Opentest: Technical Information for Suppliers and NHS IT Professionals

Opentest is NHS Digital's open-access network for developing and testing healthcare applications. The Opentest network consists of a hosted component, and a VPN through which users connect. The network is not N3 connected and so is accessible to users without IGSoC conformance.

The hosted network contains instances of:

From time to time, the Digital Delivery Centre, and NHS Digital programmes, will use Opentest to host proof-of-concept or trial service versions.

Opentest user nodes can route to one another over the VPN. To assist this, each VPN login is associated with a static IP address. Whilst this does imply responsible behaviour on the part of users, the Usage Policy contains sanctions where necessary.

How much does it cost ?

The basic service as described in this document, is free. NHS Digital reserves the right to charge for extensions to, and customised configurations of the basic service, or for providing specialised consultancy.

Test services

An evolving set of services to support testing, are implemented and being developed. These will provide:

How do I sign up?

Email the
NHS Digital Solutions Assurance Service Desk with your request. Please provide your contact details and ideally brief information about the type of development you are interested in.

You will receive:

Test data details will be available on request.

Why do I have to ask NHS Digital's Service Desk rather than being able to do it all myself ?

Opentest provides an environment that gives unrestricted development access to all the current "integration styles" in use in the NHS England environment, today. That includes use of Spine services and ITK which require registered endpoints, certificates and so on. Use of the evolving automated test support systems require that those systems be able to decrypt user traffic for analysis and reporting.

To enable these services, user accounts are set up ahead of time with everything they need: a Spine endpoint permissioned for all services, certificates, keys, and a known location on the network. When you ask for an Opentest account you are allocated one of these pre-configured endpoints - so that if you need Spine or a colleague to talk to you, both you and they know one anothers' location on the network.

Also, the basic service includes a single IP address on the Opentest network. NHS Digital are however open to requests for network VPN logins, in which case specialised user requirements will need to be discussed so we can make sure your needs are understood and addressed properly.

What can I use it for ?

Opentest is intended to support healthcare app and systems development. These may use Spine, e-RS, ITK, IHE or other protocols such as those based on FHIR. This may be for single projects, or as a shared environment used by multiple developers or companies, working together on integrated solutions. Also, there are scenarios where a project or company that does not hold IGSoC on its own account needs an environment, for example to hold demonstrations to potential customers. Potential systems customers may also wish to run procurement competitions between vendors. Both these additional uses are welcome.

NHS Digital is a supporter of the Hack Day concept and Opentest may be used to host a "virtual" Hack Day. These are events in which computer programmers and others involved in software development collaborate intensively on software projects. The aim is for people with a wide range of expertise to find solutions to problems that improve and enhance systems. Additionally, an instance of an Opentest-compatible environment may be deployed locally for the event. Please contact the Solutions Assurance Service Desk to discuss your particular requirements. For further information on Hack Days see

How "real" is it ?

Opentest is intended to provide support for the "hard" parts of integration - when on either side of the APIs individual systems' semantics and information models come in contact.

The Spine 2 Core and other NHS Digital services instances are a fully-operational instance at a similar patch level to that of the N3- facing "Development" environment. The Spine 2 Core instance, for example, is updated once per month to the latest build. There are some differences between what is available in the open-access platform, and what is in path-to-live. Open access implementations other than Opentest may be configured for specific purposes without some components of the full service.


In order fully to differentiate the open access environments from those on N3 (including live), a discrete PKI is used. This consists of a trusted root CA, and sub-CAs for endpoints, users and EPS non- repudiation. Certificates issued by the sub CAs, and the signing chain, are structurally the same as that in Spine, but distinct from it. Certificate Distinguished Names contain (o=HSCIC,ou=OpenTest) rather than (o=nhs,ou=devices) and so are not compatible with any of the N3 facing Spine services. Spine user certificates are issued by the same sub CA as are endpoints, and are distinguished by DN. Open access user certificates are issued by a dedicated sub CA. At present, no CRL distribution point is published or populated.

Provision of keys and certificates with the user logins will enable automated capture and decryption of traffic, under user control. This decrypted traffic will then be used for the automated content validation reports, and to support scenario-based automated testing services that are planned for introduction during 2017. Where users subsequently seek compliance for Spine or ITK deployment, outputs from these services will count towards accreditation.

Is availability guaranteed ?

There are no SLAs associated with the service in terms of update frequency or performance. At present the number of available logins matches our coverage for concurrent VPN connections. There may be instances where we have more logins configured than we have concurrent licences - this will only happen when the connected user population is consistently larger than the number of concurrent connections. The service will be managed so that conflict is minimal, however due to cost implications we cannot guarantee availability all the time.

The Opentest service depends on a concurrent-connection licence for the VPN. Although NHS Digital will manage provision, we reserve the right to introduce a "login expiry" period for inactive users.

Usage Policy

NHS Digital will maintain a synthetic patient population, plus associated SCRs, courtesy of the Solutions Assurance Test Data team. The population will not be routinely "re-set". In the unlikely event that unauthorised data is inputted into the system, NHS Digital reserves the right to take any appropriate action, up to and including a complete data refresh. The service is intended for functional development and testing. It is not scaled for volumetric and performance tests. Nor is it a 'playground'. Activities contrary to this, or that may reasonably be considered abuse either of the system or other users, will result in access being revoked