Wendell, I just wanted to add another confirmation, we have had
100% success requiring encrypted tunnels for sip2 access with
outside vendors. Overdrive, Hoopla, OCLC (VDX ILL), BrainFuse,
Stunnel has been the easiest to setup, since it is just SSL one
vendor was easily able to adjust their own software to
natively connect via ssl and didn't need to run stunnel on their
end at all.
We also offer SSH tunneling, but that takes a bit more work to
setup, and I don't think anyone actually is using that method
right now. I did exchange 4 emails with OCLC support where they
repeatedly used the term SSH but then finally said that what they
meant was Stunnel, sigh. I also had to quote a library journal
article from a few years ago where OCLC said "of course we
support encrypted authentication for all our products" to get
them to admit that they could do it. That was a fun email to send.
The best thing to do is to put the encrypted sip authentication
requirement in the contract with the vendor up front, which means
you have to be at the table when negotiating with them. I think
vendors that use SIP2 are getting much better about supporting
encryption in general. I think it is getting hard for them to
say yes to "So you don't want to protect our patrons private
personal information and allow us to comply with our state laws
about patron privacy?"
If you are going to self host an evergreen system and want notes
on how to setup stunnel just let me know. Otherwise if you are
looking at a hosted solution then the hosting provider can
provide those assurances about stunnel being provided as an option.
Josh
On Tue, Jan 5, 2021 at 8:46 AM Rogan Hamby
<[email protected]
<mailto:[email protected]>> wrote:
I'll just note that I have setup several Envisionware
instances to use stunnel and encrypt the SIP2 communication
back to Evergreen as Jason Boyer describes with no issues.
It's transparent to the clients as you would expect.
On Tue, Jan 5, 2021 at 9:42 AM Jason Boyer
<[email protected]
<mailto:[email protected]>> wrote:
Hi Wendell, there isn’t really anything that can be done
to SIP2 to make it secure without making it not-SIP2.
That said, what can be done is to transfer it over an
encrypted channel. I know some Evergreen and Koha systems
handle SIP2 this way and I suspect TLC is doing the same.
This tunneling can be done with stunnel (an openssl TLS
tunnel) or ssh port redirection and most vendors are
capable of dealing with one or the other.
There’s nothing special needed in Evergreen to handle
this; you just need to setup SIPServer to listen to a
local IP rather than a public one and coordinate with the
vendor what type of tunnel to use. I realize this is
pretty non-specific but if you have any questions I or
someone else on the list should be able to help out.
Jason
--
Jason Boyer
Senior System Administrator
Equinox Open Library Initiative
phone: +1 (877) Open-ILS (673-6457)
email: [email protected]
<mailto:[email protected]>
web: https://EquinoxInitiative.org/
<https://EquinoxInitiative.org/>
On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E
<[email protected] <mailto:[email protected]>> wrote:
Hi all. I haven’t posted in a while, but we are still
in the process of evaluating ILS systems and our city IT
department is balking at one thing, SIP2 being plain
text. Apparently, one vendor, TLC claims they have an
encryption solution for SIP2, but I question whether it
actually works or not, and TLC is another proprietary
system, which we are trying to avoid.
I have been trying to research SIP2 a bit more and am
not finding a lot of information about security issues
with it. I’m also trying to find out if anyone in the
Evergreen community has worked with encrypting SIP2
messages, at least sensitive information like passwords
and user barcodes.
Is this even possible in Evergreen and has it caused any
problems with outside vendors like OCLC or Envisionware?
I would like to find this out because I fear that our
city IT is going to force us into an ILS we really don’t
want.
Thanks,
Wendell
Wendell Gragg, MSIS
Automation Services Supervisor
Bryan+College Station Public Library System
Bryan, TX
979-209-5613
_______________________________________________
Evergreen-general mailing list
[email protected]
<mailto:[email protected]>
http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
<http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general>
_______________________________________________
Evergreen-general mailing list
[email protected]
<mailto:[email protected]>
http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
<http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general>
_______________________________________________
Evergreen-general mailing list
[email protected]
<mailto:[email protected]>
http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
<http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general>
--
Josh Stompro - IT Director
Lake Agassiz Regional Library
Desk: 218-233-3757 Ext 139
Cell: 218-790-2110
_______________________________________________
Evergreen-general mailing list
[email protected]
<mailto:[email protected]>
http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
<http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general>
