SPIKE: Supporting Multi Tenants (based on IP) is problematic for MeeScan

Description

Sip2 currently uses the IP address to distinguish a tenant within a multi-tenant environment.

We've recently encountered an issue on a FOLIO cluster in which 2 tenants are planning to use MeeScan for self-check.

MeeScan is a cloud-based solution, and all of its connections will come from the same IP address, 52.204.68.73.

Due to this, only 1 tenant within the FOLIO cluster can be configured to use edge-sip2 and MeeScan.

Are there other options to make edge-sip2 support multiple tenants in this type of scenario?

Activity

Steve Ellis May 31, 2023 at 5:51 PM

I think the simplest solution, which is likely to be the easiest for hosts and users of Meescan, is to support an additional optional configuration property for port. This can be combined with our existing support of IP addresses (the CIDR range). This will be as secure as our current implementation and allow us to support Meescan with minimal effort.

Instead of identifying the tenant only by the IP address, we can check the configuration for the inbound IP address. If the config entry has a port, we can see if the request is occurring at that port, and use the port/ip combination to identify the tenant when the port is in scope in the config.
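An added illustration, in Python, of the lookup described in the comment above: a tenant is selected by the client's source subnet (CIDR) plus an optional listening port, with port-qualified rules taking precedence over port-less ones. This is not edge-sip2's own Java code and does not use the project's configuration keys; the rule field names, the tenant names, the ports 6001/6002 and the 10.0.0.0/8 subnet are assumptions. It goes one step beyond the comment by adding a config-time conflict check that flags two different tenants claiming the same address without a distinguishing port, which is exactly the MeeScan situation in the description.

```python
"""Tenant resolution by source subnet with an optional port qualifier.

Added illustration (not edge-sip2's Java code). Rule field names
(tenant, subnet, port) are assumed, not the project's config keys.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TenantRule:
    tenant: str                  # tenant id to select
    subnet: str                  # CIDR range the SIP client connects from
    port: Optional[int] = None   # listening port; None means any port


class AmbiguousTenantError(Exception):
    """More than one tenant matched the same (source IP, local port)."""


def resolve_tenant(rules: List[TenantRule], source_ip: str, local_port: int) -> Optional[str]:
    """Return the tenant for a connection, or None when nothing matches.

    A rule matches when the client IP lies inside its subnet and, if the rule
    names a port, the connection arrived on that port. Port-qualified rules are
    more specific and win over port-less rules covering the same address.
    """
    ip = ipaddress.ip_address(source_ip)  # raises ValueError on garbage input
    matched = [
        r for r in rules
        if ip in ipaddress.ip_network(r.subnet, strict=False)
        and (r.port is None or r.port == local_port)
    ]
    if not matched:
        return None
    specific = [r for r in matched if r.port is not None]
    candidates = specific or matched
    tenants = sorted({r.tenant for r in candidates})
    if len(tenants) > 1:
        raise AmbiguousTenantError(
            f"{source_ip}:{local_port} matches tenants {tenants}; add a port to disambiguate"
        )
    return tenants[0]


def find_conflicts(rules: List[TenantRule]) -> List[Tuple[TenantRule, TenantRule]]:
    """Config-time check: pairs of rules for different tenants that could both
    match one connection. Overlapping subnets conflict when both rules are
    port-less or name the same port; different ports keep them apart."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.tenant == b.tenant:
                continue
            net_a = ipaddress.ip_network(a.subnet, strict=False)
            net_b = ipaddress.ip_network(b.subnet, strict=False)
            if not net_a.overlaps(net_b):
                continue
            if a.port == b.port:  # both None, or the same port
                conflicts.append((a, b))
    return conflicts


MEESCAN_IP = "52.204.68.73"  # the address quoted in the ticket

# Constructed IP-only config: both tenants claim MeeScan's address (the ticket's problem).
RULES_IP_ONLY = [
    TenantRule("tenant_a", "52.204.68.73/32"),
    TenantRule("tenant_b", "52.204.68.73/32"),
]

# Constructed config with the optional port: MeeScan tenants get one port each,
# an on-site tenant is matched by subnet alone, and a port-qualified rule for a
# sub-range of that subnet shows that the more specific rule wins.
RULES_WITH_PORT = [
    TenantRule("tenant_a", "52.204.68.73/32", port=6001),
    TenantRule("tenant_b", "52.204.68.73/32", port=6002),
    TenantRule("tenant_c", "10.0.0.0/8"),
    TenantRule("tenant_d", "10.0.5.0/24", port=6001),
]


if __name__ == "__main__":
    print("conflicts in IP-only config:", find_conflicts(RULES_IP_ONLY))
    print("conflicts in port config:   ", find_conflicts(RULES_WITH_PORT))
    for port in (6001, 6002, 6003):
        print(MEESCAN_IP, port, "->", resolve_tenant(RULES_WITH_PORT, MEESCAN_IP, port))
    print("10.0.5.9 6001 ->", resolve_tenant(RULES_WITH_PORT, "10.0.5.9", 6001))
    print("10.0.5.9 6002 ->", resolve_tenant(RULES_WITH_PORT, "10.0.5.9", 6002))
    try:
        resolve_tenant(RULES_IP_ONLY, MEESCAN_IP, 6001)
    except AmbiguousTenantError as err:
        print("IP-only config:", err)
```

Running `find_conflicts` at startup, rather than discovering the ambiguity on the first connection, is the cheap check a host would want when two tenants share a hosted SIP client; the resolver itself refuses to guess when the conflict check was skipped.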

Steve Ellis April 4, 2023 at 7:08 PM

I did talk to Meescan, and they do support TLS and certificates. We would give them a cert for each tenant which they would then use to secure the connection coming from a given machine.

They can support 3 methods of identifying the tenant from the request: 1) certs (as you mention), 2) assigning a port to a tenant, and 3) using a combination of the Location and Institution fields. I think 1 and 2 would be easiest to implement, and 1 would be the most secure. 2 would probably be a bit easier to maintain and implement. Could also be made backwards compatible.

Julian Ladisch April 4, 2023 at 5:57 PM

edge-sip2 supports TLS encryption: https://github.com/folio-org/edge-sip2#security

TLS client and/or server certificates are designed to prove identity and can be used to determine the tenant id.

MeeScan says: "Our kiosks are compatible with all types of security and various authentication methods." Does this also apply to TLS client certificates?

Steve Ellis March 16, 2023 at 5:53 PM (edited)

After some discussion we have determined that identifying tenants with something other than IP won't work well with our architecture. We'd like to see what MeeScan can do for us. Talking with them next week.

Steve Ellis November 22, 2022 at 1:43 PM

I think what we need to do with this spike:
1. What is the background on our current architecture for using the IP address to identify tenants. Why was this chosen instead of something else?
2. Are there any viable alternatives to using IP addresses? What would a solution that didn't use IP addresses to identify tenants look like?

Done

Details

Development Team

Volaris

Affected Institution

!!!ALL!!!

Created November 4, 2022 at 5:11 PM
Updated June 1, 2023 at 1:16 PM
Resolved May 31, 2023 at 5:43 PM