NHS Booking and Referral Standard

Environments

The principle environment for development and testing is the INT (integration) environment. This is a like-live environment, harnessing full security and functionality that can expect to be encountered in Production. In addition, the BaRS API specification links to the Sandbox environment, which is capable of demonstrating the key functionality but without the security overhead.

Path-to-Live has full details of all available testing environments and the functionality they offer.

TKW

What is TKW?

TKW - Toolkit Workbench - is a tool to assist development and assurance of supplier solutions to meet BaRS (Booking and Referral Standard) requirements.

The tool supports testing of key high-level workflows e.g. a booking routine, including some of asynchronous ones, but is also capable of inspecting low level technical requirements. It reports the output in Validation Reports which clearly indicates to the reader where and why a test has failed. In addition, it supports consistent error states which are often difficult to create but required for development and assurance.

The BaRS TKW tooling is embedded into the INT environment, encompassing all the same end-to-end BaRS infrastructure that is mirrored in Production, rather than being downloaded and used in isolation. This ensures the same steps to deploy solutions to Production are followed during deployment to INT, and allowing testing of requests/responses to occur under Production-like conditions. Similarly, we're able to incorporate other key components, similar to those used in Production workflows, such as the UserTest Directory of Services (DoS). In the current BaRS Applications, the TKW tool relies on values in the UserTest DoS to elicit particular behavioural responses. The Sender will populate what are termed 'sentinel' values, such as the NHSD-Target-Identifier, with a particular value and TKW will respond with a certain Capability Statement, MessageDefinition etc. (See the 'Scenarios' section for detail).

It is important for Senders to remember TKW is a stateless receiver and is not checking the relationship between requests (except in a handful of stateful scenarios - outlined below). This is important when developing workflows such as linking a booking and referral and transactional Integrity.

Using TKW Portal

Suppliers must register a Portal account to start working with TKW but Senders and Receivers will use the tool in slightly different ways due to the nature of the requests/responses they require. Senders, needing somewhere to send requests and Receivers needing something to make requests of their solution.

During the registration process, the 'Target Identifier' and 'ODS Code' values are important to ensure requests are sent and received appropriately. As a Sender (to TKW), the HTTP Header NHSD-End-User-Organisation must include the ODS Code they registered with because TKW will collate requests based on this value. When reports are downloaded and viewed, only requests with that specific ODS Code in the header will be visible. As a Receiver, once logged into the portal and selecting the request(s) TKW is required to make of your endpoint, they will be directed to the Target Identifier registered against and, equally, downloaded reports will only relate to that specific value.

• Navigate to https://maitportal.testlab.nhs.uk/
• Click Register and complete the form below

• Email bookingandreferralstandard@nhs.net for a Target Identifier (this represents you on the Endpoint Catalogue)
• MAIT Team will need enable your account, email bookingandreferralstandard@nhs.net to advise this has been created
• Verify the account via email 
• Configure Multi-Factor Authentication 
• Access Portal Home screen 

Sender 

Once registered, requests can be made of TKW in any given workflow e.g. booking, validation etc. and the tool will record and provide downloadable validation reports for each request made. 

The Scenarios (including Stateful Scenarios) outlined below highlight how to elicit particular behaviour required, note the specific sentinel values for NHSD-Target-Identifier and patient NHS Number. As a Sender, the various requests can be made and TKW will repond accoridngly. 

NB: It is important for Senders to remember TKW is a stateless receiver and is not checking the relationship between requests (except in a handful of stateful scenarios - outlined below). This is important when developing workflows such as linking a booking and referral and transactional Integrity.

Receiver

A receiver can access the portal (once registered) to send either individual tests or an entire suite of tests to themselves. From the top menu bar, click 'Receive Requests' and the screen below will present -

The receiver selects the request they wish the TKW to make of their endpoint and clicks 'Execute Selected Tests' (bottom of the page). TKW will indicate when the requests have been processed.

Once all requested tests have been completed, the Validation Report can be downloaded - 

• from the top menu, select 'Download Reports'
• then click on the button 'Download Reports' (this packages the report and makes it available to download locally)
• from the top me, select 'Receiver Reports'
• click on the hyperlink of the required report to download locally (.zip format)

Scenarios

The TKW will respond to the scenarios outlined below. It does not hold the state of any prior request (unless specified in the Stateful scenarios) and the specific 'sentinel' values (in bold) must be used to elicit the required response where stated. 

NB: where 'Any' NHSD-Target-Identifier is specified, only those highlighted in this table will work for TKW. Any of the NHSD-Target-Identifiers configured for TKW. 

UserTest DoS Services

The sentinel values linked to UserTest DoS services can be found by searching with the following criteria.

Stateful Scenarios

TKW supports a limited stateful response for 111 to ED requests. This is a simulation of the real-world receiving end-point and mimics the expected behaviour of a Reciever solution.

This stateful behaviour is only demonstrated for a specific patient (NHS Number 9707606312) and per NHSD-End-User-Organisation - i.e. state will be persisted only between requests made by the same End User Organisation.

Note The stateful server will reset each night which will return all users back to the initial state.

State Transition Table indicating the responses the stateful TKW scenarios will support and the expected responses-

Onboarding

API-M provide the security model for BaRS.

There are two roles; Sender and Receiver, and most BaRS Applications will require a solution to support both, despite being predominantly one or the other, because of the response workflow steps. In responses flows, the original Sender becomes and Receiver and original Receiver becomes a Sender.

The Sender obtains a token from the API-M platform to make requests of the BaRS API Proxy which brokers the request through the Receiver, secure via TLS-MA (Transport Layer Security-Mutual Authentication).

BaRS is based on internet-first principles and there is no requirement for Health and Social Care Network (HSCN) connectivity.

Sender

Prerequiste steps to follow -

• Create Developer account
• Sign in, create a team by selecting "My teams", and then "+ New Team":

• Assign members to your Team
• Create an App
  • Owner of the App should be the Team created above
  • You will need a callback URL (bottom of page)
  • Enable or request the API's you wish to use for your application
    • "Booking and Referral FHIR API (Sandbox Environment)" - for Sandbox
    • "Booking and Referral FHIR API (Integration Testing Environment)" - for INT
  • Generate an API Key for your application
• Define your Key Identifier (KID) to be used within your JWTs
  • KID Naming Convention (Development Systems) - <Supplier>-<Environment>-<rotation> i.e. MySupplier-INT-1
  • KID Naming Convention (Provider Systems) - <Provider>-<Environment>-<rotation> i.e. Provider-INT-1
• Generate a key pair (.pem)
  • Windows based apps
  • Alternatively, this website can also generate Key Pairs
• Provide details to register your key
  • For INT : Register Public key with API Management
    • Email - api.management@nhs.net with:
      • Environment - Sandbox, Development, Integration Test or Production
      • App ID and Name from the portal
      • Public key
        • As an attachment, PEM-Encoded
      • The KID you have defined for this public key
      • APIs you want to use
  • For Production (each provider needs their own key).
    • Email -
      • Specify Live
      • App ID and Name from the portal for both Production and the INT Suppliers Development environment.
      • Public key for the providers Production instance.
        • As an attachment, PEM-Encoded.
      • The KID defined for this public key.
      • The APIs you want to use.
• Generate a signed JWT using your private key

  • The header:

    • alg: The algorithm used
    • typ: "JWT" in this instance
    • kid: Your KID as provided to API Management above
    • example:

            {
                "alg":"RS512"
                "typ":"JWT"
                "kid":"BaRS-Sandbox-1"
            }
    
    

  • The payload:

    • iss: The API Key you generated in the portal
    • sub: The API Key you generated in the portal
    • aud: The full URL of the endpoint you are calling (example: https://sandbox.api.service.nhs.uk/oauth2/token )
    • jti: UUID/GUID, different for each request
    • exp: Epoch time, to be no more than 5 minutes in the future, indicating when your token will expire
    • example:

            {
                "iss":"IwrOdg62kM9LN1oFhlHAhWPHAhWPbV62",
                "sub":"IwrOdg62kM9LN1oFhlHAhWPHAhWPbV62",
                "kid":"BaRS-Sandbox-1",
                "aud":"https://sandbox.api.service.nhs.uk/oauth2/token",
                "jti":"b7ae4c12-3c04-465a-8877-c2e80f0126a3"
                "exp":"1635263528"
            }
    
    

  • Post your JWT to the OAuth endpoint to receive a Token

    • Note: A token is not required for the Sandbox environment

    • Your request body should be x-www-form-urlencoded with the following fields

      • grant_typegrant_type = "client_credentials"
      • client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
      • client_assertion = <Your signed JWT>
      • example:

          curl --location --request POST 'https://sandbox.api.service.nhs.uk/oauth2/token' \
          --header 'Content-Type: application/x-www-form-urlencoded' \
          --data-urlencode 'grant_type=client_credentials' \
          --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
          --data-urlencode 'client_assertion=eyJ0eXAiOiJKV1QiLCJraWQiOiJCYVJTLVNhbmRib3gtMSIsImFsZyI6IlJTNTEyIn0.
          eyJpc3MiOiJJd3JPZGc2MmtNOUxOMW9GaGw4UnlVUmJIQWhXUFY2MiIsInN1YiI6Ikl3ck9kZzYya005TE4xb0ZobDhSeVVSYkhBaFdQVjYyIiwia2lkIjoiQmFSUy1TYW5kYm94LTEiLCJhdWQiOiJodHRwczovL3NhbmRib3guYXBpLnNlcnZpY2UubmhzLnVrL29hdXRoMi90b2tlbiIsImp0aSI6IlQtWjdhTm1UODUybE1uVGtZb1NaRiIsImlhdCI6MTYzNTI2MjI2MiwibmJmIjoxNjM1MjYyMjYyLCJleHAiOjE2MzUyNjI1NjZ9.aUQSqvkzjAMRR21lNiE6YnksynPWx9wkXdEFJZ_muzGfeyuS3ooh-uXlOccQFSDS790Wrne49vMsf72NILK3iDjWyH2z8D8R_B_xYy2e3ZOktqQFNx5vZ0svC-_v1ranJKJJU8NiQog7JvRtXNwKcdExpge2bkhV2JN3bQtzPY0F7CxPohILmCIUvi3yEyr-nm3kxdB8LkifQAz132qpuO_1iENGmbqUgASYBZMTQIdD4aO8Vv9sJ9rvyIQyniw_DeY6SEMx4CHDiEb0NWmcOmpdBS1DDkuMiUohSpz8OXEYR1cZcL27dyibDJBY57FGCMBn1AVb43olYSumOIwg'
      
      

  • The expected success response from the Post should be a status 200 with a 3 field JSON response:

    • access_token: Your access token
    • expires_in: When it expires
    • token_type: "Bearer"
    • issued_at: Time issued
    • example:

            {
                'access_token': 'Sr5PGv19wTEHJdDr2wx2f7IGd0cw',
                'expires_in': '599',
                'token_type': 'Bearer'
                'issued_at': '1675784384503'
            }
    
    

  • A failure response will have a response code appropriate for the reason and the following 3 fields:

    • error: The error thrown
    • error_description: Diagnostics text to tell you why the error was thrown
    • message_id: A unique id for the interaction
    • example:

            {
                "error": "public_key error",
                "error_description": "You need to register a public key to use this authentication method - please contact support to configure",
                "message_id": "rrt-8923968319386160140-b-geu2-23765-558685-1"
            }
    
    

Receiver

BaRS will utilise TLS-MA to communicate with Receiving endpoints. Receiving endpoints will require a certificate under the NHS Root CA to facilitate TLS-MA.

• The receiver must request a certificate under the NHS Root CA
  • There are different certificate chains for INT and Prod
  • INT Certificate chains
  • Prod Certificate chains
• The receiving endpoint will present the certificate obtained for TLS-MA
• The receiving endpoint will need to trust the Root CAs and SubCAs for their respective environments
• The receiving endpoint will only accept requests presented with certificates from their respective chains

As the certificates are using the NHS Root CA, FQDN must be an nhs.uk address, this is the case for both INT and Prod

You can apply for your domain here, ensuring that you complete Section 5: For website or application records visible on public internet

Once you have you have your domain registered you can then begin the process to obtain your certificate by generating a certificate request

Certificate requests will need to be signed for your endpoint. Note that the fully qualified domain (FQDN) name is equal to the certificate name (CN) by convention

At this point you should have a .key and a .csr files. The next step will be to send the .csr file to be signed by the NHS and get the client certificate. For full steps see below sections for each environment under 'Configuring endpoints for different environments'

• If your client certificate will be implemented in any PTL environment then you should send the .csr file to itoc.supportdesk@nhs.net
• If your client certificate will be implemented in the PROD environment then the .csr file needs to be sent to the DIR team at dir@nhs.net and they will issue the certificate after validating your request with the Live Services Pipeline at liveservices.gate@nhs.net

Integration (INT)

• Request a ‘certificate only’ from ITOC
  • 
  • Certificate Only (No endpoint)
  • Integration environment
  • Format for development systems FQDN on INT is ‘BaRS-INT-<ODS Code>.<Supplier name>.thirdparty.nhs.uk’
  • Format for provider systems FQDN on INT is ‘BaRS-INT-<ODS Code>.<Provider name>.nhs.uk’
  • Ensure it is clear this is a request for a ‘BaRS’ certificate
  • ‘N/A’ in the Party Key section because there is no relation to SDS endpoints
  • In the .csr, the ‘email’ field must be blank
• Receive certificate from ITOC
• Email dnsteam@nhs.net with FQDN and public facing IP to register DNS
• Email bookingandreferralstandard@nhs.net with Receiver URL for BaRS/API-M to add to the Endpoint Catalogue

Production (Prod)

• Once Solution Assurance issue the supplier with the Technical Conformance certificate Production endpoints can be requested
• Sends .csr to dir@nhs.net, indicating this is for a BaRS Receiver endpoint
  • Format for FQDN on PROD for -
    • Supplier hosted solutions is ‘BaRS-PROD-<ODS Code>.<Supplier name>.thirdparty.nhs.uk’
      • This option is used for multi-tenanted solutions.
    • Service Provider hosted solutions is ‘BaRS-PROD-<ODS Code>.<Provider name>.nhs.uk’
      • This option is used for non multi-tenanted solutions. If multiple endpoints are needed, the ODS code can be appended with an identifier for the setting.
      • It may be that the provider already has a 'nhs.uk' standard domain DNS entry, If one exists, it should be used for this new subdomain.
• Receive certificate from DIR Team
• Email dnsteam@nhs.net with FQDN and public facing IP to register DNS
• Email bookingandreferralstandard@nhs.net with Receiver URL for BaRS/API-M to add to the Endpoint Catalogue

Note - Receiver Firewall Amendments - Requests from the BaRS API (for both INT and Prod) will originate from 34.89.0.111 & 34.89.69.6

Certificates

Introduction

The BaRS API and supplier solution will be secured by HTTPS/TLS, for both inbound and outbound connections. All certificates used are published on this website for your convenience.

In order to establish a connection to and from any environment, a chain of trust must be set up using the certificates detailed below.

For information on obtaining certificates as a Receiver see the Onboarding section.

Inbound

All inbound connections to the BaRS API will be presented with environment specific certificate, provided by Digicert. This is inline with all NHS APIs on the platform. The details for the certificate and chain used are described in the table below.

dev.api.service.nhs.uk (Digicert)

-----BEGIN CERTIFICATE-----
MIIH7zCCBtegAwIBAgIQCd1RZTdgwjlx2LOoB8pNHTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA2MjkwMDAwMDBa
Fw0yMzA2MjkyMzU5NTlaMFQxCzAJBgNVBAYTAkdCMQ4wDAYDVQQHEwVMZWVkczEU
MBIGA1UEChMLTkhTIERpZ2l0YWwxHzAdBgNVBAMTFmRldi5hcGkuc2VydmljZS5u
aHMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChdhQee1KNW6C/
qUzRfgwLzxdXcLMusYrCR+dkiJiyVTy2JAP9iDwOqsJWeaxzXzXoPM+3ahq2m7c6
CgAhuk8XHo3vhRfJzLehbQtzAgnz5YDevpI74gj2V/Wd7/QGu8Cgh9AoCtO5gfh8
byju/V9eJArHxCE6huduBTp59y8Dth/VGWiDaOgYDauBOkSKdxVmPl1qZOv7cN/p
wD4TyZxs0CrqUrkRT4WfvABrOaG7jLbeKKhVfMYXSJhPs1g7STJaOzvrRAwt1O83
q4Objc3/oPnbbN1AyXlVyHI2exkxmNllYHRMogQMSFOpdj/g+zibw7tPpKDE49Xx
YFtfGOUHusb2Fj7kYh7bevdOibrmzG+zT1l29VNzaYp0sFMSrHaCBVZ6Rw/q3BHV
vRXfb+zpiSpmUG67FULKWQRCSKEBw7pfD1+cg8050PT+JnnhONjwzbwJMZjiibV7
f0JGP0G2JX1sRSad+EBHPYd1is0SESFhfrkSm5pQxgTkxGFKhBC0fm3LSP6qhelz
z1YIKupi66wC74dnV/YJkxOQ38r3uH0WTiZ8SL2Zd3Gd+1DPWXydvjfH94yQpOHj
ihRhHlkn+uRynOBqcCTsZ+9xyOjAQ3AicSLAsK9V+YxK+mO1IatgnmafLGNWYAsK
YpGS+BsOnS6Znecv9lFPcWWdTQsUpwIDAQABo4IDwDCCA7wwHwYDVR0jBBgwFoAU
t2ui6qiqhIx56rTaD5iyxZV2ufQwHQYDVR0OBBYEFMa79aKSfMUaT2POYUTKkpfF
mocAMG0GA1UdEQRmMGSCFmRldi5hcGkuc2VydmljZS5uaHMudWuCFnJlZi5hcGku
c2VydmljZS5uaHMudWuCGnNhbmRib3guYXBpLnNlcnZpY2UubmhzLnVrghZkZXAu
YXBpLnNlcnZpY2UubmhzLnVrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwgY8GA1UdHwSBhzCBhDBAoD6gPIY6aHR0cDovL2Ny
bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENBMS00LmNy
bDBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNB
U0hBMjU2MjAyMENBMS00LmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsG
AQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwfwYIKwYBBQUHAQEE
czBxMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wSQYIKwYB
BQUHMAKGPWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JT
QVNIQTI1NjIwMjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAXwGCisGAQQB1nkCBAIE
ggFsBIIBaAFmAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGB
r8Mt1gAABAMARzBFAiEA3y5VxP+JXtBoJdaQUf+DvWzfq7hfm7tSrKpDxLzr3LsC
ID8AtMzjnVttILxLmAZFmr/Xq2tEM7ubqJprZjqmZtxBAHUANc8ZG7+xbFe/D61M
bULLu7YnICZR6j/hKu+oA8M71kwAAAGBr8MtNwAABAMARjBEAiAhvkbK+nr8p1+s
fTqfrslKaI0K5prTdt65yHRdhJdtdAIgKlEWGUSlCH7AwfQJ04Xxo1o+rJ1nyl8Y
bD17Fmee4I0AdQCzc3cH4YRQ+GOG1gWp3BEJSnktsWcMC4fc8AMOeTalmgAAAYGv
wy1YAAAEAwBGMEQCIBoJtWDLt+0gBNbbW+73bJtYnD2/eLGF+ASZO9NjrgdcAiBx
UChWKBEH5ndm9j2MfiDfhb8CIkMDxYwl7cNU+owJhDANBgkqhkiG9w0BAQsFAAOC
AQEAm/i6ZvIf03/3YgF9dWoSygDDuziv5u5CQu6Vn9ojHPN6y+zzF8V6fyrgjo2q
+BILKe5AkhCak/YmBEKN4PcoLerCFmBS5F2GaJ0fYx4+BevaeauewMmXq3WrduAp
QwmVtvBfY4MdvFTZ1afLxPbBoMduwjI/7F8Vsq9yPWdwSlkEXCb5v8mCcWqIOr6F
mntXmZoNig+cWTWebyX3B/dVnYezQqcd2clM5yb3Tz/C4YPa/pHrXP4Uekskh9wm
LrKCzc961OVITemj0KA6xkbeVNnXjRjyKiZS//iDRugZJf3yh5oTON9fqoVgV+bd
9UWHkyVsonT2QQWayu4R2mb30g==
-----END CERTIFICATE-----

int.api.service.nhs.uk (Digicert)

-----BEGIN CERTIFICATE-----
MIIHpjCCBo6gAwIBAgIQCbufxB/0/HfjHDnytP71fTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAzMDcwMDAwMDBa
Fw0yMzA0MDcyMzU5NTlaMFQxCzAJBgNVBAYTAkdCMQ4wDAYDVQQHEwVMZWVkczEU
MBIGA1UEChMLTkhTIERpZ2l0YWwxHzAdBgNVBAMTFmludC5hcGkuc2VydmljZS5u
aHMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4JPKFpz/Rl8QC
tMERVDSLXehOKlzBg7V5tsFerUwMAvKSZwfd9gRDWnH+QarjypoKM6VkH+hv6NsU
ApWHngeO6BOstltMaIVXZ4GRfKD3iaJCA3WO2qaixjXjZDhWTCLrCnmUYnkpf3Sp
f8aIzLS9LMfLn84Xa0VvOtGTYN9/Cf6zPdfhI6Qy3qRJote8w73lWxs4SZ8ObFya
9c+OEb7gnZfhg0kgQFM6qwYPAqAuNHt47Sd/TLySQ186j2ItoFfRih2pMfEDw1a9
2HQTpYZDCrUCqkMyKacZAlf66LEOKnqAaqn+VxKGJa9wZghJP/ZrkSJ11jfnBBzN
IhUV5KGyTC2xjaHj3jXD8rzwRyNafHfQX1YYM4572+0LbXs+ZKrX0HXj34W765o7
PAUjJk4Ih52r7fFpch4hYkpyGfoN+riMxbBmSRelAbLXHOdi6LvsXGdxPtRQwlYa
zsjOD1+lhOFLtLXZplViNyKEGh1J5UVeL0OZuMW9b9x8Ug6/DPBVcoZ0UmnyUVr/
pgjRKF/zU67LWR0Vqzq9OUdTNLImEfMLsfKx2ytO/kSk9PB8Ifp0E5tz6j17kNeh
Q3TjR++e1AUrOq2DrqwzpH8QIfIIiEfsd/Y267YfWmPPwo6A6h7HqSH9BQuJihme
GO/aVQLpUUzZn/tbtuIFffvE8EovEwIDAQABo4IDdzCCA3MwHwYDVR0jBBgwFoAU
t2ui6qiqhIx56rTaD5iyxZV2ufQwHQYDVR0OBBYEFMxc1yJdMXn5cMQY/y/eYQIp
7zm+MCEGA1UdEQQaMBiCFmludC5hcGkuc2VydmljZS5uaHMudWswDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjwYDVR0fBIGH
MIGEMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNS
U0FTSEEyNTYyMDIwQ0ExLTQuY3JsMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
dC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTQuY3JsMD4GA1UdIAQ3
MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQu
Y29tL0NQUzB/BggrBgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENBMS0xLmNydDAJBgNVHRME
AjAAMIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgDoPtDaPvUGNTLnVyi8iWvJ
A9PL0RFr7Otp4Xd9bQa9bgAAAX9kHjD2AAAEAwBHMEUCIGtBH7mnWeRxvFLZN2E5
Q/9lrFm4Xhjcj9Zi9L9ThlzRAiEAulA+1XiMw6M5M23M/FB55fcvbIosAkQUAkuy
1yeaPv0AdgA1zxkbv7FsV78PrUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAX9kHjEd
AAAEAwBHMEUCIQDgRdzMBcsF6fI25ieut74nDBF0CMeI/3aXZKppdT6sdwIgU3Sy
90+7k1dyBUCGXqTJgodgkYLDaYNEvAQ+NmnA4nEAdwCzc3cH4YRQ+GOG1gWp3BEJ
SnktsWcMC4fc8AMOeTalmgAAAX9kHjFDAAAEAwBIMEYCIQC9aCfRJ6cPGwty3FP1
BAw3RRXQYr2Su4Xk+boJyNGe6gIhAIwV8BftA2Ee6dvSAhhtfOz5eddHy/am+lfJ
UYrw9j3jMA0GCSqGSIb3DQEBCwUAA4IBAQAMOtj25/qQDCzg1ceaZnWiORgyYpbh
ZGlR2jI9ujWPzbl/7SmUpFS6SnXaOh6L45NAR7Ld7Fhuqf34rgSobc5/cVaLMq5v
QduAlYq9aO5xG32TNsWQRXMFG9WFFg7HD00p8DMkF/cxXFACsCAwt1dGNbwbgAEj
+qn/TDymJ85HzQfcpTkQXvB7571DpDBvxPkYMxkzQtgb5Wz+VVyi2LL5J3AqOSWV
KKigsYqVwEiNTzgInknUmDHJN2igFUfpsPqVB41Xy8dc5SNTStbWsWLXA/0aHleK
D1TONGVLMXdZh3uFto9Q/E1kXw6LYKO9MUYnGweyFm7ipWERPzjE/w3N
-----END CERTIFICATE-----

api.service.nhs.uk (Digicert)

-----BEGIN CERTIFICATE-----
MIIHtDCCBpygAwIBAgIQCo1zwR1XPV9LCf6wELDvIzANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAzMDcwMDAwMDBa
Fw0yMzA0MDcyMzU5NTlaMFAxCzAJBgNVBAYTAkdCMQ4wDAYDVQQHEwVMZWVkczEU
MBIGA1UEChMLTkhTIERpZ2l0YWwxGzAZBgNVBAMTEmFwaS5zZXJ2aWNlLm5ocy51
azCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5Giwu+wLvQlcWJGZnV
5sswmYiknViv84orFv38P+9GLNXC48wMgJPu3rtuZsTe5JdtaVRPflXK4rxfuIUd
ybfbDmW4zeUn5Yj2ZdkoZMqLlLX7D9H04wl2Aw/C0OP+pMq3Ear6KuCA8Y9kF+zF
KcR1foUvc4Fw2LxkWal10S2lzPLTbN4f2pZjT3JT1HMobRDQKt4kG/XDGbpkox/9
xQSNHdLYemenKVFQLGt+EVc51NTfMHFg8KXR/T0gvs0e0r/IOZZxl1+NEXkIvnQQ
fYJQB+LeMgpuMK1dj8xBnHnmsO3B8vvwJDycrSq50BfvXZpARUDhAiy2n+WWoM+s
hKmuojkDmnBEVtq78eDDF40vMahzpDhgSHhzM5pdpIvnofXGO4IkzLrNKTGlIXl8
2PERRM7zScuAWl5P6OWX7ygN8uoUh+NdDoiWsbQxZrTTO7kFgIbiheEMzMH28Myi
BWN9/LvRYpqWSSW7R4/NNfd8M62ER36xWetYk/IHdSXfBbfg1hJQMK+QZrA+Io8T
QABhTc0eBxlctOYCsKeXkhOBNTokED8DwQSG8f+LN2tA48cX+HrSRZ0gYA4X6vbl
TpdlmxbqXjQeTCrG65qmh3gffPNzZc+Ck2qL4SVlHBLw2LowagmjVvyWnfP8o0dH
LIic/3Tbx5hzUGsX4OHiM55ZAgMBAAGjggOJMIIDhTAfBgNVHSMEGDAWgBS3a6Lq
qKqEjHnqtNoPmLLFlXa59DAdBgNVHQ4EFgQU6lxJ78pLAnSpbhbSmCSt+zZgPvow
NgYDVR0RBC8wLYISYXBpLnNlcnZpY2UubmhzLnVrghdwb3J0YWwuZGV2ZWxvcGVy
Lm5ocy51azAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0
LmNvbS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5jcmwwQKA+oDyGOmh0
dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBD
QTEtNC5jcmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0
cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEF
BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRw
Oi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIw
Q0ExLTEuY3J0MAkGA1UdEwQCMAAwggF8BgorBgEEAdZ5AgQCBIIBbASCAWgBZgB1
AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABf2QbUbgAAAQDAEYw
RAIgQ8/ac+so1XceqvA6MPcVg1uN4XobN1UKdhkbtPyCUCMCIFkXRGBI+H7pjyHR
qiRQjt2EUusUs5U+L9TqK807fkivAHUANc8ZG7+xbFe/D61MbULLu7YnICZR6j/h
Ku+oA8M71kwAAAF/ZBtRrQAABAMARjBEAiB2Efj+Xq7BsWTU6E+FfMQ0CXis2aSt
CpTqcpnnc5+GlgIgXJxSXIQ9N2dhiqcAtDEQmZzZUZLh+nK/JjHAq2MShVsAdgCz
c3cH4YRQ+GOG1gWp3BEJSnktsWcMC4fc8AMOeTalmgAAAX9kG1HcAAAEAwBHMEUC
IBLnTvDSHa4jE24pDTqMpvemVyA5n6+7laNwI4DKN128AiEA1UyzaSEpGulrYeJ0
0ht+Y6PxJSDbqOAGQdHQfSKwJo4wDQYJKoZIhvcNAQELBQADggEBAFlPTQfhMH/i
xhBxX6MqEo/LaRWsbJWeP1ncKph3M/UvFXJdHeTHoZlUWTyispY+81DRwzC0pFhr
UL0OxspiPcW3MI4hMzaFOOzEYr6n2Cpqm36e+Z3hM78a8AO3rMtSjnYStkl9jNfU
6aGHiuUxPkl95BxMkIO156UQpyVrRuVQ/WCQrJgo3R+C9QK+VTh91JUyyGf6NluM
iRWLy2pTVHUX+7nBWVFR7ACgdwij2utwIDtzyOjynR3KmLE8UWVIu0I1NLwpMnRc
47nIWuRFvU/obcmfqZk8LiQMwoOKoG6GEfF2/32i9o6ucmvhJwnpNbqOlne8kv4D
ysWdIG7hl3g=
-----END CERTIFICATE-----

Outbound

All outbound connections from the BaRS API proxy to Receivers, with the exception of the Sandbox environment, will be secured using TLS-MA.

PTL

The PTL environments will present a certificate issued by the NHS PTL Root Authority, as the RootCA. This does not include the Sandbox environment.

Details of the certificate chain described in the table below can be found in the How to Connect Guidance.

int.api.service.nhs.uk (NHS PTL Root)

-----BEGIN CERTIFICATE-----
MIIE2jCCA8KgAwIBAgIEXcnbeTANBgkqhkiG9w0BAQsFADA2MQwwCgYDVQQKEwNu
aHMxCzAJBgNVBAsTAkNBMRkwFwYDVQQDExBOSFMgSU5UIExldmVsIDFDMB4XDTIx
MTAyMjA3MjUzNloXDTI0MTAyMjA3NTUzNlowQTEMMAoGA1UEChMDbmhzMRAwDgYD
VQQLEwdEZXZpY2VzMR8wHQYDVQQDExZpbnQuYXBpLnNlcnZpY2UubmhzLnVrMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwMXSm2iNiR4xxX1AYVDWkviT
rEjidc91Ypcg5BbK3hEIgx7tPsKleef87TCj/7Io6XxV95VyIVhv9mw0m2VYtd7+
o9aAXDxsagmGWI3WSPp4UnS99jrC1jKyoEw7yLlXK0spoJ8i7+nZDpcytmKEX5wb
O6I5+QW2fNA3/sCwUXbEfpZsyURa+plZGR9qWpTnLxFRkTb5zxasGS5MrBBsX3ZP
uEmU1qDcNQlwm59NXVQPfC07X/POd8/sHXFGdB0BhtSOTYeCAOa/IlE+sX1hdTyt
g1u8sRmOc2LPh5H5MN75A7oJuLbapWz+BvmUAAl3n+8pIUT2wpk/CjSUIQhWJRG0
W7RwnGiT3PF8ZTuY4xTT0EaZEDc/BEvo063xTY7Nnr770WaQAeDwVkdyDpMOkJh/
/aVN3uIjituTPhOzIbBYyXEFc59IJZAlWFMaFWMN5wo7JXhWhWLcxXU//bSMjU+K
e0yKHHpPdsVgwBV7mp4Pd6/PhrzCxhaGp5f3a0rn/+gmwuJCfjvcuV3twZBkmCdw
lpyjxQn/ZzJt2CuNAJRAW5J2FogpDxBxSk7NZnf255KaNUYEMF68Ff12RhuX7mmO
eIrpUwStZF8wfNv9suLPk9oWqt4DjAzdxgs5URRnkJbAGEv7je55A6mZxUJdfe1+
PKnqUy0tx7MuHUT/ZdsCAwEAAaOB5DCB4TALBgNVHQ8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMBgGA1UdIAQRMA8wDQYLKoY6AIl7ZQADAQEw
MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5uaHMudWsvaW50LzFjL2NybGM3
LmNybDAfBgNVHSMEGDAWgBQABoJtq6YSQ+22DfTmPMQgwWGboDAdBgNVHQ4EFgQU
a1IdNWkENZuJ6oVZbX3tvyJUmX8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAK
GwRWOC4zAwIEsDANBgkqhkiG9w0BAQsFAAOCAQEAM1vfrfUhzRfMsNprGI5qQE99
eRLGXsvWY45eWJKMcCvw4VBFbcABMxACfuO/arIQvYrkzpBpnF8fMu5tiwi+PgIQ
k7xIf2l7UsIM+f13gj+YDHsQaRF5MO3ywFC56/ybGEMI+pp6Co0pKvbXQtk14rRR
213tWOxoV9W/keEHiNZTOM54EbAzXwvsVjvIwyxxwDGNbhsLKfCYPLgHpExFMSFF
08fEKUAbPiLUUBIQpLtSGv/Sn/SAk1wh0nG2UXcjTGIX0ZNhT8DyYNonjg9kQ6J8
8g6Nu/awWRl7a6Kf9mWsxaspCGHYi5Q10tXSZdDuBzAkQJ0MZS3DZ7/mb+ISvQ==
-----END CERTIFICATE-----

Prod

The production environment will present a certificate issued by the NHS Root Authority, as the RootCA.

Details of the certificate chain described in the table below can be found in the How to Connect Guidance

-----BEGIN CERTIFICATE-----
MIIEEjCCAvqgAwIBAgIEYQ6SIzANBgkqhkiG9w0BAQsFADAyMQwwCgYDVQQKDANu
aHMxCzAJBgNVBAsMAkNBMRUwEwYDVQQDDAxOSFMgTGV2ZWwgMUMwHhcNMjIxMjEy
MTU1NjI1WhcNMjQwNjA0MTEyODMxWjBKMQwwCgYDVQQKDANuaHMxEDAOBgNVBAsM
B0RldmljZXMxKDAmBgNVBAMMH2JhcnMtcHJveHkuc3BpbmVzZXJ2aWNlcy5uaHMu
dWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+3ACj/4ijhnV9F4V9
Encu1ulski0sK36XX8etuwqRbpzW6dpRmACUE001zSp0Fg6kaW1OE13kfMNJzTgy
cjjL7FnQLG0UAuK7ghTKp/I7SvqwNkCCPVnMm+s1wfzBKQGbWRhsgiUy/jKizgTz
163BHoB8WzGPDwV0K+9nmf3tBiqi+dB1UWtBOZc9mUgqt9+Hy54pjX/aYVL//L04
24kSntJoP4pzeumTeHHKTLPv2FT3lfBW7cDh6cBZ62Dv15P1EopgZwirNrmZTFox
Hm0rmIh4WFQrtQ8TxNAKfBIq32hxL51bfJRctKgQGc/VDaQ2MoV2cSTZSF+6CQn8
E2wvAgMBAAGjggEWMIIBEjALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMBgGA1UdIAQRMA8wDQYLKoY6AIl7ZQADAQEwNwYDVR0fBDAw
LjAsoCqgKIYmaHR0cDovL2NybC5uaHMudWsvbGl2ZS8xYy9jcmxjNDUxOS5jcmww
KwYDVR0QBCQwIoAPMjAyMjEyMTIxNTU2MjVagQ8yMDIzMTIyNTEyNTc1M1owHwYD
VR0jBBgwFoAUummj43rifD03V1Jv6fMTZEzhwLUwHQYDVR0OBBYEFNZdTAjy6Qt2
K/kPx7eoIPC6WnwRMAkGA1UdEwQCMAAwGQYJKoZIhvZ9B0EABAwwChsEVjguMwMC
BLAwDQYJKoZIhvcNAQELBQADggEBAEO5dJfCpEXu5PvYXvh0iHMLGeNd00ghyfMH
9F8rLw3LVTEWlrkOg1d76wEuHeBo2pM1A5YFvBkv+FpDxcKizqHXlryXZxIdkfMw
GEFIPBK+wdZAFDcKXlSZZUvUpvpC6MycJHN3i5sgE8jkugfmTZvc0orjg2pgh4y8
vsBI/yY8M4hqxF0fUd9msVo0tvCf8gNfMmRYN/3XfUrGtUjjBmXVj7GsKoijBqzS
ynbcbOis4iXQJz78K2lGMw0sGx44C7e+L+Bd/gr9B+locaEHXuDMYY/lH+ckcFGT
XOLsRJNdE3hyGSUwn7eCJA8La5XLrjo9EgfVo6GKX4sX1L+Ibtw=
-----END CERTIFICATE-----