Skip to main content

Training environments

Find out how to connect to the training environments, services available, build version, maintenance slots and scheduled changes.

Page contents

How the training environments should be used

The training environments are used by suppliers to train staff on Spine Core messaging, Spine Care Identity Service (CIS) and NHS e-Referral Service (e-RS).

The Spine Core training environment undergoes a nightly reset of application data to enable re-use in subsequent training exercises. 

There is a e-RS training environments available as follows:

  • ERSTRAIN - offers e-RS functionality without the requirement for a PAS which is simulated in this environment. ERSTRAIN is internet facing and does not require smartcard authentication. Access to the ERSTRAIN environment is managed by the e-RS Training team - all connection details will be provided as part of the request. Please note this environment does not have any Spine connections and is self-contained.

What the training environments should not be used for

The training environments do not:

  • replace the development environments as proof of concept or test environments
  • replace any of the other path to live environments for any form of testing
  • provide right of access to any other environments during environment downtime or any other form of unavailability

How to connect to the environment

Before you start

You will need to:

  1. complete the training environment requirements form - this will help NHS Digital understand the scope of your use of the training environment - we will assess your requirements before you can connect to the environment
  2. connect to the Health and Social Care Network (HSCN) - the secure NHS network (if you do not have a connection or are experiencing problems connecting, contact your network provider)
  3. request access to test data (email: [email protected])
  4. request smartcards if required - you must have a valid smartcard to user certain services, including the Care Identity Service (CIS) - if you do not have a valid smartcard please email: [email protected]
  5. before you request access to the training environment, the product should have successfully completed the integration test phase
  6. register the messaging product using a Manufacturer, product and version (MPV) form if required
  7. register your message handling service with the Spine by requesting an endpoint (an authorised connection to Spine) to be created unless you have an endpoint administrator in your organisation who can do this for you - please complete the endpoint admin access request form (epr) to manage your own endpoints
  8. register your Fully Qualified Domain Name (FQDN) with the NHS DNS team
  9. download Identity Agent Client software

More detailed guidance of the connection process

Additional guidance to support the connection process.

Further assistance

Contact us for further assistance. Email: [email protected]

Connection information

A full list of URLs and associated IP addresses are provided below to help you connect to the training environments. 

Local firewall administrators should allow communication to the IP addresses as necessary using these details.

Portal URLs

These are the connection URLs for the Care Identity Service (CIS) portal and associated applications. 

Description URL DNS name IP address Port
Used for the SCRa service https://nww.train.spine2.ncrs.nhs.uk/summarycarerecord nww.train.spine2.ncrs.nhs.uk 10.239.14.22 TCP 443
Used for self service https://nww.train.spine2.ncrs.nhs.uk/spineselfservice nww.train.spine2.ncrs.nhs.uk 10.239.14.22 TCP 443
Used for the alert service https://nww.train.spine2.ncrs.nhs.uk/spinealertservice nww.train.spine2.ncrs.nhs.uk 10.239.14.22 TCP 443
Used for the DSA service https://nww.train.spine2.ncrs.nhs.uk/demographicspineapplication nww.train.spine2.ncrs.nhs.uk 10.239.14.22 TCP 443
Used for the ETP ADMIN service https://nww.train.spine2.ncrs.nhs.uk/prescriptionsadmin nww.train.spine2.ncrs.nhs.uk 10.239.14.22 TCP 443
Used for the Spine reporting service (SRS) https://nww.train.spine2.ncrs.nhs.uk/spinereportingservice nww.train.spine2.ncrs.nhs.uk 10.239.14.22 TCP 443
Portal page with links to access Spine Core and CIS applications https://portal.tsp.national.ncrs.nhs.uk portal.tsp.national.ncrs.nhs.uk See system URL section below TCP 443

System URLs

These are the connection URLs for the services required to run or connect to applications. Due to the move of this environment to AWS, the IP addresses of the following are not constant. Customers will need to open their firewalls to the IP address range of 10.239.60.0/24 to ports 636 (LDAP) and 443 (Sbapi, Gas and TRAIN Portal (see above)).  If you are using hard-coded IP addresses e.g. in a hosts file, you will need modify your application to use the DNS service names. 

Description URL DNS name IP address Port

This is the LDAPS protocol service to the directory.

This is a service used by other services accessing the SPINE for directory lookups

ldaps://ldap.tsp.national.ncrs.nhs.uk/<LDAP QUERY>

<LDAP QUERY> - The query to the directory may be contained within the URL		 ldap.tsp.national.ncrs.nhs.uk See above TCP 636
This name exists for Smart Card authentications from the PC and is not a user service

Client Side GAC URL:

https://gas.tsp.national.ncrs.nhs.uk/login/authactivate

https://gas.tsp.national.ncrs.nhs.uk/login/authlogout

Server Side GAS URL:

https://gas.tsp.national.ncrs.nhs.uk/login/authvalidate		 gas.tsp.national.ncrs.nhs.uk See above TCP 443

Used to access ID server and is not a user based service

These URLs will only be used by application developers and are included here for completeness

(This URL is case sensitive)

Naming service:

https://sbapi.tsp.national.ncrs.nhs.uk/amserver/namingservice

Role assertion:

https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleAssertion		 sbapi.tsp.national.ncrs.nhs.uk See above TCP 443

Messaging URLs

These are the messaging URLs for all Spine services.

Spine party key

A party key is a unique reference for a particular organisation and set of contract properties. Several party keys can exist at the same organisation and will start with the Organisation Data Service (ODS) code.

For the training environment, the party key is: YES-0000806.

All messaging properties should be obtained from this party key using the Lightweight Directory Access Protocol (LDAP) service URL listed below. 

Description URL DNS name IP address Port

Used for all domain synchronous messaging

This is also the service entry point for NN4B messages

 https://msg.train.spine2.ncrs.nhs.uk/sync-service  msg.train.spine2.ncrs.nhs.uk 10.239.14.27 TCP 443
Used for all domain reliable messaging https://msg.train.spine2.ncrs.nhs.uk/reliablemessaging/reliablerequest msg.train.spine2.ncrs.nhs.uk 10.239.14.27 TCP 443
Used for all domain unreliable messaging https://msg.train.spine2.ncrs.nhs.uk/reliablemessaging/queryrequest msg.train.spine2.ncrs.nhs.uk 10.239.14.27 TCP 443
Used for all domain intermediary messaging https://msg.train.spine2.ncrs.nhs.uk/reliablemessaging/intermediary msg.train.spine2.ncrs.nhs.uk 10.239.14.27 TCP 443

Used to access the gazetteer postcode look up service

Gazetteer is a web service so will be called by other applications using this URL.

This is not a user service.

 https://msg.train.spine2.ncrs.nhs.uk/addressfinder/query msg.train.spine2.ncrs.nhs.uk 10.239.14.27 TCP 443

Used for all SMSP messaging

Now uses TLS1.2

 https://simple-sync.train.spine2.ncrs.nhs.uk/smsp/pds simple-sync.train.spine2.ncrs.nhs.uk 10.239.14.37 TCP 443

Used for all SMSP messaging.


Now uses TLS1.2

 https://proxy.train.spine2.ncrs.nhs.uk/[provider service root url]/[fhir request] proxy.train.spine2.ncrs.nhs.uk 10.239.14.32 TCP 443
Used for internet facing messaging 

https://msg.trainspineservices.nhs.uk

https://proxy.trainspineservices.nhs.uk

https://simple.trainspineservices.nhs.uk

msg.trainspineservices.nhs.uk

proxy.trainspineservices.nhs.uk

simple.trainspineservices.nhs.uk

 Varies TCP 443

Outbound Network Address Translation (NAT) addresses

Local firewall administrators should allow communication from these IP addresses.

Description URL DNS name IP address Port

All messages will be sent out as coming from msg-out.train.spine2.ncrs.nhs.uk.

Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only		 Not applicable msg-out.train.spine2.ncrs.nhs.uk 10.239.14.102 TCP 443

Outbound token events to registered listeners will be sent from this address

Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only

CIS will respond on the port number specified by the client request		 Not applicable Not applicable 10.239.60.0/24 Any

Spine application URLs

Applications

Area URL
Summary Care Record (SCR) https://nww.train.spine2.ncrs.nhs.uk/summarycarerecord/
SCR 1-Click http://nww.train.spine2.ncrs.nhs.uk/oneclickscr/LSPValidator.jsp
SAML https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleAssertion
EPS Prescription Tracker https://nww.train.spine2.ncrs.nhs.uk/prescriptionsadmin/
Care ID Service (Smartcard Management) https://cis.tsp.national.ncrs.nhs.uk/urswebapp/
End Point Registration Service (EPR) https://cis.tsp.national.ncrs.nhs.uk/eprwebapp/
Spine Reporting Service https://nww.train.spine2.ncrs.nhs.uk/spinereportingservice/
Demographic Spine Application (DSA) https://nww.train.spine2.ncrs.nhs.uk/demographicspineapplication/
TES Alert Viewer https://nww.train.spine2.ncrs.nhs.uk/spinealertservice/

 

Training NHS e-Referral Service (e-RS) URLs

The Training e-RS environment has been decommissioned and replaced by a new e-RS Training environment, ERSTRAIN. This environment is self contained and not connected to the Spine Training environment. Further information and access details are available from [email protected]

RootCA and SubCA Certificates

In order to establish connection to the deployment environment, a chain of trust must be set up using the RootCA and SubCA certificate. 

  1. copy the required RootCA or SubCA certificate
  2. open Notepad or similar and paste the certificate - save the file locally with a suitable file name
  3. locate the locally saved text file and change the file extension from .txt to .der
  4. import the certificate into the local trusted certificate store - use the documentation from your software supplier as this may vary between applications

Please note that the: 

  • RootCA should be placed in 'Trusted Root Certification Authorities' 
  • SubCA should be placed in 'Intermediate Certification Authorities'

Root CA (NHS PTL Root AuhorityI

-----BEGIN CERTIFICATE-----
MIIDgjCCAmqgAwIBAgIEXR9LkDANBgkqhkiG9w0BAQsFADA8MQwwCgYDVQQKEwNu
aHMxCzAJBgNVBAsTAkNBMR8wHQYDVQQDExZOSFMgUFRMIFJvb3QgQXV0aG9yaXR5
MB4XDTE5MDcwNTEyMzcyOFoXDTM5MDcwNTEzMDcyOFowPDEMMAoGA1UEChMDbmhz
MQswCQYDVQQLEwJDQTEfMB0GA1UEAxMWTkhTIFBUTCBSb290IEF1dGhvcml0eTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJkUOEvituvw0SSmU4adXDnP
SXiaLsQb8CPZwLylSYqumfIzSjsxkktJsekegF6ybtGRMPWW+zBXMI15C3cT+tn8
gpCNYyn1P8/+oNgxtqTLYjxackfU6S8AL+6d39grDd6PlI5ILvCZko82m23cUx2y
2aRnpAIBgDk518tWLTZbMuM14bza/QvYVeX5DqW9gsz947opb6FYRe3MjeHiQmxq
GvWfPY/yb/cggo5y8m2fTQa6dencHeFwnmwbX6nwbrFx8UXzflD0Yke4i5Z2NN4C
xmgAqtxSu5Bz9f7ZQLPPBT5FL+pvxkAu4cEHma4JDD3KayhxzxigKbQcnQpXWEcC
AwEAAaOBizCBiDArBgNVHRAEJDAigA8yMDE5MDcwNTEyMzcyOFqBDzIwMzkwNzA1
MTMwNzI4WjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUz4gDrKnt3tEACoCAAEC4
A4jIkFIwHQYDVR0OBBYEFM+IA6yp7d7RAAqAgABAuAOIyJBSMAwGA1UdEwQFMAMB
Af8wDQYJKoZIhvcNAQELBQADggEBAJU06JOPpBMgj/Owzd2aDDIlzEjHDyBx0UOa
xcIeeAT/ByYkTuPees9b5vsPmUwVuNzKscChQ9tvuugPPoTu9gXQfLldKTLlPqOf
+VCghQhM4H+i9+JyK7iKYN7xdVJLjH0AIgpNLwNN/2pnZ+69dOU4G7W0+NYT4e/w
wDcJSq0fi8dwixDTYU8DkFCfEyahEqeuNPp9X3ddWZryq3XjbR3n0YA1sUmnuwiT
ruMNXR0m34pt0nFLQFz57+dLWhAsB5xQdLPc1AuWwK/R8jnHh3+Q/RXOnXG4NNmn
RKYUDjLpFTnWmiZfGyX6edIrjN72M3Guu5cAs0pD/2d6QFsp1Dg=
-----END CERTIFICATE-----

SubCA (NHS TRA Level 1C)

-----BEGIN CERTIFICATE-----
MIIDiDCCAnCgAwIBAgIEXa2OfTANBgkqhkiG9w0BAQsFADA8MQwwCgYDVQQKEwNu
aHMxCzAJBgNVBAsTAkNBMR8wHQYDVQQDExZOSFMgUFRMIFJvb3QgQXV0aG9yaXR5
MB4XDTE5MTIwNjEyNTIyOVoXDTI5MTIwNjEzMjIyOVowNjEMMAoGA1UEChMDbmhz
MQswCQYDVQQLEwJDQTEZMBcGA1UEAxMQTkhTIFRSQSBMZXZlbCAxQzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/HWQM1PzDtDpsMZhr4ShfEIWPALZ69
XacseVs9llslXFIhqEGSGdbRpSyJa0rRuDkQpfDQh4U8PNoiTcbh5HEovQHMSVUC
+EmA0UMoq/Za4moMHucsfzFNzTwzic2sl1q1/y7maxqeRxdSK9/l+8pKTay8+Qlo
uTCFacQZckwtR0Jq9lTFRC8IbBEEqLaM1Tcu4OB4SHce1cetWPzLVKV7N2r/R+7K
WoxzJ7PaDC1RH0f4yyBU8kXy3CAYr5ffZHGR1/9vpkUf/mt9lg3J4UzeFda0Szmc
IwmuwBYa0hEuqYB+IJ/GxFYHAH5G8ElCuy/T3F3qazWo1QBQZEh2Uu0CAwEAAaOB
lzCBlDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLm5ocy51ay9wdGwvcm9v
dGNhL2FybGExLmNybDALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUz4gDrKnt3tEA
CoCAAEC4A4jIkFIwHQYDVR0OBBYEFAlnIgIT7ZHBCJxDkrCXmFErYD1gMAwGA1Ud
EwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGvXzpHcRD9Ju6rLl4NRX+24xvcO
6p2iLu1A872zsjry9qviAKE0Wba4wcR+pozJ5aZQoupcH3Jp9kl4ziGlUwbQKFq9
teFmA10PWcMI4VPyUprXFSndBCWsh/ZIHfM4iEFM/t6DhlrlKTqtKsrtjnW3Eg8v
quD2/F9wK05m9ufCxa0V3wgKGQWWg83aD3aKNCu4Y4SrpvBaKk/rFh9mWONVGPfG
wsIX2UaFu03NCsIRZ1Z8hiRr5sMeo24BQGjXXBRR9p5Knv9QhD3EMgubi/Bq+gqS
7T8lZySUADPHcuIUKbsnJL7bEdfP7XwTw2eZMnKI6k94BiSOVhOtB2j0rwM=
-----END CERTIFICATE-----

Message Exchange for Social Care and Health (MESH) keystore files to download

MESH is no longer supported in the Training environment, please use the Integration or Deployment environments instead.

Registry settings required to connect to the spine training environments

In order to access the Spine Training environment, changes are required to the user's computer registry.  The exact changes depend on the version of the Identity Agent (IA) Client being used, and whether the operating system is 32-bit or 64-bit. 

  1. Copy the relevant text to a Notepad file and save it to your desktop
  2. Rename the file, changing the file extension from .txt to .reg
  3. Double-click on the file to run it

N.B. You will need administrator access to change registry settings on your computer. If you do not have this you should contact your local support team to run the file for you.

Registry File HSCIC Identity Agent 2 (64-bit) Spine Training

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HSCIC\Identity Agent]
"ActivatePOSTURL"="https://gas.tsp.national.ncrs.nhs.uk/login/authactivate"
"LaunchAppsPath"="https://portal.tsp.national.ncrs.nhs.uk"
"MobilityPersistence_Available"="False"
"SessionLockPersistence_Enabled"="False"

Registry File HSCIC Identity Agent 2 (32-bit) Spine Training

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent]
"ActivatePOSTURL"="https://gas.tsp.national.ncrs.nhs.uk/login/authactivate"
"LaunchAppsPath"="https://portal.tsp.national.ncrs.nhs.uk"
"MobilityPersistence_Available"="False"
"SessionLockPersistence_Enabled"="False"

Registry File HSCIC Identity Agent 1 (64-bit) Spine Training

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HSCIC\Identity Agent]
"ActivatePOSTURL"="https://gas.tsp.national.ncrs.nhs.uk/login/authactivate"
"RoleSelectionGETPOSTURL"="https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp"
"LogoffPOSTURL"="https://gas.tsp.national.ncrs.nhs.uk/login/authlogout"
"LaunchAppsPath"="https://portal.tsp.national.ncrs.nhs.uk"

Registry File HSCIC Identity Agent 1 (32-bit) Spine Training

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent]
"ActivatePOSTURL"="https://gas.tsp.national.ncrs.nhs.uk/login/authactivate"
"RoleSelectionGETPOSTURL"="https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp"
"LogoffPOSTURL"="https://gas.tsp.national.ncrs.nhs.uk/login/authlogout"
"LaunchAppsPath"="https://portal.tsp.national.ncrs.nhs.uk"

Registry File BT Identity Agent IA13 Spine Training

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\GAC] "Activate.URL"="https://gas.tsp.national.ncrs.nhs.uk/login/authactivate" "Logout.URL"="https://gas.tsp.national.ncrs.nhs.uk/login/authlogout" "Authentication.StartBrowser.Url"="https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleSelectionWT.jsp?token=<SSO_TICKET>" "Device.id"="1ef2f9cc" "UpdateWatcher.enable"=dword:00000000 "Device.id.URL"="https://sbapi.tsp.national.ncrs.nhs.uk/ssb/DeviceIDLogger?ipaddress=<IP_ADR>&latestdeviceid=<DEVICE_ID>&storeddeviceid=<OLD_DEVICE_ID>&token=<SSO_TICKET>" "Authentication.StartBrowser.Url"="https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleSelectionWT.jsp?token=<SSO_TICKET>" "RoleSelection.URL"="https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp?token=<SSO_TICKET>&selectedRoleUid=<ROLE_UID>&ssbMode=<MODE>&gacVersion=<GAC_VERSION>&fallbackStatus=<FALLBACK>" "Portal.URL"="https://portal.tsp.national.ncrs.nhs.uk"

Data reset and restore

The Personal Demographics Service (PDS) data in the training environment is backed up on a weekly basis to create a benchmark. Any new test data in will be introduced immediately prior to this backup. The PDS data is reset to this known benchmarked state overnight, thus the training data is reset to the same initial state at the start of each training day.

Please note that only PDS data is reset. Any e-RS data is not reset in any way.

Services available in the training environments

Spine Core Messaging and Spine Core applications 

The Spine Core service provides a messaging service that allows certified endpoint message handling systems to query and update data held in the national demographic and prescriptions systems. 

The Spine Core systems also supports the e-RS national systems by providing a messaging interface between e-RS and referrers and providers. Also included in the Spine Core service are the Graphic User Interface (GUI) based Summary Care Record application (SCRa) and Demographic Spine Application (DSA). These allow Spine Core data to be manipulated without a messaging interface.

Spine Mini Service Provider 

The Spine Mini Service Provider provides customers an interface to submit a limited number of demographic messages in a simple format.

Spine Secure Proxy

The Spine Secure Proxy provides a simpler interface to local systems for demographic messaging, allowing quick recovery of details without the requirements of full integration. Messaging functionality is limited to retrievals and simple trace. Updates are not supported. 

Message Exchange for Social Care and Health (MESH)

MESH is no longer supported in the Training environment, please use the Integration or Deployment environments instead.

Care Identity Service (CIS)

The Care Identity Service (CIS) controls user access to data held in the national systems. Users access is via a smartcard and uses Role Based Access Control. Both smartcards and Access control are managed within the CIS application. Certification and management of message handling systems is also managed within the CIS application.

NHS e-Referral Service (e-RS) 

The NHS e-Referral Service (e-RS) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online. 

NHS e-Referral Service Application Programming Interface (e-RS API)

The NHS e-Referral Service Application Programming Interface (e-RS API) service allows patient systems to perform clinical actions within the e-RS application via an external API interface.

Smartcard services

You will need a valid smartcard to use certain services including the Care Identity Service (CIS).

If you do not have a valid smartcard, email [email protected].

Environment build versions

Current versions of the national system applications deployed in each Path to Live environment.

Maintenance slots and scheduled changes

Although these are the scheduled maintenance slots, check the Forward Change Schedule for activity taking place outside the scheduled maintenance slots.

Maintenance slots 

Spine Core

Friday 8pm to Saturday 6am (weekly)

Spine CIS

Friday 8pm to Saturday 6am (weekly)

e-RS Train

Friday 8pm to Saturday 6am (the week following the live e-RS release)

e-RS Train2

Sunday 8am to Monday 6am (the week following the live e-RS release)

Last edited: 11 April 2024 8:57 am