Wendell,
I'd like to add one more idea/tool. We developed a SIP proxy for a
computer/Raspberry Pi that can be located on the library's LAN, which
negotiates the tunnel to the Evergreen server using pre-setup keys. Just
another thing that might help you:
https://github.com/mcoia/evergreen_sip_proxy
Lightning talk on the matter:
http://slides.mobiusconsortium.org/blake/sip_proxy/#/
-Blake-
Conducting Magic
Can consume data in any format
MOBIUS
On 1/5/2021 9:44 AM, Josh Stompro wrote:
Wendell, I just wanted to add another confirmation: we have had 100%
success requiring encrypted tunnels for SIP2 access with outside
vendors (Overdrive, Hoopla, OCLC (VDX ILL), BrainFuse). Stunnel has
been the easiest to set up; since it is just SSL, one vendor was easily
able to adjust their own software to natively connect via SSL and
didn't need to run stunnel on their end at all.
We also offer SSH tunneling, but that takes a bit more work to set up,
and I don't think anyone actually is using that method right now. I
did exchange 4 emails with OCLC support where they repeatedly used the
term SSH but then finally said that what they meant was Stunnel,
sigh. I also had to quote a library journal article from a few years
ago where OCLC said "of course we support encrypted authentication for
all our products" to get them to admit that they could do it. That
was a fun email to send.
The best thing to do is to put the encrypted sip authentication
requirement in the contract with the vendor up front, which means you
have to be at the table when negotiating with them. I think vendors
that use SIP2 are getting much better about supporting encryption in
general. I think it is getting hard for them to say yes to "So you
don't want to protect our patrons' private personal information and
allow us to comply with our state laws about patron privacy?"
If you are going to self-host an Evergreen system and want notes on
how to set up stunnel just let me know. Otherwise if you are looking
at a hosted solution then the hosting provider can provide those
assurances about stunnel being provided as an option.
Josh
On Tue, Jan 5, 2021 at 8:46 AM Rogan Hamby
<[email protected]>
wrote:
I'll just note that I have set up several Envisionware instances to
use stunnel and encrypt the SIP2 communication back to Evergreen
as Jason Boyer describes with no issues. It's transparent to the
clients as you would expect.
On Tue, Jan 5, 2021 at 9:42 AM Jason Boyer
<[email protected]> wrote:
Hi Wendell, there isn’t really anything that can be done to
SIP2 to make it secure without making it not-SIP2. That said,
what can be done is to transfer it over an encrypted channel.
I know some Evergreen and Koha systems handle SIP2 this way
and I suspect TLC is doing the same. This tunneling can be
done with stunnel (an openssl TLS tunnel) or ssh port
redirection and most vendors are capable of dealing with one
or the other.
There’s nothing special needed in Evergreen to handle this;
you just need to set up SIPServer to listen to a local IP
rather than a public one and coordinate with the vendor what
type of tunnel to use. I realize this is pretty non-specific
but if you have any questions I or someone else on the list
should be able to help out.
Jason
--
Jason Boyer
Senior System Administrator
Equinox Open Library Initiative
phone: +1 (877) Open-ILS (673-6457)
email: [email protected]
web: https://EquinoxInitiative.org/
On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E
<[email protected]> wrote:
Hi all. I haven’t posted in a while, but we are still in the
process of evaluating ILS systems and our city IT department
is balking at one thing, SIP2 being plain text. Apparently,
one vendor, TLC claims they have an encryption solution for
SIP2, but I question whether it actually works or not, and
TLC is another proprietary system, which we are trying to avoid.
I have been trying to research SIP2 a bit more and am not
finding a lot of information about security issues with it.
I’m also trying to find out if anyone in the Evergreen
community has worked with encrypting SIP2 messages, at least
sensitive information like passwords and user barcodes.
Is this even possible in Evergreen and has it caused any
problems with outside vendors like OCLC or Envisionware?
I would like to find this out because I fear that our city IT
is going to force us into an ILS we really don’t want.
Thanks,
Wendell
Wendell Gragg, MSIS
Automation Services Supervisor
Bryan+College Station Public Library System
Bryan, TX
979-209-5613
_______________________________________________
Evergreen-general mailing list
[email protected]
http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
--
Josh Stompro - IT Director
Lake Agassiz Regional Library
Desk: 218-233-3757 Ext 139
Cell: 218-790-2110
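As an added example (not from any of the posters, and not the evergreen_sip_proxy project's code), here is what the stunnel arrangement Jason and Josh describe looks like on both ends: SIPServer bound to loopback on the Evergreen host, stunnel terminating TLS in front of it, and the vendor's stunnel giving its unchanged plaintext SIP2 client a local port to talk to. The ports 6001 and 6443, the hostname, the certificate paths and the vendor-issued client certificate are assumptions.

```ini
# ---- File 1: Evergreen host, /etc/stunnel/sip2-server.conf (assumed path) ----
# SIPServer itself is configured to listen on 127.0.0.1:6001 (assumed port),
# so it cannot be reached from outside except through this TLS listener.
# Only 6443 needs to be opened on the host firewall for SIP traffic.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/sip2.pid
debug = 5
output = /var/log/stunnel4/sip2.log
sslVersionMin = TLSv1.2

[sip2-tls]
# TLS port agreed with the vendor (assumed)
accept = 0.0.0.0:6443
# plaintext hop to SIPServer stays on loopback
connect = 127.0.0.1:6001
cert = /etc/stunnel/sip2-server.pem
key = /etc/stunnel/sip2-server.key
# Require a client certificate chaining to the CA the library issues to
# vendors; a connection without one is dropped before SIPServer ever sees
# a login (93) message, so a leaked SIP password alone is not enough.
verifyChain = yes
CAfile = /etc/stunnel/vendor-ca.pem

# ---- File 2: vendor side, /etc/stunnel/sip2-client.conf (assumed path) ----
# The vendor's SIP2 software keeps pointing at localhost:6001 as before;
# stunnel wraps that connection in TLS and checks it reached the library.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/sip2-client.pid
sslVersionMin = TLSv1.2

[sip2-client]
client = yes
accept = 127.0.0.1:6001
# placeholder hostname for the library's public TLS endpoint
connect = sip.example-library.org:6443
# client certificate and key issued by the library's vendor CA
cert = /etc/stunnel/vendor-client.pem
key = /etc/stunnel/vendor-client.key
# verify the library's server certificate against the CA the library gave us
# and reject a certificate issued for any other hostname
verifyChain = yes
CAfile = /etc/stunnel/library-ca.pem
checkHost = sip.example-library.org
```

With both files in place, a quick check from the vendor side is that a SIP2 login against localhost:6001 succeeds while a direct connection to the library host on 6001 is refused.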