Roadmap - Network Connectivity

Planned changes that could impact your connectivity with PKB will be detailed here.

Project Timeline
Deadline	Environment	Project Task	Status
26th March 2025	UK Production - Internet	Legacy HL7 Port 7443 Deprecation	COMPLETE
26th March 2025	Sandbox	Legacy HL7 Port 7443 Deprecation	COMPLETE
29th April 2025	EU Production	Legacy HL7 Port 7443 Deprecation	COMPLETE
20th May 2025	Sandbox	URL Connectivity - Dynamic IP Addressing	COMPLETE
27th May 2025	EU Production	URL Connectivity - Dynamic IP Addressing	COMPLETE
30th May 2025	UK Production - Internet	New Authentication Servers Available	COMPLETE
17th June 2025	UK Production - Internet	URL Connectivity - Dynamic IP Addressing	Ongoing
15th July 2025	UK Production - HSCN	New HL7 interface available for migration	noT STARTED
27th August 2025	Sandbox	Consolidating Authentication Servers	noT STARTED
9th September 2025	Sandbox	Deprecation of Weak Ciphers	Ongoing
16th September 2025	EU Production	Deprecation of Weak Ciphers	Ongoing
23rd September 2025	UK Production - Internet	Deprecation of Weak Ciphers	Ongoing
30th September 2025	UK Production - Internet	Consolidating Authentication Servers	noT STARTED
14th October 2025	UK Production - HSCN	HSCN - Legacy HL7 Port 7443 Deprecation	noT STARTED
18th November 2025	UK Production - HSCN	HSCN - Deprecation of Weak Ciphers	noT STARTED

Description of Changes

Legacy HL7 Port 7443 Deprecation

What is changing: PKB are moving HL7 services from a non-standard 7443 interface to a standard 443 interface using modern encryption.

Affected Systems: Any system that is sending HL7 messages to PKB.

What I need to do: Refer to the Sandbox, UK Production - Internet, or EU Production wiki page and make the URL change before the stated deadline.

URL Connectivity - Dynamic IP Addressing

What is changing: The underlying IP addresses will become dynamic, this means that they will change at anytime without notification, whitelisting by URL handles such an implementation. Our developer wiki outlines all of the services that you could be interfacing with.

Affected Systems: Any system that is calling PKB’s APIs and customers logging into our portal.

What I need to do: Check that any PKB whitelisting on your local firewalls is configured using URLs and not IP addresses, these rules should be updated as soon as possible and before the dates listed above.

If you are unable to whitelist by URL: You would need to whitelist these ranges. This method is not recommended and should only be used if whitelisting by URL is not possible, these IP addresses will change at anytime without notification.

Deprecation of Weak Ciphers

What is changing: To ensure security is maintained we are removing weak ciphers from all environments.

Affected Systems: Any system that is making TLS connections to PKB services.

What I need to do: Please check what cipher suites you are currently using for PKB services. Our developer wiki outlines all of the services that you could be interfacing with. Below are two tables showing a list of supported ciphers and ones that will be deprecated on the above schedule.

Supported Cipher Suites

Supported Cipher Suites
TLS_AES_128_GCM_SHA256	recommended
TLS_AES_256_GCM_SHA384	recommended
TLS_CHACHA20_POLY1305_SHA256	recommended
ECDHE-ECDSA-AES128-GCM-SHA256	recommended
ECDHE-ECDSA-AES256-GCM-SHA384	recommended
ECDHE-ECDSA-CHACHA20-POLY1305	recommended
ECDHE-RSA-AES128-GCM-SHA256	secure
ECDHE-RSA-AES256-GCM-SHA384	secure
ECDHE-RSA-CHACHA20-POLY1305	secure

Cipher Suites to be deprecated

Cipher Suites to be deprecated
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	Weak
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	Weak
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	Weak
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	Weak
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	Weak
TLS_RSA_WITH_AES_128_GCM_SHA256	Weak
TLS_RSA_WITH_AES_256_GCM_SHA384	Weak
TLS_RSA_WITH_AES_128_CBC_SHA256	Weak
TLS_RSA_WITH_AES_256_CBC_SHA256	Weak
TLS_RSA_WITH_AES_128_CBC_SHA	Weak
TLS_RSA_WITH_AES_256_CBC_SHA	Weak

Consolidating Authentication Servers

What is changing: Currently there are several authentication endpoints for accessing PKB APIs, we are consolidating them. The new endpoints will be ready for migration by the 30th May 2025, please note that this change applies to UK Production and Sandbox only.

Affected Systems: Any system that is using PKB authentication endpoints for accessing PKB APIs.

What I need to do: Update your PKB integration with the token URLs as shown below. The same credentials (client ID + secret) can be retained, only the token URL will change.

UK Production
Current: https://iam.uk.patientsknowbest.com/auth/realms/pkb/protocol/openid-connect/token
New: https://oauth2.patientsknowbest.com/api/oauth/token

Sandbox
Current: https://iam.sandbox.patientsknowbest.com/auth/realms/pkb/protocol/openid-connect/token
New: https://oauth2.sandbox.patientsknowbest.com/api/oauth/token

HSCN - Legacy HL7 Port 7443 Deprecation

What is changing: PKB are moving HL7 services from a non-standard 7443 interface to a standard 443 interface using modern encryption. The new endpoint will be made available in July which will allow customers time to move over at any point up to the deadline in October.

Affected Systems: Any system that is sending HL7 messages to PKB on HSCN.

What I need to do: Update your configuration to test and start using 443 instead of 7443, this should be done after the enablement of the new endpoint on the date listed in the above schedule. The endpoint details are:

New endpoint on Port 443:

https://nww.patientsknowbest.com/services/hl7

Endpoint deprecation on port 7443:

https://nww.patientsknowbest.com:7443/services/hl7

HSCN - Deprecation of Weak Ciphers