<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Wendell,<br>
    <br>
    I'd like to add one more idea/tool. We developed a SIP proxy for a
    computer/Raspberry Pi that can be located on the library's LAN,
    which negotiates the tunnel to the Evergreen server using pre-setup
    keys. Just another thing that might help you:<br>
    <br>
    <a moz-do-not-send="true"
      href="https://github.com/mcoia/evergreen_sip_proxy">https://github.com/mcoia/evergreen_sip_proxy</a><br>
    <br>
    Lightning talk on the matter:<br>
    <a moz-do-not-send="true"
      href="http://slides.mobiusconsortium.org/blake/sip_proxy/#/">http://slides.mobiusconsortium.org/blake/sip_proxy/#/</a><br>
    <br>
    <pre class="moz-signature" cols="72">-Blake-
Conducting Magic
Can consume data in any format
MOBIUS

</pre>
    <div class="moz-cite-prefix">On 1/5/2021 9:44 AM, Josh Stompro
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAGOQQfvFF+-dVMzNWwsmofHUM70hSyDvHCY+_=R+5UUGxPRgiw@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Wendell, I just wanted to add another confirmation:
        we have had 100% success requiring encrypted tunnels for SIP2
        access with outside vendors (Overdrive, Hoopla, OCLC (VDX ILL),
        BrainFuse). Stunnel has been the easiest to set up; since it is
        just SSL, one vendor was easily able to adjust their own software
        to natively connect via SSL and didn't need to run stunnel on
        their end at all.
        <div><br>
        </div>
        <div>We also offer SSH tunneling, but that takes a bit more work
          to set up, and I don't think anyone actually is using that
          method right now.  I did exchange 4 emails with OCLC support
          where they repeatedly used the term SSH but then finally said
          that what they meant was Stunnel, sigh.  I also had to quote a
          library journal article from a few years ago where OCLC said
          "of course we support encrypted authentication for all our
          products" to get them to admit that they could do it.  That
          was a fun email to send.</div>
        <div><br>
        </div>
        <div>The best thing to do is to put the encrypted sip
          authentication requirement in the contract with the vendor up
          front, which means you have to be at the table when
          negotiating with them.  I think vendors that use SIP2 are
          getting much better about supporting encryption in general.  I
          think it is getting hard for them to say yes to "So you don't
          want to protect our patrons private personal information and
          allow us to comply with our state laws about patron privacy?"</div>
        <div><br>
        </div>
        <div>If you are going to self-host an Evergreen system and want
          notes on how to set up stunnel, just let me know.  Otherwise, if
          you are looking at a hosted solution, then the hosting provider
          can provide those assurances about stunnel being provided as
          an option.</div>
        <div>Josh</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Tue, Jan 5, 2021 at 8:46 AM
          Rogan Hamby <<a href="mailto:rhamby@equinoxinitiative.org"
            moz-do-not-send="true">rhamby@equinoxinitiative.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">I'll just note that I have set up several
            Envisionware instances to use stunnel and encrypt the SIP2
            communication back to Evergreen as Jason Boyer describes,
            with no issues.  It's transparent to the clients, as you
            would expect.<br clear="all">
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Tue, Jan 5, 2021 at
              9:42 AM Jason Boyer <<a
                href="mailto:jboyer@equinoxinitiative.org"
                target="_blank" moz-do-not-send="true">jboyer@equinoxinitiative.org</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div>Hi Wendell, there isn’t really anything that can be
                done to SIP2 to make it secure without making it
                not-SIP2. That said, what can be done is to transfer it
                over an encrypted channel. I know some Evergreen and
                Koha systems handle SIP2 this way and I suspect TLC is
                doing the same. This tunneling can be done with stunnel
                (an openssl TLS tunnel) or ssh port redirection and most
                vendors are capable of dealing with one or the other.
                <div><br>
                </div>
                <div>There’s nothing special needed in Evergreen to
                  handle this; you just need to set up SIPServer to
                  listen on a local IP rather than a public one and
                  coordinate with the vendor on what type of tunnel to use.
                  I realize this is pretty non-specific, but if you have
                  any questions I or someone else on the list should be
                  able to help out.<br>
                  <div><br>
                  </div>
                  <div>Jason</div>
                  <div>
                    <div><br>
                      -- <br>
                      Jason Boyer<br>
                      Senior System Administrator<br>
                      Equinox Open Library Initiative<br>
                      phone:  +1 (877) Open-ILS (673-6457)<br>
                      <a href="mailto:JBoyer@EquinoxInitiative.org"
                        target="_blank" moz-do-not-send="true">email:
                         JBoyer@EquinoxInitiative.org</a><br>
                      web:  <a href="https://EquinoxInitiative.org/"
                        target="_blank" moz-do-not-send="true">https://EquinoxInitiative.org/</a></div>
                  </div>
                  <div><br>
                    <blockquote type="cite">
                      <div>On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E
                        <<a href="mailto:WGragg@bryantx.gov"
                          target="_blank" moz-do-not-send="true">WGragg@bryantx.gov</a>>
                        wrote:</div>
                      <br>
                      <div>
                        <div
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Hi
                            all.  I haven’t posted in a while, but we
                            are still in the process of evaluating ILS
                            systems and our city IT department is
                            balking at one thing, SIP2 being plain
                            text.  Apparently, one vendor, TLC claims
                            they have an encryption solution for SIP2,
                            but I question whether it actually works or
                            not, and TLC is another proprietary system,
                            which we are trying to avoid.</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I
                            have been trying to research SIP2 a bit more
                            and am not finding a lot of information
                            about security issues with it.  I’m also
                            trying to find out if anyone in the
                            Evergreen community has worked with
                            encrypting SIP2 messages, at least sensitive
                            information like passwords and user
                            barcodes.</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Is
                            this even possible in Evergreen and has it
                            caused any problems with outside vendors
                            like OCLC or Envisionware?</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I
                            would like to find this out because I fear
                            that our city IT is going to force us into
                            an ILS we really don’t want.</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thanks,</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Wendell</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Wendell
                            Gragg, MSIS</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Automation
                            Services Supervisor</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Bryan+College
                            Station Public Library System</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Bryan,
                            TX</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">979-209-5613</div>
                          <div style="margin:0in 0in
                            0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
                        </div>
                        <span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">_______________________________________________</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
                        <span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">Evergreen-general
                          mailing list</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
                        <a
                          href="mailto:Evergreen-general@list.evergreen-ils.org"
style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                          target="_blank" moz-do-not-send="true">Evergreen-general@list.evergreen-ils.org</a><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
                        <a
href="http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general"
style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                          target="_blank" moz-do-not-send="true">http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general</a></div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
      <br clear="all">
      <div><br>
      </div>
      -- <br>
      <div dir="ltr" class="gmail_signature">
        <div dir="ltr">
          <div>
            <div dir="ltr">
              <div>Josh Stompro - IT Director</div>
              <div>Lake Agassiz Regional Library<br>
              </div>
              <div>Desk: 218-233-3757 Ext 139</div>
              <div>Cell: 218-790-2110</div>
            </div>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
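    As an added illustration of the stunnel approach Jason and Josh describe (example configuration, not code from this thread or from any project it links): a minimal stunnel configuration pair, assuming SIPServer has been bound to 127.0.0.1:6001 on the Evergreen host, that TLS is exposed on port 6443, and the certificate paths and hostname shown. Both sides verify the peer's certificate, so a vendor reaches SIPServer only with a key the library issued.<br>

```ini
; --- Evergreen host: /etc/stunnel/sip2-server.conf (assumed path) ---
; Terminates TLS on the public port and hands plaintext SIP2 to a
; SIPServer that listens only on the loopback address (assumed :6001),
; so nothing outside the host can talk to SIPServer directly.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/sip2-server.pid

; Assumed certificate and key paths for the library's own identity
cert = /etc/stunnel/sip2-server.pem
key = /etc/stunnel/sip2-server.key

; Only vendors holding a certificate issued by the library's CA may connect
CAfile = /etc/stunnel/vendor-ca.pem
verifyChain = yes
requireCert = yes
sslVersionMin = TLSv1.2

[sip2]
accept = 0.0.0.0:6443
connect = 127.0.0.1:6001

; --- Vendor host: sip2-client.conf (assumed path) ---
; Accepts plaintext SIP2 from the vendor's own software on loopback and
; forwards it over TLS to the library. The vendor's software keeps using
; plain SIP2 against 127.0.0.1:6001, unchanged.
client = yes
cert = /etc/stunnel/vendor.pem
key = /etc/stunnel/vendor.key

; Verify the library's certificate chain and that the name matches
CAfile = /etc/stunnel/library-ca.pem
verifyChain = yes
checkHost = sip.example-library.org
sslVersionMin = TLSv1.2

[sip2]
accept = 127.0.0.1:6001
connect = sip.example-library.org:6443
```

    The two sections belong in separate files, one per host; the vendor's SIP2 client and SIPServer itself are unchanged, which is what makes the tunnel transparent to both ends.<br>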
    <br>
  </body>
</html>