
Security guidance

Details of the API security model and supported protocols

Overview

Providers and Consumers are required to maintain a secure connection to the NRL and SSP.

The technical requirements that support this are detailed below.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Protocols

After consultation with the Infrastructure Security, Operational Security and Spine DDC teams, the following SSL/TLS protocol version SHALL be supported (older SSL and TLS versions are not to be offered):

  • TLSv1.2

Supported Ciphers

After consultation with the Infrastructure Security, Operational Security and Spine DDC teams, the following cipher suites SHALL be supported (all provide forward secrecy through ephemeral ECDHE or DHE key exchange):

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA

[1] DigiCert, SSL Support: Enabling Perfect Forward Secrecy

Client Certificates (TLSMA)

Provider and consumer systems SHALL only accept client certificates issued by the NHS Digital Deployment Issue and Resolution (DIR) team.

Provider and consumer systems SHALL only accept client certificates with a valid Spine ‘chain of trust’ (that is, linked to the Spine SubCA and RootCA).

Provider and consumer systems SHALL only accept client certificates which have not expired or been revoked.

Provider and consumer systems SHALL check that the FQDN presented in the client certificate is that of the Spine Secure Proxy (SSP).
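The three requirement sets above (TLSv1.2 only, the listed cipher suites, and the client certificate checks) combined into one provider-side configuration, as an added Python example rather than code from NHS Digital or the API Hub. The CA bundle and CRL file paths, the `check_peer_cert` helper and the sample certificate with its `.invalid` hostname are assumptions; the revocation check uses OpenSSL's CRL mechanism because the page does not name a specific one.

```python
import ssl
import time
from typing import Dict, List, Optional

# Cipher suites from the guidance above, in OpenSSL naming; order is the server's preference.
NRL_CIPHERS = ":".join([
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
])

def build_server_context(ca_bundle: Optional[str] = None, crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Provider-side context: TLSv1.2 only, fixed suites, client certificate mandatory (TLS-MA)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no fallback to TLS 1.0/1.1 or SSLv3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(NRL_CIPHERS)                   # suites outside the list are refused at handshake
    ctx.verify_mode = ssl.CERT_REQUIRED            # a connection without a client cert is rejected
    if ca_bundle:                                  # assumed PEM holding only the Spine SubCA and RootCA
        ctx.load_verify_locations(cafile=ca_bundle)
    if crl_file:                                   # assumed CRL PEM from the same CA: enforces "not revoked"
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx                                     # caller still needs ctx.load_cert_chain(...) before serving

def check_peer_cert(cert: Dict, expected_fqdn: str, now: Optional[float] = None) -> List[str]:
    """Checks the handshake does not do for us, on the dict from SSLSocket.getpeercert(); [] means acceptable."""
    problems: List[str] = []
    now = time.time() if now is None else now
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("client certificate has expired")
    # Prefer SAN dNSName entries; fall back to the subject CN for older certificate profiles.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if expected_fqdn.lower() not in {n.lower() for n in names}:
        problems.append(f"FQDN {names} is not the expected SSP host {expected_fqdn}")
    return problems

# Constructed sample shaped like getpeercert() output; the hostname is a placeholder, not a real SSP FQDN.
SAMPLE_SSP_CERT = {
    "subject": ((("commonName", "ssp.example.invalid"),),),
    "subjectAltName": (("DNS", "ssp.example.invalid"),),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    print(sorted(c["name"] for c in build_server_context().get_ciphers() if c["protocol"] != "TLSv1.3"))
    print(check_peer_cert(SAMPLE_SSP_CERT, "ssp.example.invalid", now=1_750_000_000))  # [] while not expired
```

The TLS layer enforces the version, suite, issuer chain and CRL status; `check_peer_cert` adds the FQDN and expiry checks the guidance asks for on top of the handshake result.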

External Documents / Policy Documents

Name | Author | Version | Updated
Approved Cryptographic Algorithms Good Practice Guidelines | NHS Digital | v4.0 | 13/07/2016
Warranted Environment Specification (WES) | NHS Digital | v1.0 | June 2015

All content is available under the Open Government Licence v3.0, except where otherwise stated