Technical information on using Opentest

This page provides detailed technical information about Opentest, following on from how to access and use our Open access test environment for Spine, Opentest.

Opentest is our open-access network for developing and testing healthcare applications. The Opentest network consists of a hosted component - you connect to this through a VPN. The network is not HSCN-connected so you can access it without Information Governance Statement of Compliance (IGSoC) conformance. 

The following diagram shows how applications connect to the network through a VPN.   

The hosted network contains instances of:    

• Spine 2 Core, including PDS, SCR, ACS, EPS, MESH, SMSP-PDS and CP-IS

• synthetic patient demographics and clinical information

• Care Identity Service including endpoints and organisations

• NIST XDStools (basic Connectathon configuration)

The NHS Digital Delivery Centre programmes use Opentest to host proof-of-concept or trial service versions.    

You can use Opentest user nodes to route to one another over the VPN - this is because each VPN login is associated with a static IP address. If you do this, be aware of our usage policy below on acceptable use.   

The basic service is free. We reserve the right to charge for extensions or customised configurations of the basic service. We also charge for providing specialised consultancy work.    

We are implementing an evolving set of services to support testing. These provide:    

• test counterparties (synthetic clients with web interfaces and servers with rules-based responses)

• automated, user-configurable content validation

• automated, user-configurable scenario-based test support

Email the NHS Digital Solutions Assurance Service Desk with your request. You need to provide your contact details and brief information about the type of development you are interested in.    

We will send you:    

• a VPN login, plus connection instructions and a password

• your IP address on the VPN network

• Spine Party key and ASID details

• service locations on the network, and Spine 2 Core service URLs

• an endpoint certificate and private key, both as separate files and a PKCS#12 chain

• copies of the root CA and endpoint sub-CA

Email the NHS Digital’s Service Desk for test data details.

Opentest provides you with an environment that gives unrestricted development access to the 'integration styles' in use in the NHS England environment. This includes use of Spine services and the Interoperability Toolkit (ITK) which require registered endpoints, certificates and so on. Use of automated test support systems require systems that can decrypt user traffic for analysis and reporting.

To enable these services, we set up user accounts in advance with everything developers need. This includes a Spine endpoint permissioned for all services, certificates, keys, and a known location on the network. When you ask for an Opentest account we allocate you a pre-configured endpoint. This means that if you need Spine or a colleague to talk to you, you both know one anothers' location on the network.

The basic service includes a single IP address on the Opentest network. However, NHS Digital is open to requests for network VPN logins. Before doing this, we need to discuss any specialised user requirements so we can make sure we understand your needs so we can address them properly.    

Opentest supports healthcare applications and systems development. These may use Spine, ERS, ITK, IHE or other protocols such as those based on FHIR. This may be for single projects, or as a shared environment used by multiple developers or companies, working together on integrated solutions. There are also scenarios where an organisation does not hold IGSoC on its own account, so it needs an environment to demonstrate their work to potential customers. Potential systems customers may also wish to run procurement events between vendors. We welcome both these additional uses.

NHS Digital is a supporter of the Hack Day concept so you can use Opentest to host 'virtual' events. These let developers collaborate intensively on projects. Ideally, people with a wide range of expertise can find solutions to problems and make improvements. You can deploy Opentest-compatible environments locally. 

For more information, see NHS Hack Day

Email the NHS Digital Solutions Assurance Service Desk to discuss your requirements.

Opentest provides support for the 'hard' parts of integration. This is when semantics and information models come in contact on either side of the APIs individual systems.

The Spine 2 Core and other NHS Digital services are a fully-operational instance at a similar patch level to that of the HSCN-facing 'Development' environment. We update the Spine 2 Core instance once per month to the latest build. There are some differences between what is available in the open-access platform, and what is in path-to-live. We can configure open access implementations other than Opentest for specific purposes without some components of the full service.

To differentiate the open-access environments from those on HSCN (including live), we use a discrete PKI. This consists of a trusted root CA, and sub-CAs for endpoints, users and EPS non-repudiation. 

Certificates issued by the sub-CAs, and the signing chain, are structurally the same as that in Spine, but distinct from it. 

Certificate Distinguished Names contain (o=HSCIC,ou=OpenTest) rather than (o=nhs,ou=devices) and so are not compatible with any of the HSCN-facing Spine services. 

Spine user certificates are issued by the same sub-CA as are endpoints, and are distinguished by DN. 

Open-access user certificates are issued by a dedicated sub-CA. 

At present, no CRL distribution point is published or populated.

We provide you with keys and certificates as this enables automated capture and decryption of traffic, under your control. This decrypted traffic is used for automated content validation reports and it supports scenario-based automated testing services. If you subsequently seek compliance for Spine or ITK deployment, outputs from these services count towards your accreditation.

There are no Service Level Agreements (SLAs) associated with the service in terms of update frequency or performance. The number of available logins matches our coverage for concurrent VPN connections. There may be instances where we have more logins configured than we have concurrent licences. Normally this will only happen when the connected user population is consistently larger than the number of concurrent connections. We manage the service so that conflict is minimal. Due to cost implications we cannot guarantee availability all the time.

The Opentest service depends on a concurrent-connection licence for the VPN. NHS Digital manages this provision, but we reserve the right to introduce a 'login expiry' period for inactive users.

NHS Digital Solutions Assurance Test Data team maintains a synthetic patient population, plus associated Summary Care Records (SCRs). The population is not routinely 're-set'. If unauthorised data is put into the system, NHS Digital may take action, possibly including a complete data refresh. The service is intended for functional development and testing. It is not scaled for volumetric and performance tests. Abuse of the system or other users, can result in your access being revoked.