
News - week commencing 12 April 2021

Current and future non-production environment plans and other relevant topics to help make connecting to NHS national systems easier.

Current plans


1. Platforms Support Desk - change of name

From Monday 1 March 2021 the Platforms Support Desk will change its name to the IT Operations Centre Support Desk. This means our email address will change to [email protected].

Any e-mails sent to the [email protected] mailbox will be forwarded and dealt with as normal.


2. PTL domain name change for NHS Identity

Domain names on the NHS Identity Path To Live (PTL) environments will be changing. You should prepare for this change.

The Live URL will not be changing - this only affects PTL environments. Most clients only have a presence in our DEV or INT environments. 

How this will affect you

Your server configuration: 

If your application uses NHS Identity for authentication, then any of your environments where you use the PTL environments for authentication will require a change of domain name in the OpenID Connect (OIDC) configuration. 

Authenticators:

If you use Windows Hello for Business (WHfB) platform authenticators, or Cross Platform Security Keys, you will need to book a 'binding session' as the previous credentials will be bound to the old domain name. This will not affect most people as the majority of PTL users use smartcard authenticators or just the simple OIDC realm without an authenticator. 

Smartcard users will need to update their 'smartcard bridge method' if using anything other than the Java Applet - see Authentication methods in a PTL environment.

If you use the Chrome plugin you will need a new version - please request this from us.

If you use the ActiveX control, you will just need to whitelist the new URL in Internet Explorer.

If you use the NHS Identity Hub, you will need to replace it with the new NHS Credential Management application, which requires an HSCN connection.


iPad users will need a new version of the iPad app - remember the iPad app on PTLs is specific to that PTL only. A new version of the iPad app will mean you need to arrange a binding session to get the iPad bound to your identity.

This only affects PTL authentication, not Live use. 


Change schedule

Environment   Domain name change       Old domain                      New domain
DEV           14 April 2021 1pm-3pm    am.nhsdev.ptl.nhsd-esa.net      am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk
INT           15 April 2021 1pm-3pm    am.nhsint.ptl.nhsd-esa.net      am.nhsint.auth-ptl.cis2.spineservices.nhs.uk
REF-1         w/c 5 April 2021         am.nhsref-1.ptl.nhsd-esa.net    am.nhsref-1.auth-ptl.cis2.spineservices.nhs.uk
DEP           w/c 5 April 2021         am.nhsdep.ptl.nhsd-esa.net      am.nhsdep.auth-ptl.cis2.spineservices.nhs.uk

Required actions

  1. Determine which of your dev/test environments connect to which NHS Identity environments.
  2. Plan in a configuration change for on or after the domain name change for those environments (your authentication will not work on the old configurations after that date).
  3. Request a new version of the Chrome plugin 'smartcard bridge method' if you use it for smartcard authentication.
  4. Install the NHS Credential Management app if you previously used the NHS Identity Hub for smartcard authentication.
  5. Book a re-binding session with NHS Identity if you use either Windows Hello for Business, Cross Platform Security Key or iPad app.

Please confirm receipt of this message to [email protected] and also ask any questions you may have about this change. 


3. CIS live service changes - updated

To improve stability of the Care Identity Service (CIS) platform we are moving the live CIS service (comprising authentication and application services) to the Cloud. This removes the risk of ageing hardware. This updated communication provides details of the actual go-live date and of the pre-go-live connectivity check. It also includes the details previously published.

The Path to Live Development (PTL-DEV) and Integration (PTL-INT) CIS services have already been successfully migrated to the cloud. We are relocating the service from physical hardware to the cloud. The existing data in the environment will be migrated.

Suppliers/partners/trusts will continue to access the CIS service over the Health and Social Care Network (HSCN) after the transition.

This transition weekend is scheduled to take place between Friday 7 May (BST) 18:30 and Monday 10 May (BST) 08:00.


During this transition weekend, Authentication and the Directory Service will remain available. From the start of the transition weekend, the CIS application, including any CMS operations on smartcards, will be unavailable. The application will be unavailable until the cutover is completed and agreement to turn it on is confirmed on Monday 10 May.

What this will mean to you

This change will improve platform stability, and the overall user experience. Ahead of the transition, your IT function will need to:

  • make a change to your firewall
  • apply root certificates
  • if applicable, remove hard coded IP addresses

Please share this information with your IT department so they can take appropriate action.

What your IT function needs to do

You will need to execute the following steps to ensure your continued access to the service - these changes can be done ahead of the cutover:

1. Firewall changes

You will need to allow outbound traffic from your firewall to the address range 155.231.9.0/24 on ports 443 and 636. You will also need to allow inbound connectivity from this range to receive logout notifications. Making these firewall changes ahead of the cutover will allow you to participate in the connection check described in the 'Pre go-live connectivity check' section below.

When making these firewall changes, you may need to update your routing/NAT configurations to accommodate the new IP range (subject to how your network connections are set-up).

If your firewalls are configured using DNS names, rather than IP addresses, there should be no updates to make. 

It should be sufficient to perform checks to ensure you permit traffic to and from:

  • portal.national.ncrs.nhs.uk
  • ldap.national.ncrs.nhs.uk
  • gas.national.ncrs.nhs.uk
  • sbapi.national.ncrs.nhs.uk
  • esw.national.ncrs.nhs.uk
  • ldappoll.national.ncrs.nhs.uk
  • uim.national.ncrs.nhs.uk

2. Root certificates

If you have explicitly added any of our certificates to any of your trust stores you will also need to ensure you add the new AWS root certificates ahead of the migration.

AWS root certificates

It is recommended all the certificates listed in the Root CAs section are installed in your Live estate.

3. Hard-coded IP addresses 

If you have hard-coded live IP addresses currently in place of domain name system (DNS) entries then these will stop working after the cutover and you will need to change any hard-coded addresses in advance.

If you have hard-coded the IP address of the service in place of DNS entries, you will need to ensure you return to using the DNS entries. This will ensure you are automatically directed to the new service when the transition takes place. The DNS entries required are:

The existing client/user certificates will still be valid against the new live service and no further action is required.


During the cutover weekend, we will be updating DNS to point at the new IP range. If the instructions above are followed, we do not anticipate any issues. If you do encounter any issues resolving the host names we do recommend you clear down your DNS cache.  

During the transition window we anticipate a very small number of users, who have active sessions, may find that they need to re-authenticate again using normal smartcard processes. We have taken steps to minimise the number of users who will be affected in this way by choosing the timing of the transition carefully and by transitioning session data from the old to the new service.

After the cutover, those using the legacy BT Identity Agent (IA) will need to restart the identity agent to pick up the DNS changes. BT IA is no longer supported and we strongly recommend that you upgrade to the latest version.

Key contact in case of problems

If you experience any issues with the CIS live environment, please report as normal to the National Service Desk (03003 035 035 - [email protected]).


Pre go-live connectivity check

A few weeks ahead of the actual cutover, we would like you to perform a check. This check will allow you to test your connection to the new Production environment and ensure your firewall changes have been applied. If you experience any issues or would like some advice/guidance please contact SPINECIS, Sm at [email protected].

This check will only be available for a limited period, between Monday 19 April (BST) 09:00 and Monday 26 April (BST) 18:00.

You will be able to check the connectivity to the new AWS platform using the hostnames:

Specific instructions are below.

Testing connectivity

You can test connectivity to the gas and sbapi services using either a web browser or a command line utility such as curl. A successful connection will return the static response 'Welcome to CIS'.

curl https://gas.prod.cis.spine2.ncrs.nhs.uk/

Welcome to CIS

You can test the connectivity to the ldap service by using the openssl command line utility and your existing ldap client certificates.

openssl s_client -connect ldap.prod.cis.spine2.ncrs.nhs.uk:636 -servername ldap.prod.cis.spine2.ncrs.nhs.uk -CAfile root.pem -cert yourcert.crt -key yourcert.key

If you are able to connect successfully you should see a response similar to the following. Note that this sample output was captured against a PTL endpoint (the chain shown is issued by NHS DEV Level 1C under the NHS PTL Root Authority), so the certificate subject and issuer names in your own output against the Live service will differ; the lines that confirm a successful check are 'Verification: OK' and 'Verify return code: 0 (ok)'.

CONNECTED(00000005)
depth=2 O = nhs, OU = CA, CN = NHS PTL Root Authority
verify return:1
depth=1 O = nhs, OU = CA, CN = NHS DEV Level 1C
verify return:1
depth=0 O = nhs, OU = Devices, CN = ldap.vn03.national.ncrs.nhs.uk
verify return:1
---
Certificate chain
 0 s:O = nhs, OU = Devices, CN = ldap.vn03.national.ncrs.nhs.uk
   i:O = nhs, OU = CA, CN = NHS DEV Level 1C
 1 s:O = nhs, OU = CA, CN = NHS DEV Level 1C
   i:O = nhs, OU = CA, CN = NHS PTL Root Authority
 2 s:O = nhs, OU = CA, CN = NHS PTL Root Authority
   i:O = nhs, OU = CA, CN = NHS PTL Root Authority
---
Server certificate


subject=O = nhs, OU = Devices, CN = ldap.vn03.national.ncrs.nhs.uk
issuer=O = nhs, OU = CA, CN = NHS DEV Level 1C
---
Acceptable client certificate CA names
O = nhs, OU = CA, CN = VNIS03_SUBCA
O = nhs, OU = CA, CN = VNIS03_RootCA
O = nhs, OU = CA, CN = NHS PTL Root Authority
O = nhs, OU = CA, CN = NHS DEV Level 1C
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3772 bytes and written 3615 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B2A21E7CC0E50DD140016FE26D7E31D0CAF07702871CA0AFFA1933A30D9D1312
    Session-ID-ctx:
    Resumption PSK: C9360EE2D60A99DA7CF23567A59926389F9266BD516A38E406AB39B1ACDE230B5EA4A4CCA1FC7DB8D5187B1D897AB01F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 9f 6c 14 11 7b 30 28 c4-7c 5d 34 36 29 ab 55 45   .l..{0(.|]46).UE
    0010 - 57 2b 8b b8 f0 a0 a0 de-73 62 d7 c0 d9 a2 af 92   W+......sb......
    Start Time: 1615552335
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CD9ED1F09D66A55264E69DB2B2D8A1ED871DBE3D1D53125ADBD617B1DAF34EC0
    Session-ID-ctx:
    Resumption PSK: 8F4E2CD679E77FC20CEA1782B74404ED3EA4038BEB5E265FBC9A2531C33A6B73891CDAD548DC19E88D65AF70752ADBE7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b4 3c d0 2a cf ce ac 5e-95 f2 3b fa 55 e1 b7 b9   .<.*...^..;.U...
    0010 - 50 3e 9a 0f 09 cd 79 50-e0 a2 91 4e 23 6a 60 06   P>....yP...N#j`.
    Start Time: 1615552335
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
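The connectivity check above, scripted so it can be repeated before and after the cutover. This is an added example, not NHS Digital tooling; it assumes a POSIX shell with getent, curl and openssl on the PATH, uses the placeholder file names root.pem, yourcert.crt and yourcert.key from the openssl command above, and assumes the new hostnames resolve into 155.231.9.0/24, the range the firewall section asks you to allow.

```shell
#!/bin/sh
# Added example (not NHS Digital tooling): script the pre-go-live CIS connectivity check.
# Assumes POSIX sh with getent, curl and openssl; root.pem, yourcert.crt and
# yourcert.key are the placeholder file names from the newsletter's openssl command.
NEW_RANGE="155.231.9.0/24"
GAS_HOST="gas.prod.cis.spine2.ncrs.nhs.uk"
LDAP_HOST="ldap.prod.cis.spine2.ncrs.nhs.uk"

# Convert a dotted IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed when IP lies inside the IPv4 CIDR block.
in_cidr() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# gas_ok BODY: the gas/sbapi endpoints return a fixed page on success.
gas_ok() {
    [ "$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')" = "Welcome to CIS" ]
}

# ldap_ok OUTPUT: accept openssl s_client output only if chain verification passed.
ldap_ok() {
    printf '%s\n' "$1" | grep -q '^Verification: OK$'
}

# Live probe (needs network/HSCN): resolve, range-check, then test ports 443 and 636.
run_checks() {
    for fqdn in "$GAS_HOST" "$LDAP_HOST"; do
        for ip in $(getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u); do
            if in_cidr "$ip" "$NEW_RANGE"; then
                echo "$fqdn -> $ip is inside $NEW_RANGE"
            else
                echo "$fqdn -> $ip is OUTSIDE $NEW_RANGE: check DNS cache and routing"
            fi
        done
    done
    body=$(curl -sS --max-time 10 "https://$GAS_HOST/") && gas_ok "$body" \
        && echo "gas (443): OK" || echo "gas (443): FAILED"
    out=$(openssl s_client -connect "$LDAP_HOST:636" -servername "$LDAP_HOST" \
          -CAfile root.pem -cert yourcert.crt -key yourcert.key </dev/null 2>&1)
    ldap_ok "$out" && echo "ldap (636): OK" || echo "ldap (636): FAILED"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it with --run from a host that has HSCN access; without --run it only defines the functions.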

Other Information 

In line with general security recommendations, CIS will no longer support SSL - only TLSv1 (and above) will be supported. If you are using SSL v2 or SSL v3 you will need to upgrade to a later version of TLS before the CIS Live transition date. If you are using SSL, please contact SPINECIS, Sm at [email protected] directly and urgently.

As a reminder, the new CIS Cloud Service already hosts both a PTL-Development and PTL-Integration environment.  

The development environment is used by suppliers who are implementing the design, development and system test phases within their own test environment(s). It is also used to perform early testing against the Spine Core, Spine Care Identity Service (CIS) and NHS e-Referral Service (e-RS) national systems.

The integration environment is used for integration testing which proves the end to end capability of messaging between the supplier’s test environment and a Path to Live test environment. It is strongly recommended that you use these PTL environments to test both the essential changes and the processes required to implement them.


4. CIS live service changes - smartcard functionality

As previously communicated, to improve stability of the Care Identity Service (CIS) platform we are moving the Live CIS service (comprising authentication and application services) to the Cloud to remove the risk of ageing hardware. This updated communication provides details of the actual go-live date and details of the Pre-Go Live Connectivity check. It also includes the details previously published.

As a reminder, this transition weekend is scheduled to take place between Friday 7 May (BST) 18:30 and Monday 10 May (BST) 08:00. During this transition weekend, Authentication and the Directory Service will remain available. From the start of the transition weekend, the Care Identity Service application, including any CMS operations on smartcards, will be unavailable. The application will be unavailable until the cutover is completed and agreement to turn it on is confirmed on Monday 10 May. Smartcard unlocking will not be available until the CIS application is turned on, so it is advisable to notify users in your area that this function will be unavailable. Please refer to the previous update for further details.


Future Plans

Care Identity Service future changes

To improve stability of the Care Identity Service (CIS) platform we are moving the Live CIS service (comprising authentication and application services) to the Cloud to remove the risk of ageing hardware. The Path to Live Development (PTL-DEV) and Integration (PTL-INT) CIS services have already been successfully migrated to the cloud. This Live CIS Service transition is scheduled to take place late April/mid May and we will keep you updated as plans finalise and we have a definite date in place.

After the Live CIS transition, we will be planning to make the following future changes. Details of both these changes will be communicated.

  1. CIS PTL-DEP/PTL-TRAIN environment will be migrated to the Cloud.
  2. For the PTL-DEV environment, already transitioned to the Cloud, we will be making a change to the existing IP Range. This change will increase the network capability.

The IP address range is changing from 10.239.67.128/25 to 10.239.57.0/24. You will need to modify your firewall to allow outbound traffic to the address range 10.239.57.0/24 on ports 443 and 636. You will also need to allow inbound connectivity from this range to receive logout notifications.

Please do not make any changes until further details are provided in the newsletter.

Last edited: 21 February 2023 8:40 am