Search loading...

API Hub

Explore and Make use of Nationally Defined Messaging APIs

 

Security guidance

Details of the API security model and supported protocols

Overview

Providers and Consumers are required to maintain a secure connection to the NRL and SSP.

The technical requirements that support this are detailed below.

Secure Socket Layer (SSL) and Transport Layer Security (TLS) Protocols

Following consultation with the Infrastructure Security, Operational Security, and Spine DDC teams, the following SSL protocols MUST be supported.

  • TLSv1.2

Supported Ciphers

Following consultation with the Infrastructure Security, Operational Security, and Spine DDC teams, the following ciphers MUST be supported.

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA

Client Certificates (TLSMA)

Provider and consumer systems MUST only accept client certificates issued by the NHS Digital Deployment Issue and Resolution (DIR) team.

Provider and consumer systems MUST only accept client certificates with a valid Spine ‘chain of trust’ (that is, linked to the Spine SubCA and RootCA).

Provider and consumer systems MUST only accept client certificates that have not expired or been revoked.

Provider and consumer systems MUST verify that the FQDN presented in the client certificate is that of the Spine Secure Proxy (SSP).

External Documents/Policy Documents

Name Author Version Updated
Approved Cryptographic Algorithms Good Practice Guidelines NHS Digital v4.0
Warranted Environment Specification (WES) NHS Digital v1.0

All content is available under the Open Government Licence v3.0, except where otherwise stated