Spine Core common issues in the Path to Live environments

Firewall rules

Make sure that you have allowed traffic between IP addresses/URLs from the relevant environment page both in and out of your local firewall. If you have not allowed them, you may get rejection messages, timeouts or no response at all.

Messaging URLs

Confirm whether you are sending directly to URLs, and if so, that you are using the correct messaging URLs as provided on the relevant environment page. Check whether you are using a host file and that it has the correct entries in it.

DNS registration

Confirm that you have registered your FQDN and IP address with the NHS DNS team as this may be preventing you from receiving responses from Spine. This can be confirmed by doing a DNS lookup on the FQDN or you can email: [email protected]

Party key and Accredited System ID (ASID)

Confirm that the party key and/or ASID that you are sending in your message exists in the required environment. This can be done by doing a suitable LDAP search. An LDAP search can also be used to confirm which messages are registered against the endpoint. 

A telnet command tests bidirectional communications with a remote computer. This test is used to ensure a particular server can send and receive commands.

If you are asked to telnet to a particular environment you need to find the relevant URL, IP address, port numbers and fully qualified domain names (FQDNs) of the service you're trying to connect to. These can be found on the relevant environment page. 

In the example below, a user has been unable to connect to LDAP in the Spine training environment. You'll need to log onto a server that has HSCN (N3) connectivity, and from a command line type the following:

The DNS lookup command checks either an FQDN or IP address against the NHS DNS servers to see if they are registered. A DNS registration is required to ensure traffic can go between servers. 

If you're asked to do a DNS test in a particular environment, you will need either the FQDN or IP address of the service you're trying to connect to. In the example below, a user is querying the FQDN of the LDAP service. You'll need to log onto a server which has HSCN connectivity and type in the following command:

It is important to distinguish between the inability to connect to LDAP and unexpected results being returned.

Unable to connect to LDAP

• confirm that the correct URL is being used for the required environment - the environment specific URLs are available on the relevant environment page
• the LDAP URL must be allowed in and out of the local firewall, otherwise the connection will be blocked
• the system connecting to the LDAP URLs must have a certificate, usually the same as the end point certificate, and a HSCN connection

No results or incorrect results returned

You will need to raise an incident with the Platforms support desk using the incident form (opens in a new window) or service portal (HSCN access required to access the service portal). Please provide the full LDAP search string and the environment name, combined with a description of what you expected to be returned.

To help us investigate a connection issue, it may be necessary to complete a packet capture showing the network traffic.

The software captures the network conversation between the Local System and the End System and helps the resolving group understand where the issue lies. If the local user is not getting as far as reaching the end system then the packet capture may show this. Users will need admin access to install suitable software, for example Wire-Shark.

This process is also known as a 'snoop'. If you do not know how to complete a packet capture/snoop, please contact your local IT support team. It may be necessary to coordinate such activity with NHS Digital to perform a full investigation. 

The Role Based Access Control (RBAC) roles and activities commonly used for DSA are outlined below.

Users should contact [email protected] to gain access to DSA.

The Role Based Access Control (RBAC) roles and activities commonly used for SCR are outlined below.

The contract properties for all national service messages can be obtained from the Spine party key along with ASID information.

Spine Party Key: YES-0000806

ASIDs: vary depending on the service 

Full details can be obtained by performing a suitable LDAP search against the Spine party key. 

If you are experiencing an issue with Spine messaging and you've attempted the fixes above unsuccessfully, please raise an incident with the Platforms support desk using the incident form (opens in a new window) or service portal (HSCN access required to access the portal). 

Please provide as much of the following detail as possible:

• Party key: your party key and the associated binding URL
• ASID: the ASID you are sending
• Message tracing information: GUID and timestamp of a message
• Message: if possible a copy of the message that you are sending, including the headers
• Error messages: details of any error message received and where in the process you receive them
• Recreation steps: what you did prior to experiencing the problem and whether or not this happens consistently