Skip to main content
Training environments

Find out how to connect to the training environments, services available, build version, maintenance slots and scheduled changes.

How the training environments should be used

The training environments are used by suppliers to train staff on Spine Core messaging, Spine Care Identity Service (CIS) and NHS e-Referral Service (e-RS).

The Spine Core training environment undergoes a nightly reset of application data to enable re-use in subsequent training exercises. 

There is a e-RS training environments available as follows:

  • ERSTRAIN - offers e-RS functionality without the requirement for a PAS which is simulated in this environment. ERSTRAIN is internet facing and does not require smartcard authentication. Access to the ERSTRAIN environment is managed by the e-RS Training team - all connection details will be provided as part of the request. Please note this environment does not have any Spine connections and is self-contained.

What the training environments should not be used for

The training environments do not:

  • replace the development environments as proof of concept or test environments
  • replace any of the other path to live environments for any form of testing
  • provide right of access to any other environments during environment downtime or any other form of unavailability

How to connect to the environment

Before you start

You will need to:

  1. complete the training environment requirements form - this will help NHS Digital understand the scope of your use of the training environment - we will assess your requirements before you can connect to the environment
  2. connect to the Health and Social Care Network (HSCN) - the secure NHS network (if you do not have a connection or are experiencing problems connecting, contact your network provider)
  3. request access to test data (email:
  4. request smartcards if required - you must have a valid smartcard to user certain services, including the Care Identity Service (CIS) - if you do not have a valid smartcard please email:
  5. before you request access to the training environment, the product should have successfully completed the integration test phase
  6. register the messaging product using a Manufacturer, product and version (MPV) form if required
  7. register your message handling service with the Spine by requesting an endpoint (an authorised connection to Spine) to be created unless you have an endpoint administrator in your organisation who can do this for you - please complete the endpoint admin access request form (epr) to manage your own endpoints
  8. register your Fully Qualified Domain Name (FQDN) with the NHS DNS team
  9. download Identity Agent Client software

More detailed guidance of the connection process

Additional guidance to support the connection process.

Further assistance

Contact us for further assistance. Email:

Connection information

A full list of URLs and associated IP addresses are provided below to help you connect to the training environments. 

Local firewall administrators should allow communication to the IP addresses as necessary using these details.

Portal URLs

These are the connection URLs for the Care Identity Service (CIS) portal and associated applications. 

Description URL DNS name IP address Port
Used for the SCRa service TCP 443
Used for self service TCP 443
Used for the alert service TCP 443
Used for the DSA service TCP 443
Used for the ETP ADMIN service TCP 443
Used for the Spine reporting service (SRS) TCP 443
Used for the MOLES service TCP 443
Portal page with links to access Spine Core and CIS applications See system URL section below TCP 443

System URLs

These are the connection URLs for the services required to run or connect to applications. Due to the move of this environment to AWS, the IP addresses of the following are not constant. Customers will need to open their firewalls to the IP address range of to ports 636 (LDAP) and 443 (Sbapi, Gas and TRAIN Portal (see above)).  If you are using hard-coded IP addresses e.g. in a hosts file, you will need modify your application to use the DNS service names. 

Description URL DNS name IP address Port

This is the LDAPS protocol service to the directory.

This is a service used by other services accessing the SPINE for directory lookups

ldaps://<LDAP QUERY>

<LDAP QUERY> - The query to the directory may be contained within the URL See above TCP 636
This name exists for Smart Card authentications from the PC and is not a user service

Client Side GAC URL:

Server Side GAS URL: See above TCP 443

Used to access ID server and is not a user based service

These URLs will only be used by application developers and are included here for completeness

(This URL is case sensitive)

Naming service:

Role assertion: See above TCP 443

Messaging URLs

These are the messaging URLs for all Spine services.

Spine party key

A party key is a unique reference for a particular organisation and set of contract properties. Several party keys can exist at the same organisation and will start with the Organisation Data Service (ODS) code.

For the training environment, the party key is: YES-0000806.

All messaging properties should be obtained from this party key using the Lightweight Directory Access Protocol (LDAP) service URL listed below. 

Description URL DNS name IP address Port

Used for all domain synchronous messaging

This is also the service entry point for NN4B messages TCP 443
Used for all domain reliable messaging TCP 443
Used for all domain unreliable messaging TCP 443
Used for all domain intermediary messaging TCP 443

Used to access the gazetteer postcode look up service

Gazetteer is a web service so will be called by other applications using this URL.

This is not a user service. TCP 443

Used for all SMSP messaging

Now uses TLS1.2 TCP 443

Used for all SMSP messaging.

Now uses TLS1.2[provider service root url]/[fhir request] TCP 443
Used for internet facing messaging

Varies TCP 443

Outbound Network Address Translation (NAT) addresses

Local firewall administrators should allow communication from these IP addresses.

Description URL DNS name IP address Port

All messages will be sent out as coming from

Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only
Not applicable TCP 443

Outbound token events to registered listeners will be sent from this address

Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only

CIS will respond on the port number specified by the client request
Not applicable Not applicable Any

Spine application URLs


Area URL
Summary Care Record (SCR)
SCR 1-Click
EPS Prescription Tracker
Care ID Service (Smartcard Management)
End Point Registration Service (EPR)
Spine Reporting Service
Demographic Spine Application (DSA)
TES Alert Viewer

NHS e-Referral Service (e-RS)

Area URL IP address
e-RS Professional Web App
e-RS Patient Web App

Training NHS e-Referral Service (e-RS) URLs

The Training e-RS environment has been decommissioned and replaced by a new e-RS Training environment, ERSTRAIN. This environment is self contained and not connected to the Spine Training environment. Further information and access details are available from

RootCA and SubCA Certificates

In order to establish connection to the deployment environment, a chain of trust must be set up using the RootCA and SubCA certificate. 

  1. copy the required RootCA or SubCA certificate
  2. open Notepad or similar and paste the certificate - save the file locally with a suitable file name
  3. locate the locally saved text file and change the file extension from .txt to .der
  4. import the certificate into the local trusted certificate store - use the documentation from your software supplier as this may vary between applications

Please note that the: 

  • RootCA should be placed in 'Trusted Root Certification Authorities' 
  • SubCA should be placed in 'Intermediate Certification Authorities'

Root CA (NHS PTL Root AuhorityI






















SubCA (NHS TRA Level 1C)






















Message Exchange for Social Care and Health (MESH) keystore files to download

The following MESH keystore needs to be downloaded and installed as part of the MESH client installation. 

Environment Primary URL Keystore Path Keystore
Training C:\MESH-APP-HOME\Keystore\meshtrn.keystore meshTRN

Full details can be found in the MESH client installation pack. The environment specific information required is listed below. The password should have been provided when the MESH mailbox was first requested.

If you have any questions, email:

Registry settings required to connect to the spine training environments

In order to access the Spine Training environment, changes are required to the user's computer registry.  The exact changes depend on the version of the Identity Agent (IA) Client being used, and whether the operating system is 32-bit or 64-bit. 

  1. Copy the relevant text to a Notepad file and save it to your desktop
  2. Rename the file, changing the file extension from .txt to .reg
  3. Double-click on the file to run it

N.B. You will need administrator access to change registry settings on your computer. If you do not have this you should contact your local support team to run the file for you.

Registry File HSCIC Identity Agent 2 (64-bit) Spine Training

Windows Registry Editor Version 5.00






Registry File HSCIC Identity Agent 2 (32-bit) Spine Training

Windows Registry Editor Version 5.00






Registry File HSCIC Identity Agent 1 (64-bit) Spine Training

Windows Registry Editor Version 5.00






Registry File HSCIC Identity Agent 1 (32-bit) Spine Training

Windows Registry Editor Version 5.00






Registry File BT Identity Agent IA13 Spine Training

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\GAC] "Activate.URL"="" "Logout.URL"="" "Authentication.StartBrowser.Url"="<SSO_TICKET>" ""="1ef2f9cc" "UpdateWatcher.enable"=dword:00000000 ""="<IP_ADR>&latestdeviceid=<DEVICE_ID>&storeddeviceid=<OLD_DEVICE_ID>&token=<SSO_TICKET>" "Authentication.StartBrowser.Url"="<SSO_TICKET>" "RoleSelection.URL"="<SSO_TICKET>&selectedRoleUid=<ROLE_UID>&ssbMode=<MODE>&gacVersion=<GAC_VERSION>&fallbackStatus=<FALLBACK>" "Portal.URL"=""

Data reset and restore

The Personal Demographics Service (PDS) data in the training environment is backed up on a weekly basis to create a benchmark. Any new test data in will be introduced immediately prior to this backup. The PDS data is reset to this known benchmarked state overnight, thus the training data is reset to the same initial state at the start of each training day.

Please note that only PDS data is reset. Any e-RS data is not reset in any way.

Services available in the training environments

Spine Core Messaging and Spine Core applications 

The Spine Core service provides a messaging service that allows certified endpoint message handling systems to query and update data held in the national demographic and prescriptions systems. 

The Spine Core systems also supports the e-RS national systems by providing a messaging interface between e-RS and referrers and providers. Also included in the Spine Core service are the Graphic User Interface (GUI) based Summary Care Record application (SCRa) and Demographic Spine Application (DSA). These allow Spine Core data to be manipulated without a messaging interface.

Spine Mini Service Provider 

The Spine Mini Service Provider provides customers an interface to submit a limited number of demographic messages in a simple format.

Spine Secure Proxy

The Spine Secure Proxy provides a simpler interface to local systems for demographic messaging, allowing quick recovery of details without the requirements of full integration. Messaging functionality is limited to retrievals and simple trace. Updates are not supported. 

Message Exchange for Social Care and Health (MESH)

The Message Exchange for Social Care and Health (MESH) provides a workflow based data transfer service that allows registered users to exchange data between secure mailboxes. It is used to support services such as the transfer of Pathology data between labs and hospitals and electronic discharge notes to community medical teams for patients leaving hospital care.

Care Identity Service (CIS)

The Care Identity Service (CIS) controls user access to data held in the national systems. Users access is via a smartcard and uses Role Based Access Control. Both smartcards and Access control are managed within the CIS application. Certification and management of message handling systems is also managed within the CIS application.

NHS e-Referral Service (e-RS) 

The NHS e-Referral Service (e-RS) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online. 

NHS e-Referral Service Application Programming Interface (e-RS API)

The NHS e-Referral Service Application Programming Interface (e-RS API) service allows patient systems to perform clinical actions within the e-RS application via an external API interface.

Smartcard services

You will need a valid smartcard to use certain services including the Care Identity Service (CIS).

If you do not have a valid smartcard, email

Environment build versions

Current versions of the national system applications deployed in each Path to Live environment.

Maintenance slots and scheduled changes

Although these are the scheduled maintenance slots, check the Forward Change Schedule for activity taking place outside the scheduled maintenance slots.

Maintenance slots 

Spine Core

Friday 8pm to Saturday 6am (weekly)

Spine CIS

Friday 8pm to Saturday 6am (weekly)

e-RS Train

Friday 8pm to Saturday 6am (the week following the live e-RS release)

e-RS Train2

Sunday 8am to Monday 6am (the week following the live e-RS release)

Last edited: 29 September 2021 1:54 pm