[Evergreen-general] Encrypted SIP2
Blake Henderson
blake at mobiusconsortium.org
Tue Jan 5 14:31:08 EST 2021
John,
Sorry :( no WordPress plugin. Sounds like fun though!
-Blake-
Conducting Magic
Can consume data in any format
MOBIUS
On 1/5/2021 12:12 PM, Lolis, John wrote:
> That's great, Blake! I don't suppose you would also have a WordPress
> plugin that would allow it to communicate using SIP2? That's my holy
> grail these days.
>
> John Lolis
> Coordinator of Computer Systems
>
> 100 Martine Avenue
> White Plains, NY 10601
>
> tel: 1.914.422.1497
> fax: 1.914.422.1452
>
> https://whiteplainslibrary.org/
>
> /When you think about it, /all/ security is ultimately security by
> ignorance./
>
>
>
> On Tue, 5 Jan 2021 at 11:56, Blake Henderson
> <blake at mobiusconsortium.org> wrote:
>
> Wendell,
>
> I'd like to add one more idea/tool. We developed a SIP proxy for a
> computer/Raspberry Pi that can be located on the library's LAN,
> which negotiates the tunnel to the Evergreen server using
> pre-setup keys. Just another thing that might help you:
>
> https://github.com/mcoia/evergreen_sip_proxy
>
> Lightning talk on the matter:
> http://slides.mobiusconsortium.org/blake/sip_proxy/#/
>
> -Blake-
> Conducting Magic
> Can consume data in any format
> MOBIUS
>
> On 1/5/2021 9:44 AM, Josh Stompro wrote:
>> Wendell, I just wanted to add another confirmation: we have had
>> 100% success requiring encrypted tunnels for SIP2 access with
>> outside vendors: Overdrive, Hoopla, OCLC (VDX ILL), BrainFuse.
>> Stunnel has been the easiest to set up; since it is just SSL, one
>> vendor was easily able to adjust their own software to
>> natively connect via SSL and didn't need to run stunnel on their
>> end at all.
>>
>> We also offer SSH tunneling, but that takes a bit more work to
>> set up, and I don't think anyone actually is using that method
>> right now. I did exchange 4 emails with OCLC support where they
>> repeatedly used the term SSH but then finally said that what they
>> meant was Stunnel, sigh. I also had to quote a library journal
>> article from a few years ago where OCLC said "of course we
>> support encrypted authentication for all our products" to get
>> them to admit that they could do it. That was a fun email to send.
>>
>> The best thing to do is to put the encrypted sip authentication
>> requirement in the contract with the vendor up front, which means
>> you have to be at the table when negotiating with them. I think
>> vendors that use SIP2 are getting much better about supporting
>> encryption in general. I think it is getting hard for them to
>> say yes to "So you don't want to protect our patrons' private
>> personal information and allow us to comply with our state laws
>> about patron privacy?"
>>
>> If you are going to self-host an Evergreen system and want notes
>> on how to set up stunnel just let me know. Otherwise if you are
>> looking at a hosted solution then the hosting provider can
>> provide those assurances about stunnel being provided as an option.
>> Josh
>>
>> On Tue, Jan 5, 2021 at 8:46 AM Rogan Hamby
>> <rhamby at equinoxinitiative.org> wrote:
>>
>> I'll just note that I have set up several Envisionware
>> instances to use stunnel and encrypt the SIP2 communication
>> back to Evergreen as Jason Boyer describes with no issues.
>> It's transparent to the clients as you would expect.
>>
>>
>>
>> On Tue, Jan 5, 2021 at 9:42 AM Jason Boyer
>> <jboyer at equinoxinitiative.org> wrote:
>>
>> Hi Wendell, there isn’t really anything that can be done
>> to SIP2 to make it secure without making it not-SIP2.
>> That said, what can be done is to transfer it over an
>> encrypted channel. I know some Evergreen and Koha systems
>> handle SIP2 this way and I suspect TLC is doing the same.
>> This tunneling can be done with stunnel (an openssl TLS
>> tunnel) or ssh port redirection and most vendors are
>> capable of dealing with one or the other.
>>
>> There’s nothing special needed in Evergreen to handle
>> this; you just need to set up SIPServer to listen to a
>> local IP rather than a public one and coordinate with the
>> vendor what type of tunnel to use. I realize this is
>> pretty non-specific but if you have any questions I or
>> someone else on the list should be able to help out.
>>
>> Jason
>>
>> --
>> Jason Boyer
>> Senior System Administrator
>> Equinox Open Library Initiative
>> phone: +1 (877) Open-ILS (673-6457)
>> email: JBoyer at EquinoxInitiative.org
>> web: https://EquinoxInitiative.org/
>>
>>> On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E
>>> <WGragg at bryantx.gov> wrote:
>>>
>>> Hi all. I haven’t posted in a while, but we are still
>>> in the process of evaluating ILS systems and our city IT
>>> department is balking at one thing, SIP2 being plain
>>> text. Apparently, one vendor, TLC claims they have an
>>> encryption solution for SIP2, but I question whether it
>>> actually works or not, and TLC is another proprietary
>>> system, which we are trying to avoid.
>>> I have been trying to research SIP2 a bit more and am
>>> not finding a lot of information about security issues
>>> with it. I’m also trying to find out if anyone in the
>>> Evergreen community has worked with encrypting SIP2
>>> messages, at least sensitive information like passwords
>>> and user barcodes.
>>> Is this even possible in Evergreen and has it caused any
>>> problems with outside vendors like OCLC or Envisionware?
>>> I would like to find this out because I fear that our
>>> city IT is going to force us into an ILS we really don’t
>>> want.
>>> Thanks,
>>> Wendell
>>> Wendell Gragg, MSIS
>>> Automation Services Supervisor
>>> Bryan+College Station Public Library System
>>> Bryan, TX
>>> 979-209-5613
>>> _______________________________________________
>>> Evergreen-general mailing list
>>> Evergreen-general at list.evergreen-ils.org
>>> <mailto:Evergreen-general at list.evergreen-ils.org>
>>> http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
>>> <http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general>
>>
>> --
>> Josh Stompro - IT Director
>> Lake Agassiz Regional Library
>> Desk: 218-233-3757 Ext 139
>> Cell: 218-790-2110
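Added example, not part of the thread or of any poster's code: a check for the setup described above, where SIPServer listens only on a local address and the TLS tunnel is the only SIP2 endpoint reachable from outside. It assumes `ss -ltnH` style output, port 6001 for plaintext SIPServer and port 6443 for the stunnel front end; the ports, sample rows and function names are assumptions of this sketch.

```python
import ipaddress

# Assumed ports for this sketch: plaintext SIPServer and the stunnel TLS front end.
PLAINTEXT_SIP_PORT = 6001
TLS_TUNNEL_PORT = 6443

# Constructed `ss -ltnH` rows (not captured from a real host).
SAMPLE_TUNNELLED = """\
LISTEN 0 128 127.0.0.1:6001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""
SAMPLE_EXPOSED = """\
LISTEN 0 128 0.0.0.0:6001 0.0.0.0:*
LISTEN 0 128 [::1]:6001 [::]:*
LISTEN 0 128 *:6443 *:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) per LISTEN row; address is None for the '*' wildcard."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        if not port.isdigit():
            continue
        try:
            addr = None if host == "*" else ipaddress.ip_address(host)
        except ValueError:
            continue  # skip rows whose local address cannot be parsed
        yield addr, int(port)

def audit(ss_output):
    """Report plaintext SIP2 listeners reachable off-host and a missing TLS listener."""
    findings, tls_seen = [], False
    for addr, port in parse_listeners(ss_output):
        if port == PLAINTEXT_SIP_PORT and (addr is None or not addr.is_loopback):
            shown = "*" if addr is None else addr
            findings.append(f"plaintext SIP2 port {port} bound to {shown}; bind it to loopback")
        if port == TLS_TUNNEL_PORT:
            tls_seen = True
    if not tls_seen:
        findings.append(f"no TLS tunnel listener on port {TLS_TUNNEL_PORT}")
    return findings

if __name__ == "__main__":
    for name, sample in (("tunnelled", SAMPLE_TUNNELLED), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit(sample) or "ok")
```

A host-side check like this complements, but does not replace, a firewall rule that blocks the plaintext port from outside.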