Issues in Science and Technology Librarianship
Spring 1999
DOI:10.5062/F4F47M3Z

URLs in this document have been updated. Links enclosed in {curly brackets} have been changed. If a replacement link was located, the new URL was added and the link is active; if a new site could not be identified, the broken link was removed.

You Can't Get There from Here: Issues in Remote Access to Electronic Journals for a Health Sciences Library

Dennis Krieb
Assistant Director for Library Automation
Saint Louis University Health Sciences Center Library
St. Louis, Missouri 63104
krieb@slu.edu

Abstract
As many libraries have embraced electronic journals as a part of their serials collections, the issue of making these journals available to eligible patrons in remote locations can be vexing, particularly for health science libraries. For most publishers and aggregators of electronic journals, the definition of an eligible user is based upon physical point of access rather than the credentials of the individual, regardless of their location. This article will share the experience of Saint Louis University's Health Sciences Center Library, one of three campus libraries within a statewide consortium of higher education libraries, in providing access to electronic journals to a dispersed constituency. Information concerning IP filtering, proxy servers, dissemination of passwords, web certificates and others will be discussed.

Introduction
I think most people would agree that the integration of electronic journals within academic and special libraries is a good thing. The ability to access the full text of an article without the hassles of foraging for a misshelved issue or waiting for its return from the bindery has certainly been a value-added service for patrons. In fact, electronic journals are arguably an enhancement of their print cousins. Articles in electronic journals can be downloaded, searched with embedded hot links and accessed by multiple users.
Another bonus is that electronic journals don't have those annoying subscription cards that litter the library floor.

For many libraries today, the electronic journal has become an integral part of serials collection development. Some libraries have chosen to drop long-standing print subscriptions in favor of their electronic counterparts to save both money and shelf space. Although this reasoning makes sense, there are still important and unresolved issues with electronic journals concerning costs, archival access, and authentication methods.

Because these issues are still hotly debated, it is imperative that librarians and publishers work together and seek a common understanding. One organization, The International Coalition of Library Consortia, has taken a leadership role in this effort on behalf of libraries by drafting their Statement of Current Perspective and Preferred Practices for the Selection and Purchase of Electronic Information (International Coalition of Library Consortia ICOLC 1998). This document addresses fair use, archiving, pricing, contracts, licenses and authentication among other issues. Early evidence of this document's success can be seen from the official responses of major publishers such as Elsevier, HighWire Marketing Group, and MCB Press, each agreeing with parts of the document. More importantly, the ICOLC has created a point of departure from which all parties can begin the process of establishing standards and practices for electronic journals.

For libraries serving dispersed constituencies, the issue of authentication to electronic journals is paramount. The approach taken by many publishers to limit access options at the expense of some eligible users is understandable, considering their concern that profits from print subscriptions may be negatively affected by electronic journals. Unfortunately, this strategy of caution undermines the responsibility of libraries to provide access to all patrons.

Who Are You?
It is interesting that the current model used for determining access to an electronic journal is primarily based upon users' physical locations rather than their credentials. This is ironic because the attribute of universal access that makes this resource so unique and valuable for education today is not being fully utilized. This is an important factor considering that in 1995, one-third of higher education institutions offered distance education courses with another quarter planning to offer courses in the next three years (National Center for Education Statistics 1998).

Because IP filtering requires little maintenance, aggregators and publishers have adopted this form of access control, effectively shifting the onus of authentication to the subscribing library. As a result, many libraries must now be able to identify IP address information and the total number of computers associated with each subnet for their institution's network. To complicate this maintenance, some publishers require that the entire IP address be submitted for class B networks. For institutions using dynamic IP addressing, this information can be difficult to discern.

The Saint Louis University Health Sciences Center Library
The Saint Louis University Health Sciences Center Library serves the schools of medicine, nursing, allied health, and public health at Saint Louis University. Our library is one of three university libraries that belong to a consortium of higher education libraries in Missouri named MERLIN (Missouri Education and Research Libraries Information Network). MERLIN libraries share a common integrated library system (ILS) and many electronic journal subscriptions. Indicative of health sciences libraries, our library has a dispersed patron base with many of our clinical users scattered among various hospitals and clinics in the St. Louis metropolitan area.
As well, our library also supports distance education students in the graduate school of nursing from Missouri, Illinois, Wisconsin, Oklahoma, Texas, Florida and Puerto Rico. Because IP filtering is the predominant method of determining who gets access to electronic journals, libraries such as ours with distributed clientele are at a disadvantage. Another factor our library must contend with is that our subscriptions to electronic journals are divided between those shared within the MERLIN consortium and those purchased uniquely by our library. This issue becomes relevant when discussing a proxy server.

As a librarian in a health sciences library, I am admittedly still learning about authentication strategies like many of my colleagues. As our library continues to add more electronic journal subscriptions, my thoughts immediately turn to the question of accessibility. The conundrum that many libraries, including ours, now face is how to work within the established definition of eligibility being based upon proximity rather than credentials. For libraries supporting off-campus faculty, distance education students, and local students dialing in to the Internet from home, the current definition of eligibility established by many publishers doesn't work.

The intent of this article is to share one library's experience with learning about the issues of remote access and authentication. Different access methods will be discussed in the context of our library's particular situation and patron needs. Because we are still in the learning phase with this issue, readers of this article expecting to learn of a new authentication process will be disappointed. Hopefully, by sharing our experience at Saint Louis University, other libraries will realize that the problems they are facing are not unique to their institution.

How Publishers and Aggregators Establish Access Control
Generally speaking, access control can be divided into two general categories.
The first method is handled completely by the vendor, with the dissemination of usernames and passwords to eligible users. The second involves allowing access from only specific IP addresses, commonly known as IP filtering.

Unfortunately or fortunately, depending upon your point of view, few electronic journal publishers offer password access to their journals. One of the major advantages of passwords being distributed by a publisher is that the user can access the electronic journal from any location because access is based upon the user's credentials. Another advantage is that this method shifts the burden of authentication to the vendor, freeing the library of the responsibility of providing IP address information for their institution.

When publishers and aggregators offer institutional passwords, libraries are faced with the question of how to manage and distribute these passwords to patrons. To address this issue, our library had originally decided to create a secure web page that would list links to electronic journals with their respective password information. A single password would be created for this page and only given out to our patrons after we had personally authenticated their status. To ensure protection for the publishers, we would change the password every semester. However, some electronic journals, such as Lancet, require that only a librarian see the password to access their journal. This means that a librarian must physically log a user into the journal. As a result of this stipulation, our original plan to offer password information to our patrons behind a secure web page could not be used.

Because most of the electronic journals that our library subscribes to are IP filtered, we began the process of investigating strategies that would allow all of our users to be associated with our university Internet domain.
There are two general approaches to funneling disparate users through a common Internet domain: credential-based access and a proxy server. Each method has distinct advantages and disadvantages.

Credential-Based Authentication
Credential-based authentication involves providing the end user with a certificate or token that certifies their identity within a community, sometimes through an intermediary server. When the identity of the user is verified, the user is passed on either to the server that houses the electronic resources desired or to a server that acts as a proxy. Caveats associated with credential-based methods of authentication include their expense, complexity, and need for a local server with an access control list of eligible users.

Today there are many flavors of credential-based authentication being used in libraries and electronic commerce. Our library looked specifically at two methods.

X.509, still in the process of becoming a ubiquitous standard, is a fairly sophisticated authentication technique built upon public keys and certificates for establishing a user's identity. A user is required to provide an encrypted certificate with personal information about his or her identity. This certificate is then paired with the user's public key information that can be seen by other servers. Certificates can be created with special software or received from third party entities known as certification authorities. A certification authority is essentially an Internet notary, attesting to the identity of an individual. Certificates are sent via a web browser and authentication handled on a server that accepts X.509 certificates with an access control list of eligible users. Although this approach to authentication has intriguing potential, it is still new and doesn't fit well for most libraries at this time.

For our library, X.509 was not a serious option for many reasons.
First, the infrastructure needed to establish and maintain an X.509 authentication system was too substantial for our library. There is also the problem that a certificate is associated with a specific computer. This model works for an individual's computer but not for public computers that are shared. For the distance education student using a computer in a public library, the X.509 certificate is not a feasible solution. There is also the issue of government regulation of X.509 cryptography with certain foreign countries. Legislation dealing with this issue includes the PROTECT Act [S 798], the E-RIGHTS Act [S 854] and the SAFE Act [HR 850] (Center for Democracy and Technology 1999).

Another authentication scheme based on encrypted credentials is Kerberos (Massachusetts Institute of Technology 1998). Created at MIT and freely available, Kerberos uses hidden tickets that can be used over open networks for authentication. A central server with account information authenticates each ticket and then passes the user through to the resources on that server. Kerberos was developed with an emphasis on security and uses a strong cryptography protocol that can be used on insecure networks. Unfortunately for our library, the paradigm for Kerberos is based upon the local central server housing the restricted resources. For databases loaded locally in the library this may be an option for authentication; however, the electronic journals our library subscribes to are housed on aggregator and publisher servers. Another issue with Kerberos, like that of X.509, is that authentication is tied to a physical workstation and not to a user.

When considering a credential-based scheme with our library's authentication needs, we collectively concluded that this approach was not a viable option for our library at this time.
The investment in establishing an access control server with a database of health sciences patrons was simply too large of an undertaking for our small systems department. However, there are many authentication schemes of this type being successfully used by other libraries, including the Big Ten's ICAAP Project, Bluestem at the University of Illinois and UCLA's authentication system developed with Public Key Infrastructure (PKI).

Proxy Servers
Today, proxy servers probably hold the most promise for libraries attempting to support a dispersed patron base. However, as with credential-based authentication, there are pros and cons to establishing a server to act as a proxy for remote users.

Basically the proxy server works by masking remote users with the accepted IP address needed to access an electronic journal, database, or other resource restricted by an IP address. Users configure their browsers to access a proxy server and are prompted to authenticate themselves upon linking to an access-controlled resource. Authentication may require a user's name, social security number, student identification number, or other unique piece of information that will identify a user. The most attractive feature of the proxy server is that a user may access a restricted resource from any location. Configuring a browser to use a proxy server is a relatively straightforward process that most patrons can do with little support.

As with all good things, there are negative aspects associated with a proxy server. The most salient problem is that some publishers and aggregators refuse access to their electronic journals via a proxy server. The American Association for the Study of Liver Diseases, which provides access to Hepatology and Liver Transplantation and Surgery, and The Federation of American Societies for Experimental Biology, which publishes FJ Online, are two examples of publishers that both explicitly prohibit the use of a proxy server to access their electronic journals.
Another point to consider is that a proxy server can also be a potential bottleneck for access. Because all users are funneled through a proxy server, it represents a single point of failure if it becomes unavailable.

With respect to our library, many of us felt that the proxy server represented the best option for remote support. However, as we began the investigative process into what was entailed with setting up a proxy server, we discovered that there were many practical and technical issues to consider and that this project would be better implemented on the enterprise level of our university rather than by our library.

Our library also discovered that a proxy server did not adequately address the issue of granularity, the ability to distinguish users based upon specific IP addresses and subnets. This is important because some publishers base access upon IP addresses for specific subnets and individual computers within a network.

Another factor for our library is that our electronic journals are comprised of both unique and shared subscriptions. This was a potential problem because our consortium was planning to develop a proxy server that would provide access for only shared resources. For our university to establish a second proxy server for unique resources would mean that users would have to reconfigure the proxy settings in their browsers depending upon the journal they chose to access. Obviously this would create too much confusion and work on behalf of the patron. Our other option would be for our university to create its own proxy server for all of our electronic journal subscriptions, effectively duplicating much of the work of the consortium proxy server.
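
The granularity problem described above, as an added illustration in Python that is not part of the original article: the publisher's IP filter sees only a source address, so once users are funneled through a proxy it cannot tell a licensed subnet from the rest of campus. All addresses, subnets and client names are constructed for the example.

```python
import ipaddress

# Constructed sample data (not from the article): private/documentation ranges.
CAMPUS_NET = "10.20.0.0/16"      # whole campus, class B sized
HSC_SUBNET = "10.20.40.0/24"     # health sciences library subnet
PROXY_IP = "10.20.1.5"           # hypothetical campus proxy, outside the HSC subnet

CLIENTS = {
    "hsc_workstation": "10.20.40.17",
    "main_campus_lab": "10.20.8.30",
    "home_dialup": "203.0.113.7",
}


def publisher_allows(allowed_nets, source_ip):
    """The publisher's IP filter: it sees only a source address, never a person."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)


def access_matrix(allowed_nets, via_proxy):
    """Return {client: allowed?} as the publisher would decide it.

    Through a proxy every request carries the proxy's address, so the
    publisher can no longer tell the clients apart.
    """
    result = {}
    for name, client_ip in CLIENTS.items():
        source_ip = PROXY_IP if via_proxy else client_ip
        result[name] = publisher_allows(allowed_nets, source_ip)
    return result


def demo():
    shared = [CAMPUS_NET]                               # consortium-wide subscription
    unique = [HSC_SUBNET]                               # licensed to the HSC subnet only
    unique_plus_proxy = [HSC_SUBNET, PROXY_IP + "/32"]  # proxy address also registered
    return {
        "shared_direct": access_matrix(shared, via_proxy=False),
        "shared_proxy": access_matrix(shared, via_proxy=True),
        "unique_direct": access_matrix(unique, via_proxy=False),
        "unique_proxy": access_matrix(unique, via_proxy=True),
        "unique_proxy_registered": access_matrix(unique_plus_proxy, via_proxy=True),
    }


if __name__ == "__main__":
    for case, matrix in demo().items():
        print(f"{case:24} {matrix}")
```

In the last case every client, licensed or not, reaches the title licensed only to the health sciences subnet, so any per-title restriction has to be enforced at the proxy's own login step.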

Overview of Authentication Models

|  | Secure | Low Maintenance | Low Cost | Authentication Based on User | Authentication Based on Computer | Authentication Based on Location | Privacy Issues | Granularity |
|---|---|---|---|---|---|---|---|---|
| IP Filter | X |  | X |  |  | X | X | X |
| Username/Password |  | X | X | X |  |  | X |  |
| Credential-Based | X |  |  |  | X |  |  |  |
| Proxy Server |  |  |  |  | X |  |  |  |

Where Do We Go From Here?
Currently the Health Sciences Center Library at Saint Louis University is using IP filtering as the primary method for authentication. We are still in the planning process with establishing a university proxy server; however we are also investigating a forwarding utility within our ILS that will work much like a proxy server. This utility, Web Access Management (WAM) developed by Innovative Interfaces, offers many features, including the ability to handle shared and unique resources within a consortium. WAM also provides usage statistics for patron groups defined by the library. To many of us, having our ILS function as a proxy server is an attractive option because it eliminates the need for a secondary access control server. One negative trade-off is the extra burden of more users being handled by our ILS server.

Conclusion
I recently took the opportunity to check the usage statistics for our electronic journals and was dismayed by their lack of use. This was in spite of our library's publicity about electronic journals and their ability to be directly accessed from both our web page and online catalog. Though originally disappointed, it occurred to me that this usage only reflected those users who are physically on our campus or using our university PPP service. More importantly, it reinforced to me our library's need to develop strategies to better support access for remote patrons.

As I mentioned earlier in this article, readers who expected to learn of a new authentication process would be disappointed. In fact, I believe that this issue requires more than just technology to bring about a long term solution.
It is my hope that by sharing our library's experience, we may help foster discussion on how to ensure that all patrons are able to access the materials they are entitled to use.

References
Center for Democracy and Technology. May 1999. Legislation. [Online]. Available: {http://www.cdt.org/crypto/index.php} [May 5, 1999].

International Coalition of Library Consortia ICOLC. March 1998. Statement of Current Perspective and Preferred Practices for the Selection and Purchase of Electronic Information. [Online]. Available: {http://web.archive.org/web/20120101192037/http://www.library.yale.edu/consortia/statement.html} [May 5, 1999].

Massachusetts Institute of Technology. June 1998. What is Kerberos? [Online]. Available: http://web.mit.edu/kerberos/www/ [May 5, 1999].

National Center for Education Statistics. February 1998. Distance Education in Higher Education Institutions: Incidence, Audiences, and Plans to Expand. [Online]. Available: {https://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=98132} [May 5, 1999].