Thanks for the information.
We will try few things and share our experience.
Team Leader, Application Development | Digital Initiatives | McGill University Library
P:514-398-1846 |E:[log in to unmask]
From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Josh Welker
Sent: April-29-19 5:34 PM
To: [log in to unmask]
Subject: Re: [CODE4LIB] Configuring stunnel and question about the origins of SSL certificates
Hi Gagandeep et al,
I am working on setting this up as part of my integration right now. We are moving from Sierra, which uses a non-encrypted SIP connection, to Alma, which is encrypted using Stunnel. The SIP protocol is not secure at all.
It's a known shortcoming. The options, as far as I can tell, are to just live with unencrypted data, to use a VPN between your self-check station and the ILS/LSP, or to use something like Stunnel to encrypt your message on the self-check machine and then decrypt it on the ILS/LSP server. The choice is based entirely on how your ILS/LSP vendor handles it. If they don't have a method for handling Stunnel-encrypted SIP messages, there's nothing you can do about it (except complain I guess).
In Alma, the LSP assigns us a random SSL certificate that contains a public key for encrypting the data. On the backend somewhere, they have a matching private key that knows how to decrypt that data into a plain SIP message.
Stunnel intercepts the data before it leaves your self-check station and encrypts it into a meaningless blob of text. The vendor has set up a process on their server to decrypt the data before trying to process it as a SIP message.
Library Systems and Discovery Coordinator James C. Kirkpatrick Library University of Central Missouri Warrensburg, MO 64093 JCKL 2260
On Mon, Apr 29, 2019 at 3:30 PM Gagandeep Dhillon, Mr. < [log in to unmask]> wrote:
> Hi folks,
> We are stepping through configuring secure transmission between our
> Bibliotheca self-check machines and our new LSP, OCLC's WorldShare,
> using stunnel. We are in the process of migrating from Aleph (an Ex
> product) to WorldShare and, in the past, have set up our Bibliotheca
> self-checks with Aleph using stunnel and an SSL certificate provided
> by Ex Libris. This is not something that OCLC does, or has apparently
> needed to do with other libraries. On their end they authenticate
> whether our machine is our machine based on its IP address but beyond
> that data transmission is insecure.
> Most of us working on this are new to SSL certificates, stunnel, and
> securing transmission between our self-checks and a vendor system
> hosted on a server that we don't have control over. Has anyone had
> experience doing something similar to this? If so, could we pick your brain?
> On a related, but broader, note: what is the origin of SSL certificates?
> Where did this come from and why wouldn't it be a standard thing a
> vendor supports?
> Please feel free to contact any of us.
> Clara Turp
> Eka Grguric
> Awais Mehmood Khalid
> Mutugi Gathuri
> Gagandeep Dhillon
> Team Leader, Application Development | Digital Initiatives | McGill
> University Library
> P:514-398-1846 |E:[log in to unmask]