
 
 In your command line, navigate to the place where you've created the
-`docker-compose.yml` file and run:
+`docker-compose.yml` file and deploy the application to UCP by running:
 
 ```bash
 $ docker-compose --project-name wordpress up -d
 ```
 
-Test that the WordPress service is up and running, and find where you can
-reach it.
+Test that the WordPress service is up and running, and find on which node it
+was deployed.
 
 ```bash
 $ docker-compose --project-name wordpress ps
@@ -76,7 +76,7 @@ wordpress_db_1          docker-entrypoint.sh mysqld      Up      3306/tcp
 wordpress_wordpress_1   docker-entrypoint.sh apach ...   Up      172.31.18.153:8000->80/tcp
 ```
 
-In this example, WordPress can be accessed at 172.31.18.153:8000. Navigate to
+In this example, WordPress was deployed to 172.31.18.153:8000. Navigate to
 this address in your browser, to start using the WordPress app you just
 deployed.
 
 
@@ -11,7 +11,7 @@ WordPress application.
 
 ## Deploy WordPress
 
-On your browser, **log in** to UCP, and navigate to the **Applications** page.
+In your browser, **log in** to UCP, and navigate to the **Applications** page.
 There, click the **Deploy compose.yml** button, to deploy a new application.
 
 ![](../images/deploy-app-ui-1.png)
 
@@ -5,39 +5,49 @@ keywords: Universal Control Plane, UCP, certificate, authentiation, tls
 title: Use externally-signed certificates
 ---
 
-By default the UCP web UI is exposed using HTTPS, to ensure all
-communications between clients and UCP are encrypted. Since UCP
-controllers use self-signed certificates for this, when a client accesses
-UCP their browsers won't trust this certificate, so the browser displays a
-warning message.
+All UCP services are exposed using HTTPS, to ensure all communications between
+clients and UCP are encrypted. By default this is done using self-signed TLS
+certificates that are not trusted by client tools like web browsers. So when
+you try to access UCP, your browser will warn that it doesn't trust UCP or that
+UCP has an invalid certificate.
 
-You can configure UCP to use your own certificates, so that it is automatically
-trusted by your users' browser and client tools.
+![invalid certificate](../images/use-externally-signed-certs-1.png)
+
+The same happens with other client tools.
+
+```none
+$ curl https://ucp.example.org
+
+SSL certificate problem: Invalid certificate chain
+```
+
+You can configure UCP to use your own TLS certificates, so that it is
+automatically trusted by your browser and client tools.
 
 To ensure minimal impact to your business, you should plan for this change to
-happen outside business peak hours. Your applications will continue
-running normally, but UCP will be unresponsive while the controller containers
-are restarted.
+happen outside business peak hours. Your applications will continue running
+normally, but existing UCP client certificates will become invalid, so users
+will have to download new ones to [access UCP from the CLI](../access-ucp/cli-based-access.md).
 
-## Replace the server certificates
+## Customize the UCP TLS certificates
 
-To configure UCP to use your own certificates and keys, go to the
+To configure UCP to use your own TLS certificates and keys, go to the
 **UCP web UI**, navigate to the **Admin Settings** page,
 and click **Certificates**.
 
-![](../images/use-externally-signed-certs-1.png)
+![](../images/use-externally-signed-certs-2.png)
 
 Upload your certificates and keys:
 
 * A ca.pem file with the root CA public certificate.
-* A cert.pem file with the server certificate and any intermediate CA public
+* A cert.pem file with the TLS certificate and any intermediate CA public
 certificates. This certificate should also have SANs for all addresses used to
-reach the UCP controller, including load balancers.
-* A key.pem file with server private key.
+access UCP, including load balancers.
+* A key.pem file with TLS private key.
 
 Finally, click **Update** for the changes to take effect.
 
-After replacing the certificates your users won't be able to authenticate
+After replacing the TLS certificates your users won't be able to authenticate
 with their old client certificate bundles. Ask your users to go to the UCP
 web UI and [get new client certificate bundles](../access-ucp/cli-based-access.md).