Deployment environments
Find out how to connect to the deployment environments, services available, build version, maintenance slots and scheduled changes.
How the deployment environments should be used
The deployment environments are used to test applications in-situ before live deployments, to help suppliers and NHS organisations develop local site processes, procedures and create a local change process. The deployment environments are also used for user acceptance testing (UAT) with NHS organisations.
The e-RS DEP1 environment provides e-RS services using the Spine Core deployment environment for messaging.
What the deployment environments should not be used for
The deployment environments do not:
- replace the development environments as proof of concept or early deployment test environments
- provide right of access to any other environments during environment downtime or any other form of unavailability
How to connect to the environment
Before you start
You will need to:
- have a connection to the Health and Social Care Network (HSCN) - the secure NHS network (if you do not have a connection or are experiencing problems connecting, contact your network provider)
- request access to test data (email: [email protected])
- request smartcards if required - you must have a valid smartcard to user certain services, including the Care Identity Service (CIS) - if you do not have a valid smartcard please email: [email protected]
- before requesting access to the deployment environment, the product should have successfully completed the integration test phase
- register the messaging product using a Manufacturer, product and version (MPV) form if required
- register your message handling service with the Spine by requesting an endpoint (an authorised connection to Spine) to be created unless you have an endpoint administrator in your organisation who can do this for you - please complete the endpoint admin access request form (epr) (opens in a new window) to manage your own endpoints
- register your register your Fully Qualified Domain Name (FQDN) with the NHS DNS team
- download Identity Agent Client software
More detailed guidance of the connection process
Additional guidance to support the connection process.
Further assistance
Contact us for further assistance. Email: [email protected].
Connection information
A full list of URLs and associated IP addresses are provided below to help you connect to the deployment environments.
Local firewall administrators should allow communication to the IP addresses as necessary using these details.
Portal URLs
System URLs
These are the connection URLs for the services required to run or connect to applications. Due to the move of this environment to AWS, the IP addresses of the following are not constant. Customers will need to open their firewalls to the IP address range of 10.239.59.0/24 to ports 636 (LDAP) and 443 (Sbapi, Gas and DEP Portal (see above)). If you are using hard-coded IP addresses e.g. in a hosts file, you will need modify your application to use the DNS service names.
| Description | URL | DNS name | IP address | Port |
|---|---|---|---|---|
|
This is the LDAPS protocol service to the directory. This is a service used by other services accessing the SPINE for directory lookups. |
ldaps://ldap.vn1.national.ncrs.nhs.uk /<LDAP QUERY> <LDAP QUERY> - The query to the directory may be contained within the URL |
ldap.vn1.national.ncrs.nhs.uk | See above | TCP 636 |
| This name exists for Smart Card authentications from the PC and is not a user service |
Client Side GAC URL: https://gas.vn1.national.ncrs.nhs.uk /login/authactivate https://gas.vn1.national.ncrs.nhs.uk /login/authlogout Server side GAS URL: https://gas.vn1.national.ncrs.nhs.uk /login/authvalidate |
gas.vn1.national.ncrs.nhs.uk | See above | TCP 443 |
|
Used to access ID server and is not a user based service. These URLs will only be used by application developers and are included here for completeness (this URL is case sensitive) |
Naming service: https://sbapi.vn1.national.ncrs.nhs.uk /amserver/namingservice Role assertion: https://sbapi.vn1.national.ncrs.nhs.uk /saml/RoleAssertion |
sbapi.vn1.national.ncrs.nhs.uk | See above | TCP 443 |
Messaging URLs
These are the messaging URLs for all Spine services.
Spine party key
A party key is a unique reference for a particular organisation and set of contract properties. Several party keys can exist at the same organisation and will start with the Organisation Data Service (ODS) code.
For the deployment environment, the party key is: YES-0000806.
All messaging properties should be obtained from this party key using the Lightweight Directory Access Protocol (LDAP) service URL listed below.
| Description | URL | DNS name | IP address | Port |
|---|---|---|---|---|
|
Used for all domain synchronous messaging This is also the service entry point for NN4B messages |
https://msg.dep.spine2.ncrs.nhs.uk/sync-service | msg.dep.spine2.ncrs.nhs.uk | 10.239.14.28 | TCP 443 |
| Used for all domain reliable messaging | https://msg.dep.spine2.ncrs.nhs.uk/reliablemessaging/reliablerequest | msg.dep.spine2.ncrs.nhs.uk | 10.239.14.28 | TCP 443 |
| Used for all domain unreliable messaging | https://msg.dep.spine2.ncrs.nhs.uk/reliablemessaging/queryrequest | msg.dep.spine2.ncrs.nhs.uk | 10.239.14.28 | TCP 443 |
| Used for all domain intermediary messaging | https://msg.dep.spine2.ncrs.nhs.uk/reliablemessaging/intermediary | msg.dep.spine2.ncrs.nhs.uk | 10.239.14.28 | TCP 443 |
|
Used to access the gazetteer postcode look up service Gazetteer is a web service so will be called by other applications using this URL. This is not a user service. |
https://msg.dep.spine2.ncrs.nhs.uk/addressfinder/query | msg.dep.spine2.ncrs.nhs.uk | 10.239.14.28 | TCP 443 |
|
Used for all SMSP messaging. Now uses TLS1.2 |
https://simple-sync.dep.spine2.ncrs.nhs.uk/smsp/pds | simple-sync.dep.spine2.ncrs.nhs.uk | 10.239.14.38 | TCP 443 |
| Used for all SMSP messaging. Now uses TLS1.2 |
https://proxy.dep.spine2.ncrs.nhs.uk/[provider service root url]/[fhir request] | proxy.dep.spine2.ncrs.nhs.uk | 10.239.6.33 | TCP 443 |
| Used for internet facing messaging |
https://msg.depspineservices.nhs.uk https://proxy.depspineservices.nhs.uk https://simple.depspineservices.nhs.uk |
msg.depspineservices.nhs.uk proxy.depspineservices.nhs.uk simple.depspineservices.nhs.uk |
Varies | TCP 443 |
Outbound Network Address Translation (NAT) addresses
Local firewall administrators should allow communication from these IP addresses.
| Description | URL | DNS name | IP address | Port |
|---|---|---|---|---|
|
All messages will be sent out as coming from msg-out.dep.spine2.ncrs.nhs.uk Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only |
No URL | msg-out.dep.spine2.ncrs.nhs.uk | 10.239.14.103 | TCP 443 |
|
Outbound token events to registered listeners will be sent from this address Nothing will ever be sent to this domain name. This is included for clarity and firewall rules only CIS will respond on the port number specified by the client request |
No URL | Not applicable | 10.239.59.0/24 | Any |
Deployment NHS e-Referral Service (e-RS) URLs
ERSDEP
Party key
The party key for e-RS in the Dep1 environment is: YEO-11809150.
Accredited System ID (ASID)
The ASID is: 606179841014. An ASID is a unique reference for a particular system. Different systems may have different ASIDs.
The following IP addresses and URLs are used to access e-RS services.
| Description | URL | DNS name | IP address | Port |
|---|---|---|---|---|
| Professional webapp | https://dep-ers.nhs.uk | dep-ers.nhs.uk | Variable | TCP 443 |
| Patient webapp | https://dep-refer.nhs.uk | dep-refer.nhs.uk | Variable | TCP 443 |
| e-RS API | https://dep.api.service.nhs.uk/referrals-dep | dep.api.service.nhs.u | Variable | TCP 443 |
RootCA and SubCA Certificates
In order to establish connection to the deployment environments, a chain of trust must be set up using the RootCA and SubCA certificates.
- Copy the required RootCA or SubCA certificate. If you are using a existing certificate, please use the Root and Sub CA certificates that are valid till 8 January 2020. The new certificates should only be used with certificates created after the 6 November 2019. If you will be using both existing and new certificates you will need to install both sets of certificates.
- Open Notepad or similar and paste the certificate - save the file locally with a suitable file name
- Locate the locally saved text file and change the file extension from .txt to .der
- Import the certificate into the local trusted certificate store - use the documentation from your software supplier as this may vary between applications
Please note that the:
- RootCA should be placed in 'Trusted Root Certification Authorities'
- SubCA should be placed in 'Intermediate Certification Authorities'
RootCA (NHS PTL Root Authority)
-----BEGIN CERTIFICATE----- MIIDgjCCAmqgAwIBAgIEXR9LkDANBgkqhkiG9w0BAQsFADA8MQwwCgYDVQQKEwNu aHMxCzAJBgNVBAsTAkNBMR8wHQYDVQQDExZOSFMgUFRMIFJvb3QgQXV0aG9yaXR5 MB4XDTE5MDcwNTEyMzcyOFoXDTM5MDcwNTEzMDcyOFowPDEMMAoGA1UEChMDbmhz MQswCQYDVQQLEwJDQTEfMB0GA1UEAxMWTkhTIFBUTCBSb290IEF1dGhvcml0eTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJkUOEvituvw0SSmU4adXDnP SXiaLsQb8CPZwLylSYqumfIzSjsxkktJsekegF6ybtGRMPWW+zBXMI15C3cT+tn8 gpCNYyn1P8/+oNgxtqTLYjxackfU6S8AL+6d39grDd6PlI5ILvCZko82m23cUx2y 2aRnpAIBgDk518tWLTZbMuM14bza/QvYVeX5DqW9gsz947opb6FYRe3MjeHiQmxq GvWfPY/yb/cggo5y8m2fTQa6dencHeFwnmwbX6nwbrFx8UXzflD0Yke4i5Z2NN4C xmgAqtxSu5Bz9f7ZQLPPBT5FL+pvxkAu4cEHma4JDD3KayhxzxigKbQcnQpXWEcC AwEAAaOBizCBiDArBgNVHRAEJDAigA8yMDE5MDcwNTEyMzcyOFqBDzIwMzkwNzA1 MTMwNzI4WjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUz4gDrKnt3tEACoCAAEC4 A4jIkFIwHQYDVR0OBBYEFM+IA6yp7d7RAAqAgABAuAOIyJBSMAwGA1UdEwQFMAMB Af8wDQYJKoZIhvcNAQELBQADggEBAJU06JOPpBMgj/Owzd2aDDIlzEjHDyBx0UOa xcIeeAT/ByYkTuPees9b5vsPmUwVuNzKscChQ9tvuugPPoTu9gXQfLldKTLlPqOf +VCghQhM4H+i9+JyK7iKYN7xdVJLjH0AIgpNLwNN/2pnZ+69dOU4G7W0+NYT4e/w wDcJSq0fi8dwixDTYU8DkFCfEyahEqeuNPp9X3ddWZryq3XjbR3n0YA1sUmnuwiT ruMNXR0m34pt0nFLQFz57+dLWhAsB5xQdLPc1AuWwK/R8jnHh3+Q/RXOnXG4NNmn RKYUDjLpFTnWmiZfGyX6edIrjN72M3Guu5cAs0pD/2d6QFsp1Dg= -----END CERTIFICATE-----
SubCA (NHS DEP Level1C)
-----BEGIN CERTIFICATE----- MIIDiDCCAnCgAwIBAgIEXa2KeTANBgkqhkiG9w0BAQsFADA8MQwwCgYDVQQKEwNu aHMxCzAJBgNVBAsTAkNBMR8wHQYDVQQDExZOSFMgUFRMIFJvb3QgQXV0aG9yaXR5 MB4XDTE5MTAyOTE0NDM0MVoXDTI5MTAyOTE1MTM0MVowNjEMMAoGA1UEChMDbmhz MQswCQYDVQQLEwJDQTEZMBcGA1UEAxMQTkhTIERFUCBMZXZlbCAxQzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBALtHSWj/wTR08maM2m8UhQ6NKV4XwgPD RelSE0DUfe5UB+Sa1tFODd47cGgRWqkHGUOEsiujfHhQitQIaQD4lvCcPdwZIRrP WiSIKFQiJtuFFCtOvfIQFTqBAxhUPI8R/AdNuNS43zwcdXCRnNq86e8FY8JafXrH dWukASTyH7CvlJwaKtVipnWgVJ6fFfan77Q9dMgJcrJTZkUDATpAE25EwupcfthU 9Kig5JU0FZ9fz3GAXDzDDWaXbzevYvt5QLsczh9b8nyilF3PQm9l2mjUcY18rj0A boge9K7Q7reQjFa6NIbFL86eXrA8o5aMbcgRyEY0fUkADBqVwW8QezMCAwEAAaOB lzCBlDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLm5ocy51ay9wdGwvcm9v dGNhL2FybGExLmNybDALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUz4gDrKnt3tEA CoCAAEC4A4jIkFIwHQYDVR0OBBYEFGVuJdpgsijOo+SQn4gbV4nd5yA9MAwGA1Ud EwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAErhqxNGnl4Jary8uBMQUpVPhCtI j3irHSj1nAcAzYH8jmC2DZgRIaNG3ShkxWAxc/pjWbx0YcyUrCAEOq00WdGcoz2Q HUnr1lbgl1avz/PMyKufo5YisR8FumzCDSQVGuLpx9sFusvv62VlZQ99u8fSYJ+l V4JtH+pAbGxg8qrDe63xATQ3PYi6W3ljMxxdrrvJXlbqpqG6xML2w0YIJFLdvIlq oVff5GKH/z0l44zq5i7zggOtYi+/MKOudvhr9dtgR58Ul+jJ7WO5Blcfjjh+00AE oc2qDRFYT3HFBPNllnp9V4lGBu3WlCIg9soWzfu/U4lU+REyH4PjPF+5H7s= -----END CERTIFICATE-----
Registry settings required to connect to the spine deployment environments
In order to access the Spine Deployment environment, changes are required to the user's computer registry. The exact changes depend on the version of the Identity Agent (IA) Client being used, and whether the operating system is 32-bit or 64-bit.
- Copy the relevant text to a Notepad file and save it to your desktop
- Rename the file, changing the file extension from .txt to .reg
- Double-click on the file to run it
N.B. You will need administrator access to change registry settings on your computer. If you do not have this you should contact your local support team to run the file for you.
Registry File HSCIC Identity Agent 2 (64-bit) Spine deployment
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HSCIC\Identity Agent] "ActivatePOSTURL"="https://gas.vn1.national.ncrs.nhs.uk/login/authactivate" "LaunchAppsPath"="https://portal.vn1.national.ncrs.nhs.uk" "MobilityPersistence_Available"="False" "SessionLockPersistence_Enabled"="False"
Registry File HSCIC Identity Agent 2 (32-bit) Spine deployment
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent] "ActivatePOSTURL"="https://gas.vn1.national.ncrs.nhs.uk/login/authactivate" "LaunchAppsPath"="https://portal.vn1.national.ncrs.nhs.uk" "MobilityPersistence_Available"="False" "SessionLockPersistence_Enabled"="False"
Registry File HSCIC Identity Agent 1 (64-bit) Spine deployment
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent] "ActivatePOSTURL"="https://gas.vn1.national.ncrs.nhs.uk/login/authactivate" "RoleSelectionGETPOSTURL"="https://sbapi.vn1.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp" "LogoffPOSTURL"="https://gas.vn1.national.ncrs.nhs.uk/login/authlogout" "LaunchAppsPath"="https://portal.vn1.national.ncrs.nhs.uk"
Registry File HSCIC Identity Agent 1 (32-bit) Spine deployment
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent] "ActivatePOSTURL"="https://gas.vn1.national.ncrs.nhs.uk/login/authactivate" "RoleSelectionGETPOSTURL"="https://sbapi.vn1.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp" "LogoffPOSTURL"="https://gas.vn1.national.ncrs.nhs.uk/login/authlogout" "LaunchAppsPath"="https://portal.vn1.national.ncrs.nhs.uk"
Registry File BT Identity Agent IA13 Spine deployment
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\GAC] "Activate.URL"="https://gas.vn1.national.ncrs.nhs.uk/login/authactivate" "Logout.URL"="https://gas.vn1.national.ncrs.nhs.uk/login/authlogout" "Authentication.StartBrowser.Url"="https://sbapi.vn1.national.ncrs.nhs.uk/saml/RoleSelectionWT.jsp?token=<SSO_TICKET>" "Device.id"="1ef2f9cc" "UpdateWatcher.enable"=dword:00000000 "Device.id.URL"="https://sbapi.vn1.national.ncrs.nhs.uk/ssb/DeviceIDLogger?ipaddress=<IP_ADR>&latestdeviceid=<DEVICE_ID>&storeddeviceid=<OLD_DEVICE_ID>&token=<SSO_TICKET>" "Authentication.StartBrowser.Url"="https://sbapi.vn1.national.ncrs.nhs.uk/saml/RoleSelectionWT.jsp?token=<SSO_TICKET>" "RoleSelection.URL"="https://sbapi.vn1.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp?token=<SSO_TICKET>&selectedRoleUid=<ROLE_UID>&ssbMode=<MODE>&gacVersion=<GAC_VERSION>&fallbackStatus=<FALLBACK>" "Portal.URL"="https://portal.vn1.national.ncrs.nhs.uk"
Services available in the deployment environment
Spine Core Messaging and Spine Core applications
The Spine Core service provides a messaging service that allows certified endpoint message handling systems to query and update data held in the national demographic and prescriptions systems.
The Spine Core systems also supports the e-RS national systems by providing a messaging interface between e-RS and referrers and providers. Also included in the Spine Core service are the Graphic User Interface (GUI) based Summary Care Record application (SCRa) and Demographic Spine Application (DSA). These allow Spine Core data to be manipulated without a messaging interface.
Spine Mini Service Provider
The Spine Mini Service Provider provides customers an interface to submit a limited number of demographic messages in a simple format.
Spine Secure Proxy
The Spine Secure Proxy provides a simpler interface to local systems for demographic messaging, allowing quick recovery of details without the requirements of full integration. Messaging functionality is limited to retrievals and simple trace. Updates are not supported.
Message Exchange for Social Care and Health (MESH)
The Message Exchange for Social Care and Health (MESH) provides a workflow based data transfer service that allows registered users to exchange data between secure mailboxes. It is used to support services such as the transfer of Pathology data between labs and hospitals and electronic discharge notes to community medical teams for patients leaving hospital care.
Care Identity Service (CIS)
The Care Identity Service (CIS) controls user access to data held in the national systems. Users access is via a smartcard and uses Role Based Access Control. Both smartcards and Access control are managed within the CIS application. Certification and management of message handling systems is also managed within the CIS application.
NHS e-Referral Service (e-RS)
The NHS e-Referral Service (e-RS) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.
NHS e-Referral Service Application Programming Interface (e-RS API)
The NHS e-Referral Service Application Programming Interface (e-RS API) service allows patient systems to perform clinical actions within the e-RS application via an external API interface.
Smartcard services
You will need a valid smartcard to use certain services including the Care Identity Service (CIS).
If you do not have a valid smartcard, email [email protected].
Environment build versions
Current versions of the national system applications deployed in each Path to Live environment.
Maintenance slots and scheduled changes
Although these are the scheduled maintenance slots, check the Forward Change Schedule for activity taking place outside of the scheduled maintenance slots.
Maintenance slots
Spine Core
Thursday 8pm to Friday 6am (weekly)
Spine CIS
Wednesday 8pm to Thursday 6am (weekly)
e-RS
Wednesday 8pm to Thursday 6am (following live e-RS release)
Last edited: 24 April 2025 3:14 pm