How to set up a smartcard user workstation
Smartcard user workstations require a number of applications to be installed to allow smartcards to be used the access patient, self-unlock smartcards and renew certificates.
A smartcard user workstation is any computer where a single smartcard reader is installed, which allows smartcard users to authenticate into the Care Identity Service in order to access healthcare applications.
Users who perform card management services that require 2 smartcard readers or smartcard printing will need to set up a Registration Authority workstation.
System requirements
You will need to follow this guidance in sequence. For a full list of platforms compatible with the required software, check the Warrantied Environment Specification.
These are the system requirements for an optimal smartcard user workstation setup:
- Operating system: Windows 10/Windows 11 64bit
- Browser: Edge or Chrome
- Smartcard reader: 1 x HID Omnikey 3121 USB smartcard reader
Not supported:
- Java
- Citrix / VDI / Terminal services (all users - card management services)
Downloads and setup checklist
Mandatory

| Step | Action | Item |
|---|---|---|
| 1 | Check | Internet-facing domains |
| 2 | Check | .NET 4.8 installation |
| 3 | Install | |
| 4 | Install | |
| 5 | Install | |
| 6 | Install | |
| 7 | Install | |
| 8 | Install | |
| 9 | Check | Smartcard reader drivers |
| 10 | Reboot | Restart machine |

Optional

| Step | Action | Item |
|---|---|---|
| 11 | Add | Custom NHS Identity Agent registry settings |
| 12 | Install | |
| 13 | Install | |
Important note: The DIR downloads page hosts the software needed to set up a smartcard user workstation.
You must have a secure NHS HSCN connection to access the DIR downloads website. If, for example, you are using a personal laptop, or are not connected via VPN when working from home, this will be the reason you see a blank page or a 'page not found' error. A simple check to see if you already have an HSCN connection is to click on a download link above.
Installation steps
1. Internet-facing services
To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access these required domains:
- CIS2 Authentication - https://am.nhsidentity.spineservices.nhs.uk
- Care Identity Management - https://manage-care-identities.care-identity-service2.nhs.uk
- NHS Credential Management - https://trustedurl.national.ncrs.nhs.uk
If you are using a smartcard with the current NHS Identity Agent (v2.x.x) to authenticate with the CIS2 Authentication service, your users must be able to access HSCN endpoints. This is found on https://gas.national.ncrs.nhs.uk
Using a web proxy / domain security
Make sure that the domains above are authorised by the proxy service, and that the proxy service is not trying to route the domains via its service. Go through this step by step: for example, check all the firewall rules, antivirus rules, and any other relevant web security software.
Note: only add the domains as written above. Do not add IP addresses as they are not static and will change.
Using a VPN
If your users are connecting to your organisation network from a home network using a VPN, they will need either:
- a split tunnel for the internet addresses on their home network and CIS2 Authentication on the VPN (for HSCN)
- all traffic routing through your trust network, and the internet domains reachable from your organisation network
2. Check for installation of .NET 4.8
This is a mandatory requirement for setting up a Registration Authority workstation. Windows 10 does not install the older versions of .NET by default, but you cannot proceed without it. To check/install it:
- open Control Panel
- go to Programs > Programs and Features
- on the left, choose 'Turn Windows features on or off'
- check the box for .NET 4.8
3. Install NHS Credential Management
Follow the supporting documentation for installing and configuring NHS Credential Management v1.4.2.0 which also includes troubleshooting guidance for common issues.
4. Install Gemalto middleware
Follow the supporting documentation for installing Gemalto Middleware, paying attention to the order of installation.
5. Install Oberthur middleware
Any Registration Authority workstation where the user is performing card management activities using two smartcard readers or printing series 8 smartcards must have Oberthur middleware SR8 installed. It is not needed for non-Registration Authority users performing smartcard self-renewals.
Oberthur middleware must always be installed after the Gemalto middleware.
6. Install Idemia PIV minidriver
This is a mandatory installation for all machines interacting with series 9 smartcards.
The Idemia PIV minidriver is installed automatically via Windows Update (if enabled). If automatic Windows updates are disabled, you can perform a manual install using the download.
7. Install NHS Identity Agent
Follow the installation guide for installing NHS Identity Agent v2.4.6.0, which includes an administrator’s guide for configuration, as well as troubleshooting guidance for common issues.
8. Install the correct smartcard reader drivers
Download the manufacturer drivers for the NHS supported 3121 readers. To support all variants of the Omnikey 3121 smartcard reader, it is recommended to install both the HID Omnikey CCID and HID Global X-Chip driver (BU component). If you are using other smartcard readers to log in with, install the manufacturer drivers for those smartcard readers. Find out how to update drivers for other smartcard readers.
9. Check smartcard reader drivers
Check and verify that the correct driver is assigned to the standalone smartcard reader. The reader should not be using the Microsoft Usbccid Smartcard Reader (WUDF) driver.
10. Reboot the computer
Restart the machine to complete the setup process.
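The checks in steps 1, 2 and 9 can be scripted for support teams. The following is an added example, not NHS-supplied code; the function names are hypothetical. It assumes Microsoft's documented minimum registry Release value for .NET Framework 4.8 (528040) and that the generic driver can be recognised by the device name quoted in step 9.

```powershell
# Added example: read-only checks for steps 1, 2 and 9. It changes nothing on the machine.

# Step 1: host names taken from the domains listed on this page.
$RequiredHosts = @(
    'am.nhsidentity.spineservices.nhs.uk',                   # CIS2 Authentication
    'manage-care-identities.care-identity-service2.nhs.uk',  # Care Identity Management
    'trustedurl.national.ncrs.nhs.uk',                       # NHS Credential Management
    'gas.national.ncrs.nhs.uk'                               # HSCN endpoint (Identity Agent v2.x.x)
)

function Test-RequiredHosts {
    foreach ($h in $RequiredHosts) {
        $dns = [bool](Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)
        # Direct TCP test: it bypasses any explicit web proxy, so a failure here
        # can also mean "reachable only through the proxy". Check proxy rules too.
        $tcp = $dns -and (Test-NetConnection -ComputerName $h -Port 443 `
                          -InformationLevel Quiet -WarningAction SilentlyContinue)
        [pscustomobject]@{ Check = "Host $h"; Pass = $tcp; Detail = "DNS=$dns TCP443=$tcp" }
    }
}

function Test-DotNet48 {
    # Step 2: Release >= 528040 means .NET Framework 4.8 or later is installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Check = '.NET Framework 4.8'; Pass = ($release -ge 528040); Detail = "Release=$release" }
}

function Test-ReaderDriver {
    # Step 9: list every smartcard reader and the driver bound to it.
    $readers = @(Get-CimInstance Win32_PnPSignedDriver |
                 Where-Object { $_.DeviceClass -eq 'SMARTCARDREADER' })
    if (-not $readers) {
        return [pscustomobject]@{ Check = 'Smartcard reader'; Pass = $false; Detail = 'No reader detected' }
    }
    foreach ($r in $readers) {
        # Assumption: the generic driver shows up under the name given in step 9.
        $generic = $r.DeviceName -like '*Microsoft Usbccid Smartcard Reader (WUDF)*'
        [pscustomobject]@{
            Check  = "Reader driver: $($r.DeviceName)"
            Pass   = -not $generic
            Detail = "Provider=$($r.DriverProviderName) Version=$($r.DriverVersion)"
        }
    }
}

& { Test-RequiredHosts; Test-DotNet48; Test-ReaderDriver } | Format-Table -AutoSize -Wrap
```

A failed host check on a proxied network is not conclusive on its own; confirm against the proxy and firewall rules described in step 1.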
Optional steps
11. Custom NHS Identity Agent registry settings
Add custom NHS Identity Agent registry settings specific to your requirements. Read guidance on Identity Agent configuration and registry settings.
If you make changes to the registry, restart NHS Identity Agent.
12. CIS Diagnostic Tool
The CIS Diagnostic Tool comes as a standalone tool without an installer. It is designed to provide an easy method for support teams to gather information about the configuration of a user's computer, to help with support diagnostics. Common troubleshooting issues are documented in the user guide. Providing a diagnostic log file is recommended when raising incidents involving Identity Agent or card management services in Care Identity Service.
13. IA Registry Editor Tool
This is a standalone tool that needs admin rights to run. It's designed to provide an easy way to configure NHS Identity Agent to switch environments and toggle certain features. For more information, read the user guide.
Troubleshooting
If you're having problems or need more help, go to our troubleshooting area.
Last edited: 4 December 2024 11:04 am