eSIM Subscription Management for M2M

The functional scope of the Subscription Management platform is to handle network access credentials securely, in the form of MNO profiles, and to provision these profiles to the eUICC in an IoT or consumer device. Close integration of the SM-DP and/or SM-DP+ components with the MNO infrastructure, and adoption of the supported workflows in the MNO's business processes, are the key to deploying Subscription Management services successfully.

The strategy of achelos IoT is to offer an interoperable solution with eUICCs of any vendor in order to offer customers a choice instead of a closed product ecosystem. Our solution allows customers to be in full control of the service. An open platform is the key to successful subscription management deployments, providing an easy and transparent way for any party to connect: an MNO, a SIM manufacturer, a device manufacturer and an M2M/IoT platform provider, to name just a few examples.

The solution offered provides the following key features in relation to eUICC management:

  • Support of the use cases defined by GSMA
  • Compliance with GSMA specifications for M2M (SGP.02, v3.2)
  • Compliance with GSMA SAS requirements with regard to software implementation
  • Multiple delivery channels: SMS (SMPP v3.4 or higher) and HTTPS as standard (CAT_TP provided on demand)
  • External interfaces as defined by GSMA (SOAP mapping provided on demand)

All core components are built as loosely coupled microservices. Asynchronous data exchange between services uses TCP, HTTP(S) or a message broker; synchronous exchange uses TCP or HTTP(S). This approach was selected to achieve horizontal scalability of the complete system and to improve the testability of each service in isolation.

SM-SR

As the name “Secure Routing” indicates, the SM-SR is the central transport node of the M2M solution: it establishes the secure channel over which commands and encrypted profiles are delivered to the eUICC.

Information about available eUICC types and their respective configuration and state is stored in its eUICC repository in the form of an extended EIS record (eUICC Information Set), which contains proprietary fields in addition to those defined by GSMA.

[Figure: Logical components of achelos IoT SM-SR]

When an eUICC or a profile state needs to be changed, the SM-SR packages the messages in compliance with the selected OTA protocol and sends them over the selected transport protocol to the target eUICC.

Transport protocols are implemented by a dedicated service in order to enable layered firewall and DMZ configurations. The transport selection algorithm is configured using deployment-specific script files that implement the required workflows.

The transport subsystem implementation supports the following protocols:

  • SCP80 over SMS-PP
  • SCP81 over HTTPS (TLS-PSK)
  • SCP80 over CAT_TP (on demand)

The SMPP/SMS module is a standalone application implementing Short Message Peer-to-Peer protocol (SMPP v3.4). This protocol is used to send and receive SMS to and from the eUICC. Other protocols can be supported on request.

The HTTPS module supports HTTP over Transport Layer Security (TLS). Each eUICC holds a unique pre-shared key (PSK), and the TLS session with the server is established in PSK mode, so the eUICC is authenticated by that key rather than by a certificate; because the key is unique per eUICC, a compromised key exposes only that eUICC's channel. The HTTPS module manages the TLS layer and translates HTTP messages into a form that the other services can process.

Both push and pull modes are supported for HTTPS connections. In push mode a mobile-terminated SMS triggers the eUICC to open the data channel to the subscription manager; pull mode works without this trigger SMS and therefore needs no SMS-C integration at all.

In pull mode the eUICC periodically establishes an HTTPS channel with the SM-SR, which then delivers any commands queued for that particular eUICC. The command queue is held within the SM-SR and can be managed via API or GUI. Support for pull mode depends on the eUICC implementation and is outside the scope of the GSMA specification.

SM-DP

The SM-DP is responsible for creating and protecting the operator credentials, i.e. the profile. It uses the SM-SR for communication with the eUICC. The core of the SM-DP is the service that delivers MNO profiles to devices compatible with the GSMA M2M specification.

The SM-DP encrypts the profile for the profile's own security domain on the eUICC (the ISD-P) under keys that the SM-SR never holds, so the protected profile can in principle pass through any SM-SR, whether the solution's internal module or an interconnected external SM-SR, without that SM-SR being able to read it.

Unlike the SM-SR, which relies on pre-shared keys for transport security, the SM-DP runs a key establishment procedure with the eUICC and derives a fresh set of session keys that are used to encrypt the profile download commands.

The following steps are performed, with the SM-DP acting on behalf of the MNO:

  • The MNO defines a profile template, a set of files and applications available for download to eSIMs. The template is represented in the ASN.1 form defined by the TCA (formerly SIMalliance) eUICC Profile Package: Interoperable Format Technical Specification, with some extensions for subscription personalisation variables
  • The MNO imports subscription details: network authentication keys and identifiers
  • The MNO orders a profile for download
  • The SM-DP connects to the eUICC via the channel established by the SM-SR and performs mutual authentication
  • The SM-DP prepares the protected profile package and hands it to the SM-SR for download to the target eUICC

[Figure: Logical components of achelos IoT SM-DP]

The “Profile Download and Installation Procedure” defined by GSMA is executed by the APDU Engine component. The APDU Engine uses the shared CryptoServer module to encrypt and decrypt profile packages with SCP03/SCP03t (application-level security, independent of the SCP80/SCP81 transport protection applied by the SM-SR).
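The two passages above name a key establishment that yields fresh session keys and SCP03/SCP03t as the application-level protection, without showing what that looks like on the wire. The following is an added example, written for this page and not code from achelos IoT or from any GSMA or GlobalPlatform reference implementation: a host-side SCP03 session in Go using only the standard library. It derives S-ENC and S-MAC from static keys and the two challenges, computes the card and host cryptograms used for mutual authentication, and wraps a command APDU with encryption (counter-derived ICV) and a chained C-MAC. Derivation constants, KDF layout and ICV rules follow GlobalPlatform SCP03 (GPC_SPE_014); the key value in main is GlobalPlatform's well-known default test key and the challenges and command data are constructed. The SCP03t variant used for profile packages in SGP.02, where the keys come from an ECKA key agreement and the data is TLV-framed rather than APDU-framed, is assumed to differ in those respects and is not covered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// aesCMAC is AES-CMAC (RFC 4493) built on crypto/aes; the Go standard library ships no CMAC.
func aesCMAC(key, msg []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are 16 bytes throughout this example
	dbl := func(in []byte) []byte { // multiply by x in GF(2^128), for the subkeys K1 and K2
		hi, lo := binary.BigEndian.Uint64(in), binary.BigEndian.Uint64(in[8:])
		out := make([]byte, 16)
		binary.BigEndian.PutUint64(out, hi<<1|lo>>63)
		binary.BigEndian.PutUint64(out[8:], lo<<1^(0x87&-(hi>>63)))
		return out
	}
	k1 := make([]byte, 16)
	block.Encrypt(k1, k1) // L = AES_K(0^128)
	k1, k2 := dbl(k1), dbl(dbl(k1))
	last, n := make([]byte, 16), len(msg)/16+1 // n counts a (possibly empty) partial last block
	if len(msg) > 0 && len(msg)%16 == 0 {
		n-- // no partial block: the complete final block is XORed with K1
		copy(last, msg[(n-1)*16:])
		xorInto(last, k1)
	} else {
		copy(last, msg[(n-1)*16:]) // partial block: 10* padding, XORed with K2
		last[len(msg)%16] = 0x80
		xorInto(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*16:])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x
}

// scp03KDF is the SP 800-108 counter-mode KDF with CMAC as PRF, input laid out as SCP03 requires:
// 11 zero bytes || derivation constant || 0x00 || L in bits (2 bytes) || counter || context.
func scp03KDF(key []byte, constant byte, lenBits uint16, context []byte) []byte {
	var out []byte
	for i := byte(1); len(out)*8 < int(lenBits); i++ {
		in := append(make([]byte, 11), constant, 0x00, byte(lenBits>>8), byte(lenBits), i)
		out = append(out, aesCMAC(key, append(in, context...))...)
	}
	return out[:lenBits/8]
}

// Session is the host-side SCP03 state once INITIALIZE UPDATE has returned the card challenge.
type Session struct {
	SENC, SMAC, ctx []byte // session keys; ctx = host challenge || card challenge
	macChain        []byte // 16-byte MAC chaining value, all zero for the first command
	encCounter      uint32 // command encryption counter, 1 after EXTERNAL AUTHENTICATE
}

// NewSession derives fresh S-ENC (constant 0x04) and S-MAC (0x06) from the static keys and both challenges.
func NewSession(staticENC, staticMAC, hostChallenge, cardChallenge []byte) *Session {
	ctx := append(append([]byte{}, hostChallenge...), cardChallenge...)
	return &Session{SENC: scp03KDF(staticENC, 0x04, 128, ctx), SMAC: scp03KDF(staticMAC, 0x06, 128, ctx),
		ctx: ctx, macChain: make([]byte, 16), encCounter: 1}
}

// The 64-bit cryptograms (constant 0x00 card, 0x01 host) let each side prove it holds the static keys.
func (s *Session) CardCryptogram() []byte { return scp03KDF(s.SMAC, 0x00, 64, s.ctx) }
func (s *Session) HostCryptogram() []byte { return scp03KDF(s.SMAC, 0x01, 64, s.ctx) }

// commandICV is AES_S-ENC(counter) with the counter as a 16-byte big-endian integer.
func commandICV(senc []byte, counter uint32) []byte {
	block, _ := aes.NewCipher(senc)
	ctr, icv := make([]byte, 16), make([]byte, 16)
	binary.BigEndian.PutUint32(ctr[12:], counter)
	block.Encrypt(icv, ctr)
	return icv
}

// WrapCommand applies C-DECRYPTION then C-MAC to a command APDU that carries data: pad 0x80 00..,
// AES-CBC under S-ENC with the counter ICV, then CMAC under S-MAC over chain || header || ciphertext.
func (s *Session) WrapCommand(cla, ins, p1, p2 byte, data []byte) []byte {
	block, _ := aes.NewCipher(s.SENC)
	padded := append(append([]byte{}, data...), 0x80)
	padded = append(padded, make([]byte, (16-len(padded)%16)%16)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, commandICV(s.SENC, s.encCounter)).CryptBlocks(ct, padded)
	s.encCounter++
	hdr := []byte{cla | 0x04, ins, p1, p2, byte(len(ct) + 8)} // CLA bit 3 = secure messaging; Lc includes the MAC
	mac := aesCMAC(s.SMAC, append(append(append([]byte{}, s.macChain...), hdr...), ct...))
	s.macChain = mac // the full 16-byte MAC chains into the next command
	return append(append(hdr, ct...), mac[:8]...)
}

func main() {
	// Constructed inputs: GlobalPlatform's well-known default test key and fixed 8-byte challenges.
	key, _ := hex.DecodeString("404142434445464748494a4b4c4d4e4f")
	s := NewSession(key, key, []byte("hostchal"), []byte("cardchal"))
	fmt.Printf("S-ENC %x  S-MAC %x  card cryptogram %x\n", s.SENC, s.SMAC, s.CardCryptogram())
	fmt.Printf("wrapped APDU %x\n", s.WrapCommand(0x80, 0xE2, 0x00, 0x00, []byte("hello-euicc")))
}
```

The CMAC helper can be checked against the RFC 4493 vectors before trusting anything built on it. Two properties are worth noting for a transport designer: the ICV counter means the same plaintext encrypts differently in every command, and the MAC chaining value means a command cannot be replayed or reordered within a session without the card's C-MAC check failing, which is why these session keys, and not the SCP80/SCP81 transport keys, are what protect the profile download.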

The Profile Repository manages the orders placed by the Connectivity Provider at the SM‑DP and manages the status of each order.
