Spine Core common issues in the Path to Live environments
How to deal with common issues experienced by users of the Path to Live environments when using the Spine Core service.
Dealing with common messaging issues
Firewall rules
Make sure that you have allowed traffic between IP addresses/URLs from the relevant environment page both in and out of your local firewall. If you have not allowed them, you may get rejection messages, timeouts or no response at all.
Messaging URLs
Confirm whether you are sending directly to URLs, and if so, that you are using the correct messaging URLs as provided on the relevant environment page. Check whether you are using a host file and that it has the correct entries in it.
DNS registration
Confirm that you have registered your FQDN and IP address with the NHS DNS team as this may be preventing you from receiving responses from Spine. This can be confirmed by doing a DNS lookup on the FQDN or you can email: [email protected]
Party key and Accredited System ID (ASID)
Confirm that the party key and/or ASID that you are sending in your message exists in the required environment. This can be done by doing a suitable LDAP search. An LDAP search can also be used to confirm which messages are registered against the endpoint.
Perform a telnet command
A telnet command tests bidirectional communications with a remote computer. This test is used to ensure a particular server can send and receive commands.
If you are asked to telnet to a particular environment you need to find the relevant URL, IP address, port numbers and fully qualified domain names (FQDNs) of the service you're trying to connect to. These can be found on the relevant environment page.
In the example below, a user has been unable to connect to LDAP in the Spine training environment. You'll need to log onto a server that has HSCN (N3) connectivity, and from a command line type the following:
$ telnet ldap.tsp.national.ncrs.nhs.uk 443
OR
$ telnet 10.200.40.136 636
Click 'return' to run the command
- if successful, the screen is cleared and the cursor flashes - you should be prompted to enter 'CTRL+]' to disconnect
- if unsuccessful, an error will be returned or the request may timeout - make a note of this error and contact your HSCN provider
Perform a DNS lookup
The DNS lookup command checks either an FQDN or IP address against the NHS DNS servers to see if they are registered. A DNS registration is required to ensure traffic can go between servers.
If you're asked to do a DNS test in a particular environment, you will need either the FQDN or IP address of the service you're trying to connect to. In the example below, a user is querying the FQDN of the LDAP service. You'll need to log onto a server which has HSCN connectivity and type in the following command:
$ nslookup ldap.tsp.national.ncrs.nhs.uk
OR
$ nslookup 10.200.40.136
Click 'return' to run the command
- if successful, you'll receive a response with the FQDN and IP address shown
- if unsuccessful, an error will say the server cannot find the FQDN/IP address - contact the DNS team to register DNS name as per instructions on the relevant environment page
- some DNS services will not allow reverse lookups (searching for IP address)
Troubleshoot LDAP issues
It is important to distinguish between the inability to connect to LDAP and unexpected results being returned.
Unable to connect to LDAP
- confirm that the correct URL is being used for the required environment - the environment specific URLs are available on the relevant environment page
- the LDAP URL must be allowed in and out of the local firewall, otherwise the connection will be blocked
- the system connecting to the LDAP URLs must have a certificate, usually the same as the end point certificate, and a HSCN connection
No results or incorrect results returned
You will need to raise an incident with the Platforms support desk using the incident form (opens in a new window) or service portal (HSCN access required to access the service portal). Please provide the full LDAP search string and the environment name, combined with a description of what you expected to be returned.
Packet capture
To help us investigate a connection issue, it may be necessary to complete a packet capture showing the network traffic.
The software captures the network conversation between the Local System and the End System and helps the resolving group understand where the issue lies. If the local user is not getting as far as reaching the end system then the packet capture may show this. Users will need admin access to install suitable software, for example Wire-Shark.
This process is also known as a 'snoop'. If you do not know how to complete a packet capture/snoop, please contact your local IT support team. It may be necessary to coordinate such activity with NHS Digital to perform a full investigation.
Demographic Spine Application (DSA) roles and activities
The Role Based Access Control (RBAC) roles and activities commonly used for DSA are outlined below.
Users should contact [email protected] to gain access to DSA.
| Module | Role | Role code | Activity | Activity name |
|---|---|---|---|---|
| DSA | Demographic administrator | R5110 | B0056 | Manage work items |
| DSA | Demographic administrator | R5110 | B0060 | Manage NHS number information |
| DSA | Demographic administrator | R5110 | B0089 | Access DSA |
| DSA | Demographic administrator | R5110 | B0091 | Update violent patient indicator |
| DSA | Demographic administrator | R5110 | B0092 | Access service dependent data |
| DSA | Demographic administrator | R5110 | B0093 | Create work item |
| DSA | Demographic administrator | R5110 | B0094 | Add/delete WI NHS numbers |
| DSA | Demographic administrator | R5110 | B0096 | Amend patient demographics (NBO) |
| DSA | Demographic administrator | R5110 | B0097 | Clinical back office access |
| DSA | Demographic administrator | R5110 | B0098 | View patient demographics |
| DSA | Demographic administrator | R5110 | B0099 | Bulk update and removal |
| DSA | Demographic administrator | R5110 | B0111 | Create work item for CBO |
| DSA | Demographic administrator | R5110 | B0620 | Transfer paper records |
| DSA | Demographic administrator | R5110 | B0825 | Amend patient demographics (PCRBO) |
| DSA | Demographic administrator | R5110 | B1610 | Allocate NHS number |
| DSA | Demographic administrator | R5110 | B1680 | Merge |
| DSA | Demographic administrator | R5110 | B1810 | Run sensitive PDS data quality reports |
| DSA | Demographic administrator | R5110 | B8009 | GP registration |
| DSA | Demographic supervisor | R0008 | B0057 | Core supervisor |
| DSA | Demographic supervisor | R0008 | B0059 | Application maintenance |
| DSA | Demographic supervisor | R0008 | B0062 | System administration |
| DSA | Demographic supervisor | R0008 | B0089 | Access DSA |
| DSA | Demographic supervisor | R0008 | B0092 | Access service dependent data |
| DSA | Demographic supervisor | R0008 | B0093 | Create work item |
| DSA | Demographic supervisor | R0008 | B0094 | Add/delete WI NHS numbers |
| DSA | Demographic supervisor | R0008 | B0096 | Amend patient demographics (NBO) |
| DSA | Demographic supervisor | R0008 | B0097 | Clinical back office access |
| DSA | Demographic supervisor | R0008 | B0098 | View patient demographics |
| DSA | Demographic supervisor | R0008 | B0825 | Amend patient demographics (PCRBO) |
| DSA | Demographic supervisor | R0008 | B1610 | Allocate NHS number |
| DSA | Demographic supervisor | R0008 | B1680 | Merge |
| DSA | Demographic supervisor | R0008 | B1810 | Run sensitive PDS data quality reports |
| DSA | Demographic supervisor | R0008 | B8009 | GP registration |
Summary Care Record (SCR) roles and activities
The Role Based Access Control (RBAC) roles and activities commonly used for SCR are outlined below.
| Module | Role | Role code | Activity | Activity name |
|---|---|---|---|---|
| SCR | Clinical Practitioner | R8000 | B0264 | Access CSA (perform patient trace) |
| SCR | Clinical Practitioner | R8000 | B0257 | View non-ETP clinical data within CSA |
| SCR | Clinical Practitioner | R8000 | B0085 | Claim a relationship with a patient |
| SCR | Clinical Practitioner | R8000 | B0030 | Record a patient's self referral |
| SCR | Clinical Practitioner | R8000 | B0082 | Legal override of consent |
| SCR | Clinical Practitioner | R8000 | B0168 | View when permission could not be requested |
| SCR | Receptionist | R8009 | B0264 | Access CSA (perform patient trace) |
| SCR | Receptionist | R8009 | B0030 | Record a patient's self referral |
| Alert Viewer | Privacy Officer | R0001 | B0016 | Receive self claimed LR alerts |
| Alert Viewer | Privacy Officer | R0001 | B0015 | Receive legal override and emergency view alerts |
| GP System | Clinical Practitioner | R8000 | B0370 | View summary health records |
| GP System | Clinical Practitioner | R8000 | B8029 | Manage detailed health records |
| GP System | Clinical Practitioner | R8000 | B0401 | View patient medication |
| GP System | Clinical Practitioner | R8000 | B0380 | Perform detailed health record |
| GP System | Clinical Practitioner | R8000 | B8028 | Verify health records |
| GP System | Clinical Practitioner | R8000 | B0097 | Manage summary care record |
| GP System | Clinical Practitioner | R8000 | B8029 | Manage detailed health records |
| GP System | Clinical Practitioner | R8000 | B0020 | Control consent status |
| GP System | Clinical Practitioner | R8000 | B0062 | Local system administration |
| GP System | Clinical Practitioner | R8000 | B0168 | View when permission could not be requested |
| GP System | Clinical Practitioner | R8000 | B0082 | Legal override of consent |
| GP System | Clinical Practitioner | R8000 | B0011 | Analyse audit trails |
| GP System | Systems Support | R8015 | B0020 | Control consent status |
| GP System | Systems Support | R8015 | B0380 | Perform detailed health record |
| GP System | Systems Support | R8015 | B0062 | Local system administration |
| GP System | Systems Support | R8015 | B0011 | Analyse audit trails |
Spine party key
The contract properties for all national service messages can be obtained from the Spine party key along with ASID information.
Spine Party Key: YES-0000806
ASIDs: vary depending on the service
Full details can be obtained by performing a suitable LDAP search against the Spine party key.
Logging a messaging incident
If you are experiencing an issue with Spine messaging and you've attempted the fixes above unsuccessfully, please raise an incident with the Platforms support desk using the incident form (opens in a new window) or service portal (HSCN access required to access the portal).
Please provide as much of the following detail as possible:
- Party key: your party key and the associated binding URL
- ASID: the ASID you are sending
- Message tracing information: GUID and timestamp of a message
- Message: if possible a copy of the message that you are sending, including the headers
- Error messages: details of any error message received and where in the process you receive them
- Recreation steps: what you did prior to experiencing the problem and whether or not this happens consistently
Further information
Overview of Spine Core messaging and applications in the Path to Live environments.
Last edited: 6 March 2025 12:16 pm