 |
 |
Hello Joshua, Thanks for the information. We will try few things and share our experience. Regards, --- Gagandeep Dhillon Team Leader, Application Development | Digital Initiatives | McGill University Library P:514-398-1846 |E:[log in to unmask] -----Original Message----- From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Josh Welker Sent: April-29-19 5:34 PM To: [log in to unmask] Subject: Re: [CODE4LIB] Configuring stunnel and question about the origins of SSL certificates Hi Gagandeep et al, I am working on setting this up as part of my integration right now. We are moving from Sierra, which uses a non-encrypted SIP connection, to Alma, which is encrypted using Stunnel. The SIP protocol is not secure at all. It's a known shortcoming. The options, as far as I can tell, are to just live with unencrypted data, to use a VPN between your self-check station and the ILS/LSP, or to use something like Stunnel to encrypt your message on the self-check machine and then decrypt it on the ILS/LSP server. The choice is based entirely on how your ILS/LSP vendor handles it. If they don't have a method for handling Stunnel-encrypted SIP messages, there's nothing you can do about it (except complain I guess). In Alma, the LSP assigns us a random SSL certificate that contains a public key for encrypting the data. On the backend somewhere, they have a matching private key that knows how to decrypt that data into a plain SIP message. Stunnel intercepts the data before it leaves your self-check station and encrypts it into a meaningless blob of text. The vendor has set up a process on their server to decrypt the data before trying to process it as a SIP message. Joshua Welker Library Systems and Discovery Coordinator James C. Kirkpatrick Library University of Central Missouri Warrensburg, MO 64093 JCKL 2260 660.543.8022 On Mon, Apr 29, 2019 at 3:30 PM Gagandeep Dhillon, Mr. < [log in to unmask]> wrote: > Hi folks, > > > > We are stepping through configuring secure transmission between our > Bibliotheca self-check machines and our new LSP, OCLC's WorldShare, > using stunnel. We are in the process of migrating from Aleph (an Ex > Libris > product) to WorldShare and, in the past, have set up our Bibliotheca > self-checks with Aleph using stunnel and an SSL certificate provided > by Ex Libris. This is not something that OCLC does, or has apparently > needed to do with other libraries. On their end they authenticate > whether our machine is our machine based on its IP address but beyond > that data transmission is insecure. > > > > Most of us working on this are new to SSL certificates, stunnel, and > securing transmission between our self-checks and a vendor system > hosted on a server that we don't have control over. Has anyone had > experience doing something similar to this? If so, could we pick your brain? > > > > On a related, but broader, note: what is the origin of SSL certificates? > Where did this come from and why wouldn't it be a standard thing a > vendor supports? > > Please feel free to contact any of us. > > Thanks, > > Clara Turp > Eka Grguric > Awais Mehmood Khalid > Mutugi Gathuri > > --- > Gagandeep Dhillon > Team Leader, Application Development | Digital Initiatives | McGill > University Library > P:514-398-1846 |E:[log in to unmask] >