From 91bee1de5ab7b97cc32c8ba1c9942823757b86a6 Mon Sep 17 00:00:00 2001
From: jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>
Date: Mon, 2 Aug 2010 01:42:59 +0000
Subject: Fix HTTPS config scripts to enable SSL certicates, HTTP basic auth,
 and OpenID to coexist. Add OpenID support to sample.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@981352 13f79535-47bb-0310-9956-ffa450edef68
---
 sca-cpp/trunk/modules/http/Makefile.am             |   2 +-
 sca-cpp/trunk/modules/http/httpd-auth-conf         |  46 +++++++
 sca-cpp/trunk/modules/http/httpd-conf              |  18 +--
 sca-cpp/trunk/modules/http/httpd-ssl-conf          | 134 ++++++++++++++++-----
 sca-cpp/trunk/modules/http/proxy-conf              |   3 +-
 sca-cpp/trunk/modules/http/proxy-ssl-conf          |  27 ++---
 sca-cpp/trunk/modules/http/proxy-ssl-member-conf   |   2 +-
 sca-cpp/trunk/modules/http/ssl-ca-conf             |   6 +-
 sca-cpp/trunk/modules/http/ssl-cert-conf           |   6 +-
 sca-cpp/trunk/modules/http/vhost-conf              |   2 +-
 sca-cpp/trunk/modules/http/vhost-ssl-conf          |   4 +-
 sca-cpp/trunk/modules/openid/Makefile.am           |   2 +-
 sca-cpp/trunk/modules/openid/openid-conf           |  28 +++--
 sca-cpp/trunk/modules/openid/start-test            |   3 +
 sca-cpp/trunk/modules/server/mod-eval.hpp          |   5 +-
 .../htdocs/domains/jane/login/index.html           |  97 +++++++++++++++
 .../htdocs/domains/jane/logout/index.html          |  33 +++++
 .../htdocs/domains/joe/login/index.html            |  97 +++++++++++++++
 .../htdocs/domains/joe/logout/index.html           |  33 +++++
 .../samples/store-cluster/htdocs/login/index.html  |  97 +++++++++++++++
 .../samples/store-cluster/htdocs/logout/index.html |  33 +++++
 sca-cpp/trunk/samples/store-cluster/ssl-start      |   7 ++
 sca-cpp/trunk/samples/store-python/ssl-start       |   1 +
 23 files changed, 609 insertions(+), 77 deletions(-)
 create mode 100755 sca-cpp/trunk/modules/http/httpd-auth-conf
 create mode 100644 sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html
 create mode 100644 sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html
 create mode 100644 sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html
 create mode 100644 sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html
 create mode 100644 sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html
 create mode 100644 sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html

diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 17fd8ac3c7..03f5c234f5 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
 incl_HEADERS = *.hpp
 incldir = $(prefix)/include/modules/http
 
-dist_mod_SCRIPTS = httpd-conf httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf httpd-ssl-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf
+dist_mod_SCRIPTS = httpd-conf httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf httpd-ssl-conf httpd-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf
 moddir=$(prefix)/modules/http
 
 curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/httpd-auth-conf b/sca-cpp/trunk/modules/http/httpd-auth-conf
new file mode 100755
index 0000000000..cfe81f778a
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/httpd-auth-conf
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Generate a minimal HTTPD SSL configuration
+here=`readlink -f $0`; here=`dirname $here`
+root=`readlink -f $1`
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate basic authentication configuration
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: httpd-auth-conf $*
+# Require clients to present a userid + password for HTTP
+# basic authentication
+<Location />
+AuthType Basic
+AuthName "$host"
+AuthUserFile "$root/conf/httpd.passwd"
+Require valid-user
+</Location>
+
+EOF
+
+# Create test users
+$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
+
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 149bc56c4d..2cbf5120e9 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -44,7 +44,9 @@ cat >$root/conf/httpd.conf <<EOF
 ServerName http://$host:$pport
 PidFile $root/logs/httpd.pid
 
-# Minimal set of modules
+# Load a minimal set of modules, the load order is important
+# (e.g. load mod_headers before mod_rewrite, so its hooks execute
+# after mod_rewrite's hooks)
 LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
 LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
 LoadModule authn_default_module ${modules_prefix}/modules/mod_authn_default.so
@@ -58,13 +60,14 @@ LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
 LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
 LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
 LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
+LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
 LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
+LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
 LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
 LoadModule status_module ${modules_prefix}/modules/mod_status.so
 LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
 LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
 LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
-LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
 LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
 <IfModule !log_config_module>
 LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
@@ -80,17 +83,17 @@ Timeout 45
 LimitRequestBody 1048576
 HostNameLookups Off
 
-# Logging
+# Log HTTP requests
+LogLevel info
 ErrorLog $root/logs/error_log
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
 CustomLog $root/logs/access_log combined
-LogLevel warn
 
 # Configure Mime types
 DefaultType text/plain
 TypesConfig $here/conf/mime.types
 
-# Set document root
+# Set default document root
 DocumentRoot $htdocs
 DirectoryIndex index.html
 
@@ -113,16 +116,17 @@ Options FollowSymLinks
 Allow from all
 </Directory>
 
-# Allow access to service components
+# Allow access to root location
 <Location />
 Options FollowSymLinks
 Order deny,allow  
 Allow from all
 </Location>
 
-# Setup HTTP virtual host
+# Listen on HTTP port
 Listen $port
 
+# Setup HTTP virtual host
 <VirtualHost *:$port>
 ServerName http://$host:$pport
 
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index f2f8b01614..f36da55b12 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -45,7 +45,7 @@ RewriteCond %{SERVER_PORT} !^$sslpport$
 RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]
 </Location>
 
-# Setup SSL support
+# Configure SSL support
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl
 SSLPassPhraseDialog  builtin
@@ -55,19 +55,19 @@ SSLMutex "file:$root/logs/ssl_mutex"
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
-# Setup HTTPS virtual host
+# Listen on HTTPS port
 Listen $sslport
 
+# HTTPS virtual host
 <VirtualHost *:$sslport>
 ServerName https://$host:$sslpport
 
-Include conf/ssl-svhost.conf
+Include conf/svhost-ssl.conf
 
 # Allow the server admin to view the server status
 <Location /server-status>
 SetHandler server-status
 HostnameLookups on
-Deny from All
 Allow from all
 Require user admin
 </Location>
@@ -80,7 +80,7 @@ ExtendedStatus On
 EOF
 
 # Generate HTTPS vhost configuration
-cat >$root/conf/ssl-vhost.conf <<EOF
+cat >$root/conf/vhost-ssl.conf <<EOF
 # Generated by: httpd-ssl-conf $*
 # Virtual host configuration
 UseCanonicalName Off
@@ -89,39 +89,113 @@ UseCanonicalName Off
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+SSLOptions -StrictRequire +OptRenegotiate
 
-# Logging
-CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" sslcombined
+# Verify client certificates
+SSLVerifyClient optional
+SSLVerifyDepth 1
+
+# Log SSL requests
+#CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\"" sslcombined
 CustomLog $root/logs/ssl_access_log sslcombined
-LogLevel warn
 
-# Require clients to present either:
-# a certificate signed with our certification authority certificate
-# or a userid + password for HTTP basic authentication
+EOF
+
+# Generate HTTPS authentication requirement
+cat >>$root/conf/vhost-ssl.conf <<EOF
 <Location />
+# Require clients to use SSL and authenticate
+SSLRequireSSL
+
+# Also accept other forms of authentication (e.g. HTTP basic
+# authentication, or OpenID authentication)
 Satisfy Any
 
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_I_DN_O} == "$org"
+EOF
 
-AuthType Basic
-AuthName "$host"
-AuthUserFile "$root/conf/httpd.passwd"
-Require valid-user
+proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
+if [ "$proxyconf" != "" ]; then
+    cat >>$root/conf/vhost-ssl.conf <<EOF
+# In an proxy, only require a 128+ cipher key
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+# Forward received SSL client certificate info in proxied requests
+RewriteEngine on
+RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
+RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" 
+RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] 
+RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" 
+RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] 
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !="" 
+RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}] 
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !="" 
+RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}] 
+RequestHeader unset X-Forwarded-SSL-Protocol
+RequestHeader unset X-Forwarded-SSL-Cipher
+RequestHeader unset X-Forwarded-SSL-Issuer-DN
+RequestHeader unset X-Forwarded-SSL-Client-DN
+RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
+RequestHeader unset X-Forwarded-SSL-Client-DN-OU
+RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
+RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
+RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
+RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
+RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
+RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
+
+EOF
+else
+    cat >>$root/conf/vhost-ssl.conf <<EOF
+# In a server, require a 128+ cipher key and one of the following
+# - another server's certificate issued by our certificate authority
+# - a proxy certificate + forwarded info on the client request certificate,
+#   both signed by our certificate authority
+# - OpenID authentication (set by mod_auth_openid in the auth_type)
+# - another valid form of authentication as per the Satisfy directive
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \
+( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \
+( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \
+  %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \
+%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/ )
+
+# Record received SSL client certificate info in environment vars
+RewriteEngine on
+RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
+RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" 
+RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] 
+RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" 
+RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] 
+
+# Store the client certificate DN in the SSL_REMOTE_USER var,
+# that's similar to the SSLUserName directive but more flexible as
+# it can pick a client certificate DN forwarded by a proxy
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
+RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] 
+
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
+RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
+RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
+RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}] 
+
+EOF
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
 </Location>
 
 EOF
 
-cat >$root/conf/ssl-svhost.conf <<EOF
+cat >$root/conf/svhost-ssl.conf <<EOF
 # Generated by: httpd-ssl-conf $*
 # Static virtual host configuration
-Include conf/ssl-vhost.conf
+Include conf/vhost-ssl.conf
 
-# Configure SSL certificates
+# Declare SSL certificates used in this virtual host
 SSLCACertificateFile "$root/conf/ca.crt"
 SSLCertificateChainFile "$root/conf/ca.crt"
 SSLCertificateFile "$root/conf/server.crt"
@@ -129,12 +203,12 @@ SSLCertificateKeyFile "$root/conf/server.key"
 
 EOF
 
-cat >$root/conf/ssl-dvhost.conf <<EOF
+cat >$root/conf/dvhost-ssl.conf <<EOF
 # Mass dynamic virtual host configuration
 # Generated by: httpd-ssl-conf $*
-Include conf/ssl-vhost.conf
+Include conf/vhost-ssl.conf
 
-# Configure SSL certificates
+# Declare wildcard SSL certificates used in this virtual host
 SSLCACertificateFile "$root/conf/ca.crt"
 SSLCertificateChainFile "$root/conf/ca.crt"
 SSLCertificateFile "$root/conf/vhost.crt"
@@ -142,9 +216,3 @@ SSLCertificateKeyFile "$root/conf/vhost.key"
 
 EOF
 
-# Create test users for HTTP basic authentication
-$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
-
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index 4970950623..dd6f344fa6 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -23,11 +23,12 @@ root=`readlink -f $1`
 
 cat >>$root/conf/vhost.conf <<EOF
 # Generated by: proxy-conf $*
-# Configure HTTP proxy and balancer
+# Enable HTTP reverse proxy
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyStatus On
 
+# Enable load balancing
 ProxyPass / balancer://cluster/
 
 <Proxy balancer://cluster>
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index bc1b63fc7d..fe7e6a5be6 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -21,17 +21,14 @@
 here=`readlink -f $0`; here=`dirname $here`
 root=`readlink -f $1`
 
-cat >>$root/conf/ssl-vhost.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-conf $*
-# Enable SSL proxy
-SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# Configure proxy and balancer
+# Enable HTTPS proxy
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyStatus On
 
+# Enable load balancing
 ProxyPass /balancer-manager !
 ProxyPass / balancer://sslcluster/
 
@@ -50,21 +47,21 @@ Allow from all
 Require user admin
 </Location> 
 
-EOF
+# Enable SSL proxy engine
+SSLProxyEngine on
+SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
-cat >>$root/conf/ssl-svhost.conf <<EOF
-# Generated by: proxy-ssl-conf $*
-# Setup SSL proxy certificates
-SSLProxyCACertificateFile "$root/conf/ca.crt"
-SSLProxyMachineCertificateFile "$root/conf/server.pem"
+# Verify server certificates
+SSLProxyVerify require
+SSLProxyVerifyDepth 1
 
 EOF
 
-cat >>$root/conf/ssl-dvhost.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-conf $*
-# Setup SSL proxy certificates
+# Declare the proxy SSL client certificates
 SSLProxyCACertificateFile "$root/conf/ca.crt"
-SSLProxyMachineCertificateFile "$root/conf/server.pem"
+SSLProxyMachineCertificateFile "$root/conf/proxy.pem"
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 9f20933e35..55930b7ef2 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -23,7 +23,7 @@ root=`readlink -f $1`
 host=$2
 sslport=`echo $3 | awk -F "/" '{ print $1 }'`
 
-cat >>$root/conf/ssl-vhost.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-member-conf $*
 # Add proxy balancer member
 BalancerMember balancer://sslcluster https://$host:$sslport
diff --git a/sca-cpp/trunk/modules/http/ssl-ca-conf b/sca-cpp/trunk/modules/http/ssl-ca-conf
index b3c6dbbfa0..bd24ca8c21 100755
--- a/sca-cpp/trunk/modules/http/ssl-ca-conf
+++ b/sca-cpp/trunk/modules/http/ssl-ca-conf
@@ -43,10 +43,10 @@ x509_extensions = v3_ca
 C = US
 ST = CA
 L = San Francisco
-O = Test Authority Organization
-OU = Test Authority Unit
+O = $host
+OU = authority
 CN = $host
-emailAddress = root@$host
+emailAddress = admin@$host
 
 [ v3_ca ]
 subjectKeyIdentifier = hash
diff --git a/sca-cpp/trunk/modules/http/ssl-cert-conf b/sca-cpp/trunk/modules/http/ssl-cert-conf
index 959b5059e1..8b6208a449 100755
--- a/sca-cpp/trunk/modules/http/ssl-cert-conf
+++ b/sca-cpp/trunk/modules/http/ssl-cert-conf
@@ -47,10 +47,10 @@ distinguished_name = req_distinguished_name
 C = US
 ST = CA
 L = San Francisco
-O = Test Organization
-OU = Test Unit
+O = $host
+OU = $certname
 CN = $host
-emailAddress = root@$host
+emailAddress = admin@$host
 EOF
 
 # Generate a certificate request
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index e49a1cd415..4f563b673e 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -32,7 +32,7 @@ htdocs=`readlink -f $htdocs`
 
 cat >>$root/conf/httpd.conf <<EOF
 # Generated by: vhost-conf $*
-# Setup mass dynamic virtual hosting
+# Enable mass dynamic virtual hosting
 NameVirtualHost *:$port
 
 <VirtualHost *:$port>
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 8a660278a3..e6801248c4 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -33,7 +33,7 @@ htdocs=`readlink -f $htdocs`
 
 cat >>$root/conf/httpd.conf <<EOF
 # Generated by: vhost-ssl-conf $*
-# Setup mass dynamic virtual hosting
+# Enable mass dynamic virtual hosting over HTTPS
 NameVirtualHost *:$sslport
 SSLStrictSNIVHostCheck Off
 
@@ -42,7 +42,7 @@ ServerName https://vhost.$host:$sslpport
 ServerAlias *.$host
 VirtualDocumentRoot $htdocs/domains/%1/
 
-Include conf/ssl-dvhost.conf
+Include conf/dvhost-ssl.conf
 </VirtualHost>
 
 EOF
diff --git a/sca-cpp/trunk/modules/openid/Makefile.am b/sca-cpp/trunk/modules/openid/Makefile.am
index a28611dc41..158dd8902b 100644
--- a/sca-cpp/trunk/modules/openid/Makefile.am
+++ b/sca-cpp/trunk/modules/openid/Makefile.am
@@ -18,7 +18,7 @@
 
 if WANT_OPENID
 
-dist_mod_SCRIPTS = openid-conf
+dist_mod_SCRIPTS = openid-conf openid-step2-conf
 moddir = $(prefix)/modules/openid
 
 mod_DATA = openid.prefix
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 206281db38..19d7d06d99 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -20,32 +20,46 @@
 # Generate an OpenID server conf
 here=`readlink -f $0`; here=`dirname $here`
 root=`readlink -f $1`
-openid_prefix=`cat openid.prefix`
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+openid_prefix=`cat $here/openid.prefix`
 
 # Configure HTTPD mod_auth_openid module
 cat >>$root/conf/httpd.conf <<EOF
 # Generated by: openid-conf $*
-# Support for OpenID authentication
+# Load support for OpenID authentication
 LoadModule authopenid_module  $openid_prefix/modules/mod_auth_openid.so
 
+# Enable OpenID authentication
 <Location />
+AuthType OpenID
 AuthOpenIDEnabled On
 AuthOpenIDCookiePath /
 AuthOpenIDLoginPage /login
 AuthOpenIDAXAdd EMAIL http://axschema.org/contact/email
 </Location>
 
-<Location /unprotected>
-AuthOpenIDEnabled Off
-</Location>
-
+# Enable unauthenticated access to unprotected areas
 <Location /login>
 AuthOpenIDEnabled Off
 </Location>
-
 <Location /logout>
 AuthOpenIDEnabled Off
 </Location>
+<Location /unprotected>
+AuthOpenIDEnabled Off
+</Location>
+
+EOF
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: openid-conf $*
+# Require OpenID authentication
+<Location />
+AuthType OpenID
+AuthName "$host"
+Require valid-user
+</Location>
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/openid/start-test b/sca-cpp/trunk/modules/openid/start-test
index b9d3191b11..67020cf701 100755
--- a/sca-cpp/trunk/modules/openid/start-test
+++ b/sca-cpp/trunk/modules/openid/start-test
@@ -18,7 +18,10 @@
 #  under the License.
 
 # Setup
+../../modules/http/ssl-ca-conf tmp localhost
+../../modules/http/ssl-cert-conf tmp localhost
 ../../modules/http/httpd-conf tmp localhost 8090 htdocs
+../../modules/http/httpd-ssl-conf tmp 8453
 ./openid-conf tmp
 ./openid-step2-conf tmp
 ../../modules/server/server-conf tmp
diff --git a/sca-cpp/trunk/modules/server/mod-eval.hpp b/sca-cpp/trunk/modules/server/mod-eval.hpp
index 857fd0a1e1..0aff56f59d 100644
--- a/sca-cpp/trunk/modules/server/mod-eval.hpp
+++ b/sca-cpp/trunk/modules/server/mod-eval.hpp
@@ -612,8 +612,9 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) {
         return OK;
     ServerConf& sc = httpd::serverConf<ServerConf>(s, &mod_tuscany_eval);
     debug(httpd::serverName(s), "modeval::postConfigMerge::serverName");
-    if (sc.wiringServerName == "") sc.wiringServerName = httpd::serverName(s);
-    debug(httpd::serverName(s), "modeval::postConfigMerge::wiringServerName");
+    if (sc.wiringServerName == "")
+        sc.wiringServerName = mainsc.wiringServerName != ""? mainsc.wiringServerName : httpd::serverName(s);
+    debug(sc.wiringServerName, "modeval::postConfigMerge::wiringServerName");
     sc.contributionPath = mainsc.contributionPath;
     sc.compositeName = mainsc.compositeName;
     sc.virtualHostContributionPath = mainsc.virtualHostContributionPath;
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html
new file mode 100644
index 0000000000..14f378e968
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html
@@ -0,0 +1,97 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+     
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<html><body><h1>Sign in with an OpenID provider</h1>
+
+<script type="text/javascript">
+function queryParams() {
+    qp = new Array();
+    qs = window.location.search.substring(1).split('&');
+    for (i = 0; i < qs.length; i++) {
+        e = qs[i].indexOf('=');
+        if (e > 0)
+            qp[qs[i].substring(0, e)] = unescape(qs[i].substring(e + 1));
+    }
+    return qp;
+}
+
+function openidReferrer() {
+    r = queryParams()['modauthopenid.referrer'];
+    if (typeof(r) == 'undefined')
+        return r;
+    q = r.indexOf('?');
+    if (q > 0)
+        return r.substring(0, q);
+    return r;
+}
+
+if (typeof(openidReferrer()) == 'undefined') {
+    document.location = '/';
+}
+
+function submitSignin(w) {
+    document.signin.openid_identifier.value = w();
+    document.signin.action = openidReferrer();
+    document.signin.submit();
+}
+
+
+function withGoogle() {
+    return 'https://www.google.com/accounts/o8/id';
+}
+
+function withYahoo() {
+    return 'https://me.yahoo.com/';
+}
+
+function withMyOpenID() {
+    return 'http://www.myopenid.com/xrds';
+}
+
+function withVerisign() {
+    return 'https://pip.verisignlabs.com/';
+}
+
+function withGoogleApps() {
+    return 'https://www.google.com/accounts/o8/site-xrds?ns=2&hd=' + document.fields.domain.value;
+}
+
+function withXRDSEndpoint() {
+    return document.fields.endpoint.value;
+}
+</script>
+
+<form name="signin" action="/" method="GET">
+<input type="hidden" name="openid_identifier" value="https://www.google.com/accounts/o8/id"/>
+</form>
+
+<form name="fields">
+<p>Sign in with your Google account<br/><input type="button" onclick="submitSignin(withGoogle)" value="Sign in"/></p>
+<p>Sign in with your Yahoo account<br/><input type="button" onclick="submitSignin(withYahoo)" value="Sign in"/></p>
+<p>Sign in with your MyOpenID account<br/><input type="button" onclick="submitSignin(withMyOpenID)" value="Sign in"/></p>
+<p>Sign in with your Verisign account<br/><input type="button" onclick="submitSignin(withVerisign)" value="Sign in"/></p>
+<p>Sign in with a Google apps domain<br/>
+<input type="text" size="20" name="domain" value="example.com"/><br/>
+<input type="button" onclick="submitSignin(withGoogleApps)" value="Sign in"/></p>
+<p>Sign in with an OpenID endpoint<br/>
+<input type="text" size="50" name="endpoint" value="https://www.google.com/accounts/o8/id"/><br/>
+<input type="button" onclick="submitSignin(withXRDSEndpoint)" value="Sign in"/></p>
+</form>
+
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html
new file mode 100644
index 0000000000..55cbfac110
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+     
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+    document.cookie = 'open_id_session_id=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/';
+    document.signout.submit();
+    return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html
new file mode 100644
index 0000000000..14f378e968
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html
@@ -0,0 +1,97 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+     
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<html><body><h1>Sign in with an OpenID provider</h1>
+
+<script type="text/javascript">
+function queryParams() {
+    qp = new Array();
+    qs = window.location.search.substring(1).split('&');
+    for (i = 0; i < qs.length; i++) {
+        e = qs[i].indexOf('=');
+        if (e > 0)
+            qp[qs[i].substring(0, e)] = unescape(qs[i].substring(e + 1));
+    }
+    return qp;
+}
+
+function openidReferrer() {
+    r = queryParams()['modauthopenid.referrer'];
+    if (typeof(r) == 'undefined')
+        return r;
+    q = r.indexOf('?');
+    if (q > 0)
+        return r.substring(0, q);
+    return r;
+}
+
+if (typeof(openidReferrer()) == 'undefined') {
+    document.location = '/';
+}
+
+function submitSignin(w) {
+    document.signin.openid_identifier.value = w();
+    document.signin.action = openidReferrer();
+    document.signin.submit();
+}
+
+
+function withGoogle() {
+    return 'https://www.google.com/accounts/o8/id';
+}
+
+function withYahoo() {
+    return 'https://me.yahoo.com/';
+}
+
+function withMyOpenID() {
+    return 'http://www.myopenid.com/xrds';
+}
+
+function withVerisign() {
+    return 'https://pip.verisignlabs.com/';
+}
+
+function withGoogleApps() {
+    return 'https://www.google.com/accounts/o8/site-xrds?ns=2&hd=' + document.fields.domain.value;
+}
+
+function withXRDSEndpoint() {
+    return document.fields.endpoint.value;
+}
+</script>
+
+<form name="signin" action="/" method="GET">
+<input type="hidden" name="openid_identifier" value="https://www.google.com/accounts/o8/id"/>
+</form>
+
+<form name="fields">
+<p>Sign in with your Google account<br/><input type="button" onclick="submitSignin(withGoogle)" value="Sign in"/></p>
+<p>Sign in with your Yahoo account<br/><input type="button" onclick="submitSignin(withYahoo)" value="Sign in"/></p>
+<p>Sign in with your MyOpenID account<br/><input type="button" onclick="submitSignin(withMyOpenID)" value="Sign in"/></p>
+<p>Sign in with your Verisign account<br/><input type="button" onclick="submitSignin(withVerisign)" value="Sign in"/></p>
+<p>Sign in with a Google apps domain<br/>
+<input type="text" size="20" name="domain" value="example.com"/><br/>
+<input type="button" onclick="submitSignin(withGoogleApps)" value="Sign in"/></p>
+<p>Sign in with an OpenID endpoint<br/>
+<input type="text" size="50" name="endpoint" value="https://www.google.com/accounts/o8/id"/><br/>
+<input type="button" onclick="submitSignin(withXRDSEndpoint)" value="Sign in"/></p>
+</form>
+
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html
new file mode 100644
index 0000000000..55cbfac110
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+     
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+    document.cookie = 'open_id_session_id=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/';
+    document.signout.submit();
+    return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html
new file mode 100644
index 0000000000..14f378e968
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html
@@ -0,0 +1,97 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+     
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<html><body><h1>Sign in with an OpenID provider</h1>
+
+<script type="text/javascript">
+function queryParams() {
+    qp = new Array();
+    qs = window.location.search.substring(1).split('&');
+    for (i = 0; i < qs.length; i++) {
+        e = qs[i].indexOf('=');
+        if (e > 0)
+            qp[qs[i].substring(0, e)] = unescape(qs[i].substring(e + 1));
+    }
+    return qp;
+}
+
+function openidReferrer() {
+    r = queryParams()['modauthopenid.referrer'];
+    if (typeof(r) == 'undefined')
+        return r;
+    q = r.indexOf('?');
+    if (q > 0)
+        return r.substring(0, q);
+    return r;
+}
+
+if (typeof(openidReferrer()) == 'undefined') {
+    document.location = '/';
+}
+
+function submitSignin(w) {
+    document.signin.openid_identifier.value = w();
+    document.signin.action = openidReferrer();
+    document.signin.submit();
+}
+
+
+function withGoogle() {
+    return 'https://www.google.com/accounts/o8/id';
+}
+
+function withYahoo() {
+    return 'https://me.yahoo.com/';
+}
+
+function withMyOpenID() {
+    return 'http://www.myopenid.com/xrds';
+}
+
+function withVerisign() {
+    return 'https://pip.verisignlabs.com/';
+}
+
+function withGoogleApps() {
+    return 'https://www.google.com/accounts/o8/site-xrds?ns=2&hd=' + document.fields.domain.value;
+}
+
+function withXRDSEndpoint() {
+    return document.fields.endpoint.value;
+}
+</script>
+
+<form name="signin" action="/" method="GET">
+<input type="hidden" name="openid_identifier" value="https://www.google.com/accounts/o8/id"/>
+</form>
+
+<form name="fields">
+<p>Sign in with your Google account<br/><input type="button" onclick="submitSignin(withGoogle)" value="Sign in"/></p>
+<p>Sign in with your Yahoo account<br/><input type="button" onclick="submitSignin(withYahoo)" value="Sign in"/></p>
+<p>Sign in with your MyOpenID account<br/><input type="button" onclick="submitSignin(withMyOpenID)" value="Sign in"/></p>
+<p>Sign in with your Verisign account<br/><input type="button" onclick="submitSignin(withVerisign)" value="Sign in"/></p>
+<p>Sign in with a Google apps domain<br/>
+<input type="text" size="20" name="domain" value="example.com"/><br/>
+<input type="button" onclick="submitSignin(withGoogleApps)" value="Sign in"/></p>
+<p>Sign in with an OpenID endpoint<br/>
+<input type="text" size="50" name="endpoint" value="https://www.google.com/accounts/o8/id"/><br/>
+<input type="button" onclick="submitSignin(withXRDSEndpoint)" value="Sign in"/></p>
+</form>
+
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html
new file mode 100644
index 0000000000..55cbfac110
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+     
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+    document.cookie = 'open_id_session_id=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/';
+    document.signout.submit();
+    return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/ssl-start b/sca-cpp/trunk/samples/store-cluster/ssl-start
index d9d0fec67d..da55846654 100755
--- a/sca-cpp/trunk/samples/store-cluster/ssl-start
+++ b/sca-cpp/trunk/samples/store-cluster/ssl-start
@@ -21,6 +21,7 @@
 ../../modules/http/ssl-ca-conf tmp/ssl sca-store.com
 ../../modules/http/ssl-cert-conf tmp/ssl sca-store.com server
 ../../modules/http/ssl-cert-conf tmp/ssl *.sca-store.com vhost
+../../modules/http/ssl-cert-conf tmp/ssl sca-store.com proxy
 
 # Start three identical app servers
 ../../modules/http/httpd-conf tmp/server1 sca-store.com 8101/80 htdocs
@@ -28,6 +29,8 @@
 cp `../../modules/http/ssl-ls tmp/ssl` tmp/server1/conf
 ../../modules/http/httpd-ssl-conf tmp/server1 8441/443
 ../../modules/http/vhost-ssl-conf tmp/server1
+../../modules/openid/openid-conf tmp/server1
+../../modules/openid/openid-step2-conf tmp/server1
 ../../modules/server/server-conf tmp/server1
 ../../modules/python/python-conf tmp/server1
 cat >>tmp/server1/conf/httpd.conf <<EOF
@@ -43,6 +46,8 @@ EOF
 cp `../../modules/http/ssl-ls tmp/ssl` tmp/server2/conf
 ../../modules/http/httpd-ssl-conf tmp/server2 8442/443
 ../../modules/http/vhost-ssl-conf tmp/server2
+../../modules/openid/openid-conf tmp/server2
+../../modules/openid/openid-step2-conf tmp/server2
 ../../modules/server/server-conf tmp/server2
 ../../modules/python/python-conf tmp/server2
 cat >>tmp/server2/conf/httpd.conf <<EOF
@@ -58,6 +63,8 @@ EOF
 cp `../../modules/http/ssl-ls tmp/ssl` tmp/server3/conf
 ../../modules/http/httpd-ssl-conf tmp/server3 8443/443
 ../../modules/http/vhost-ssl-conf tmp/server3
+../../modules/openid/openid-conf tmp/server3
+../../modules/openid/openid-step2-conf tmp/server3
 ../../modules/server/server-conf tmp/server3
 ../../modules/python/python-conf tmp/server3
 cat >>tmp/server3/conf/httpd.conf <<EOF
diff --git a/sca-cpp/trunk/samples/store-python/ssl-start b/sca-cpp/trunk/samples/store-python/ssl-start
index 8f83508578..83f7a5a271 100755
--- a/sca-cpp/trunk/samples/store-python/ssl-start
+++ b/sca-cpp/trunk/samples/store-python/ssl-start
@@ -21,6 +21,7 @@
 ../../modules/http/ssl-cert-conf tmp localhost
 ../../modules/http/httpd-conf tmp localhost 8090 htdocs
 ../../modules/http/httpd-ssl-conf tmp 8453
+../../modules/http/httpd-auth-conf tmp
 ../../modules/server/server-conf tmp
 ../../modules/python/python-conf tmp
 cat >>tmp/conf/httpd.conf <<EOF
-- 
cgit v1.2.3