Each interaction that can be performed against the NRL and SSP is given an unique interaction identifier (ID). Each system that connects to the NRL will be given a unique Accredited System Identifier (ASID), by NHS Digital, and this unique ASID will be associated with one or more interactions.
The interactions associated with a system’s ASID will relate to the interactions for which the system has been approved and assured to use.
As part of sending a request to the NRL, the requesting system will supply its ASID and the interaction ID which relates to the action it is trying to perform. If the interaction ID is not associated with the system’s ASID, the request will be blocked.
When a provider uses the
Delete interactions to maintain existing pointers, the NRL will only allow the provider to make changes to their own pointers. To do this the NRL will validate that the ASID of the system attempting to manage the pointer is associated with the ODS code found in the pointer. If the ASID is not associated with the ODS code within the pointer the NRL will block the attempt.
Technical Security Constraints
Secure Socket Layer (SSL) and Transport Layer Security (TLS) Protocols
Following consultation with the Infrastructure Security, Operational Security, and Spine DDC teams, only the following SSL protocols are supported:
TLSv1.2Note: Protocol versions SSLv2, SSLv3, TLSv1.0, and TLSv1.1 are not supported and MUST NOT be used. All consumer and provider systems MUST be configured to implement the protocol version TLSv1.2.
Following consultation with the Infrastructure Security, Operational Security, and Spine DDC teams, only the following ciphers are supported:
Client Certificates (TLSMA)
Provider and consumer systems MUST:
- only accept client certificates issued by the NHS Digital Deployment Issue and Resolution (DIR) team.
- only accept client certificates with a valid Spine ‘chain of trust’ (that is, linked to the Spine SubCA and RootCA).
- only accept client certificates that have not expired or been revoked.
- verify that the FQDN presented in the client certificate is that of the Spine Secure Proxy (SSP).
The NHS Digital Deployment Issue and Resolution (DIR) team will be able to confirm this at the point at which endpoint registration is required.
External Documents/Policy Documents
|Approved Cryptographic Algorithms Good Practice Guideline||NHS Digital||v4.0|
|Warranted Environment Specification (WES)||NHS Digital||v3.2020|