Merge branch 'production' into max/zt/gdrive-cert

Author: maxvp

src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx

@@ -19,8 +19,8 @@ To enable browser rendering:
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
 3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
-4. In the **Settings** tab, scroll down to **Additional settings**.
-5. For **Browser rendering**, choose *SSH* or *VNC*.
+4. Go to **Advanced settings** > **Browser rendering settings**.
+5. For **Browser rendering**, choose _SSH_ or _VNC_.
 6. Select **Save application**.
 
 When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.

src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx

@@ -16,7 +16,7 @@ To enable automatic `cloudflared` authentication:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Locate your application and select **Configure**.
-3. In the **Settings** tab, scroll down to **Additional settings**.
+3. Go to **Advanced settings** > **Browser rendering settings**.
 4. Turn on **Enable automatic cloudflared authentication**.
 5. Select **Save application**.
 

src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx

@@ -626,6 +626,54 @@ To install a certificate for use in a Docker container:
 
    </TabItem> </Tabs>
 
+### Java
+
+Java may have multiple certificate keystore locations depending on different installations or applications that include Java. Depending on your Java Virtual Machine (JVM) installation, you may need to install the certificate for each instance. You may also need to manually configure each Java application to use and trust the certificate.
+
+To install a Cloudflare root certificate in the system JVM, follow the procedure for your operating system. These steps require you to [download a `.pem` certificate](#download-the-cloudflare-root-certificate).
+
+<Tabs>
+<TabItem label="macOS and Linux" icon="seti:shell">
+
+1. Install [OpenSSL](https://www.openssl.org/).
+
+2. In a terminal, format the Cloudflare certificate for Java.
+
+   ```sh
+   openssl x509 -in Cloudflare_CA.pem -inform pem -out Cloudflare_CA.der -outform der
+   ```
+
+3. Import the converted certificate into the Java keystore.
+
+   ```sh
+   sudo $JAVA_HOME/bin/keytool -import -trustcacerts -alias 'Cloudflare Root CA' -file Cloudflare_CA.der -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt 2>&1
+   ```
+
+4. Restart any instances of Java.
+
+</TabItem>
+
+<TabItem label="Windows" icon="seti:windows">
+
+1. Install [OpenSSL for Windows](https://slproweb.com/products/Win32OpenSSL.html).
+
+2. In an administrator PowerShell terminal, format the Cloudflare certificate for Java.
+
+   ```powershell
+   openssl x509 -in Cloudflare_CA.pem -inform pem -out Cloudflare_CA.der -outform der
+   ```
+
+3. Import the converted certificate into the Java keystore.
+
+   ```powershell
+   "%JAVA_HOME%\bin\keytool" -import -trustcacerts -alias "Cloudflare Root CA" -file Cloudflare_CA.der -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -noprompt
+   ```
+
+4. Restart any instances of Java.
+
+</TabItem>
+</Tabs>
+
 ### Google Cloud
 
 #### Google Cloud SDK
@@ -662,7 +710,7 @@ If you use Kaniko with Google Cloud SDK, you must install a Cloudflare certifica
 
 #### Google Drive for desktop
 
-To trust a Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to [download a .pem certificate](#download-the-cloudflare-root-certificate).
+To trust a Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to [download a `.pem` certificate](#download-the-cloudflare-root-certificate).
 
 <Tabs>
 <TabItem label="macOS" icon="apple">
@@ -764,7 +812,7 @@ To set the location of the certificate for use as an environment variable:
 
 ### PHP Composer
 
-The command below will set the [`cafile`](https://getcomposer.org/doc/06-config.md#cafile) configuration inside of `composer.json` to use the Cloudflare root certificate. Make sure to [download the certificate](#download-the-cloudflare-root-certificate) in the `.pem` file type.
+The command below will set the [`cafile`](https://getcomposer.org/doc/06-config.md#cafile) configuration inside of `composer.json` to use the Cloudflare root certificate. Make sure to [download a certificate](#download-the-cloudflare-root-certificate) in the `.pem` file type.
 
 ```sh
 composer config cafile [PATH_TO_CLOUDFLARE_CERT.pem]

src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx

@@ -51,8 +51,8 @@ There are three ways you can resolve this error:
 You can configure Cloudflare to send OPTIONS requests directly to your origin server. To bypass Access for OPTIONS requests:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2. Locate the origin that will be receiving OPTIONS requests and select **Edit**.
-3. In the **Settings** tab, scroll down to **CORS settings**.
+2. Locate the origin that will be receiving OPTIONS requests and select **Configure**.
+3. Go to **Advanced settings** > **Cross-Origin Resource Sharing (CORS) settings**.
 4. Turn on **Bypass options requests to origin**. This will remove all existing CORS settings for this application.
 
 It is still important to enforce CORS for the Access JWT -- this option should only be used if you have CORS enforcement established in your origin server.
@@ -65,11 +65,11 @@ To configure how Cloudflare responds to preflight requests:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Locate the origin that will be receiving OPTIONS requests and select **Edit**.
+2. Locate the origin that will be receiving OPTIONS requests and select **Configure**.
 
-3. In the **Settings** tab, scroll down to **CORS settings**.
+3. Go to **Advanced settings** > **Cross-Origin Resource Sharing (CORS) settings**.
 
-4. Configure the dashboard [CORS settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers) to match the response headers sent by your origin.
+4. Configure these [CORS settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers) to match the response headers sent by your origin.
 
    For example, if you have configured `api.mysite.com`to return the following headers:
 

src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx

@@ -67,7 +67,7 @@ As shown in the example below, `https://<your-team-name>.cloudflareaccess.com/cd
 
 
 * Validate tokens using the external endpoint rather than saving the public key as a hard-coded value.
-* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`. 
+* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`.
   :::
 
 ## Verify the JWT manually
@@ -100,7 +100,7 @@ To get the AUD tag:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
 2. Select **Configure** for your application.
-3. On the **Overview** tab, copy the **Application Audience (AUD) Tag**.
+3. From the **Basic information** tab, copy the **Application Audience (AUD) Tag**.
 
 You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application.
 

src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx

@@ -50,7 +50,7 @@ To enforce mTLS authentication from [Zero Trust](https://one.dash.cloudflare.com
 
 7. Next, go to **Access** > **Applications**.
 
-8. Find the application you would like to enforce mTLS on and select **Edit**. The application must be included in the **Associated hostnames** list from Step 5.
+8. Find the application you would like to enforce mTLS on and select **Configure**. The application must be included in the **Associated hostnames** list from Step 5.
 
 9. Create a new (or amend an existing) [Access policy](/cloudflare-one/policies/access/).
 

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-gateway.mdx

@@ -11,28 +11,30 @@ head:
 
 import { Render } from "~/components"
 
-With Require Gateway, you can allow access to your applications only to devices enrolled in your organization's instance of Gateway. Unlike [Require WARP](/cloudflare-one/identity/devices/warp-client-checks/require-warp/), which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization's Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.
+With Require Gateway, you can allow access to your applications only to devices enrolled in your Zero Trust organization. Unlike [Require WARP](/cloudflare-one/identity/devices/warp-client-checks/require-warp/), which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization's Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.
 
 ## Prerequisites
 
 * <Render file="posture/prereqs-warp-is-deployed" params={{ name: "WARP Client Checks", link: "/cloudflare-one/identity/devices/warp-client-checks/" }} />
 
-## Enable the Gateway check
+## 1. Enable the Gateway check
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 
 2. In **WARP client checks**, select **Add new**.
 
 3. Select **Gateway**, then select **Save**.
 
-## Add the check to an Access policy
+## 2. Add the check to an Access application
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Select the application for which you want to require Gateway, then select **Configure**.
+2. Locate the application for which you want to require Gateway. Select **Configure**.
 
-3. To create a new Access policy, select **Add a policy**. To require Gateway for an existing policy, select a policy, then select **Configure**.
+3. In the **Policies** tab, create a new Access policy or edit an existing policy.
 
-4. Add an Include or Require rule which uses the Gateway selector. Select **Save policy**.
+4. In the policy builder, add an Include or Require rule which uses the _Gateway_ selector. Save the policy.
 
-Before granting access to the application, your policy will now check that the device is running the WARP client and enrolled in your Zero Trust organization.
+5. Save the Access application.
+
+Before granting access to the application, the policy will check that the device is running the WARP client and enrolled in your Zero Trust organization.

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-warp.mdx

@@ -29,22 +29,20 @@ Cloudflare Zero Trust enables you to restrict access to your applications to dev
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
 2. Ensure that **Proxy** is enabled.
-3. Next, go to **Settings** > **WARP Client**.
-4. Scroll down to **WARP client checks** and select **Add new**.
-5. Select **WARP**.
-
-You are now ready to start requiring WARP for your Access applications.
+3. Go to **Settings** > **WARP Client**.
+4. In **WARP client checks**, select **Add new**.
+5. Select **WARP**, then select **Save**.
 
 ## 2. Add the check to an Access policy
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Locate the application for which you want to require WARP.
+2. Locate the application for which you want to require WARP. Select **Configure**.
 
-3. Select **Edit**.
+3. In the **Policies** tab, create a new Access policy or edit an existing policy.
 
-4. To have an existing policy require WARP, select **Edit** for that specific policy. Then, add an **Include** or **Require** rule which uses the *WARP* selector.
+4. In the policy builder, add an Include or Require rule which uses the _WARP_ selector. Save the policy.
 
-5. Select **Save rule**.
+5. Save the Access application.
 
-Before granting access to the application, your policy will now check that the device is running the WARP client.
+Before granting access to the application, the policy will check that the device is running the WARP client.

src/content/docs/cloudflare-one/identity/users/session-management.mdx

@@ -32,6 +32,7 @@ You can set a global session duration between 15 minutes and 1 month.
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
 2. Under **Global session timeout**, select **Edit**,
 3. Select the desired timeout duration from the dropdown menu.
+4. Select **Save**.
 
 The user will be required to re-authenticate with the IdP after this period of time.
 
@@ -40,8 +41,9 @@ The user will be required to re-authenticate with the IdP after this period of t
 You can set an application session duration for self-hosted and private Access applications. Available session durations range from immediate timeout to 1 month. The default is 24 hours.
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2. Locate the application you want to configure and select **Edit**.
-3. In the **Overview** tab, select a **Session Duration** from the dropdown menu.
+2. Choose an application and select **Configure**.
+3. Select a **Session Duration** from the dropdown menu.
+4. Save the application.
 
 The application token will expire after this period of time (unless you have set a [policy session duration](#set-policy-session-duration)).
 
@@ -56,6 +58,7 @@ You can set a policy session duration ranging from immediate timeout to one mont
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Policies**.
 2. Choose a policy and select **Configure**.
 3. Select a **Session Duration** from the dropdown menu.
+4. Save the policy.
 
 Users who match this policy will be issued an application token with this expiration time.
 
@@ -69,9 +72,9 @@ To immediately terminate all active sessions for a specific application:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Locate the application for which you would like to revoke active sessions and select **Edit**.
+2. Locate the application for which you would like to revoke active sessions and select **Configure**.
 
-3. In the **Overview** tab, select **Revoke existing tokens**.
+3. Select **Revoke existing tokens**.
 
 Unless there are changes to rules in the policy, users can start a new session if their profile in your identity provider is still active.
 

src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx

@@ -18,21 +18,25 @@ This feature is only available if you are using the following identity providers
 
 To enforce an MFA requirement to an application:
 
-1. In Zero Trust, go to **Access** > **Applications**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
 
-2. Find the application for which you want to enforce MFA and select **Edit**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/).
+2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/).
 
-3. Go to the **Rules** section of the application.
+3. Go to **Policies**.
 
-4. If your application already has a rule containing an identity requirement, find it and select **Edit**.
+4. If your application already has a policy containing an identity requirement, find it and select **Configure**.
 
-   The rule must contain an Include rule which defines an identity. For example, the Include rule should allow for users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group.
+	:::note
+	The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group.
+	:::
 
-5. Add a _Require_ action to the rule.
+5. Add the following rule to the policy:
 
-6. Select _Authentication Method_ and choose `mfa - multiple-factor authentication`.
+		| Rule type | Selector | Value |
+		| ---------- | -------- | ------ |
+		| Require    | Authentication method |  `mfa - multiple-factor authentication` |
 
-7. Save the rule.
+6. Save the policy.
 
 :::caution[Important]