That's great, Blake! I don't suppose you would also have a WordPress plugin that would allow it to communicate using SIP2? That's my holy grail these days.

John Lolis
Coordinator of Computer Systems

100 Martine Avenue
White Plains, NY 10601

tel: 1.914.422.1497
fax: 1.914.422.1452

https://whiteplainslibrary.org/

*When you think about it, *all* security is ultimately security by ignorance.*

On Tue, 5 Jan 2021 at 11:56, Blake Henderson <[email protected]> wrote:

> Wendell,
>
> I'd like to add one more idea/tool. We developed a SIP proxy for a
> computer/Raspberry Pi that can be located on the library's LAN, which
> negotiates the tunnel to the Evergreen server using pre-setup keys. Just
> another thing that might help you:
>
> https://github.com/mcoia/evergreen_sip_proxy
>
> Lightning talk on the matter:
> http://slides.mobiusconsortium.org/blake/sip_proxy/#/
>
> -Blake-
> Conducting Magic
> Can consume data in any format
> MOBIUS
>
>
> On 1/5/2021 9:44 AM, Josh Stompro wrote:
>
> Wendell, I just wanted to add another confirmation, we have had 100%
> success requiring encrypted tunnels for sip2 access with outside vendors.
> Overdrive, Hoopla, OCLC (VDX ILL), BrainFuse. Stunnel has been the easiest
> to set up, since it is just SSL one vendor was easily able to adjust their
> own software to natively connect via ssl and didn't need to run stunnel on
> their end at all.
>
> We also offer SSH tunneling, but that takes a bit more work to set up, and
> I don't think anyone actually is using that method right now. I did
> exchange 4 emails with OCLC support where they repeatedly used the term SSH
> but then finally said that what they meant was Stunnel, sigh. I also had
> to quote a library journal article from a few years ago where OCLC said "of
> course we support encrypted authentication for all our products" to get
> them to admit that they could do it. That was a fun email to send.
>
> The best thing to do is to put the encrypted sip authentication
> requirement in the contract with the vendor up front, which means you have
> to be at the table when negotiating with them. I think vendors that use
> SIP2 are getting much better about supporting encryption in general. I
> think it is getting hard for them to say yes to "So you don't want to
> protect our patrons' private personal information and allow us to comply
> with our state laws about patron privacy?"
>
> If you are going to self host an evergreen system and want notes on how to
> set up stunnel just let me know. Otherwise if you are looking at a hosted
> solution then the hosting provider can provide those assurances about
> stunnel being provided as an option.
> Josh
>
> On Tue, Jan 5, 2021 at 8:46 AM Rogan Hamby <[email protected]>
> wrote:
>
>> I'll just note that I have set up several Envisionware instances to use
>> stunnel and encrypt the SIP2 communication back to Evergreen as Jason Boyer
>> describes with no issues. It's transparent to the clients as you would
>> expect.
>>
>>
>>
>> On Tue, Jan 5, 2021 at 9:42 AM Jason Boyer <[email protected]>
>> wrote:
>>
>>> Hi Wendell, there isn’t really anything that can be done to SIP2 to make
>>> it secure without making it not-SIP2. That said, what can be done is to
>>> transfer it over an encrypted channel. I know some Evergreen and Koha
>>> systems handle SIP2 this way and I suspect TLC is doing the same. This
>>> tunneling can be done with stunnel (an openssl TLS tunnel) or ssh port
>>> redirection and most vendors are capable of dealing with one or the other.
>>>
>>> There’s nothing special needed in Evergreen to handle this; you just
>>> need to set up SIPServer to listen to a local IP rather than a public one
>>> and coordinate with the vendor what type of tunnel to use. I realize this
>>> is pretty non-specific but if you have any questions I or someone else on
>>> the list should be able to help out.
>>>
>>> Jason
>>>
>>> --
>>> Jason Boyer
>>> Senior System Administrator
>>> Equinox Open Library Initiative
>>> phone: +1 (877) Open-ILS (673-6457)
>>> email: [email protected] <[email protected]>
>>> web: https://EquinoxInitiative.org/
>>>
>>> On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E <[email protected]> wrote:
>>>
>>> Hi all. I haven’t posted in a while, but we are still in the process of
>>> evaluating ILS systems and our city IT department is balking at one thing,
>>> SIP2 being plain text. Apparently, one vendor, TLC claims they have an
>>> encryption solution for SIP2, but I question whether it actually works or
>>> not, and TLC is another proprietary system, which we are trying to avoid.
>>>
>>> I have been trying to research SIP2 a bit more and am not finding a lot
>>> of information about security issues with it. I’m also trying to find out
>>> if anyone in the Evergreen community has worked with encrypting SIP2
>>> messages, at least sensitive information like passwords and user barcodes.
>>>
>>> Is this even possible in Evergreen and has it caused any problems with
>>> outside vendors like OCLC or Envisionware?
>>>
>>> I would like to find this out because I fear that our city IT is going
>>> to force us into an ILS we really don’t want.
>>>
>>> Thanks,
>>> Wendell
>>>
>>> Wendell Gragg, MSIS
>>> Automation Services Supervisor
>>> Bryan+College Station Public Library System
>>> Bryan, TX
>>> 979-209-5613
>>>
>>> _______________________________________________
>>> Evergreen-general mailing list
>>> [email protected]
>>> http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
>>>
>
> --
> Josh Stompro - IT Director
> Lake Agassiz Regional Library
> Desk: 218-233-3757 Ext 139
> Cell: 218-790-2110
>
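
The arrangement described in the thread above (SIPServer bound to a local address, with stunnel carrying SIP2 over TLS), sketched as an added example; it is not from any poster or from the Evergreen project. Hostnames, ports (including 6001 for SIPServer) and file paths are assumptions, and the two sections belong in separate stunnel configuration files on the two machines.

```ini
; ---- ILS server side: stunnel configuration (file location assumed) ----
; SIPServer itself is configured to listen only on 127.0.0.1:6001
; (port assumed), so the plaintext SIP2 listener is never reachable
; from the network. Only the TLS port below is exposed.
[sip2-in]
; TLS port offered to the vendor (assumed)
accept = 0.0.0.0:6443
; local plaintext SIPServer listener
connect = 127.0.0.1:6001
; server certificate and private key in one PEM file (assumed path)
cert = /etc/stunnel/sip2-server.pem

; ---- Vendor / self-check side: stunnel configuration (file location assumed) ----
; The SIP2 client software is pointed at 127.0.0.1:6001 instead of
; the ILS host, which is why the tunnel is transparent to it.
[sip2-out]
client = yes
accept = 127.0.0.1:6001
; placeholder hostname for the ILS server
connect = ils.example.org:6443
; Without the next three options the stunnel client encrypts the
; session but does not authenticate the server, so it cannot tell
; the real ILS from another host answering on that address.
verifyChain = yes
; CA that issued the server certificate (assumed path)
CAfile = /etc/stunnel/ca.pem
checkHost = ils.example.org
```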
