{"id":1183,"date":"2015-10-26T19:51:31","date_gmt":"2015-10-27T02:51:31","guid":{"rendered":"https:\/\/galencharlton.com\/blog\/?p=1183"},"modified":"2020-08-15T07:27:18","modified_gmt":"2020-08-15T14:27:18","slug":"securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls","status":"publish","type":"post","link":"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/","title":{"rendered":"Securing Z39.50 traffic from Koha and Evergreen Z39.50 servers using YAZ and TLS"},"content":{"rendered":"\n<p>There&#8217;s often more than way to search a library catalog; or to put it another way, not all users come in via the front door. &nbsp;For example, ensuring that your public catalog supports HTTPS can help prevent bad actors from snooping on patron&#8217;s searches \u2014 but if one of your users happens to use a tool that searches your catalog over Z39.50, by default they have less protection.<\/p>\n\n\n\n<p>Consider this extract from a tcpdump of a Z39.50 session:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wrap:true lang:default decode:true\">02:32:34.657140 IP (tos 0x0, ttl 64, id 26189, offset 0, flags [DF], proto TCP (6), length 1492)\n    localhost.9999 &gt; localhost.36545: Flags [P.], cksum 0x03c9 (incorrect -&gt; 0x00cc), seq 10051:11491, ack 235, win 256, options [nop,nop,TS val 2278124301 ecr 2278124301], length 1440\nE...fM@.@...........'.....x.KEt&gt;...........\n.............0.......(...*.H...\n...p01392pam a2200361 a 4500001000500000003000500005005001700010008004100027035002100068852004900089852004900138852004900187906004500236955012300281010001700404020002800421020002800449040001800477050002300495082001600518245014300534260003500677300002400712440002900736504005100765650004300816700001800859700002800877700002800905991006200933905001000995901002501005.1445.CONS.19931221140705.2.930721s1993    mau      b    001 0 eng  .  .9(DLC)   93030748.4 .aStacks.bBR1.cACQ3164.dBR1.gACQ3202.nOn order.4 .aStacks.bBR1.cACQ3164.dBR1.gACQ3165.nOn order.4 .aStacks.bBR1.cACQ3164.dBR1.gACQ3164.nOn order.  .a7.bcbc.corignew.d1.eocip.f19.gy-gencatlg.  .apc03 to ja00 07-21-93; je39 07-22-93; je08 07-22-93; je05 to DDC 07-23-93; aa21 07-26-93; CIP ver. jf05 to sl 12\/21\/93.  .a   93030748 .  .a3764336242 (alk. paper).  .a0817636242 (alk. paper).  .aDLC.cDLC.dDLC.00.aQC173.6.b.A85 1993.00.a530.1\/1.220.04.aThe Attraction of gravitation :.bnew studies in the history of general relativity \/.cJohn Earman, Michel Janssen, John D. Norton, editord..  .aBoston :.bBirkh..user,.cc1993..  .ax, 432 p. ;.c24 cm.. 0.aEinstein studies ;.vv. 5.  .aIncludes bibliographical references and index.. 0.aGeneral relativity (Physics).xHistory..1 .aEarman, John..1 .aJanssen, Michel,.d1953-.1 .aNorton, John D.,.d1960-.  .bc-GenColl.hQC173.6.i.A85 1993.p00018915972.tCopy 1.wBOOKS.  .ugalen.  .a1445.b.c1445.tbiblio..............\n<\/pre>\n\n\n\n<p>No, MARC is <strong>not<\/strong> a cipher; it just isn&#8217;t.<\/p>\n\n\n\n<p>How to improve this state of affairs? There was <a href=\"https:\/\/lists.w3.org\/Archives\/Public\/www-zig\/2000Aug\/0007.html\">some discussion<\/a> back in 2000 of bundling SSL or TLS into the Z39.50 protocol, although it doesn&#8217;t seem like it went anywhere. Of course, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Tunneling_protocol#Secure_Shell_tunneling\">SSH tunnels<\/a> and <a href=\"https:\/\/www.stunnel.org\/index.html\">stunnel<\/a> are options, but it turns out that there can be an easier way.<\/p>\n\n\n\n<p>As is usually the case with anything involving Z39.50, we can thank the folks at IndexData for being on top of things: it turns out that TLS support is easily enabled in YAZ. Here&#8217;s how this can be applied to Evergreen and Koha.<\/p>\n\n\n\n<p>The first step is to create an SSL certificate; a self-signed one probably suffices. The certificate and its private key should be concatenated into a single PEM file, like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted crayon:false\">-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n<\/pre>\n\n\n\n<p>Evergreen&#8217;s Z39.50 server can be told to require SSL via a <code>&lt;listen&gt;<\/code> element in <code>\/openils\/conf\/oils_yaz.xml<\/code>, like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">    ssl:@:4210\n    \n  \n        \n...\n<\/pre>\n\n\n\n<p>To supply the path to the certificate, a change to <code>oils_ctl.sh<\/code> will do the trick:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">diff --git a\/Open-ILS\/examples\/oils_ctl.sh b\/Open-ILS\/examples\/oils_ctl.sh\nindex dde70cb..692ec00 100755\n--- a\/Open-ILS\/examples\/oils_ctl.sh\n+++ b\/Open-ILS\/examples\/oils_ctl.sh\n@@ -6,6 +6,7 @@ OPT_PID_DIR=\"LOCALSTATEDIR\/run\"\n OPT_SIP_ERR_LOG=\"LOCALSTATEDIR\/log\/oils_sip.log\";\n OPT_Z3950_CONFIG=\"SYSCONFDIR\/oils_z3950.xml\"\n OPT_YAZ_CONFIG=\"SYSCONFDIR\/oils_yaz.xml\"\n+OPT_YAZ_CERT=\"SYSCONFDIR\/yaz_ssl.pem\"\n Z3950_LOG=\"LOCALSTATEDIR\/log\/oils_z3950.log\"\n SIP_DIR=\"\/opt\/SIPServer\";\n\n@@ -115,7 +116,7 @@ function stop_sip {\n\n function start_z3950 {\n        do_action \"start\" $PID_Z3950 \"OILS Z39.50 Server\";\n-       simple2zoom -c $OPT_Z3950_CONFIG -- -f $OPT_YAZ_CONFIG &gt;&gt; \"$Z3950_LOG\" 2&gt;&amp;1 &amp;\n+       simple2zoom -c $OPT_Z3950_CONFIG -- -C $OPT_YAZ_CERT -f $OPT_YAZ_CONFIG &gt;&gt; \"$Z3950_LOG\" 2&gt;&amp;1\n        pid=$!;\n        echo $pid &gt; $PID_Z3950;\n        return 0;\n<\/pre>\n\n\n\n<p>For Koha, a <code>&lt;listen&gt;<\/code> element should be added to <code>koha-conf.xml<\/code>, e.g.,<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><!-- Uncomment the following entry if you want to run the public Z39.50 server.\n    Also uncomment the <server> and <serverinfo> sections for id 'publicserver'\n    under PUBLICSERVER'S BIBLIOGRAPHIC RECORDS title-->\nssl:@:4210\n<\/pre>\n\n\n\n<p><code>zebrasrv<\/code> will also need to know how to find the SSL certificate:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">diff --git a\/misc\/bin\/koha-zebra-ctl.sh b\/misc\/bin\/koha-zebra-ctl.sh\nindex 3b9cd81..63f0d9c 100755\n--- a\/misc\/bin\/koha-zebra-ctl.sh\n+++ b\/misc\/bin\/koha-zebra-ctl.sh\n@@ -37,7 +37,8 @@ RUNDIR=__ZEBRA_RUN_DIR__\n LOCKDIR=__ZEBRA_LOCK_DIR__\n # you may need to change this depending on where zebrasrv is installed\n ZEBRASRV=__PATH_TO_ZEBRA__\/zebrasrv\n-ZEBRAOPTIONS=\"-v none,fatal,warn\"\n+YAZ_CERT=__KOHA_CONF_DIR__\/zebra-ssl.pem\n+ZEBRAOPTIONS=\"-C $YAZ_CERT -v none,fatal,warn\"\n\n test -f $ZEBRASRV || exit 0\n<\/pre>\n\n\n\n<p>And with that, we can test: <code>yaz-client ssl:localhost:4210\/CONS<\/code> or <code>yaz-client ssl:localhost:4210\/biblios<\/code>. Et voila!<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wrap:true lang:default decode:true\">02:47:16.655628 IP localhost.4210 &gt; localhost.41440: Flags [P.], seq 86:635, ack 330, win 392, options [nop,nop,TS val 116332994 ecr 116332994], length 549\nE..Y..@.@.j..........r...............N.....\n............ 2.........,lS...J6...5.p...,&lt;]0....r.....m....Y.H*.em......`....s....n.%..KV2.];.Z..aP.....C..+.,6..^VY.......&gt;..j...D..L..J...rB!............k....9..%H...?bu[........?&lt;       R.......y.....S.uC.2.i6..X..E)..Z..K..J..q   ..m.m.%.r+...?.l....._.8).p$.H.R2...5.|....Q,..Q....9...F.......n....8 ...R.`.&amp;..5..s.q....(.....z9...R..oD............D...jC..?O.+....,7.i.BT...*Q\n...5..\\-M...1.&lt;t;...8...(.8....a7.......@.b.`n#.$....4...:...=...j....^.0..;..3i.`. f..g.|\"l......i.....&lt;n(3x......c.om_&lt;w...p.t...`=\"\" h..8.s....(3.......rz.1s=\"\" ...@....t....=\"\" &lt;=\"\" pre=\"\"&gt;<\/pre>\n\n\n\n<p>Of course, not every Z39.50 client will know how to use TLS&#8230; but lots will, as YAZ is the basis for many of them.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wrap:true lang:default decode:true\">&lt;\/t;...8...(.8....a7.......@.b.`n#.$....4...:...=...j....^.0..;..3i.`.&gt;<\/pre>\n<div class=\"sharedaddy sd-sharing-enabled\"><div class=\"robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing\"><h3 class=\"sd-title\">Share this:<\/h3><div class=\"sd-content\"><ul><li class=\"share-twitter\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"sharing-twitter-1183\" class=\"share-twitter sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/?share=twitter\" target=\"_blank\" title=\"Click to share on Twitter\"><span>Twitter<\/span><\/a><\/li><li><a href=\"#\" class=\"sharing-anchor sd-button share-more\"><span>More<\/span><\/a><\/li><li class=\"share-end\"><\/li><\/ul><div class=\"sharing-hidden\"><div class=\"inner\" style=\"display: none;\"><ul><li class=\"share-tumblr\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"\" class=\"share-tumblr sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/?share=tumblr\" target=\"_blank\" title=\"Click to share on Tumblr\"><span>Tumblr<\/span><\/a><\/li><li class=\"share-reddit\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"\" class=\"share-reddit sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/?share=reddit\" target=\"_blank\" title=\"Click to share on Reddit\"><span>Reddit<\/span><\/a><\/li><li class=\"share-end\"><\/li><li class=\"share-print\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"\" class=\"share-print sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/\" target=\"_blank\" title=\"Click to print\"><span>Print<\/span><\/a><\/li><li class=\"share-end\"><\/li><\/ul><\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>There&#8217;s often more than way to search a library catalog; or to put it another way, not all users come in via the front door&#8230;.<\/p>\n<div class=\"sharedaddy sd-sharing-enabled\"><div class=\"robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing\"><h3 class=\"sd-title\">Share this:<\/h3><div class=\"sd-content\"><ul><li class=\"share-twitter\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"sharing-twitter-1183\" class=\"share-twitter sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/?share=twitter\" target=\"_blank\" title=\"Click to share on Twitter\"><span>Twitter<\/span><\/a><\/li><li><a href=\"#\" class=\"sharing-anchor sd-button share-more\"><span>More<\/span><\/a><\/li><li class=\"share-end\"><\/li><\/ul><div class=\"sharing-hidden\"><div class=\"inner\" style=\"display: none;\"><ul><li class=\"share-tumblr\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"\" class=\"share-tumblr sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/?share=tumblr\" target=\"_blank\" title=\"Click to share on Tumblr\"><span>Tumblr<\/span><\/a><\/li><li class=\"share-reddit\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"\" class=\"share-reddit sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/?share=reddit\" target=\"_blank\" title=\"Click to share on Reddit\"><span>Reddit<\/span><\/a><\/li><li class=\"share-end\"><\/li><li class=\"share-print\"><a rel=\"nofollow noopener noreferrer\" data-shared=\"\" class=\"share-print sd-button share-icon\" href=\"https:\/\/galencharlton.com\/blog\/2015\/10\/securing-z39-50-traffic-from-koha-and-evergreen-z39-50-servers-using-yaz-and-tls\/\" target=\"_blank\" title=\"Click to print\"><span>Print<\/span><\/a><\/li><li class=\"share-end\"><\/li><\/ul><\/div><\/div><\/div><\/div><\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"Securing Z39.50 traffic from Koha and Evergreen Z39.50 servers using YAZ and TLS #kohails #egils","jetpack_is_tweetstorm":false},"categories":[4,25,10,6,55,1],"tags":[],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p3gJ9y-j5","_links":{"self":[{"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/posts\/1183"}],"collection":[{"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/comments?post=1183"}],"version-history":[{"count":16,"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/posts\/1183\/revisions"}],"predecessor-version":[{"id":1570,"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/posts\/1183\/revisions\/1570"}],"wp:attachment":[{"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/media?parent=1183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/categories?post=1183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/galencharlton.com\/blog\/wp-json\/wp\/v2\/tags?post=1183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}