'Invalid signature' error when authenticating with NHS Digital IA v2
Issue: A Registration Authority (RA) may find the passcode form incorrectly showing during a CMS operation, for example issuing or repairing a smartcard. This is most likely on a Series 08 smartcard with Session Lock Persistence enabled. When it happens, the RA typically removes all smartcards and tries to log in again, at which point the 'invalid signature' error occurs.
Resolution: In this case it is almost certain that a registry value was 'flipped' during the CMS operation and, because the operation did not complete properly, was never 'flipped back'.
Navigate to: HKEY_CURRENT_USER\SOFTWARE\Oberthur Technologies\Minidriver\PIVMinidriver
There you should find a value named 'EnableNHSEnrollment'. If it is set to '1', change it to '0' and you should be able to log in.
To stop the passcode form showing again during a CMS operation, the RA should add an entry named 'CardRemovalCheck' to the registry (in the same place Session Lock Persistence was enabled) and set it to 'false', then restart the Identity Agent (IA) so the change takes effect.
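The two registry steps above as a PowerShell script. This is an added example, not NHS Digital's own tooling and not part of the IA client. It reads EnableNHSEnrollment under the PIVMinidriver key named above and resets it only if it is 1, exporting the key first so the change can be undone. The page does not print the key where Session Lock Persistence (and therefore CardRemovalCheck) lives, so that path is a parameter the RA must supply; storing 'false' as a REG_SZ string, the backup file name and the function names are this example's assumptions.

```powershell
# Added example: not NHS Digital's tooling, nor part of the IA client.
# Run in the affected user's session, since the key is under HKEY_CURRENT_USER.

$MinidriverKey = 'HKCU:\SOFTWARE\Oberthur Technologies\Minidriver\PIVMinidriver'

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string] $PsPath)
    # Export the key before touching it so the change can be reversed.
    $native = $PsPath -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    $file = Join-Path $env:TEMP ("ia-registry-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $native $file /y | Out-Null
    return $file
}

function Repair-NhsEnrollmentFlag {
    # Reads EnableNHSEnrollment. An interrupted CMS operation can leave it at 1,
    # which is what produces the 'invalid signature' error at the next logon.
    # Returns the value found before any change ($null if the value is absent).
    if (-not (Test-Path $MinidriverKey)) {
        throw "Minidriver key not found: $MinidriverKey (is the Oberthur minidriver installed?)"
    }
    $props = Get-ItemProperty -Path $MinidriverKey -Name 'EnableNHSEnrollment' -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Host 'EnableNHSEnrollment is not present; this fix does not apply.'
        return $null
    }
    $before = [int]$props.EnableNHSEnrollment
    if ($before -eq 1) {
        $backup = Backup-RegistryKey -PsPath $MinidriverKey
        Set-ItemProperty -Path $MinidriverKey -Name 'EnableNHSEnrollment' -Value 0
        Write-Host "EnableNHSEnrollment was 1; reset to 0 (backup: $backup). Try logging in again."
    } else {
        Write-Host "EnableNHSEnrollment is $before; the error is probably not caused by this flag."
    }
    return $before
}

function Disable-CardRemovalCheck {
    param(
        # ASSUMPTION: the page says CardRemovalCheck belongs in the same key where
        # Session Lock Persistence was enabled but does not print that path, so
        # the RA supplies it here rather than this script guessing it.
        [Parameter(Mandatory)][string] $SessionLockKey
    )
    if (-not (Test-Path $SessionLockKey)) {
        throw "Key not found: $SessionLockKey"
    }
    Backup-RegistryKey -PsPath $SessionLockKey | Out-Null
    # ASSUMPTION: stored as a REG_SZ string 'false', matching the page's wording.
    New-ItemProperty -Path $SessionLockKey -Name 'CardRemovalCheck' -Value 'false' `
        -PropertyType String -Force | Out-Null
    Write-Host 'CardRemovalCheck set to false. Restart the Identity Agent (IA) for it to take effect.'
}

# Usage: fix the stuck flag now; only run the second call once the RA has confirmed the key.
Repair-NhsEnrollmentFlag
# Disable-CardRemovalCheck -SessionLockKey 'HKCU:\<key where Session Lock Persistence was enabled>'
```

The script only writes when it finds the flag at 1; if EnableNHSEnrollment is absent or already 0, it reports that and leaves the registry alone, which tells you the 'invalid signature' error has a different cause and the rest of this page's troubleshooting list applies.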
Download an IA Client
The Identity Agent (IA) Client allows users to authenticate to Spine using a smartcard.
You will need to download and install an IA Client in order to access the Path to Live testing environments. Supported IA Client versions are available to download.
Live versions of IA Client can be used for the Path to Live environments in conjunction with the relevant registry settings.
Troubleshoot authentication issues
If you are having problems authenticating to the Path to Live environments, work through this list to rule out the most common issues.
Registry settings - check that the correct registry URLs are being used. The registry settings for each IA Client and environment can be obtained via the 'downloads' page.
Local Firewall - the local firewall should allow connections to and from the URLs and IP addresses outlined on the relevant environment page. To confirm that the authentication URLs are not being blocked by the local firewall, telnet to the 'gas' and 'sbapi' IP addresses on port 443; a connection that opens proves the path is clear at the TCP level, a timeout points at the firewall.
Smartcards - check that the certificates on the smartcards have not expired, and check that the UUID is present in CIS by logging on with a different card (if possible) and searching for the UUID.
Trusted Sites - check that you have added the portal, authentication and application URLs to your trusted sites list, or the wildcard (https://*.national.ncrs.nhs.uk) instead. Note that the wildcard trusts every host under that domain, so prefer the specific URLs where local policy allows. Authentication URLs can be obtained from the ASN document for the relevant environment.
Gem Authentication Client (GAC) - check that GAC has been restarted after registry changes have been made; some Windows XP builds require a GAC restart after changing the registry. In addition, shut down and then restart the Gemplus software, then make another attempt to authenticate using a smartcard. If this fails, leave the card in the reader, click the Gemplus icon in the bottom right of the taskbar and select 'Create Report'.
DNS - check that the gas and sbapi FQDNs for the relevant environment resolve to the correct address via local DNS. URLs can be found in the relevant ASN document for the environment (e.g. for INT use: gas.nis1.national.ncrs.nhs.uk and sbapi.nis1.national.ncrs.nhs.uk).
Java - the lowest supported version of Java is version 6 update 45. If you are using Java 7 or above, you may need to add the required URLs to the Exception Site List, as follows.
Java version 7 update 21 (v7u21) and above have a feature that blocks 'self-signed' and 'mismatched' certificates (the Java website provides further details).
As the Path to Live portal pages use a URL which differs from the certificate configuration, a certificate error is displayed (for example, in INT the URL is portal.nis1.national.ncrs.nhs.uk but the certificate is configured for wfe.int.national.ncrs.nhs.uk).
Versions of Java below v7 may issue a warning but will allow you to continue to the page. Java v7u21 introduced stricter behaviour where, in this situation, Java is prevented from running and the page is not displayed.
Go to the Control Panel and open the 'Java Control Panel' (sometimes referred to as the Java console), go to the 'Security' tab, add all required URLs to the 'Exception Site List' and apply.
Smartcard reader - make a note of which smartcard reader you are using and try another if possible.
If this does not resolve the issue:
- uninstall the IA Client, reboot the PC, reinstall the IA Client and reboot again. If you uninstall and reinstall the IA Client, you will also need to uninstall and reinstall Java (see 'Problems with Java following an IA re-install' below).
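The DNS, firewall (port 443), certificate-mismatch and Java Exception Site List checks from the list above, run together from the affected PC. This is an added example, not NHS Digital's tooling; it must be run on a machine with a route to the environment, and it reports each failure rather than stopping at the first. The FQDNs are the INT ones quoted on this page (take another environment's from its ASN document). The per-user location of the Java exception.sites file, the 5-second connect timeout and the function names are this example's assumptions. The TLS check deliberately disables certificate validation so that a mismatch is reported instead of thrown; that is acceptable in a one-off diagnostic and never in code that carries real traffic.

```powershell
# Added example: not NHS Digital's tooling. Runs the DNS, TCP/443, certificate
# name and Java exception-list checks from this page's troubleshooting list.
param(
    [string[]] $AuthHosts = @('gas.nis1.national.ncrs.nhs.uk', 'sbapi.nis1.national.ncrs.nhs.uk'),
    [string[]] $PortalHosts = @('portal.nis1.national.ncrs.nhs.uk'),
    [int] $Port = 443,
    # ASSUMPTION: per-user Exception Site List file written by the Java Control Panel (Java 7u51+ and 8).
    [string] $ExceptionSites = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\security\exception.sites')
)

function Test-NameResolution {
    param([string] $Name)
    # DNS check: what does the local resolver return for the FQDN?
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{ Check = 'DNS'; Target = $Name; Ok = $true; Detail = ($addrs -join ', ') }
    } catch {
        [pscustomobject]@{ Check = 'DNS'; Target = $Name; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-TcpPort {
    param([string] $Name, [int] $Port, [int] $TimeoutMs = 5000)
    # The same thing the 'telnet <ip> 443' check proves: a plain TCP connect, no TLS.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($ok) { $client.EndConnect($async) }
        $detail = if ($ok) { 'connected' } else { 'timeout or blocked (check the local firewall)' }
        [pscustomobject]@{ Check = 'TCP'; Target = "${Name}:$Port"; Ok = $ok; Detail = $detail }
    } catch {
        [pscustomobject]@{ Check = 'TCP'; Target = "${Name}:$Port"; Ok = $false; Detail = $_.Exception.Message }
    } finally { $client.Close() }
}

function Get-ServerCertificateName {
    param([string] $Name, [int] $Port)
    # Reports the name the presented certificate is actually issued for, so a
    # URL/certificate mismatch (portal.nis1... served with a wfe.int... cert) is
    # visible without a browser. Validation is bypassed with { $true } so the
    # mismatch is reported, not thrown: DIAGNOSTIC USE ONLY.
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
    try {
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $names = @($cert.GetNameInfo('DnsName', $false)) + @($san)
        # Exact-name match only; a wildcard certificate will show as a mismatch and needs reading by eye.
        $match = ($names -join ' ') -match [regex]::Escape($Name)
        $detail = "subject=$($cert.Subject); san=$($san -join '; '); expires=$($cert.NotAfter)"
        [pscustomobject]@{ Check = 'TLS name'; Target = $Name; Ok = $match; Detail = $detail }
    } catch {
        [pscustomobject]@{ Check = 'TLS name'; Target = $Name; Ok = $false; Detail = $_.Exception.Message }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Test-JavaExceptionList {
    param([string[]] $Urls, [string] $Path)
    # Java 7u21+ blocks the portal unless its URL is in the Exception Site List (one URL per line).
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Check = 'Java exceptions'; Target = $Path; Ok = $false;
                                  Detail = 'no exception.sites file; add the URLs via Java Control Panel > Security' }
    }
    $listed = Get-Content $Path | ForEach-Object { $_.Trim().TrimEnd('/') } | Where-Object { $_ }
    foreach ($u in $Urls) {
        [pscustomobject]@{ Check = 'Java exceptions'; Target = $u; Ok = ($listed -contains $u.TrimEnd('/')); Detail = "list: $Path" }
    }
}

$results = @()
foreach ($h in ($AuthHosts + $PortalHosts)) {
    $results += Test-NameResolution -Name $h
    $results += Test-TcpPort -Name $h -Port $Port
    $results += Get-ServerCertificateName -Name $h -Port $Port
}
$results += Test-JavaExceptionList -Urls ($PortalHosts | ForEach-Object { "https://$_" }) -Path $ExceptionSites
$results | Format-Table Check, Target, Ok, Detail -AutoSize -Wrap
```

Read the table top to bottom in the same order as the list above: a DNS failure makes the TCP and TLS rows for that host meaningless, a TCP timeout with DNS working points at the local firewall, and a 'TLS name' row with Ok = False but a populated subject is exactly the URL/certificate mismatch the Java section describes, for which the fix is the Exception Site List rather than the network.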
If you are still having issues, please raise an incident with the Platforms support desk using the Path to Live environments online incident reporting form (opens in a new window) or NHS Digital's service portal (HSCN access required to access the service portal).
Problems with Java following an IA re-install
Issue: After removing and reinstalling the IA software, the Portal page and/or Spine application pages may not load correctly. This can appear as a 'broken' Java icon, a 'loading' icon or a blank page when attempting to access these web pages.
Resolution: This is due to an essential Java file being stored within the IA Client folders on C:\. When the IA Client folders are removed and replaced, the file is lost.
To resolve, remove and reinstall Java.