Sea-Watch Legal Aid Fund
To support the activities of our Legal Aid Fund, which are distributed all across Europe, the Sea-Watch team decided in 2021 to implement a collaborative, self-hosted private cloud platform. All applications were also to be accessible through a central web-based portal. All applications are available via a central identity management system that uses a personalized uniform account.
Rescuing people from distress at sea is for Seawatch not only a humanitarian act, but also a legal obligation under international law. According to Art. 98 of the United Nations Convention on the Law of the Sea (UNCLOS), masters of ships are obliged “to render assistance to any person found at sea in danger of being lost”.
Regardless of this obligation, civilian sea rescue operations were increasingly being criminalized by the European Union and its Member States, affecting not only sea rescue NGOs and their activists but also the crews of commercial ships and private vessels.
Against this background, the Sea-Watch Legal Aid Fund (in German: Rechtshilfefonds e. V., RHF) was established on June 22, 2018. The Fund seeks to protect and help enforce the rights of individuals and groups which are criminalized in the context of civilian sea rescue.
The criminal proceedings many of them face are lengthy and expensive—in the opinion of Seawatch a strategy aimed at discouraging rescue initiatives. As a result, both commercial and private vessels were increasingly reluctant to rescue persons in distress, and the added risks and challenges make activists’ work even more difficult. The same applies to the criminalization of land-based relief efforts.
This is where the RHF comes in: It assists refugee helpers in safeguarding and enforcing their rights, making sure that the humanitarian and legal duty of rescuing people in distress will continue to be fulfilled in the future.
Implementation of a modern and secure Open Source infrastructure
To serve its purpose, the RHF provides funding and other legal assistance. Decisions on the distribution of funds as well as on other possible means of support are made by experts, whose basic motive and top priority are to safeguard and protect the rights of human rights defenders.
To support the activities of the Legal Aid Fund of Seawatch, which are distributed all across Europe, they decided in 2021 to implement a collaborative, self-hosted private cloud platform.
After an in-depth and extensive evaluation of specialized applications for file and contract management, the lawyers on the Legal Aid team chose the software LECARE. It’s developed and maintained by the Hamburg-based company of the same name, the LECARE Gesellschaft für Softwareentwicklung mbH, and won the Pitch Fever Award.
Together with the LECARE support team, the Sea-Watch IT team carried out the planning and the implementation of the platform. The LECARE software is accessed via an Apache Tomcat web server, which is part of a Microsoft-based environment. In a lot of cases, other services, such as the database server, are installed on the same system, so that the server also acts as domain controller. However, this single-server setup is rather difficult to manage, mainly because of the large number of complex services. LECARE leaves it up to its customers to decide on which server the database is located, so it can also be hosted externally. The team decided to go this route because of the flexibility it offers.
Collaborative and self-hosted private cloud platform
UCS, Nextcloud, ONLYOFFICE, Kopano, Matrix, Element, and Zammad
Based on experience with the services Sea-Watch had used so far, there was also a request to expand LECARE with additional web-based solutions. Above all, they wanted to set up Nextcloud as a file sharing solution in combination with OnlyOffice to edit documents collaboratively and directly in the web browser. In addition, there was a request to set up Kopano as a groupware solution with S/MIME support, calendars, address books, and ActiveSync support for mobile devices. Other tools on the wish list: Matrix and Element as a chat environment, as well as Zammad as helpdesk and ticketing software.
Finally, it was decided that all applications should be accessible via a central web-based portal. A central identity management system is supposed to manage the user accounts so that all applications are available via a personalized unified account.
This meant the team had to deal with a number of problems right from the start. For example, LECARE requires an existing Active Directory. On the one hand, a Windows server implements a Kerberos-based Active Directory. On the other hand, web applications use local user sources or LDAP, SAML, OpenID, and other mechanisms to connect to directory services.
Univention Corporate Server as identity management and web-based admin and user portal
Therefore the team decided to use Univention Corporate Server (UCS) as a dedicated identity management system. UCS brings everything together: Kerberos, SAML and OpenID. All applications use the same user account source. A UCS IDM automatically takes care of the necessary synchronization and replication and also provides a portal. Check!
To make the environment easier to maintain, the team decided against a single-server installation. Instead, they distributed some services, without losing sight of the intended target group (15 users), because such a setup also means additional costs in terms of time. However, the simplified maintenance and the possibility to customize services and outsource them to other instances as the number of accesses increases justify this effort. The services cannot be accessed directly, but are provided via a reverse proxy.
So, for all these reasons, the core services were distributed to the following instances:
– Reverse Proxy Server
– Identity Management Server
– Groupware Server
– Docker Application Server
– Database Server
– LECARE Server
As far as possible, all applications can be installed via the Univention App Center. Additional subscriptions from the respective manufacturers are available. Thus, professional vendor support, as well as a standardized update management, is provided.
In the future, the team plans to upgrade the platform from UCS 4.x to UCS 5. Currently, the applications are connected to the directory service via standard LDAP and Kerberos bind. However, they would like to migrate the applications to SAML or OpenID-based login procedures to enable real web single sign-on.
The IT Team of Seawatch would like to thank the companies Hetzner, LECARE, Nextcloud, OnlyOffice, and Kopano for their assistance as well as very engaged persons like Zara, Folkert, Mareike, Harald, Peter, Moritz, Jonas, Naeydar, Sea, Joshi, Nic, and all other supporters who made this project possible.