Introduction

Overview

Truphone’s solution is fully compliant with the GSMA Consumer eSIM Remote SIM Provisioning architecture and includes the implementation of SM-DP+, SM-DS, and interfaces such as ES2+, ES2+ User Interface, and all auxiliary services.

Architecture

These include a transport mechanism for file exchanges with an Operator BSS, and reporting APIs for data access.

Truphone supports all standard specification interfaces including SM-DS functionality.

Truphone recommends Operator integration over ES2+ interface for Profile Management functions. 

Additionally, a BSS interface for exchange of eSIM Input/Output files is available as an extended feature of ES2+

Integration and Onboarding

This high-level flow shows the integration steps with the platform.

The main focus of the onboarding and integration process is a strong focus on enabling eSIM provisioning and validation with eSIM-enabled devices, at the quickest speed possible.

Onboarding Process

Onboarding to the Io3 SIM provisioning platform consists of 5 main activities:

  1. Definition of the eSIM Profile
  2. Establishment of a secure data transport with Truphone 
  3. Configuration and provisioning of the first live subscriptions
  4. Setup of a platform API's and management user interface console for access to  Io3 SIM Provisioning
  5. Ordering and installation of first eSIM profiles

Onboarding

Introduction

Truphone offers various Remote SIM Provisioning services, allowing operators and device manufacturers to easily integrate with the Truphone Io3 eSIM ecosystem.

The Truphone Io3 platform enables eSIM services handsets equipped with eSIM, such as Apple iPhone XS/XR  and the Google Pixel 3. 

The Truphone Io3 Remote Sim Provisioning (Io3 RSP) platform is able to generate, manage, host and install mobile network operator eSIM profiles. 

Onboarding Process

For an operator to utilise the Io3 SIM provisioning platform, an onboarding process is required. This involves the integration of the Truphone Io3 Platform with the operational processes within a network operator in order to implement the relevant use cases for eSIM enabled devices. 

This onboarding process is similar for operators to the onboarding of a traditional SIM manufacturer. The same SIM lifecycle management practices can be utilised, minimising disruption to the operator BSS environment as existing physical SIM procurement processes are mirrored for the new digital eSIM.

Onboarding Process

The process consists of these main activities: 

  • Establish a secure data exchange between Truphone and the network operator
  • Definition and testing of the eSIM profile definition
  • Establish an automated ordering process for eSIM profiles and network subscriptions
  • API access to the Io3 SIM Provisioning platform
  • Access to Io3 SIM Provisioning reports and analytics 
  • Online ordering and/or generation of activation codes for eSIM profiles

Onboarding Checklist

A typical on-boarding process to the Io3 SIM provisioning platform will consist of the following activities. 

Pre-requisites

Non-Disclosure Agreement Signed

Truphone Remote SIM Provisioning terms and conditions signed

Remote SIM Provisioning Platform Configuration

Creation of specific operator instance in Io3 RSP platform

API Access

Security

Key Exchange(s)

Key Ceremony (for operator credentials)

Issue API  certificates for Mutual SSL and optional VPN network integration

Profile Creation

Definition of SIM Alliance interoperable Profile Package Template

Profile Template configuration in Io3 RSP platform

Profile testing and validation

Profile acceptance

Profile Ordering

 

Definition of profile order input template

eSIM profile ordering and input file (with active subscriptions)

Client Access

Access to Io3 Remote SIM Provisioning User Interface Provisioned

ES2+ functionality via API or user interface

Profile Validation

Generation of QR Codes vprofile installation

Operator BSS/OSS Integration

API documentation shared

Connectivity questionnaire for operator integration

ES2+ interface and connectivity for operator BSS/OSS

Reporting

 

Provision access to Remote SIM Provisioning Dashboard

Support

 

Support process and contacts shared

Acceptance and Go Live

 

Service acceptance

Go live

Profile Management

Key Exchange

A critical activity to be completed before any eSIM profile can be generated is the establishment of a secure data transport with Truphone. 

Key Exchange Process

The establishment of a secure transport key for the exchange of sensitive data between Truphone and the network operator ensures protection of network credentials needed for the creation of eSIM profiles. 

 

Profile Definition

The definition and validation of an eSIM profile template is required before any eSIM profiles can be provisioned in the Io3 SIM Provisioning platform. 

Profile Definition

This involves creating and registering a profile description on the Truphone Io3 RSP platform based on the profile description agreed with the operator.

Truphone will issue a template to support the development of this profile. 

Profile Ordering

The eSIM Profile Packages will be created, protected and stored in Truphone Io3 RSP platform. This step performed after an order from the respective Operator.

An operator orders the Protected Profile Package generation by providing the profile description ID of a previous Profile Description registered on Truphone Io3 RSP platform, along with some corresponding input data (credentials like ICCID and IMSI).

This is an MNO Profile Batch Input File and the overall flow for creating a batch of protected profile packages (PPPs) is depicted below:

Profile Ordering Process

The input data required for the Protected Profile Package generation (IMSI, ICCID, Ki, OTA Keys, PIN, PUK, etc.) depends on the Profile Description and needs to be prepared accordingly.  

The data will then be loaded into the Io3 SIM provisioning platform which will automatically create and securely store the Protected Profile Packages based on the input data and the profile template that has been already loaded.

The Io3 SIM provisioning platform then confirms the Protected Profile Package generation and, once completed, sends the additional operator output data (if created by the Truphone Io3 RSP platform) as well as confirmation of successful generation.

The network operator can then register the data in the operator systems like HLR/HSS/AuC and BSS.

Profile Input Data

The profile management primarily expects operator INPUT files. 

An INPUT file is typically a text file of an industry-standard format, which defines all the variable properties for each card or chip in batch. Sensitive information is encrypted on a transport key, implicitly known by all parties involved.

This file is used as input for the creation of a batch of profiles, containing all the subscription specific information needed by the Profile Descriptor (ICCID, IMSI, OPc, Ki, OTA Keys, etc). The keys are encrypted using the transport key previously exchanged with the customer.

Specific fields in the INPUT file are marked as sensitive and must be encrypted using the pre-established transport key.

An Input File will typically contain the following variables:

  • ICCID
  • IMSI1
  • KI
  • OPC
  • PIN1
  • PUK1
  • PIN2
  • PUK2
  • ADM1
  • ADM2
  • ACC
  • KIC
  • KID
  • KIK
  • PSK
  • DEK
  • PSK_ID

Profile Deletion

During in-life Operations, it is also be possible for an operator to request deletion of profiles. This involves the Io3 SIM Provisioning platform removing the previously personalised protected profile packages from the platform.

An operator may request the deletion of a SIM profile batch when the previous profile has become obsolete (e.g. the already produced profiles contain an IMSI that must be replaced).

Profile Deletion

This process is considered an exception and a profile only needs to be deleted in very rare conditions.

The SIM profile deletion can only be applied to the batch if no profiles within the batch have been downloaded or bound to EIDs.

The deletion request is performed through sending a deletion request file to the Io3 SIM Provisioning platform with the ICCIDs to be deleted.

The platform removes the profiles sends the result of the deletion process to the Operator.

A Deletion Result File is generated, and a file contains an entry for each profile that could not be deleted and an associated reason.

 

Profile States

eSIM Profiles may be in various states throughout their lifecycle. 

Profile State Diagram

State Name

Description

Available

The Profile is available in the inventory of the Io3 RSP platform.

Allocated

The Profile is reserved for downloading without being linked to an EID.

Linked

The Profile is reserved for downloading and is linked to an EID.

Confirmed

The Profile is reserved for downloading (linked or not linked to an EID) with Matching ID and Confirmation Code if required.

Released

The Profile is ready for download and installation after Network Configuration by the Operator (e.g.: HSS Registration).

Downloaded

The Bound Profile was delivered to the LPA. 

Installed

The Profile was successfully installed on the eUICC.

Error

The Profile has not been installed due to an error.

Deleted

The profile was deleted from the eUICC by the User.

Use Cases

Use Cases

A number of different profile ordering use cases can be supported by the Io3 SIM provisioning platform. 
1. Purchase via in Store
When a customer purchases an iPhone in a store, an eSIM is automatically assigned to that specific device. The customer can access the eSIM via the two above methods.
2. Purchase via eCommerce
As above, but for purchases via an eCommerce portal or in an App on the device
3. Install via QR Code
Provide QR codes to customers which represent an eSIM.  Delivery via different mediums, such as Email, In Store, Online.  Customer scans QR code on iPhone to install the eSIM
4. Install via App on device
The Operator releases an iOS App which a customer can log into.  The app includes a process to install an eSIM, either as a result of a customer purchase, or if the customer has an eSIM ‘waiting’ for them from an earlier purchase.

API's

ES2+ API's

Function

Path

Type

Description

DownloadOrder

https://domain/gsma/rsp2/es2plus/downloadOrder

Request/response

RSP platform is a server

Instruct the RSP platform of a new Profile download request

ConfirmOrder

https://domain/gsma/rsp2/es2plus/confirmOrder

Request/response

RSP platform is a server

Confirm a previously requested download order

CancelOrder

https://domain/gsma/rsp2/es2plus/cancelOrder

Request/response

RSP platform is a server

Cancel a pending download order request

ReleaseProfile

https://domain/gsma/rsp2/es2plus/cancelOrder

Request/response

RSP platform is a server

Release the profile for downloading by the User

HandleDownloadProgressInfo

 

https://domain/gsma/rsp2/es2plus/HandleDownloadProgressInfo

Notification

RSP platform is a client

Notify the Operator of the progress

The Io3 SIM provisioning API's all follow these standards. 
  • Transport: HTTP/1.1 over TLS v1.2 with mutual TLS certificates
  • Truphone will provide certificates for mutual SSL authentication
  • HTTP verb : POST
  • Payload: JSON encoded
  • Operator is acting as an HTTP client and server (for notifications)
  • The Operator  platform can be hosted under an operator.truphone.com domain, or a direct Operator URL

Extended API's

In addition to the standard APIs, Io3 SIM Provisioning platform offers a number of extended functions to improve reporting and profile pool management:

  • getEidInfo() - This API is used to get the details of all the profiles associated with an EID under the Operator.
  • getProfileInfo() - This API is used to get the details of an individual profile under the Operator
  • getInventory() - This API is used to get the inventory (list of profiles across all applicable profile types) for the Operator
  • getProfileReport() – This API is used to get information on recently updated profiles for an Operator over a date range

Reporting

Available Reports

In addition to the standard Io3 SIM Provisioning user interface, Truphone can provide various off-the-shelf reporting options to the operator, based on requirements.

Data Extracts

Truphone can provide data delivery to the operator in the form of daily extracts in JSON or CSV format, for ingestion into the operator’s existing reporting solution. This can be via standard transport mechanisms, such as sFTP, or delivered into an operator cloud such as AWS S3.

Usage Summary Report

Truphone can provide a hosted summary report to the operator capturing key information valuable to the operator.  This report can be delivered via email to an audience each day and made available online.

Reporting API's

The operator may choose to utilise extended the Io3 Platform extended ES2+ APIs, in addition to SM-DP+ platform specific APIs for reporting. These can be utilised by the operator to integrate with an existing reporting solution.

Operational Integration 

Truphone additionally provides complete Platform Operations Integration to the operator for service, problem and change management.

Reportable Data

The following data items are included in profile reporting. Additional data including:

  • ICCID of profile
  • Profile Matching ID
  • Operator ID
  • Profile Owner ID
  • Profile Type (Operational / Bootstrap)
  • Profile Status (Installed, Downloaded etc)
  • Profile Type (the unique ID for this class of profile)
  • SM-DP+ Address (URL)
  • EID of device
  • Old State of Profile
  • New State of Profile
  • Profile Transition ID (an ID for each change of Profile state)
  • Caller (ID of Operator)

Useful links

Useful References

SIM Alliance

  • SIMalliance: eUICC Profile Package Interoperable Format Technical Specification V2.1

GSMA (Consumer Remote SIM Provisioning)

  • GSMA SGP.21.RSP Architecture, Version 2.2
  • GSMA SGP.22 RSP Technical Specification, Version 2.2
  • GSMA SGP.23 RSP Test Specification, Version 1.2


GSMA (M2M Remote SIM Provisioning)

  • GSMA Embedded SIM Remote Provisioning Architecture, Version 1.1
  • GSMA SGP.11 Remote Provisioning Architecture for Embedded UICC Test Specification v3.1
  • GSMA SGP.02 v3.2, Remote Provisioning Architecture for Embedded UICC Technical Specification


Security Accreditation Scheme

  • GSMA SAS Standard for Subscription Manager Roles Version 3.0
  • GSMA SAS Methodology for Subscription Manager Roles Version 4.0
  • Security Accreditation Scheme - Consolidated Security Requirements, Version 2.0


Cryptography

  • Advanced Encryption Standard (AES), as defined by NIST in FIPS 197
  • The Data Encryption Standard, as defined by NIST in FIPS 46-1 and 46-2
  • Secure Hash Algorithm, as defined in Secure Hash Standard, NIST FIPS 180-1
  • RFC 5639 Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation
  • BSI TR-03111 BSI Technical Guideline; Elliptic Curve Cryptography
  • RFC 4492 Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security
  • RFC 7027 Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)