This document discusses how to securely implement real-time collaboration using Etherpad and SecurePass. Etherpad allows real-time collaborative editing of documents. SecurePass provides single sign-on authentication and authorization. The solution uses Apache as a reverse proxy for SecurePass authentication and to limit access to authorized users and domains. Etherpad is configured with a plugin to identify users via the HTTP header passed from Apache.

1. Secure real-time
collaboration with
SecurePass and
Etherpad
Giuseppe Paterno', IT Security Architect and CTO, GARL
Luca Oldano, Senior Network and Security Engineer, Moresi.com

2. What is a "Pad"
A "Pad" is an on-line web-based collaborative
real-time editor, allowing authors to
simultaneously edit a text document, and see all
of the participants' edits in real-time, with the
ability to display each author's text in their own
color.
Anyone can create a new collaborative
document, known as a "pad". Each pad has its
own URL and anyone who knows this URL can
edit the pad and participate in the associated
chats. Password-protected pads are also
possible. Each participant is identified by a color
and a name.
The software auto-saves the document at regular,
short intervals, but participants can permanently
save specific versions (checkpoints) at any
time. A "time machine" feature allows anyone to
explore the history of the pad, going back in the
past release. The major "milestones" can also be
tagged (or "stared").
A great feature of some pads is that document
can be imported and exported in plain text,
HTML, Open Document, Microsoft Word, or PDF
format.
Secure real-time collaboration with and Etherpad

3. Working with "Pads"
Working with pads is business going social: social networks get us used to be always
updated and connected to our community anytime and anywhere. A pad follow that
mindset and enables you with a simple tool to collaborate with your colleagues and
partners while ensuring the right level of privacy online.
Consider a pad like a clear whiteboard, open a new one and simply start writing an
idea or a challenge. Invite your team, your partners, your external collaborators -no
matter where they are- to share your ideas at the same time.
Let the pad grow with the contribution and the experience of trusted people, every
projects has the right team that are ready to contribute. Review and compare the text
with preview versions, until you'll find the answer and achieve your goal.
Then export it, in your favourite format and share it. For example, write project
documentations with your team through a pad and deliver it in a professional way
using your favorite tool such as Microsoft Word.
Secure real-time collaboration with and Etherpad

4. Secure real-time
collaboration
Innovate, experiment, engage your customers in an easy and
secure way. With a shared pad in a protected enviroment, it's easy focus
on core facts and forget about your information being accessed from
unauthorized users. All you have to do is following the speed of business.
Secure cooperation with employees and partners is now possible on the
cloud with the protection of SecurePass.
Access to a pad is as easy as sharing the web adress of your pad, SecurePass
will ensure that access to information is allowed only to authorized users.
By integrating a pad with SecurePass you will be able to:
‣identify your employees and partners in a proper way
‣limit access to your company and/or your partners (with Apache module)
‣cooperate from anywhere, also through tablets and smartphones, without
fear of loosing precious company information
Secure real-time collaboration with and Etherpad

5. Architecture
Secure real-time collaboration with and Etherpad

6. Etherpad
Etherpad is probably the most famous
pad server implementation: it was born
in 2008 by some Google employees.
Etherpad itself is implemented in
JavaScript, through the Node,js
application environment.
Etherpad was the first web application
of its kind to achieve true real-time
performance,
The home page is on: http://etherpad.org
Secure real-time collaboration with and Etherpad

7. Apache HTTPd
Apache will be handling all data comunication from the external world, playing an important role for securing
communication. In particular, the Apache web server will be performing the following roles:
SSL termination
Reverse proxy to the Etherpad web server on Node.js
Authenticating the user using the SecurePass Web Single Sing-On feature
Limitation of the SecurePass domains/realm for using the pad only within your company or allowing external partners
Translating the user identity into something that Etherpad is able to understand
We will not go in details on how to create a virtual server with the SSL feature.
The configuration has been tested with CentOS 6.
Secure real-time collaboration with and Etherpad

8. Apache configuration
for SecurePass
Follow the instructions on this website:
http://support.secure-pass.net/wiki/index.php/Apache
and ensure you have these values set:
CASCookiePath /var/cache/mod_auth_cas/
CASValidateServer Off
CASLoginURL https://login.secure-pass.net/cas/login
CASValidateURL https://login.secure-pass.net/cas/serviceValidate
CASAllowWildcardCert On
In CentOS you have to create the path
/var/cache/mod_auth_cas/
Secure real-time collaboration with and Etherpad

9. Apache Reverse Proxy
The following statement has to be copied
in the Apache virtual host and will reverse
proxy all the requests to the Etherpad
service, with the exception of the
administrative interface of Etherpad.
ProxyVia On
ProxyRequests Off
ProxyPass /admin !
ProxyPass / http://127.0.0.1:9001/ retry=0
ProxyPassReverse / http://127.0.0.1:9001/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
Secure real-time collaboration with and Etherpad

10. Install SecurePass
Apache module
This module will introduce the feature of limiting the access
to the Etherpad to your company or the partners/companies
you wish to cooperate with.
Please download from the following site:
https://github.com/AlessandroLorenzi/mod_authz_securepass
and follow the instructions in the INSTALL file
Secure real-time collaboration with and Etherpad

11. Configure authentication
in Apache
The following statement has to be copied in the <Location />
Apache virtual host and will enable: AuthType CAS
Require sprealm mycompany.com partner.net
1. Authentication with SecurePass RewriteEngine On
2. Limit the access to the realms listed in "Require RewriteCond %{REMOTE_USER} (.+)
sprealm" directive (modify as appropriate) RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
3. Pass the REMOTE_USER variable as the
X-Forwarded-User header Header Set Cache-Control "max-age=0, no-store"
</Location>
Secure real-time collaboration with and Etherpad

12. Install and Integration
Etherpad
To install Etherpad in your system, please Install the plugin sotauth to be able to
follow the instructions in the web site: identify the user via the X-Forwarded-
user HTTP header:
https://help.ubuntu.com/community/ https://github.com/wtsi-hgi/ep_sotauth
Etherpad-liteInstallation
Note that in the website there is also an
upstart configuration file that will work In the Etherpad configuration file
also on CentOS 6. "settings.json" enable
"requireAuthentication" and
In our installation we also used MySQL to "requireAuthorization"
have a more production-ready database.
Secure real-time collaboration with and Etherpad

13. Conclusions
A lot of organisations are now
adopting a collaboration tool
to improve efficiency: the easy
model of Etherpad with the
trusted protection of
SecurePass let the cloud be the
right tool to save your time and
money.
Once the secure pad tool has
been implemented and become a
part of everyday business,
your business could rely on a new
fast way to engage with partners,
customers and your team.
Secure real-time collaboration with and Etherpad

14. Your daily
secure
business
online
Sponsored by
www.secure-pass.net www.moresi.com