[Evergreen-general] Encrypted SIP2

Lolis, John jlolis at whiteplainsny.gov
Tue Jan 5 13:12:44 EST 2021


That's great, Blake!  I don't suppose you would also have a WordPress
plugin that would allow it to communicate using SIP2?  That's my holy grail
these days.

John Lolis
Coordinator of Computer Systems

100 Martine Avenue
White Plains, NY  10601

tel: 1.914.422.1497
fax: 1.914.422.1452

https://whiteplainslibrary.org/

*When you think about it, *all* security is ultimately security by
ignorance.*



On Tue, 5 Jan 2021 at 11:56, Blake Henderson <blake at mobiusconsortium.org>
wrote:

> Wendell,
>
> I'd like to add one more idea/tool. We developed a SIP proxy for a
> computer/Raspberry Pi that can be located on the library's LAN, which
> negotiates the tunnel to the Evergreen server using pre-setup keys. Just
> another thing that might help you:
>
> https://github.com/mcoia/evergreen_sip_proxy
>
> Lightning talk on the matter:
> http://slides.mobiusconsortium.org/blake/sip_proxy/#/
>
> -Blake-
> Conducting Magic
> Can consume data in any format
> MOBIUS
>
>
> On 1/5/2021 9:44 AM, Josh Stompro wrote:
>
> Wendell, I just wanted to add another confirmation, we have had 100%
> success requiring encrypted tunnels for sip2 access with outside vendors:
> Overdrive, Hoopla, OCLC (VDX ILL), BrainFuse.  Stunnel has been the easiest
> to set up; since it is just SSL, one vendor was easily able to adjust their
> own software to natively connect via ssl and didn't need to run stunnel on
> their end at all.
>
> We also offer SSH tunneling, but that takes a bit more work to set up, and
> I don't think anyone actually is using that method right now.  I did
> exchange 4 emails with OCLC support where they repeatedly used the term SSH
> but then finally said that what they meant was Stunnel, sigh.  I also had
> to quote a library journal article from a few years ago where OCLC said "of
> course we support encrypted authentication for all our products" to get
> them to admit that they could do it.  That was a fun email to send.
>
> The best thing to do is to put the encrypted sip authentication
> requirement in the contract with the vendor up front, which means you have
> to be at the table when negotiating with them.  I think vendors that use
> SIP2 are getting much better about supporting encryption in general.  I
> think it is getting hard for them to say yes to "So you don't want to
> protect our patrons' private personal information and allow us to comply
> with our state laws about patron privacy?"
>
> If you are going to self host an evergreen system and want notes on how to
> set up stunnel just let me know.  Otherwise if you are looking at a hosted
> solution then the hosting provider can provide those assurances about
> stunnel being provided as an option.
> Josh
>
> On Tue, Jan 5, 2021 at 8:46 AM Rogan Hamby <rhamby at equinoxinitiative.org>
> wrote:
>
>> I'll just note that I have set up several Envisionware instances to use
>> stunnel and encrypt the SIP2 communication back to Evergreen as Jason Boyer
>> describes with no issues.  It's transparent to the clients as you would
>> expect.
>>
>>
>>
>> On Tue, Jan 5, 2021 at 9:42 AM Jason Boyer <jboyer at equinoxinitiative.org>
>> wrote:
>>
>>> Hi Wendell, there isn’t really anything that can be done to SIP2 to make
>>> it secure without making it not-SIP2. That said, what can be done is to
>>> transfer it over an encrypted channel. I know some Evergreen and Koha
>>> systems handle SIP2 this way and I suspect TLC is doing the same. This
>>> tunneling can be done with stunnel (an openssl TLS tunnel) or ssh port
>>> redirection and most vendors are capable of dealing with one or the other.
>>>
>>> There’s nothing special needed in Evergreen to handle this; you just
>>> need to set up SIPServer to listen to a local IP rather than a public one
>>> and coordinate with the vendor what type of tunnel to use. I realize this
>>> is pretty non-specific but if you have any questions I or someone else on
>>> the list should be able to help out.
>>>
>>> Jason
>>>
>>> --
>>> Jason Boyer
>>> Senior System Administrator
>>> Equinox Open Library Initiative
>>> phone:  +1 (877) Open-ILS (673-6457)
>>> email:  JBoyer at EquinoxInitiative.org <JBoyer at EquinoxInitiative.org>
>>> web:  https://EquinoxInitiative.org/
>>>
>>> On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E <WGragg at bryantx.gov> wrote:
>>>
>>> Hi all.  I haven’t posted in a while, but we are still in the process of
>>> evaluating ILS systems and our city IT department is balking at one thing,
>>> SIP2 being plain text.  Apparently, one vendor, TLC, claims they have an
>>> encryption solution for SIP2, but I question whether it actually works or
>>> not, and TLC is another proprietary system, which we are trying to avoid.
>>>
>>> I have been trying to research SIP2 a bit more and am not finding a lot
>>> of information about security issues with it.  I’m also trying to find out
>>> if anyone in the Evergreen community has worked with encrypting SIP2
>>> messages, at least sensitive information like passwords and user barcodes.
>>>
>>> Is this even possible in Evergreen and has it caused any problems with
>>> outside vendors like OCLC or Envisionware?
>>>
>>> I would like to find this out because I fear that our city IT is going
>>> to force us into an ILS we really don’t want.
>>>
>>> Thanks,
>>> Wendell
>>>
>>> Wendell Gragg, MSIS
>>> Automation Services Supervisor
>>> Bryan+College Station Public Library System
>>> Bryan, TX
>>> 979-209-5613
>>>
>>> _______________________________________________
>>> Evergreen-general mailing list
>>> Evergreen-general at list.evergreen-ils.org
>>> http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
>>>
>>>
>
>
> --
> Josh Stompro - IT Director
> Lake Agassiz Regional Library
> Desk: 218-233-3757 Ext 139
> Cell: 218-790-2110
>
>
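
The arrangement described in the thread (SIPServer bound to a local address, with stunnel carrying SIP2 over TLS between the vendor and the Evergreen host), sketched as a pair of stunnel configurations. This is an added example, not configuration posted by anyone in the thread; the host name `sip.example.org`, the ports 6001 and 6443, and all file paths are placeholders chosen for illustration.

```ini
; ===== File 1: Evergreen host, e.g. /etc/stunnel/sip2-server.conf =====
; SIPServer is configured separately to listen on 127.0.0.1 only, so the
; plaintext SIP2 port is never reachable from the network. stunnel is the
; only listener exposed to the vendor.
; sslVersionMin needs stunnel 5.x built against OpenSSL 1.1.0 or later.

[sip2-tls]
; public TLS port handed to the vendor (assumed value)
accept = 0.0.0.0:6443
; local plaintext SIPServer port (assumed value)
connect = 127.0.0.1:6001
; server certificate and key (placeholder paths)
cert = /etc/stunnel/sip.example.org.crt
key = /etc/stunnel/sip.example.org.key
sslVersionMin = TLSv1.2

; ===== File 2: vendor or library-LAN end, e.g. sip2-client.conf =====
; The SIP2 client (self-check unit, vendor application) is pointed at
; 127.0.0.1:6001 and never learns that TLS is involved.

[sip2-tls]
client = yes
; where the local SIP2 client connects, in plaintext, on loopback only
accept = 127.0.0.1:6001
; the Evergreen host's public TLS listener from File 1
connect = sip.example.org:6443
; Authenticate the server. Without these three lines the tunnel is
; encrypted but the client would accept any certificate presented to it.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = sip.example.org
sslVersionMin = TLSv1.2
```

A vendor whose software speaks TLS natively, as one did in Josh Stompro's account, needs only File 1 on the Evergreen side and connects straight to the `accept` port.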