Care Identity Service common issues in the Path to Live environments

Authentication issues

SSL/TLS error - this error indicates that the certificate chain is not complete on the machine in use. The SubCA and RootCA certificates can be found on the relevant Path to Live environment pages. 

3606 error - this is caused by having the incorrect registry settings installed on your workstation for the card you're authenticating with. For example, you have Live registry settings and you're trying to authenticate with an Integration smartcard. You can use the registry editor tool/sandpit switcher.

Unlocking smartcards

Sponsors are finding that they are unable to manage another user's smartcard, for example unlocking cards and renewing certificates. An empty white box with the 'close' button is displayed and the 'continue' button is greyed out.

Sponsors are unable to unlock the smartcards of the following users:

• registration authority (RA) managers,
• advanced RA agents
• RA agents
• other users with sponsor activities if the user also has RA activities

Only RA users can unlock the smartcards of other RA users. An RA user's card can be unlocked by an RA Manager from another organisation.

Repairing smartcards

NHS Digital does not support smartcards below version 4. It is, therefore, important that users know how to check the version of their smartcards. 

On the back of the card there will be an 11 digit number. The first 2 numbers provide the version number, for example:

• 03 - version 3
• T4 - version 4
• 04 - version 4
• 05 - version 5

If the card is completely blank it is likely to be a very old version 2 card which is no longer supported. 

Smartcard expiry dates

Step by step instructions to check the expiry date of smartcard certificates using the classic client toolbox. You will need to have access to the smartcard and a smartcard reader.

'Failed to delete key container' error

Issue: When trying to renew a certificate, the process fails on the fourth stage (Storing Certificates) of the renew certificate confirmation section, with the following error:

'Failed to delete key container. Can’t proceed ahead, please cancel the Smartcard'

Resolution: It is likely that the 'containers' are full for this particular smartcard which means the card has been renewed the maximum number of times. You need to cancel this smartcard and re-issue it. If the issue still persists you will need to destroy this card and issue a brand new one. 

'Smartcard not found' error

Issue: When using Care ID to print a smartcard in the 'issue smartcard' window, the printer and layout are selected but instead of printing the card a 'smartcard not found' error is displayed. 

In the Path to Live testing environments it is not common practice to 'print' smartcards, as the cards are frequently cancelled and re-used for different user's unique identifiers (UUIDs).

Resolution: If you do not need to test the 'printing' function you can select the 'skip printing' option and issue the card without printing it. It will still authenticate to the environment but the smartcard will not have any pictures or details printed on it. 

If you want to print the smartcard for testing purposes, it is likely that this issue is related to local machine access rights or a hardware issue. Ask your local IT department to investigate in the first instance.

'Wrong smartcard inserted' error

Issue: When using the self service function of the Care ID service to renew the certificates on the smartcard, instead of renewing the certificates, the 'wrong smartcard inserted' error is shown.

This error usually occurs because the smartcard has a different serial number to that stored in the application. This is due to an old version of the classic client toolbox being used.

Resolution: The easiest way to resolve this is to uninstall and then re-install the IA client. You will need to re-install Java as well if you do this as this will install the latest version of the classic client toolbox. 

If the issue remains, the smartcard will need to be manually cancelled and re-issued by a Registration Authority (RA).

'User credentials' error

Issue: The BT Identity Agent (IA) Client displays the error message ‘the user credentials presented are not valid’ when the registry settings on the PC do not match the details on the smartcard being used. Please note that the IA13 client is no longer supported. A more recent IA client should be downloaded.

Resolution: follow these steps:

1. Select your chosen environment and install the IA13 registry file.
2. Copy the text and paste into notepad.
3. Save the notepad document.
4. Change the extension to .reg
5. Run the registry file by double clicking on it and accept any warnings.
6. Re-enter the smartcard and re-try.

If this is affecting one card, where other cards for the same environment are working on the same machine, this suggests that there is an issue with the certificates on the card. Cancelling and re-issuing the card usually resolves the issue. If not, issue the UUID on a new smartcard.

Unable to ‘destroy’ or ‘cancel’ an expired smartcard

Issue: When managing a user in Care ID and then selecting 'destroy card' from the smartcard service options and selecting 'lost', an error is displayed stating that the certificates have already expired.

Resolution: If the user selects 'destroy' smartcard functionality and then option 2 'lost/stolen', then the system will attempt to add the certificates to the certificate revocation list. This is a list of otherwise valid certificates that we do not want used for authentication.

As the certificates on the card have already expired, they cannot be added to the certificate revocation list because the certificates have expired and are, therefore, already invalid.

In the Path to Live environments, cards should be 'cancelled' rather than 'destroyed' so that they can be re-used for other testing.

Workaround:

1. Select 'damaged' rather than 'lost'.
2. Select 'cancel' as 'damaged' (lost will say smartcard certificates already expired).

3. Select reason as 'damaged'.

4. Select 'yes I have the smartcard'.

5. Tick 'I can confirm cancellation'.

6. Provide your explanation, for example, CIS error.

7. Select confirm (may take multiple attempts).

Smartcard renewal failure

The process of putting the certificates on the card is very secure. Any minor glitch in communication causes the process to fail to ensure the integrity of the process. 

There are also a certain number of failures of the physical chip on the card. Other than 03 series cards that are no longer supported, there is no known issue other versions of smartcards. 

‘Unlock a card’ option missing or greyed-out

For a user to be able to unlock a smartcard they must have Activity B0263 assigned to them. Some users are being given this role but the tab is not showing at the top of their window or the tab is greyed out.

Workaround:

1. Search for the user.
2. Select the user from the results found.
3. Select the user's profile.
4. Go to the smartcards section.
5. Select the smartcard using the service button.
6. Insert the user's smartcard and select the 'unlock' option - if the user's smartcard has been inserted at any other stage in the process the unlock will fail.

If the user has the B0263 role, gets as far as clicking on the radio button to unlock the smartcard and it does not work, then an incident should be raised. 

There are known issues when unlocking cards using Internet Explorer (IE) 8. You should use another browser. Consult the Spine technical information: Warranted Environment Specification (WES) for supported browsers. 

Changing personal details – ‘update user’ option is greyed out

Issue: When attempting to 'modify personal details' on a user account , once the required details have been changed and any 'identity change verification' details are completed, the 'update user' option is still greyed out.

Resolution: This can happen when the data is migrated or loaded into the system without being validated. One of the fields may contain invalid data but no error is shown until the field is selected. Click in and out of each field to see if any errors are shown. If this doesn't work try removing and re-adding the photo.

The EPR service is used for creating messaging endpoints. An endpoint consists of the following:

• a party key
• an accredited system ID (ASID)
• a certificate
• a messaging product 
• a response URL where response messages are sent

The EPR service allows users to create and manage each of the aspects of the endpoint. 

Most supplier organisations have a dedicated person for everyone in the organisation - they should be the first point of call should someone wish to set up an endpoint. 

Endpoint registration service guide

This EPR user guide describes the process to create a request in the Endpoint Registration Service for Service Registration (Party Key / ASID) and End Point certificates. 

Get a Security Assertion Markup Language (SAML) assertion for your Unique User ID (UUID)

The SAML is a full user Spine Directory Service (SDS) extract which contains the information about the user's roles activities from, for example, SDS and organisationID codes.

1. log in with your smartcard in the usual way
2. on the spine portal page, change the portal URL to: https://sbapi.env.national.ncrs.nhs.uk/saml/RoleAssertion (for example, in INT you would enter: https://sbapi.nis1.national.ncrs.nhs.uk/saml/RoleAssertion)

This should then display an xml web page with the SAML details in.

SAML URLs can be found on the relevant environment page.

Number of characters allowed in the 'preferred name' field in CIS

In Care ID the 'preferred name' field has a limited number of characters. This field has a maximum of 20 characters.

Roles and activities required to perform Registration Authority (RA) tasks

The table below shows the roles and activities required for RA tasks.

Key:

B - included as part of the baseline activities for the role

O - can be optionally added

# - sponsors can be allocated any appropriate role, for example clinical practitioner access role

* - restricted 

In the Path to Live environments, RA Agents can 'self sponsor' requests without triggering an alert, unlike in Live, so there is no longer a requirement to provide 'RA Manager' roles or restricted RA activities in Path to Live.

Viewing position information

Sponsors are reporting that they are trying to grant positions to users, but some of the positions are missing. However, RA Agents are able to see all the positions.

The positions will not get listed in the 'raise request' option for sponsor if they contain one or more below activities: 

• restricted attributes
• RAM activity (R5080/B0005)
• RA activity (R5090/B0008)
• advanced RA activity (B0274)
• sponsor activity (B1300)
• WGA activity (B0100)

Problems when modifying activities

When using Care ID to update the activity codes on a position, instead of selecting or adding the roles to the list, the application is freezing.

This is usually an issue when running Internet Explorer (IE) 8 in 'compatibility mode'. Electronic Staff Record (ESR) requires later browsers to be in compatibility mode, but CIS does not work in compatibility mode. This issue can be resolved by following the instructions below:

'Invalid signature' error when authenticating with NHS Digital IA v2 

Issue: A Registration Authority (RA) may find the passcode form incorrectly showing during a CMS operation, for example, issuing / repairing a smartcard, especially on a Series 08 smartcard and if you have Session Lock Persistence enabled. If this happens, it is likely you have removed all smartcards and tried to log in again, and the ‘invalid signature’ error has occurred.

Resolution: In this case it is almost certain that a registry key has been ‘flipped’ during the CMS operation, but because the process did not complete properly, the registry key did not ‘flip back’.

Navigate to: HKEY_CURRENT_USER\SOFTWARE\Oberthur Technologies\Minidriver\ PIVMinidriver 

There you should find a key named 'EnableNHSEnrollment". If this is set to '1', you will need to change it to '0' and you should be able to log in.

In order to prevent the passcode form showing again during a CMS operation, the RA should place the entry ‘CardRemovalCheck’ in the registry (the same place they enabled Session Lock Persistence), and set the value to ‘false’, remembering to restart the Identity Agent (IA) after doing so.

Download an IA Client

The Identity Agent (IA) Client allows users to authenticate to Spine using a smartcard.

You will need to download and Install an IA Client in order to access the Path to Live testing environments. Supported IA Client versions can be downloaded.

Live versions of IA Client can be used for the Path to Live environments in conjunction with the relevant registry settings.

Troubleshoot authentication issues 

If you are having problems authenticating to the Path to Live environments. This list can rule out the most common issues.

Registry settings - check that the correct registry URLs are being used, the registry settings for each IA Client and environment can be obtained via the 'downloads' page.

Local Firewall -  the Local Firewall should allow connections to and from the URLs and I.P.s outlined on the relevant environment page. To confirm that the authentication URLs are not being blocked by the local firewall, a telnet can be performed for the 'gas' and 'sbapi' I.P. addresses on port 443.

Smartcards - check that the certificates on the smartcards have not expired and check that the UUID is present in CIS by logging on with a different card (If possible) and searching for the UUID.

Trusted Sites - Check that you have added the portal, authentication and application URLs to your trusted sites list, or that you have the wildcard (https://*.national.ncrs.nhs.uk) instead. Authentication URLs can be obtained from the ASN document for the relevant environment.

Gem Authentication Client (GAC) - check that GAC has been restarted after registry changes have been made. Some Windows XP builds require a GAC restart after changing the registry. In addition, shut down and then restart the Gemplus software. Then make another attempt to authenticate using a smartcard. If this fails (keeping the card in the reader), click on the Gemplus icon on the bottom right hand side, then select ‘Create Report’.

DNS - check that the gas and sbapi FQDNs for the relevant environment resolve to the correct address via local DNS. URLs can be found in the relevant ASN document for the environment (e.g. for INT use: gas.nis1.national.ncrs.nhs.uk and sbapi.nis1.national.ncrs.nhs.uk).

Java - the lowest version of Java supported is version 6 update 45. Also, if you are using a java version above version 7, you may need to add the required URLs to the exceptions list. 

If you are using Java Version 7 and above, you may need to add the URLs to the exceptions list.

Java Version 7 update 21 (v7u21) and above have a feature that blocks 'self signed' and 'mismatched' certificates (the Java website provides further details).

As the Path to Live portal pages use a URL which differs from the certificate configuration, a certificate error is displayed (for example, in INT the URL is portal.nis1.national.ncrs.nhs.uk but the certificate is configured for wfe.int.national.ncrs.nhs.uk).

Versions of Java below v7 may issue a warning but will allow you to continue to the page. Java v7u21 introduced stricter functionality where, in this situation, the Java is prevented from running and the page is not displayed.

Go to the control panel and open the 'Java Control Panel' (sometimes referred to as the Java console), go to the 'security' tab and add all required URLs into the 'exceptions sitelist' and apply.

Smartcard reader - make a note of which smartcard reader you are using and try another if possible.

If this does not resolve the issue:

• uninstall the IA client, reboot the PC, reinstall IA client and reboot again - if you uninstall and re-install the IA Client, you will also need to uninstall and re-install Java

If you are still having issues, please raise an incident with the Platforms support desk using the Path to Live environments online incident reporting form (opens in a new window) or NHS Digital's service portal (HSCN access required to access the service portal).

Problems with Java following an IA re-install

Issue: After removing and reinstalling the IA software, the Portal page and/ or spine application pages may not load correctly. This can either be a 'broken' Java icon, 'loading' icon or a blank page when attempting to access these web pages. 

Resolution: This is due to an essential Java file being stored within the IA Client folders on C://. When the IA Client folders are removed and replaced, the file is lost.

To resolve, remove and re-install Java.

A telnet command allows bidirectional communications with a remote computer. This test is used to ensure a particular server can send and receive commands.

If you are asked to telnet to a particular environment firstly find the relevant URL, IP address, port numbers and fully qualified domain names (FQDNs) of the service you're trying to connect to. These can be found on the relevant environment page. 

In the example below a user has been unable to connect to LDAP in the Spine training environment. You'll need to log onto a server that has HSCN (N3) connectivity, and from a command line type the following: