News - week commencing 21 June 2021

Current and future non-production environment plans and other relevant topics to help make connecting to NHS national systems easier.

Current plans


1. CIS live service changes - updated

As previously communicated, to improve stability of the Care Identity Service (CIS) platform we are moving the live CIS service (comprising authentication and application services) to the Cloud.

As a reminder, the transition is now re-scheduled to start on Friday 9 July 2021 (BST) 18:30. As before, during this transition, Authentication and the Directory Service will remain available. From the start of the transition, the Care Identity Service application including any CMS operations on smartcards will be unavailable. The CIS application will be unavailable until the Authentication cutover is completed and agreement to turn it on is confirmed on Monday 12 July. In summary, the key milestones over the transition are:

Step 1: We will close the front doors to the CIS Application and banner up on 9 July 2021 at (BST) 18:30.

Step 2: Cutover CIS Authentication to the Cloud on 10 July at (BST) 04:00.

Step 3: CIS application planned to be brought back into live service on 12 July 2021 (time to be agreed but will be brought back into service at the earliest opportunity).

Many organisations will have already made the prerequisite changes, as noted in a previous newsletter. If you haven’t, please ensure they are completed ahead of the cutover date. If you haven’t but would like to, you can still perform a pre go-live connectivity check, but the details have changed.

Pre go-live connectivity check

Conduct a basic connectivity test to the test gas endpoint using either nc or telnet. This will confirm you have basic connectivity to the service in AWS on the required ports.

nc -vz -w1 test.gas.national.ncrs.nhs.uk 443



nc -vz -w1 test.ldap.national.ncrs.nhs.uk 636

or

telnet test.gas.national.ncrs.nhs.uk 443



telnet test.ldap.national.ncrs.nhs.uk 636

Key contact in case of problems

If you experience any issues with the CIS live environment, please report as normal to the National Service Desk (03003 035 035 - ssd.nationalservicedesk@nhs.net).

CIS Service Changes in the PTL Deployment, Training and Development environments

To improve the stability of the Care Identity Service (CIS) platform (comprising authentication and application services) NHS Digital are moving the final CIS Path to Live Environments, PTL-DEP and PTL-TRAIN to the Cloud.

The Path to Live Development (PTL-DEV) and Integration (PTL-INT) CIS services have already been successfully migrated to the cloud. The CIS Production Service transition is scheduled to start on Friday 9 July 2021 (BST) 18:30. Please see the notice above.

Step 1: Transitioning PTL-DEP to the Cloud - the existing data in the environment will be migrated.

Step 2: Transitioning PTL-TRAIN to the Cloud - the existing data in the environment will be migrated.

Step 3: For the PTL-DEV environment, already transitioned to the Cloud, NHS Digital will be making a change to the existing IP Range. This change will match the network address space with the other CIS environments.

The transition of these Path to Live Environments is scheduled to take place on 4 August 2021 (17:30 BST). From 4 August (17:30 BST) to 5 August 2021 (08:30 BST), Authentication and the Directory Service will remain available; however, the Care Identity Service application, including any CMS operations on smartcards, will be unavailable in these environments (PTL-DEP and PTL-TRAIN). There will be a one hour outage on PTL-DEV between 19:30 BST and 20:30 BST to perform the change to the existing IP range.

If you are using these environments please refer to the sections below for the changes you will need to make ahead of the transition.


Change 1 - Transitioning PTL-DEP to the Cloud

Ahead of the transition, your IT function will need to:

Make a change to your firewall

You will need to allow the traffic out from your firewall to the following address range 10.239.59.0/24 to ports 443 and 636. You will also need to allow inbound connectivity from this range to receive logout notifications, if you are using them. When making these firewall changes, subject to how your network connections are set-up, you may need to update your routing/NAT configurations to accommodate the new IP range.

Apply root certificates

If you have explicitly added any of our certificates to any of your trust stores, you will also need to ensure you add the new AWS root certificates, available from the Amazon website, ahead of the migration.

If applicable, remove hard coded IP addresses.

If you have hard-coded current live IP addresses in place of domain name system (DNS) entries then these will stop working after the cutover and you will need to change any hard-coded addresses in advance. If you have hard-coded the IP address of the service in place of DNS entries, you will need to ensure you return to using the DNS entries. This will ensure you are automatically directed to the new service when the transition takes place. The DNS entries required are:

Authentication - gas.vn1.national.ncrs.nhs.uk

Directory - ldap.vn1.national.ncrs.nhs.uk

Security Broker - sbapi.vn1.national.ncrs.nhs.uk

The existing client/user certificates will still be valid against the new Live service and no further action is required.

During the transition, we will be updating DNS to point at the new IP range. If the instructions above are followed, we do not anticipate any issues. If you do encounter any issues resolving the host names we do recommend you clear down your DNS cache.  

After the cutover, if you are using the legacy BT Identity Agent (IA) you will need to restart the identity agent to pick up the DNS changes. BT IA is no longer supported and we strongly recommend that you upgrade to the latest version, which can be downloaded from the DIR website. This is only available from HSCN.


Change 2 - Transitioning PTL-TRAIN to the Cloud

Ahead of the transition, your IT function will need to:

Make a change to your firewall

You will need to allow the traffic out from your firewall to the following address range 10.239.60.0/24 to ports 443 and 636. You will also need to allow inbound connectivity from this range to receive logout notifications, if you are using them. When making these firewall changes, subject to how your network connections are set-up, you may need to update your routing/NAT configurations to accommodate the new IP range.

Apply root certificates

If you have explicitly added any of our certificates to any of your trust stores, you will also need to ensure you add the new AWS root certificates, available from the Amazon website, ahead of the migration.

If applicable, remove hard coded IP addresses.

If you have hard-coded current live IP addresses in place of domain name system (DNS) entries then these will stop working after the cutover and you will need to change any hard-coded addresses in advance. If you have hard-coded the IP address of the service in place of DNS entries, you will need to ensure you return to using the DNS entries. This will ensure you are automatically directed to the new service when the transition takes place. The DNS entries required are:

Authentication - gas.tsp.national.ncrs.nhs.uk

Directory - ldap.tsp.national.ncrs.nhs.uk

Security Broker - sbapi.tsp.national.ncrs.nhs.uk

The existing client/user certificates will still be valid against the new Live service and no further action is required.

During the transition, we will be updating DNS to point at the new IP range. If the instructions above are followed, we do not anticipate any issues. If you do encounter any issues resolving the host names we do recommend you clear down your DNS cache.  

After the cutover, if you are using the legacy BT Identity Agent (IA) you will need to restart the identity agent to pick up the DNS changes. BT IA is no longer supported and we strongly recommend that you upgrade to the latest version, which can be downloaded from the DIR website. This is only available from HSCN.
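A post-cutover check for Changes 1 and 2, as an added example that is not NHS Digital's own tooling: it resolves the Authentication and Directory names, confirms each address falls inside the new range for its environment (a miss usually means a stale DNS cache or a hard-coded hosts entry), and then runs the same nc port test shown for the live check. It assumes a Linux host with getent and nc, that the names resolve inside the firewall range given above, and that gas uses 443 and ldap uses 636 as in the pre go-live check; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: names and ranges are taken from the notice, logic is illustrative.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1                      # split the address on dots
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 address $1 lies inside CIDR block $2 (e.g. 10.239.59.0/24).
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# Print "ok" if address $1 is in the new range $2, otherwise "stale".
classify() {
  if in_cidr "$1" "$2"; then echo ok; else echo stale; fi
}

# Resolve the host, verify the range, then test the TCP port with nc.
check_host() {
  host=$1; cidr=$2; port=$3
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo "$host: does not resolve"; return 1; }
  if [ "$(classify "$ip" "$cidr")" = stale ]; then
    echo "$host: $ip is outside $cidr (stale DNS cache or hosts entry?)"
    return 1
  fi
  nc -vz -w1 "$host" "$port"
}

main() {
  rc=0
  # PTL-DEP (Change 1)
  check_host gas.vn1.national.ncrs.nhs.uk  10.239.59.0/24 443 || rc=1
  check_host ldap.vn1.national.ncrs.nhs.uk 10.239.59.0/24 636 || rc=1
  # PTL-TRAIN (Change 2)
  check_host gas.tsp.national.ncrs.nhs.uk  10.239.60.0/24 443 || rc=1
  check_host ldap.tsp.national.ncrs.nhs.uk 10.239.60.0/24 636 || rc=1
  return $rc
}

# Network checks only run when asked for: sh check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The Security Broker names are left out of the port test because the notice does not state which port that service uses.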


Change 3 - PTL-DEV environment - making a change to the existing IP Range.

Firewall changes - For the PTL-DEV environment, already transitioned to the Cloud, we will be making a change to the existing IP Range. This change will match the network address space with the other CIS environments. The IP address range should be changed from 10.239.67.128/25 to 10.239.57.0/24.

You will need to modify your firewall to allow the traffic out to the following address range 10.239.57.0/24 to ports 443 and 636. You will also need to allow inbound connectivity from this range to receive logout notifications, if you are using them.

Key contact in case of problems

If you experience any issues with the CIS PTL-DEP, PTL-TRAIN and PTL-DEV environments after the transition, please report as normal to the ITOC Support Desk (itoc.supportdesk@nhs.net).

Last edited: 12 August 2021 11:09 am