NMVS Release 1.10 – April 2022 – Breaking Changes
26 July 2021
In April 2022 the UKNI MVS will be updated to Arvato NMVS version 1.10 and the release will bring some breaking changes. Please read on to understand the changes so that you can confirm whether your NMVS software is impacted…
UKNI MVS v3 interface to be deprecated
As you know, two versions of the NMVS interface are supported and there is a limitation of only one interface version update per year, to give software suppliers adequate time to implement the changes in their software. NMVS version 1.06 introduced the new v4 interface in April 2020 and software suppliers were encouraged to implement the changes and migrate from v3 to v4 thereafter. When NMVS version 1.10 is delivered in April 2022 the v3 interface will be deprecated and a new v5 interface will be implemented. At that time, any users still operating on the v3 interface will no longer be able to connect to the UKNI MVS. If your software is still connecting to the v3 interface, you will need to implement the new v4 interface and roll it out to your users prior to the release in April 2022.
The implementation guideline and related documentation can be found on the Arvato Software Supplier Portal. You should refer to the documentation for NMVS 1.06, which introduced the v4 interface, as well as the documentation for NMVS 1.08 which is the current version.
Host-header validation will be enforced
The web servers hosting the NMVS interfaces (both v3 and v4) do not currently validate the host-header information in each web services transaction and this has been identified as a security issue. This will be corrected at the same time that NMVS version 1.10 is delivered in April 2022. From this point on, any web service transaction that does not include a valid host-header will be rejected. If your NMVS software does not transmit valid host-headers your users will effectively be disconnected from the NMVS as they will not be able to successfully submit pack transactions after this change.
Example: Web service transactions submitted to the URL ws-single-transaction-int-uk.nmvs.eu must include a host-header of ws-single-transaction-int-uk.nmvs.eu. If the host-header is empty or contains any other value it will be rejected with HTTP status code: 421.
Testing: This change has already been applied to the UKNI Integration Qualification Environment (IQE) so you can test that your software is compliant, if you have an account in that environment. If you do not have an account for IQE and would like to use it for testing, we can set that up for you. Please contact SecurMed Technical Services.
Arvato have already communicated this change to you, and we are reiterating this issue here because of its criticality to your users' ability to connect to the NMVS.