How to set up a smartcard user workstation

Smartcard user workstations require a number of applications to be installed to allow smartcards to be used to access patient information, self-unlock smartcards and renew certificates.

A smartcard user workstation is any computer where a single smartcard reader is installed, which allows smartcard users to authenticate into the Care Identity Service in order to access healthcare applications.

Users who perform card management services that require 2 smartcard readers or smartcard printing will need to set up a Registration Authority workstation.


System requirements

You will need to follow this guidance in sequence. For a full list of platforms compatible with the required software, check the Warrantied Environment Specification.

These are the system requirements for an optimal smartcard user workstation setup:

  • Operating system: Windows 10/Windows 11 64-bit
  • Browser: Edge or Chrome
  • Smartcard reader: 1 x HID Omnikey 3121 USB smartcard reader


Not supported:

  • Java
  • Citrix / VDI / Terminal services (all users - card management services)

Downloads and setup checklist

Mandatory

Step  Action   Item
1     Check    Internet-facing domains
2     Check    .NET 4.8 installation
3     Install  NHS Credential Management v1.4.2.0
4     Install  Gemalto middleware
5     Install  Oberthur middleware SR8
6     Install  Idemia PIV minidriver 1.2.8
7     Install  NHS Identity Agent v2.4.6.0
8     Install  Smartcard reader drivers
9     Check    Smartcard reader drivers
10    Reboot   Restart machine

Optional

Step  Action   Item
11    Add      Custom NHS Identity Agent registry settings
12    Install  CIS Diagnostic Tool 3
13    Install  IA Registry Editor 2.2

Important note: The DIR downloads page hosts the software needed to set up a smartcard user workstation.

You must have a secure NHS HSCN connection to access the DIR downloads website. If, for example, you are using a personal laptop, or are not connected via VPN when working from home, this will be the reason you see a blank page or a 'page not found' error. A simple way to check whether you already have an HSCN connection is to click on a download link above.


Installation steps

1. Internet-facing services

To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access these required domains:

  • CIS2 Authentication - https://am.nhsidentity.spineservices.nhs.uk
  • Care Identity Management - https://manage-care-identities.care-identity-service2.nhs.uk
  • NHS Credential Management - https://trustedurl.national.ncrs.nhs.uk

If you are using a smartcard with the current NHS Identity Agent (v2.x.x) to authenticate with the CIS2 Authentication service, your users must be able to access HSCN endpoints. These are found at https://gas.national.ncrs.nhs.uk

Using a web proxy / domain security

Be sure that the domains above are authorised by the proxy service, and that the proxy service is not trying to route the domains via its service. Go through this step by step: for example, check all the firewall rules, antivirus rules, and any other relevant web security software.

Note: only add the domains as written above. Do not add IP addresses as they are not static and will change.

Using a VPN

If your users are connecting to your organisation network from a home network using a VPN, they will need either:

  • a split tunnel for the internet addresses on their home network and CIS2 Authentication on the VPN (for HSCN)
  • all traffic routing through your trust network, and the internet domains reachable from your organisation network

 

2. Check for installation of .NET 4.8

This is a mandatory requirement for setting up a Registration Authority workstation. Windows 10 does not install the older versions of .NET by default, but you cannot proceed without it. To check/install it:

  • open Control Panel
  • go to Programs > Programs and Features
  • on the left, choose 'Turn Windows features on or off'
  • check the box for .NET 4.8

[Screenshot: Dot NET 3.5 settings window]

 

3. Install NHS Credential Management

Follow the supporting documentation for installing and configuring NHS Credential Management v1.4.2.0 which also includes troubleshooting guidance for common issues.

 

4. Install Gemalto middleware

Follow the supporting documentation for installing Gemalto Middleware, paying attention to the order of installation.

 

5. Install Oberthur middleware

Any Registration Authority workstation where the user is performing card management activities using two smartcard readers or printing series 8 smartcards must have Oberthur middleware SR8 installed. It is not needed for non-Registration Authority users performing smartcard self-renewals.

Oberthur middleware must always be installed after the Gemalto middleware.

 

6. Install Idemia PIV minidriver

This is a mandatory installation for all machines interacting with series 9 smartcards.

The Idemia PIV minidriver is installed automatically via Windows Update (if enabled). If automatic Windows updates are disabled, you can perform a manual install using the download.

 

7. Install NHS Identity Agent

Follow the installation guide for installing NHS Identity Agent v2.4.6.0, which includes an administrator’s guide for configuration, as well as troubleshooting guidance for common issues.

 

8. Install the correct smartcard reader drivers

Download the manufacturer drivers for the NHS supported 3121 readers. To support all variants of the Omnikey 3121 smartcard reader, it is recommended to install both the HID Omnikey CCID and HID Global X-Chip driver (BU component). If you are using other smartcard readers to log in with, install the manufacturer drivers for those smartcard readers. Find out how to update drivers for other smartcard readers.

 

9. Check smartcard reader drivers

Check and verify that the correct driver is assigned to the standalone smartcard reader. The reader should not be using the Microsoft Usbccid Smartcard Reader (WUDF) driver.

 

10. Reboot the computer

Restart the machine to complete the setup process.
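
A read-only check of steps 1, 2 and 9, added here as an example and not part of the official guidance or its tooling: it tests DNS and TCP 443 to the domains listed in step 1, reads the .NET Framework release value, and reports the driver bound to each smartcard reader. The function names are this example's own, and 528040 is Microsoft's documented minimum Release value for .NET Framework 4.8.

```powershell
# Added example: post-install checks for steps 1, 2 and 9 (Windows PowerShell 5.1).
# Function names are this example's own; nothing here changes the machine.

function Test-RequiredDomain {
    param([string[]]$HostName)
    foreach ($h in $HostName) {
        # DNS first: domain filtering often fails here before TCP is attempted.
        $dns = [bool](Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)
        $tcp = $false
        if ($dns) {
            $tcp = Test-NetConnection -ComputerName $h -Port 443 `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]@{ Check = "HTTPS $h"; Pass = ($dns -and $tcp) }
    }
}

function Test-DotNet48 {
    # Release >= 528040 under this key means .NET Framework 4.8 or later.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Check = ".NET 4.8 (Release=$release)"; Pass = ($release -ge 528040) }
}

function Test-ReaderDriver {
    # Step 9: the reader must not be bound to the Microsoft Usbccid (WUDF) driver.
    $readers = @(Get-CimInstance Win32_PnPSignedDriver -Filter "DeviceClass='SMARTCARDREADER'")
    if ($readers.Count -eq 0) {
        return [pscustomobject]@{ Check = 'Smartcard reader present'; Pass = $false }
    }
    foreach ($r in $readers) {
        $generic = $r.DeviceName -like 'Microsoft Usbccid Smartcard Reader*'
        [pscustomobject]@{
            Check = "Reader driver: $($r.DeviceName) [$($r.DriverProviderName) $($r.DriverVersion)]"
            Pass  = -not $generic
        }
    }
}

$domains = 'am.nhsidentity.spineservices.nhs.uk',
           'manage-care-identities.care-identity-service2.nhs.uk',
           'trustedurl.national.ncrs.nhs.uk',
           'gas.national.ncrs.nhs.uk'   # HSCN endpoint from step 1

$results = @(Test-RequiredDomain -HostName $domains) + @(Test-DotNet48) + @(Test-ReaderDriver)
$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { Write-Warning 'One or more checks failed.' }
```

The domain test opens a direct TCP connection and ignores any configured web proxy, so a failure on a proxied network points at the proxy or firewall rules described in step 1 rather than at the workstation software.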


Optional steps

11. Custom NHS Identity Agent registry settings

Add custom NHS Identity Agent registry settings specific to your requirements. Read guidance on Identity Agent configuration and registry settings.

If you make changes to the registry, restart NHS Identity Agent.

 

12. CIS Diagnostic Tool

The CIS Diagnostic Tool comes as a standalone tool without an installer. It is designed to provide an easy method for support teams to gather information about the configuration of a user's computer, to help with support diagnostics. Common troubleshooting issues are documented in the user guide. Providing a diagnostic log file is recommended when raising incidents involving Identity Agent or card management services in Care Identity Service.

 

13. IA Registry Editor Tool

This is a standalone tool that needs admin rights to run. It's designed to provide an easy way to configure NHS Identity Agent to switch environments and toggle certain features. For more information, read the user guide.


Troubleshooting

If you're having problems or need more help, go to our troubleshooting area.

Last edited: 4 December 2024 11:04 am