Deployment environments

Find out how to connect to the deployment environments, services available, build version, maintenance slots and scheduled changes.

How the deployment environments should be used

The deployment environments are used to test applications in-situ before live deployments, and to help suppliers and NHS organisations develop local site processes and procedures and create a local change process. The deployment environments are also used for user acceptance testing (UAT) with NHS organisations.

The e-RS DEP1 environment provides e-RS services using the Spine Core deployment environment for messaging.

What the deployment environments should not be used for

The deployment environments do not:

  • replace the development environments as proof of concept or early deployment test environments
  • provide right of access to any other environments during environment downtime or any other form of unavailability

How to connect to the environment

Before you start

You will need to: 

  1. have a connection to the Health and Social Care Network (HSCN)  - the secure NHS network (if you do not have a connection or are experiencing problems connecting, contact your network provider)
  2. request access to test data (email:
  3. request smartcards if required - you must have a valid smartcard to use certain services, including the Care Identity Service (CIS) - if you do not have a valid smartcard please email:
  4. before requesting access to the deployment environment, the product should have successfully completed the integration test phase
  5. register the messaging product using a Manufacturer, product and version (MPV) form if required
  6. register your message handling service with the Spine by requesting an endpoint (an authorised connection to Spine) to be created unless you have an endpoint administrator in your organisation who can do this for you - please complete the endpoint admin access request form (epr) (opens in a new window) to manage your own endpoints
  7. register your Fully Qualified Domain Name (FQDN) with the NHS DNS team
  8. download Identity Agent Client software

More detailed guidance of the connection process

Additional guidance to support the connection process.

Further assistance

Contact us for further assistance. Email:

Connection information

A full list of URLs and associated IP addresses is provided below to help you connect to the deployment environments.

Local firewall administrators should allow communication to the IP addresses as necessary using these details.

Portal URLs

These are the connection URLs for the Care Identity Service (CIS) portal and associated applications. 

Description URL DNS name IP address Port
Used for the SCRa service TCP 443
Used for self service TCP 443
Used for the Alert service TCP 443
Used for the DSA service TCP 443
Used for the ETP ADMIN service TCP 443
Used for the SRS service TCP 443
Used for the MOLES service TCP 443
Central portal page with links to Spine Core and CIS applications See system URL section below TCP 443

System URLs

These are the connection URLs for the services required to run or connect to applications. Due to the move of this environment to AWS, the IP addresses of the following are not constant. Customers will need to open their firewalls to the IP address range of to ports 636 (LDAP) and 443 (Sbapi, Gas and DEP Portal (see above)). If you are using hard-coded IP addresses, e.g. in a hosts file, you will need to modify your application to use the DNS service names.

Description URL DNS name IP address Port

This is the LDAPS protocol service to the directory.

This is a service used by other services accessing the SPINE for directory lookups.

ldaps:// /<LDAP QUERY>

<LDAP QUERY> - The query to the directory may be contained within the URL See above TCP 636
This name exists for Smart Card authentications from the PC and is not a user service

Client Side GAC URL: /login/authactivate /login/authlogout

Server side GAS URL: /login/authvalidate See above TCP 443

Used to access ID server and is not a user based service. These URLs will only be used by application developers and are included here for completeness

(this URL is case sensitive)

Naming service: /amserver/namingservice

Role assertion: /saml/RoleAssertion See above TCP 443

Messaging URLs

These are the messaging URLs for all Spine services.

Spine party key

A party key is a unique reference for a particular organisation and set of contract properties. Several party keys can exist at the same organisation and will start with the Organisation Data Service (ODS) code.

For the deployment environment, the party key is: YES-0000806.

All messaging properties should be obtained from this party key using the Lightweight Directory Access Protocol (LDAP) service URL listed below. 

Description URL DNS name IP address Port

Used for all domain synchronous messaging

This is also the service entry point for NN4B messages TCP 443
Used for all domain reliable messaging TCP 443
Used for all domain unreliable messaging TCP 443
Used for all domain intermediary messaging TCP 443

Used to access the gazetteer postcode look up service

Gazetteer is a web service so will be called by other applications using this URL. This is not a user service. TCP 443

Used for all SMSP messaging.

Now uses TLS1.2 TCP 443
Used for all SMSP messaging.
Now uses TLS1.2 [provider service root url]/[fhir request] TCP 443
Used for internet facing messaging

Varies TCP 443

Outbound Network Address Translation (NAT) addresses

Local firewall administrators should allow communication from these IP addresses.

Description URL DNS name IP address Port

All messages will be sent out as coming from

Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only
No URL TCP 443

Outbound token events to registered listeners will be sent from this address

Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only

CIS will respond on the port number specified by the client request
No URL Not applicable Any

Spine application URLs

This is a full list of URLs for the applications in the deployment environments.


Area URL
Summary Care Record (SCR)
SCR 1-Click
EPS Prescription Tracker
Care ID Service (Smartcard Management)
End Point Registration Service (EPR) https://uim.vn1.national.ncrs.nhs.uk/eprwebapp/
Spine Reporting Service
Demographic Spine Application (DSA)
Data Access Service (DAS)- R15

Data Access Service
NDS Admin Portal
TES Alert Viewer
SUS: Business Intelligence

NHS e-Referral Service (e-RS)

Area URL IP address
e-RS Dep1 Professional Web App
e-RS Dep1 Patient Web App
e-RS Dep2 Professional Web App
e-RS Dep2 Patient Web App

Deployment NHS e-Referral Service (e-RS) URLs

Party key

The party key for e-RS in the Dep1 environment is: YEO-11809150.

Accredited System ID (ASID) 

The ASID is: 606179841014. An ASID is a unique reference for a particular system. Different systems may have different ASIDs.  

The following IP addresses and URLs are used to access e-RS services.

Description URL DNS name IP address Port
Professional webapp TCP 443
Professional webapp Variable TCP 443
Patient webapp TCP 443
e-RS API TCP 443
Messaging endpoint TCP 443

RootCA and SubCA Certificates 

In order to establish connection to the deployment environments, a chain of trust must be set up using the RootCA and SubCA certificates.

  1. Copy the required RootCA or SubCA certificate. If you are using an existing certificate, please use the Root and Sub CA certificates that are valid until 8 January 2020. The new certificates should only be used with certificates created after 6 November 2019. If you will be using both existing and new certificates you will need to install both sets of certificates.
  2. Open Notepad or similar and paste the certificate - save the file locally with a suitable file name
  3. Locate the locally saved text file and change the file extension from .txt to .der
  4. Import the certificate into the local trusted certificate store - use the documentation from your software supplier as this may vary between applications

Please note that the: 

  • RootCA should be placed in 'Trusted Root Certification Authorities' 
  • SubCA should be placed in 'Intermediate Certification Authorities'
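
The four steps above can also be scripted on Windows. The following PowerShell is an added example, not part of the original page or of any NHS tooling: it checks that the two saved files form a valid chain before importing each into the store named above. The file names are assumptions.

```powershell
# Added example: check the saved RootCA/SubCA files, then import each into its store.
# Run in an elevated session. Both default file names are assumptions.
param(
    [string]$RootPath = '.\rootca.der',   # assumed name for the saved RootCA file
    [string]$SubPath  = '.\subca.der'     # assumed name for the saved SubCA file
)
$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

function Get-CertFromFile([string]$Path) {
    # X509Certificate2 parses both binary DER and pasted Base64 text
    $full = (Resolve-Path -LiteralPath $Path).Path
    New-Object "$x509.X509Certificate2" -ArgumentList $full
}

$root = Get-CertFromFile $RootPath
$sub  = Get-CertFromFile $SubPath
$now  = Get-Date

# A root CA is self-signed, so its subject and issuer are identical
if ($root.Subject -ne $root.Issuer) { throw "Not a root CA: $($root.Subject)" }

# Both certificates must be inside their validity period
foreach ($c in @($root, $sub)) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        throw "Outside validity period (ends $($c.NotAfter)): $($c.Subject)"
    }
}

# Verify by signature, not just by name, that the SubCA chains to this root
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built = $chain.Build($sub)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $top.Thumbprint -ne $root.Thumbprint) {
    throw "SubCA '$($sub.Subject)' does not chain to RootCA '$($root.Subject)'"
}

# Print thumbprints so they can be compared against a trusted source before import
$root, $sub | Format-List Subject, Thumbprint, NotAfter

# RootCA -> 'Trusted Root Certification Authorities'; SubCA -> 'Intermediate Certification Authorities'
Import-Certificate -FilePath $RootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $SubPath  -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null
```

If you use both the existing and the new certificate sets, run the script once per RootCA/SubCA pair.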

RootCA (NHS PTL Root Authority)






















SubCA (NHS DEP Level1C)






















Message Exchange for Social Care and Health (MESH) keystore files to download

The following MESH keystore needs to be downloaded and installed as part of the MESH client installation. 

Environment Primary URL Keystore Path Keystore
Deployment C:\MESH-APP-HOME\Keystore\meshdep.keystore meshDEP

Full details can be found in the MESH client installation pack. The environment specific information required is listed below. The password should have been provided when the MESH mailbox was first requested.

If you have any questions, email:

Registry settings required to connect to the spine deployment environments 

In order to access the Spine Deployment environment, changes are required to the user's computer registry.  The exact changes depend on the version of the Identity Agent (IA) Client being used, and whether the operating system is 32-bit or 64-bit. 

  1. Copy the relevant text to a Notepad file and save it to your desktop
  2. Rename the file, changing the file extension from .txt to .reg
  3. Double-click on the file to run it

N.B. You will need administrator access to change registry settings on your computer. If you do not have this you should contact your local support team to run the file for you.

Registry File HSCIC Identity Agent 2 (64-bit) Spine deployment

Windows Registry Editor Version 5.00






Registry File HSCIC Identity Agent 2 (32-bit) Spine deployment

Windows Registry Editor Version 5.00






Registry File HSCIC Identity Agent 1 (64-bit) Spine deployment

Windows Registry Editor Version 5.00






Registry File HSCIC Identity Agent 1 (32-bit) Spine deployment

Windows Registry Editor Version 5.00






Registry File BT Identity Agent IA13 Spine deployment

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\GAC]
"Activate.URL"=""
"Logout.URL"=""
"Authentication.StartBrowser.Url"="<SSO_TICKET>"
""="1ef2f9cc"
"UpdateWatcher.enable"=dword:00000000
""="<IP_ADR>&latestdeviceid=<DEVICE_ID>&storeddeviceid=<OLD_DEVICE_ID>&token=<SSO_TICKET>"
"Authentication.StartBrowser.Url"="<SSO_TICKET>"
"RoleSelection.URL"="<SSO_TICKET>&selectedRoleUid=<ROLE_UID>&ssbMode=<MODE>&gacVersion=<GAC_VERSION>&fallbackStatus=<FALLBACK>"
"Portal.URL"=""

Services available in the deployment environment

Spine Core Messaging and Spine Core applications 

The Spine Core service provides a messaging service that allows certified endpoint message handling systems to query and update data held in the national demographic and prescriptions systems. 

The Spine Core systems also support the e-RS national systems by providing a messaging interface between e-RS and referrers and providers. Also included in the Spine Core service are the Graphic User Interface (GUI) based Summary Care Record application (SCRa) and Demographic Spine Application (DSA). These allow Spine Core data to be manipulated without a messaging interface.

Spine Mini Service Provider 

The Spine Mini Service Provider provides customers an interface to submit a limited number of demographic messages in a simple format.

Spine Secure Proxy

The Spine Secure Proxy provides a simpler interface to local systems for demographic messaging, allowing quick recovery of details without the requirements of full integration. Messaging functionality is limited to retrievals and simple trace. Updates are not supported. 

Message Exchange for Social Care and Health (MESH)

The Message Exchange for Social Care and Health (MESH) provides a workflow based data transfer service that allows registered users to exchange data between secure mailboxes. It is used to support services such as the transfer of Pathology data between labs and hospitals and electronic discharge notes to community medical teams for patients leaving hospital care.

Care Identity Service (CIS)

The Care Identity Service (CIS) controls user access to data held in the national systems. User access is via a smartcard and uses Role Based Access Control. Both smartcards and access control are managed within the CIS application. Certification and management of message handling systems is also managed within the CIS application.

NHS e-Referral Service (e-RS) 

The NHS e-Referral Service (e-RS) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online. 

NHS e-Referral Service Application Programming Interface (e-RS API)

The NHS e-Referral Service Application Programming Interface (e-RS API) service allows patient systems to perform clinical actions within the e-RS application via an external API interface.

Smartcard services

You will need a valid smartcard to use certain services including the Care Identity Service (CIS).

If you do not have a valid smartcard, email

Environment build versions

Current versions of the national system applications deployed in each Path to Live environment.

Maintenance slots and scheduled changes

Although these are the scheduled maintenance slots, check the Forward Change Schedule for activity taking place outside of the scheduled maintenance slots. 

Maintenance slots 

Spine Core

Thursday 8pm to Friday 6am (weekly)

Spine CIS

Wednesday 8pm to Thursday 6am (weekly)


Wednesday 8pm to Thursday 6am (following live e-RS release)

Last edited: 29 September 2021 1:53 pm