Opentest: Technical Information for Suppliers and NHS IT Professionals
Opentest is NHS Digital's open-access network for developing and testing healthcare applications.
The Opentest network consists of a hosted component, and a VPN through which users connect. The network
is not N3 connected and so is accessible to users without IGSoC conformance.
The hosted network contains instances of:
From time to time, the Digital Delivery Centre, and NHS Digital programmes, will use Opentest to
host proof-of-concept or trial service versions.
Opentest user nodes can route to one another over the VPN. To assist this, each VPN login is
associated with a static IP address. Whilst this does imply responsible behaviour on the part of
users, the Usage Policy contains sanctions where necessary.
How much does it cost ?
The basic service as described in this document, is free. NHS Digital reserves the right to charge for extensions
to, and customised configurations of the basic service, or for providing specialised consultancy.
An evolving set of services to support testing, are implemented and being developed. These will
- Test counterparties (synthetic clients with web interfaces and servers with rules-based
- Automated, user configurable content validation (due end of Q1 calendar 2017)
- Automated, user configurable scenario-based test support (due Q3 calendar 2017)
How do I sign up?
Email the NHS Digital Solutions Assurance Service Desk with your request. Please provide your contact
details and ideally brief information about the type of development you are interested in.
You will receive:
Test data details will be available on request.
- A VPN login, plus connection instructions and a password
- Your IP address on the VPN network
- Spine Party key and ASID details
- Service locations on the network, and Spine 2 Core service URLs
- An endpoint certificate and private key, both as separate files and a PKCS#12 chain.
- Copies of the root CA and endpoint sub CA
Why do I have to ask NHS Digital's Service Desk rather than being able to do it all myself ?
Opentest provides an environment that gives unrestricted development access to all the current
"integration styles" in use in the NHS England environment, today. That includes use of Spine
services and ITK which require registered endpoints, certificates and so on. Use of the evolving automated test support
systems require that those systems be able to decrypt user traffic for analysis and reporting.
To enable these services, user accounts are set up ahead of time with everything they need: a Spine
endpoint permissioned for all services, certificates, keys, and a known location on the network. When
you ask for an Opentest account you are allocated one of these pre-configured endpoints - so that if you
need Spine or a colleague to talk to you, both you and they know one anothers' location on the network.
Also, the basic service includes a single IP address on the Opentest network. NHS Digital are however open
to requests for network VPN logins, in which case specialised user requirements will need to be discussed so we
can make sure your needs are understood and addressed properly.
What can I use it for ?
Opentest is intended to support healthcare app and systems development. These may use Spine,
e-RS, ITK, IHE or other protocols such as those based on FHIR. This may be for single projects, or as a shared
environment used by multiple developers or companies, working together on integrated solutions.
Also, there are scenarios where a project or company that does not hold IGSoC on its own account
needs an environment, for example to hold demonstrations to potential customers. Potential
systems customers may also wish to run procurement competitions between vendors. Both these
additional uses are welcome.
NHS Digital is a supporter of the Hack Day concept and Opentest may be used to host a "virtual" Hack Day.
These are events in which computer programmers and others involved in software development
collaborate intensively on software projects. The aim is for people with a wide range of expertise to
find solutions to problems that improve and enhance systems. Additionally, an instance of an Opentest-compatible
environment may be deployed locally for the event. Please contact the Solutions Assurance Service
Desk to discuss your particular requirements. For further information on Hack Days see
How "real" is it ?
Opentest is intended to provide support for the "hard" parts of integration - when on
either side of the APIs individual systems' semantics and information models come in contact.
The Spine 2 Core and other NHS Digital services instances are a fully-operational instance at a
similar patch level to that of the N3-
facing "Development" environment. The Spine 2 Core instance, for example, is updated once per month to
the latest build. There are some differences between what is available in the
open-access platform, and what is in path-to-live. Open access implementations other than
Opentest may be configured for specific purposes without some components of the full service.
In order fully to differentiate the open access environments from those on N3 (including live), a
discrete PKI is used. This consists of a trusted root CA, and sub-CAs for endpoints, users and EPS non-
repudiation. Certificates issued by the sub CAs, and the signing chain, are structurally the same as
that in Spine, but distinct from it. Certificate Distinguished Names contain (o=HSCIC,ou=OpenTest)
rather than (o=nhs,ou=devices) and so are not compatible with any of the N3 facing Spine services.
Spine user certificates are issued by the same sub CA as are endpoints, and are distinguished by DN.
Open access user certificates are issued by a dedicated sub CA. At present, no CRL distribution point
is published or populated.
Provision of keys and certificates with the user logins will enable automated capture and decryption of
traffic, under user control. This decrypted traffic will then be used for the automated content validation
reports, and to support scenario-based automated testing services that are planned for introduction
during 2017. Where users subsequently seek compliance for Spine or ITK deployment, outputs from these
services will count towards accreditation.
Is availability guaranteed ?
There are no SLAs associated with the service in terms of update frequency or performance. At
present the number of available logins matches our coverage for concurrent VPN connections. There
may be instances where we have more logins configured than we have concurrent licences - this will
only happen when the connected user population is consistently larger than the number of
concurrent connections. The service will be managed so that conflict is minimal, however due to cost
implications we cannot guarantee availability all the time.
The Opentest service depends on a concurrent-connection licence for the VPN. Although NHS Digital will
manage provision, we reserve the right to introduce a "login expiry" period for inactive users.
NHS Digital will maintain a synthetic patient population, plus associated SCRs, courtesy of the Solutions
Assurance Test Data team. The population will not be routinely "re-set". In the unlikely event that
unauthorised data is inputted into the system, NHS Digital reserves the right to take any appropriate
action, up to and including a complete data refresh. The service is intended for functional
development and testing. It is not scaled for volumetric and performance tests. Nor is it a
'playground'. Activities contrary to this, or that may reasonably be considered abuse either of the
system or other users, will result in access being revoked