diff --git a/mgmt-hub/css-tmpl.conf b/mgmt-hub/css-tmpl.conf
index d7fdfde..fceb005 100644
--- a/mgmt-hub/css-tmpl.conf
+++ b/mgmt-hub/css-tmpl.conf
@@ -1,13 +1,12 @@
-TraceRootPath /tmp/trace
-TraceLevel TRACE
-UnsecureListeningPort ${CSS_PORT}
-PersistenceRootPath /var/wiotp-edge/persist/
 NodeType CSS
-MongoAuthDbName d_edge
-MongoAddressCsv mongo:${MONGO_PORT}
-LogTraceDestination stdout,glog
-LogRootPath /tmp
-LogLevel TRACE
 ListeningType unsecure
+UnsecureListeningPort ${CSS_PORT}
 CommunicationProtocol ${HZN_TRANSPORT}
-OrgID ${EXCHANGE_USER_ORG}
+LogLevel INFO
+LogTraceDestination stdout
+TraceLevel INFO
+MongoAddressCsv mongo:${MONGO_PORT}
+MongoAuthDbName admin
+MongoUsername admin
+MongoPassword
+MongoUseSSL false
diff --git a/mgmt-hub/deploy-mgmt-hub.sh b/mgmt-hub/deploy-mgmt-hub.sh
index ecf3abe..1563541 100755
--- a/mgmt-hub/deploy-mgmt-hub.sh
+++ b/mgmt-hub/deploy-mgmt-hub.sh
@@ -2,33 +2,35 @@
 
 # Deploy the management hub components (agbot, exchange, css, postgre, mongo), the agent, and the CLI
 
-# Default environment variables
+# Default environment variables. Note: they have to be exported for envsubst.
 #HZN_LISTEN_IP   # the host IP address the hub components should listen on. Can be set to 0.0.0.0 to mean all interfaces. Defaults to the private IP address
-HZN_TRANSPORT=${HZN_TRANSPORT:-http}
+export HZN_TRANSPORT=${HZN_TRANSPORT:-http}
 
-EXCHANGE_IMAGE_TAG=${EXCHANGE_IMAGE_TAG:latest}   # or can be set to stable or a specific version
-EXCHANGE_PORT=${EXCHANGE_PORT:3090}
-EXCHANGE_LOG_LEVEL=${EXCHANGE_LOG_LEVEL:-INFO}
-EXCHANGE_SYSTEM_ORG=${EXCHANGE_SYSTEM_ORG:-IBM}
-EXCHANGE_USER_ORG=${EXCHANGE_USER_ORG:-myorg}
+export EXCHANGE_IMAGE_TAG=${EXCHANGE_IMAGE_TAG:-latest}   # or can be set to stable or a specific version
+export EXCHANGE_PORT=${EXCHANGE_PORT:-3090}
+export EXCHANGE_LOG_LEVEL=${EXCHANGE_LOG_LEVEL:-INFO}
+export EXCHANGE_SYSTEM_ORG=${EXCHANGE_SYSTEM_ORG:-IBM}
+export EXCHANGE_USER_ORG=${EXCHANGE_USER_ORG:-myorg}
 
 
-AGBOT_IMAGE_TAG=${AGBOT_IMAGE_TAG:latest}   # or can be set to stable or a specific version
-AGBOT_PORT=${AGBOT_PORT:3091}
-AGBOT_ID=${AGBOT_ID:agbot}   # its agbot id in the exchange
-AGBOT_TOKEN=${AGBOT_TOKEN:$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1)}   # its agbot token in the exchange
+export AGBOT_IMAGE_TAG=${AGBOT_IMAGE_TAG:-latest}   # or can be set to stable or a specific version
+export AGBOT_PORT=${AGBOT_PORT:-3091}
+export AGBOT_ID=${AGBOT_ID:-agbot}   # its agbot id in the exchange
+export AGBOT_TOKEN=${AGBOT_TOKEN:-$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1)}   # its agbot token in the exchange
 
-CSS_IMAGE_TAG=${CSS_IMAGE_TAG:latest}   # or can be set to stable or a specific version
-CSS_PORT=${CSS_PORT:9443}
+export CSS_IMAGE_TAG=${CSS_IMAGE_TAG:-latest}   # or can be set to stable or a specific version
+export CSS_PORT=${CSS_PORT:-9443}
 
-POSTGRES_IMAGE_TAG=${POSTGRES_IMAGE_TAG:latest}   # or can be set to stable or a specific version
-POSTGRES_PORT=${POSTGRES_PORT:5432}
-POSTGRES_USER=${POSTGRES_USER:-admin}
-EXCHANGE_DATABASE=${EXCHANGE_DATABASE:-exchange}   # the db the exchange uses in the postgres instance
-AGBOT_DATABASE=${AGBOT_DATABASE:-agbot}   # the db the agbot uses in the postgres instance
+export POSTGRES_IMAGE_TAG=${POSTGRES_IMAGE_TAG:-latest}   # or can be set to stable or a specific version
+export POSTGRES_PORT=${POSTGRES_PORT:-5432}
+export POSTGRES_USER=${POSTGRES_USER:-admin}
+export EXCHANGE_DATABASE=${EXCHANGE_DATABASE:-exchange}   # the db the exchange uses in the postgres instance
+export AGBOT_DATABASE=${AGBOT_DATABASE:-agbot}   # the db the agbot uses in the postgres instance
 
-MONGO_IMAGE_TAG=${MONGO_IMAGE_TAG:latest}   # or can be set to stable or a specific version
-MONGO_PORT=${MONGO_PORT:27017}
+export MONGO_IMAGE_TAG=${MONGO_IMAGE_TAG:-latest}   # or can be set to stable or a specific version
+export MONGO_PORT=${MONGO_PORT:-27017}
+
+export OH_DEVOPS_REPO=${OH_DEVOPS_REPO:-https://raw.githubusercontent.com/open-horizon/devops/master}
 
 usage() {
     exitCode=${1:-0}
@@ -41,8 +43,8 @@ Flags:
   -h    Show this usage.
 
 Required Environment Variables:
-  EXCHANGE_ROOT_PW_BCRYPTED: the bcrypted exchange root pw to be put in the exchange config file. Can be the clear pw, but that is not recommended.
   EXCHANGE_ROOT_PW: the clear exchange root pw to use temporarily to prime the exchange.
+  EXCHANGE_ROOT_PW_BCRYPTED: the bcrypted exchange root pw to be put in the exchange config file. Can be the clear pw, but that is not recommended.
 
 Optional Environment Variables:
   For a list of optional environment variables, their defaults and descriptions, see the beginning of this script.
@@ -87,6 +89,9 @@ chkHttp() {
     if [[ $httpCode == 200 ]]; then return; fi
     echo "Error: http code $httpCode from: $task"
     if [[ $dontExit != 'continue' ]]; then
+        if [[ ! "$httpCode" =~ ^[0-9]+$ ]]; then
+            httpCode=5   # some times httpCode is the curl error msg
+        fi
         exit $httpCode
     fi
 }
@@ -116,9 +121,16 @@ ensureWeAreRoot() {
 # Download a file via a URL
 getUrlFile() {
     local url="$1"
+    local localFile="$2"
     echo "Downloading $url ..."
-    httpCode=$(curl -sS -w "%{http_code}" -L -O $url)
-    chkHttp $? $httpCode "downloading $url"
+    if [[ $url == *@* ]]; then
+        # special case for development:
+        scp $url $localFile
+        chk $? "scp'ing $url"
+    else
+        httpCode=$(curl -sS -w "%{http_code}" -L -o $localFile $url)
+        chkHttp $? $httpCode "downloading $url"
+    fi
 }
 
 getPrivateIp() {
@@ -137,13 +149,16 @@ while getopts ":h" opt; do
 	esac
 done
 
-# Initial checking of the OS
+# Initial checking of the input and OS
+if [[ -z "$EXCHANGE_ROOT_PW" || -z "$EXCHANGE_ROOT_PW_BCRYPTED" ]]; then
+    fatal 1 "these environment variables must be set: EXCHANGE_ROOT_PW, EXCHANGE_ROOT_PW_BCRYPTED"
+fi
 ensureWeAreRoot
 confirmCmds grep awk curl
 
 # Get private IP to listen on, if they did not specify it otherwise
 if [[ -z $HZN_LISTEN_IP ]]; then
-    HZN_LISTEN_IP=getPrivateIp
+    export HZN_LISTEN_IP=$(getPrivateIp)
     chk $? 'getting private IP'
     if [[ -z $HZN_LISTEN_IP ]]; then fatal 2 "Could not get the private IP address"; fi
 fi
@@ -154,8 +169,20 @@ apt install -y jq gettext-base docker-compose
 chk $? 'installing required software'
 
 # Download and process templates from open-horizon/devops
+#echo "Downloading template files..."
+getUrlFile $OH_DEVOPS_REPO/mgmt-hub/docker-compose.yml docker-compose.yml
+getUrlFile $OH_DEVOPS_REPO/mgmt-hub/exchange-tmpl.json /tmp/exchange-tmpl.json
+getUrlFile $OH_DEVOPS_REPO/mgmt-hub/agbot-tmpl.json /tmp/agbot-tmpl.json
+getUrlFile $OH_DEVOPS_REPO/mgmt-hub/css-tmpl.conf /tmp/css-tmpl.conf
+
+echo "Substituting environment variables into template files..."
+cat /tmp/exchange-tmpl.json | envsubst > exchange.json
+cat /tmp/agbot-tmpl.json | envsubst > agbot.json
+cat /tmp/css-tmpl.conf | envsubst > css.conf
 
 # Start mgmt hub components
+echo "Starting Horizon management hub components..."
+docker-compose up -d --no-build
 
 # Prime exchange with the user org and admin, and horizon examples
 
diff --git a/mgmt-hub/docker-compose-tmpl.yml b/mgmt-hub/docker-compose.yml
similarity index 74%
rename from mgmt-hub/docker-compose-tmpl.yml
rename to mgmt-hub/docker-compose.yml
index 3bf2bdc..15e4334 100644
--- a/mgmt-hub/docker-compose-tmpl.yml
+++ b/mgmt-hub/docker-compose.yml
@@ -31,6 +31,11 @@ services:
     depends_on:
       exchange-api:
         condition: service_healthy
+    healthcheck:
+      test: test $$(curl -sS -w "%{http_code}" -o /dev/null http://localhost:${AGBOT_PORT}/status) == 200
+      interval: 2s
+      timeout: 2s
+      retries: 10
 
   exchange-api:
     image:  openhorizon/amd64_exchange-api:${EXCHANGE_IMAGE_TAG}
@@ -44,7 +49,7 @@ services:
       postgres:
         condition: service_healthy
     healthcheck:
-      test: test $(curl -sS -w "%{http_code}" -o /dev/null http://localhost:8080/v1/admin/version) == 201
+      test: test $$(curl -sS -w "%{http_code}" -o /dev/null http://localhost:8080/v1/admin/version) == 200
       interval: 2s
       timeout: 2s
       retries: 10
@@ -66,6 +71,8 @@ services:
       timeout: 2s
       retries: 10
 
+x-disabled:
+
   css-api:
     image: openhorizon/amd64_cloud-sync-service:${CSS_IMAGE_TAG}
     container_name: css-api
@@ -74,13 +81,18 @@ services:
       - ${CSS_PORT}:${CSS_PORT}
     networks: horizonnet
     volumes:
-      - ${PWD}/css:/etc/edge-sync-service
+      - ${PWD}/css.conf:/etc/edge-sync-service/sync.conf
       - mongovol:/var/wiotp-edge/persist
     environment:
       - HZN_EXCHANGE_URL=${HZN_TRANSPORT}://exhange-api:8080/v1
     depends_on:
       mongo:
         condition: service_healthy
+    healthcheck:
+      test: test $$(curl -sS -w "%{http_code}" -o /dev/null http://localhost:${CSS_PORT}/v1/health) == 200
+      interval: 2s
+      timeout: 2s
+      retries: 10
 
   mongo:
     image: mongo:${MONGO_IMAGE_TAG}
@@ -89,3 +101,8 @@ services:
     volumes:
       - mongovol:/var/wiotp-edge/persist
     networks: horizonnet
+    healthcheck:
+      test: test $$(echo 'db.runCommand("ping").ok' | mongo localhost:${MONGO_PORT}/test --quiet) == 1
+      interval: 2s
+      timeout: 2s
+      retries: 10