PKB Sandbox (HL7)

Status	Active
Last Updated	19th March 2025
Version	6

Available endpoints on Port 443:

Deprecations

sandbox.patientsknowbest.com :7443 is now deprecated.

Overview

The two available endpoints will only accepts ciphers that are deemed as recommeded and secure by the industry, if you are unable to support the below listed ciphers, please contact our support desk (email: help@patientsknowbest.com).

Option 1 - Preferred - mTLS Endpoint

mtls.hl7.sandbox.patientsknowbest.com is for customers who have:

Moved to the cloud
Can’t use static IPs when accessing our services

Identity is still derived from client credentials and not the client certificate. mTLS in this scenario is only used to replace IP allow listing. This is our preferred setup for new customers.

To start the process of mTLS client certificate creation please contact ca@patientsknowbest.com stating you wish to set up certificates for the UK Sandbox environment.

Full URL: https://mtls.hl7.sandbox.patientsknowbest.com/services/hl7

Option 2 - no-mTLS Endpoint

no-mtls.hl7.sandbox.patientsknowbest.com is for customers who have:

up-to-date client software tools that support the state of the art cipher suites
have static IPs that we can allow-list
can’t allocate budget to implement mTLS in short term

Full URL: https://no-mtls.hl7.sandbox.patientsknowbest.com/services/hl7

Standard ports

Using standard ports (443) allows us to consolidate our server certificate management and fully automate the renewal process for all our endpoints.

Local Firewall

Please ensure your ruleset is added to/updated to reflect the above URL/s

If you previously had a whitelisting by IP address this will need to be updated to the URL as the IPs addresses are dynamic and will change periodically.
We recommend you remove the deprecated URL/IP from your ruleset when you have successfully tested with the new URL/s.

WSDL

If you require a WSDL file please use one of the following paths depending on which option you are using:

no-mTLS - https://no-mtls.hl7.sandbox.patientsknowbest.com/hl7_wsdl.xml
mTLS - https://mtls.hl7.sandbox.patientsknowbest.com/hl7_wsdl.xml

Root CA

Server side - If you previously relied on the use of the root certificate ISRG Root CA you will need to update to a suitable Google Trust Services Root CA certificate.

Client side - If you are using an mtls certificate generated by PKB and require the root certificate please use a GlobalSign certificate.

Supported ciphers

Name (OpenSSL)		mtls	no-mtls

Name (OpenSSL)		mtls	no-mtls
TLS_AES_128_GCM_SHA256	recommended
TLS_AES_256_GCM_SHA384	recommended
TLS_CHACHA20_POLY1305_SHA256	recommended
ECDHE-ECDSA-AES128-GCM-SHA256	recommended
ECDHE-ECDSA-AES256-GCM-SHA384	recommended
ECDHE-ECDSA-CHACHA20-POLY1305	recommended
ECDHE-RSA-AES128-GCM-SHA256	secure
ECDHE-RSA-AES256-GCM-SHA384	secure
ECDHE-RSA-CHACHA20-POLY1305	secure