2) CSCdz36717

the bug CSCdz36717 doesn't describe what I'm seeing. The problem is not that the root cert isn't there -- it is. The problem is that the URL loaded by the tray does not contain the fully-qualified domain name AND that the tray launches the http, not https, URL (eg, the tray launches http://unityserver/web/sa where it should be launching https://unityserver.domain.com/web/sa). So there are 2 problems:

1) http vs https and

2) the hostname in place of the FQDN.

The FQDN doesn't matter with http, but it causes the security warning that the site name (hostname) doesn't match the cert name (FQDN).

CSCdz11456 doesn't describe what I'm seeing. While it is true that the start & stop buttons are greyed out, and that, yes, Unity could be stopped and started thru the tray icon, there's more to it than starting and stopping. The problem is that under https, SM doesn't connect, period. The bugmakes no reference to https so I don't know whether this is the same problem or not. But I cant do any of the other things I can normally do thru SM (check ports, reports, etc) when using https. So https pretty much is useless with 4.0.2 if I use SM for anything at all.

In the IIS manager, check your web site to see if there is an ISAPI filter installed called "unityflt". This filter is responsible for redirecting http requests to https (automatically correcting any URL's, such as the tray URL's). The filter requires that you have set your SA virtual directories to "require SSL" and restart the WWW services (to reload the filter). This is the quick overview, let me know if you need more detail.

hmmm. no ISAPI filters are installed & I don't see any unityflt.* anywhere. Where might one find this?

If you don't see any filters at all, you'll want to make sure you are looking in the right place. In IIS manager, highlight the server (not the default web site) and right click properties. In the master properties box choose "WWW Service" and hit edit and look at the ISAPI tab. There should be four MS installed filters there (and with any luck, the unityflt as well).

The unityflt is installed with Unity, so if you still don't see the the filter we can check to see what happened (and get it installed).

I do have these filters (if I look in the right place) and restarting the server after enabling SSL seems to get the tray to work properly (maybe I didn't need to be that extreme, but it worked).

The problem now is that everytime I switch between SA pages, I get an alert that the new page has insecure parts. If I click yes, the page is displayed normally, but insecure. If I click no, I get an error, then it paints correctly and the connection is still secure.

And PCA can't connect at all. Complains it can't find the server. (like SM).