# EDDI technical installation and troubleshooting guidance

Guidance to support the technical installation of the Emergency Department Digital Integration (EDDI) product.

## Introduction

To ensure optimal performance when using EDDI, it is important that users have the correct IT infrastructure in place. The purpose of this guidance is to provide a consolidated set of instructions/guidelines relating to installation and troubleshooting.

This document contains the following:

• pre-deployment checklist - a checklist to ensure your organisation has considered each item prior to accessing EDDI
• desktop setup - a detailed guide on how to configure desktop PCs for use with EDDI
• connection troubleshooting - a section to identify and correct problems with the local configuration settings that may be preventing connectivity to EDDI

## Checklist

This checklist is intended as a quick guide to ensure your PCs are configured correctly to access EDDI.

## Desktop setup: requirements and configuration

To successfully use the EDDI application, the following installation and configuration steps should be followed:

The EDDI application should only be run on a Windows PC with the latest supported operating system (currently Windows 10). EDDI may work on earlier versions of Windows (e.g. Windows 7), but these do not meet the minimum security and support requirements, specified by NHS Digital.

To set up EDDI, you will need an account on the PC that has local administrator privileges. This may require assistance from your IT support team. To access and use, EDDI needs only a standard PC user account with N3/HSCN network access.

### Step 2: Ensure PC meets minimum hardware requirements

The EDDI application is a web based application that does not have a minimum specification hardware requirement, over and above that of the Windows operating system on which it is running. The more memory (RAM) that a system has, the more applications/data it can load at the same time. Additional memory may therefore be required if running multiple applications on the same PC.

Users of the EDDI application should work with their local IT providers and support staff to ensure their memory is adequate, especially if experiencing any slow response times.

The EDDI application is dependent on an N3/HSCN (Health and Social Care Network) connection.

Computer systems which access NHS Digital services must meet certain technical standards. The Warrented Environment Specification (WES) defines the client environments that we support.

Users should work with their suppliers to ensure that the N3/HSCN network provision is optimised for their needs, as this will vary between different sites.

### Step 3: Install NHS Identity Agent

All information relating the Identity Agent installation process is available on the NHS Digital website.

This step includes installing the following software:

1. Java RunTime 7 or 8 32-bit
2. 32-bit or 64-bit Gemalto Classic Client
3. .Net Framework 3.5.1 or above
5. NHS Digital Identity Agent v2.3 or later

For any IA Client issues/questions that cannot be resolved via these sources, please contact the NHS Digital Deployment Issue Resolution Team at dir@nhs.net.

## Browser requirements

The following browsers may be used to access EDDI:

• Internet Explorer 11
• Chrome v45 or later
• Microsoft Edge v79 or later

Depending on which browser you use, the installation will be different. Please refer to the relevant section below for the appropriate browser configuration.

## Internet Explorer 11 (IE11)

### Step 4: Install ActiveX

In order to use Internet Explorer, your ICT department will need to install or allow users to accept an ActiveX control. ActiveX is the primary mechanism for Smartcard logon in Internet Explorer.

Go to the following browser configuration check page and run the test:

https://nww.ebs.ncrs.nhs.uk/browsercheck

As part of the test you may be prompted to download an ActiveX component and/or a Java applet. Select 'Yes' when prompted as they are required to perform the tests. Administrator privileges are required to complete this installation.

When the Internet Explorer Add-on window pops up, check that the name (of the ActiveX control) is IdentityAgent.dll and that the publisher is BJSS Ltd. Note that the certificate has expired.

ICT departments wanting to install the ActiveX control across their sites can download the ActiveX control and place the individual files in the following directory:

C:\Windows\Download Program Files

The two files required are:

IdentityAgent.dll

IdentityAgent.inf

### Step 4.1: Verify that the EDDI URL is in the Trusted Site Security Zone

The EDDI application has been designed and tested to run in the “Trusted sites” zone within Internet Explorer, using “Low” security settings for that zone. This can be configured either manually, or through desktop management software, and is the responsibility of local IT support teams.

Both HTTP and HTTPS traffic must be included in the “Trusted sites” zone.

To verify that EDDI is correctly configured in the “Trusted sites” zone, navigate to Internet Options > Security and ensure *.eddi.nhs.uk is displayed as "Trusted sites".

You can view this in Internet Explorer by right clicking on the page and selecting Properties.

Internet Options are available via the Tools menu.

This is illustrated in the following screen shots:

Should the zone display “Unknown Zone (Mixed)” (as below) this is because only HTTP or HTTPS traffic (but not both) has been configured to be in the “Trusted sites” zone:

When manually configuring the URL to be in the Trusted sites zone, ensure that the “Require server verification…” checkbox is unchecked:

IT administrators can add the URL to the Trusted Sites zone using a simple registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Intern et Settings\ZoneMap\Domains\nhs.uk] "*"=dword:00000002

### Step 4.2: Check browser compatibility mode is not set

Compatibility View settings in Internet Explorer are maintained by selecting the Compatibility View settings command in the Tools menu.

Ensure that the domain or any parent domain is not listed in the “Websites you’ve added to Compatibility View” section:

## Chrome and Microsoft Edge

Configuration for Google Chrome and Microsoft Edge are the same.

Microsoft Edge v79 and later uses the Chromium engine open source software. In order to use Chrome or Edge for EDDI, the NHS Digital Chrome Extension will be required.

Note that versions of Edge which do not use the Chromium engine will not work with EDDI, even with the NHS Digital Chrome extension.

### Step 5: Install Chrome Extension

The Chrome Extension consists of a Native Bridge component along with the Chrome Extension itself. Both components are required to communicate with the Identity Agent.

## Appendix A - Connection and installation troubleshooting

To identify the cause of problems experienced trying to access EDDI, please complete checks 1and 2 below.

If any of the checkpoints fail, follow the guidance within the relevant subheading to resolve the problem. If you run through all the checks and have ruled out all potential local issues and are still unable to access EDDI, please call the National Service Desk.

### Check 1: Insert a smartcard and expect to be prompted for a passcode

After inserting a smartcard, the Identity Agent software should immediately become active.

After a few seconds you should be presented with a prompt to enter your passcode, which will look similar to one of the following (depending on which version of Identity Agent is installed):

### Result: Nothing happens

If nothing happens after you insert a smartcard, check the following:

#### Check the card has been inserted correctly

Most card readers require the card to be inserted with the picture facing up and visible when inserted. One exception is the Fujitsu Siemens card reader keyboard which requires the card to be inserted facing down.

#### Check the physical connections to the PC

The cable should be securely connected to the smart card reader and at the other end a USB port in the PC. If using a USB hub, check that there is power (if required) and that the hub in turn is connected to the PC.

#### Check the USB port is working

When a USB device is plugged in, the PC should check for valid drivers, test the port with a USB drive or other device. If the port is not functioning check within device manager to ensure it is installed.

#### Check the network availability

Test that the PC has Internet access and can access NHS web sites such as https://nww.ebs.ncrs.nhs.uk/browsercheck
If not speak to the local IT administrator to get valid IP details for the PC. Ensure network availability is available before proceeding.

#### Check the Identity Agent software is active

If you have HSCIC Identity Agent v2 (or later) installed, then the icon in the system tray will look as follows:

By right clicking on the icon, you will be able to get the Status of the Identity Agent or to Exit (quit the application), as shown below:

If you had quit the Identity Agent application, it can be started via the Windows Start button by navigating to the Identity Agent icon:

### Result: Identity Agent brings up an error

When the card is inserted, a message box appears saying you cannot connect to the server (see below):

#### Check the authentication page

Open a browser window and go to https://gas.national.ncrs.nhs.uk/login/authactivate.

You should see an XML page similar to the example below:

If not, check the local network settings to ensure there is connectivity to the URL above.
Further troubleshooting information on this issue can be found in the Identity Agent documentation (HSCN/N3 access required).

### Check 2: Does the EDDI page appear?

The EDDI landing page can vary depending on a person’s user profile.

If the user is able to access multiple organisations and/or locations, then EDDI displays a list of possible choices for the user to select from:

Alternatively, if the user has only one org/location but multiple roles, EDDI displays a list of roles for the user to choose from:

If the user has only one location and role, but multiple services, EDDI displays a list of services:

If the user has only one org/location and role, the system will automatically log in to the user's homepage with the ‘Daily view’ screen displayed:

### Result: A blank screen is displayed

#### Ensure ‘Enable Meta Refresh’ is set

Ensure that the ‘Allow Meta Refresh’ variable in the trusted sites’ security settings is set to “enable”. This should be set to “enable” if the Trusted sites’ security level is set to the default (Low) level.

#### Check network availability

Test that the PC has Internet access and can access NHS web sites such as https://nww.ebs.ncrs.nhs.uk/browsercheck

#### Check that the ActiveX control is installed

EDDI uses an ActiveX control as the primary mechanism for logon in Internet Explorer.

When the Internet Explorer Add-on window pops up, check that the Name (of the ActiveX control) is IdentityAgent.dll and that the Publisher is BJSS Ltd. Click on the Install button to install the ActiveX control. Note that administrator privileges are required to complete this installation.

#### Check Chrome Extension is installed

If using Google Chrome browser, ensure that the Chrome Extension has been installed.

#### Check if the PC is running through a proxy server

Some proxy servers can be configured to deny access to JavaScripts. Check the internet settings to see if a proxy server is being used and if so ensure that the EDDI website has been set up as an exclusion, either explicitly (as in the screenshot on the left) or by use of wildcards (*.nhs.uk)

#### Check that Windows updates are installed

It is possible the Windows hotfixes are not up to the required level.

#### Register mshtml.dll

It is possible that the version of mshtml.dll on the machine does not match its COM interface registry entries, which results in the Checking Authentication page hanging. Re-registering this DLL may resolve this login issue.

To re-register the DLL, type the following line into the command prompt:

“regsvr32 c:\windows\system32\mshtml.dll”

Local administrator privileges are required to successfully execute this command.

#### Check the environment settings

Check the Environment variable by right-clicking "My Computer" or “Computer” or “This PC” (depending on the Windows version on your PC), then select "System Properties" or “Properties”, then “Advanced System Settings” (if running Windows 7 or Windows 10), then "Environment Variables".

Ensure the "Path" contains C:\Program Files\Gemalto\Classic Client\bin

If the Path does not contain the above directory, reinstall the card reader software.

#### Check the TicketApiDll.dll file

Check that the TicketApiDll.dll file is present.

Complete a search within Windows Explorer to ascertain if there are any other files with the name TicketApiDll.dll. If multiple files are found, ensure they are of the same size and have the same version. If not, delete any older files found with caution.

Some GP system suppliers deploy a version of the TicketApiDll.dll file to the network drive. If present the version of this file should be checked.

#### Check the version of the TicketApiDll.dll file

If you have installed the new HSCIC Identity Agent (v2.0 or later), then the TicketApiDll.dll version will be 1.0.1.0 or later. Earlier versions of the TicketApiDll.dll file are not compatible with the ActiveX control and are no longer supported.

If you have a different or unsupported version, then the recommended approach is to reinstall the Identity Agent to ensure the correct versions are installed rather than deleting or replacing manually.

#### Check the JAR file

Search for the file name GATicket.jar on the local drive and ensure there is a copy of the file within C:\Program Files\Java\<latest JRE directory>\lib\applet or
C:\Program Files (x86)\HSCIC\Identity Agent directory, and that all other instances are removed.

#### Check the EDDI roles

It is necessary for EDDI to synchronise with the Spine Directory Service (SDS) to pick up any new users. This synchronisation can take up to an hour. Therefore, a user will need to allow for this period to elapse after their RA Manager has issued their smart card, prior to logging on for the first time. In addition, the user's details will only be picked up from SDS if they have a valid role profile.

A legitimate role profile consists of:

• an applicable organisation
• a valid EDDI role

If this error is displayed, the user should go back to their RA Manager to verify their EDDI role.

#### Check the Chrome Extension is enabled (Chrome/Edge)

Some policies can disable browser extensions. Navigate to the extension page on the browser, either: chrome://extensions or edge://extensions

Verify it is installed and enabled as such:

Last edited: 16 December 2020 1:11 pm