6. Security - nhsconnect/nrls-reference-implementation GitHub Wiki
There are a number of layers to security, mostly focused around the NRL Stub.
In this section:
6.1 NRL Stub
6.1.1 JWT
A JWT is required in order to connect to the stub; the details can be found in the specification.
The JWT is created automatically for you by the Demonstrator app.
6.1.2 Request Headers
Each request requires a set of additional HTTP headers. Again, the details are in the specification, and the app will automatically create these for you.
6.1.3 Mutual Authentication
The Spine also requires that you connect over TLS with mutual authentication (TLS v1.2).
Certificates are issued by NHS Digital; more details are in the specification and will be provided during the Solutions Assurance phase.
The app can be configured to connect to the stub over TLS mutual authentication, but this is turned off by default.
Please note: valid development certificates are required in order to test this.
6.1.4 Configuration
The headers, JWT and certificates are pulled together and checked against values stored in the SDS data, which include:
- Organisation ODS codes
- System ASIDs
- Allowed Interaction IDs
- Certificate thumbprints
The Demonstrator and the NRL Stub share this data.
appsettings.json
Along with this, both the Stub and the Demonstrator need to know the Spine's ASID and certificate thumbprint.
For the Demonstrator and the Stub these values live in their respective appsettings.json files in the WebApp projects.
:warning: Warning!
These values are used to mimic the Spine authentication process and help you set up a valid request.
The steps taken by the Stub do not exactly match those taken by the Spine, but they give you an idea of the concept and of the types of values required.
6.2 Demonstrator
The Demonstrator itself does not have to run over HTTPS, although in a real-world setting it would, and you would also be required to log in.
The connections that the Demonstrator makes to the Stub, however, can be secured as detailed above.
6.3 SSP Stub
The SSP Stub, located within the NRLS-API solution, also contains some checks that attempt to mimic what the real SSP does. These checks include:
- Header checks:
  - ASIDs
  - Interaction IDs
- JWT validation
- TLS mutual authentication (if turned on)
- Endpoint matching: this looks at the URL that needs to be forwarded to a Provider and checks it against the endpoints registered for that Provider.
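The following is an added example and not code from the nrls-reference-implementation project. It shows both sides of the exchange described on this page: a Demonstrator-side builder that produces the JWT and request headers (6.1.1, 6.1.2), and a Stub/SSP-side validator that runs the checks listed in 6.1.4 and 6.3 (ASIDs, interaction IDs, certificate thumbprints, JWT claims, endpoint matching) against a constructed SDS-style table. The `Ssp-*` header names, the JWT claim names, the five-minute token lifetime and the unsigned (`alg` `none`) token are assumptions to be confirmed against the specification; the ASIDs, ODS codes, interaction ID, endpoints and certificate bytes are constructed sample data.

```python
"""Added example, not code from the nrls-reference-implementation project:
a Demonstrator-side request builder (6.1.1, 6.1.2) and a Stub/SSP-side
validator that runs the checks listed in 6.1.4 and 6.3 against a constructed
SDS-style table.  The Ssp-* header names, the JWT claim names and the unsigned
(alg "none") token are assumptions to be confirmed against the specification."""
import base64
import hashlib
import hmac
import json
import uuid
from urllib.parse import urlsplit

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def thumbprint(der: bytes) -> str:
    # Same form as .NET's X509Certificate2.Thumbprint: upper-case hex SHA-1 of the DER bytes.
    return hashlib.sha1(der).hexdigest().upper()

# Constructed stand-ins for certificate DER bytes; they are not real certificates.
DEMO_CERT = b"constructed DER bytes: Demonstrator certificate"
SPINE_CERT = b"constructed DER bytes: Spine/Stub certificate"
PROVIDER_CERT = b"constructed DER bytes: Provider certificate"
DEMO_ASID, SPINE_ASID, PROVIDER_ASID = "200000000001", "200000000002", "200000000003"
SEARCH = "urn:example:nrls:search:documentreference"  # constructed interaction ID

# Constructed SDS-style data shared by Demonstrator and Stub: ODS code, allowed
# interactions, certificate thumbprint and registered endpoints, keyed by ASID.
SDS = {
    DEMO_ASID: {"ods": "ODS001", "interactions": {SEARCH},
                "thumbprint": thumbprint(DEMO_CERT), "endpoints": []},
    SPINE_ASID: {"ods": "ODS000", "interactions": set(),
                 "thumbprint": thumbprint(SPINE_CERT), "endpoints": ["https://nrls.example/fhir/"]},
    PROVIDER_ASID: {"ods": "ODS002", "interactions": set(),
                    "thumbprint": thumbprint(PROVIDER_CERT), "endpoints": ["https://provider.example/fhir/"]},
}
REQUIRED = ("Ssp-TraceID", "Ssp-From", "Ssp-To", "Ssp-InteractionID", "Authorization")

def make_jwt(claims: dict) -> str:
    # Assumption: the token is unsigned, so the third (signature) segment is empty.
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}."

def decode_jwt(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have three segments")
    return json.loads(b64url_decode(parts[1]))

def build_request(from_asid: str, to_asid: str, interaction: str, now: int) -> dict:
    """Demonstrator side: the JWT and Ssp-* headers that accompany every request."""
    claims = {"iss": "https://demonstrator.example", "sub": from_asid, "aud": "https://nrls.example/fhir",
              "iat": now, "exp": now + 300,  # five-minute lifetime (assumed)
              "requesting_system": f"https://fhir.nhs.uk/Id/accredited-system|{from_asid}"}
    return {"Ssp-TraceID": str(uuid.uuid4()), "Ssp-From": from_asid, "Ssp-To": to_asid,
            "Ssp-InteractionID": interaction, "Authorization": "Bearer " + make_jwt(claims)}

def endpoint_matches(url: str, registered: list) -> bool:
    # Compare scheme, host and the path on a segment boundary, so that a URL on
    # provider.example.evil or under /fhir-admin/ does not match https://provider.example/fhir/.
    u = urlsplit(url)
    return any((u.scheme, u.netloc) == (r.scheme, r.netloc)
               and (u.path + "/").startswith(r.path.rstrip("/") + "/")
               for r in map(urlsplit, registered))

def validate_request(headers: dict, peer_der: bytes, target_url: str, now: int, mtls: bool = True) -> list:
    """Stub/SSP side: returns the failed checks in check order; an empty list means accepted."""
    missing = [h for h in REQUIRED if not headers.get(h)]
    if missing:
        return [f"missing headers: {missing}"]  # nothing further can be checked
    errors, sender, target = [], SDS.get(headers["Ssp-From"]), SDS.get(headers["Ssp-To"])
    if sender is None:
        errors.append("Ssp-From ASID not in SDS")
    if target is None:
        errors.append("Ssp-To ASID not in SDS")
    if sender and headers["Ssp-InteractionID"] not in sender["interactions"]:
        errors.append("interaction not permitted for Ssp-From ASID")
    if mtls and sender and not hmac.compare_digest(thumbprint(peer_der), sender["thumbprint"]):
        errors.append("client certificate thumbprint not registered for Ssp-From ASID")
    try:
        claims = decode_jwt(headers["Authorization"].removeprefix("Bearer "))
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            errors.append("JWT outside its iat/exp window")
        if claims.get("requesting_system", "").rsplit("|", 1)[-1] != headers["Ssp-From"]:
            errors.append("JWT requesting_system does not match Ssp-From")
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        errors.append(f"malformed JWT: {exc}")
    if target and not endpoint_matches(target_url, target["endpoints"]):
        errors.append("target URL is not a registered endpoint of Ssp-To")
    return errors

if __name__ == "__main__":
    now = 1_700_000_000
    req = build_request(DEMO_ASID, PROVIDER_ASID, SEARCH, now)
    print(validate_request(req, DEMO_CERT, "https://provider.example/fhir/DocumentReference", now))
    print(validate_request(req, PROVIDER_CERT, "https://provider.example.evil/fhir/x", now + 600))
```

Two design points are worth noting. The thumbprint comparison uses a constant-time compare and hashes the DER bytes the same way .NET's `Thumbprint` property does, so the value in `appsettings.json` can be copied straight from the certificate store. Endpoint matching compares scheme, host and a path-segment boundary rather than doing a plain string prefix test, so a registered endpoint of `https://provider.example/fhir/` does not also admit `https://provider.example.evil/` or `https://provider.example/fhir-admin/`. With `mtls=False` the thumbprint check is skipped, which mirrors the default-off TLS setting described in 6.1.3.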