<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Wendell,<br>
<br>
I'd like to add one more idea/tool. We developed a SIP proxy for a
computer/Raspberry Pi that can be located on the library's LAN,
which negotiates the tunnel to the Evergreen server using pre-setup
keys. Just another thing that might help you:<br>
<br>
<a moz-do-not-send="true"
href="https://github.com/mcoia/evergreen_sip_proxy">https://github.com/mcoia/evergreen_sip_proxy</a><br>
<br>
Lightning talk on the matter:<br>
<a moz-do-not-send="true"
href="http://slides.mobiusconsortium.org/blake/sip_proxy/#/">http://slides.mobiusconsortium.org/blake/sip_proxy/#/</a><br>
<br>
<pre class="moz-signature" cols="72">-Blake-
Conducting Magic
Can consume data in any format
MOBIUS
</pre>
<div class="moz-cite-prefix">On 1/5/2021 9:44 AM, Josh Stompro
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGOQQfvFF+-dVMzNWwsmofHUM70hSyDvHCY+_=R+5UUGxPRgiw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Wendell, I just wanted to add another confirmation:
we have had 100% success requiring encrypted tunnels for SIP2
access with outside vendors (Overdrive, Hoopla, OCLC (VDX ILL),
BrainFuse). Stunnel has been the easiest to set up; since it is
just SSL, one vendor was easily able to adjust their own software
to natively connect via SSL and didn't need to run stunnel on
their end at all.
<div><br>
</div>
<div>We also offer SSH tunneling, but that takes a bit more work
to set up, and I don't think anyone actually is using that
method right now. I did exchange 4 emails with OCLC support
where they repeatedly used the term SSH but then finally said
that what they meant was Stunnel, sigh. I also had to quote a
library journal article from a few years ago where OCLC said
"of course we support encrypted authentication for all our
products" to get them to admit that they could do it. That
was a fun email to send.</div>
<div><br>
</div>
<div>The best thing to do is to put the encrypted sip
authentication requirement in the contract with the vendor up
front, which means you have to be at the table when
negotiating with them. I think vendors that use SIP2 are
getting much better about supporting encryption in general. I
think it is getting hard for them to say yes to "So you don't
want to protect our patrons' private personal information and
allow us to comply with our state laws about patron privacy?"</div>
<div><br>
</div>
<div>If you are going to self-host an Evergreen system and want
notes on how to set up stunnel, just let me know. Otherwise, if
you are looking at a hosted solution then the hosting provider
can provide those assurances about stunnel being provided as
an option.</div>
<div>Josh</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 5, 2021 at 8:46 AM
Rogan Hamby <<a href="mailto:rhamby@equinoxinitiative.org"
moz-do-not-send="true">rhamby@equinoxinitiative.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">I'll just note that I have set up several
Envisionware instances to use stunnel and encrypt the SIP2
communication back to Evergreen as Jason Boyer describes
with no issues. It's transparent to the clients as you
would expect.<br clear="all">
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 5, 2021 at
9:42 AM Jason Boyer <<a
href="mailto:jboyer@equinoxinitiative.org"
target="_blank" moz-do-not-send="true">jboyer@equinoxinitiative.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>Hi Wendell, there isn’t really anything that can be
done to SIP2 to make it secure without making it
not-SIP2. That said, what can be done is to transfer it
over an encrypted channel. I know some Evergreen and
Koha systems handle SIP2 this way and I suspect TLC is
doing the same. This tunneling can be done with stunnel
(an openssl TLS tunnel) or ssh port redirection and most
vendors are capable of dealing with one or the other.
<div><br>
</div>
<div>There’s nothing special needed in Evergreen to
handle this; you just need to set up SIPServer to
listen to a local IP rather than a public one and
coordinate with the vendor what type of tunnel to use.
I realize this is pretty non-specific but if you have
any questions I or someone else on the list should be
able to help out.<br>
<div><br>
</div>
<div>Jason</div>
<div>
<div><br>
-- <br>
Jason Boyer<br>
Senior System Administrator<br>
Equinox Open Library Initiative<br>
phone: +1 (877) Open-ILS (673-6457)<br>
<a href="mailto:JBoyer@EquinoxInitiative.org"
target="_blank" moz-do-not-send="true">email:
JBoyer@EquinoxInitiative.org</a><br>
web: <a href="https://EquinoxInitiative.org/"
target="_blank" moz-do-not-send="true">https://EquinoxInitiative.org/</a></div>
</div>
<div><br>
<blockquote type="cite">
<div>On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E
<<a href="mailto:WGragg@bryantx.gov"
target="_blank" moz-do-not-send="true">WGragg@bryantx.gov</a>>
wrote:</div>
<br>
<div>
<div
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Hi
all. I haven’t posted in a while, but we
are still in the process of evaluating ILS
systems and our city IT department is
balking at one thing: SIP2 being plain
text. Apparently one vendor, TLC, claims
they have an encryption solution for SIP2,
but I question whether it actually works or
not, and TLC is another proprietary system,
which we are trying to avoid.</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I
have been trying to research SIP2 a bit more
and am not finding a lot of information
about security issues with it. I’m also
trying to find out if anyone in the
Evergreen community has worked with
encrypting SIP2 messages, at least sensitive
information like passwords and user
barcodes.</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Is
this even possible in Evergreen and has it
caused any problems with outside vendors
like OCLC or Envisionware?</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I
would like to find this out because I fear
that our city IT is going to force us into
an ILS we really don’t want.</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thanks,</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Wendell</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Wendell
Gragg, MSIS</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Automation
Services Supervisor</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Bryan+College
Station Public Library System</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Bryan,
TX</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">979-209-5613</div>
<div style="margin:0in 0in
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </div>
</div>
<span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">_______________________________________________</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
<span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">Evergreen-general
mailing list</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
<a
href="mailto:Evergreen-general@list.evergreen-ils.org"
style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
target="_blank" moz-do-not-send="true">Evergreen-general@list.evergreen-ils.org</a><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
<a
href="http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general"
style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
target="_blank" moz-do-not-send="true">http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general</a></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>Josh Stompro - IT Director</div>
<div>Lake Agassiz Regional Library<br>
</div>
<div>Desk: 218-233-3757 Ext 139</div>
<div>Cell: 218-790-2110</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
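The stunnel arrangement Jason and Josh describe in the quoted thread above (SIPServer bound to loopback, stunnel terminating TLS in front of it, and the vendor running the client half of the tunnel), written out as an added example that is not taken from any of the messages or from the Evergreen project. The hostnames, port numbers, certificate paths and section names are assumptions; match them to your own SIPServer configuration.<br>

```ini
; ---- File 1: /etc/stunnel/sip2-server.conf on the Evergreen/SIPServer host ----
; stunnel accepts TLS from vendors and forwards plaintext SIP2 to SIPServer.
; SIPServer itself must listen only on 127.0.0.1 so the clear-text port is
; never reachable from outside the host (assumed SIPServer port: 6001).
setuid = stunnel4
setgid = stunnel4
pid    = /var/run/stunnel4/sip2.pid

[sip2-tls]
; TLS port opened to vendors through the firewall (assumed port 6443)
accept  = 0.0.0.0:6443
; plaintext SIP2 on loopback only
connect = 127.0.0.1:6001
cert    = /etc/stunnel/sip2.crt
key     = /etc/stunnel/sip2.key
; refuse legacy protocol versions
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

; ---- File 2: stunnel.conf on the vendor's host ----
; The vendor's SIP2 client keeps talking plaintext to 127.0.0.1:6001 locally;
; stunnel carries it to the library over TLS and verifies the library's
; certificate against the CA the library distributed (assumed path).
[sip2-tls]
client      = yes
accept      = 127.0.0.1:6001
connect     = sip.example-library.org:6443
verifyChain = yes
CAfile      = /etc/stunnel/library-ca.pem
checkHost   = sip.example-library.org
```

A vendor whose software already speaks TLS natively (as Josh describes) skips File 2 and connects straight to port 6443. After deploying File 1, confirm from another host that the plaintext port is not answering on the public interface and that only the TLS port is.<br>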
<br>
</body>
</html>