Creating, generating, and distributing ESIMs

The system generates eSIM profiles within a secure private network, addressing inefficiencies and compliance issues by integrating UICC into baseband processors and using a cloud-based security server for fast, secure, and cost-effective distribution.

JP2026094106APending Publication Date: 2026-06-09RIPSIM TECHNOLOGIES INC

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
RIPSIM TECHNOLOGIES INC
Filing Date
2026-01-26
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing SIM technologies are inefficient, costly, and cumbersome, requiring manual processes and taking over a month to generate eSIM profiles, and struggle with compliance to ever-changing global data security regulations, necessitating local infrastructure for each country.

Method used

A system for generating eSIM profiles within a secure private network of a wireless service provider, using an intuitive software solution to create and distribute eSIM profiles over-the-air, integrating UICC into baseband processors, and utilizing a cloud-based security server for secure, fast, and simple eSIM profile generation and distribution.

Benefits of technology

Enables quick, secure, and cost-effective generation and distribution of eSIM profiles without external data exchange, reducing reliance on third-party vendors and ensuring compliance with global data security regulations.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026094106000001_ABST
    Figure 2026094106000001_ABST
Patent Text Reader

Abstract

This invention provides a system and method for informing a user in real time that it is impossible to generate an eSIM that performs authentication functions for the network. [Solution] eSIM software for generating eSIMs running within a wireless communication service provider's (WSP) secure private network receives user input information via a user interface to create or modify an eSIM profile template. The eSIM generated within the WSP secure private network is shared outside the secure private network using information entered via a partner user interface accessed with restricted access using authentication credentials to modify the eSIM profile template.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to the generation of eSIM profiles.

Background Art

[0002] A "SIM card" has software and software applications associated with the hardware manufacturing process. The plug-in SIM card hardware has been miniaturized over the past 30 years since the embedded SIM card was used in 2010, about 10 years ago. The embedded form factor of the hardware SIM is a game-changer and uses the Over-the-Air (OTA) update function of software applications. One of the software applications is called an eSIM or eSIM profile, which can have unique secure authentication information for each wireless service provider (WSP) worldwide.

[0003] An eSIM is electronic / digital SIM software with a network authentication key and is an evolved form of SIM software that operates on a UICC or UICC (secure hardware) embedded in a device. Currently, an eSIM is separated from the secure hardware and is not pre-loaded onto the hardware during the manufacturing process.

[0004] The technology used to produce SIM software and applications has not changed much in the 30 years since the release of the "SIM card" in 1991. WSPs have to wait more than a month to receive new eSIMs or eSIM profiles from current SIM vendors, and since the eSIM profile information is inseparably connected to the vendor's hardware (i.e., an eUICC), WSPs have to repeat the working process with various vendors. WSPs may also incur costly network management due to human errors of current SIM vendors who still use a manual process when generating eSIMs.

[0005] The business model has remained unchanged for 30 years, and the current model is also approaching the aging of SIM card hardware, which is seen as a sign of its continued decline. Finally, new data security and personal data protection regulations are shifting globally towards requiring security-related data to be stored domestically. Existing SIM vendors cannot manage the numerous, ever-changing regulations, which are costly and cumbersome to comply with, because doing so would require building local offline sales outlets and data centers in each country. [Overview of the Initiative] [Problems that the invention aims to solve]

[0006] Therefore, a method is needed to generate eSIM profiles and software and transfer them over a network such as the World Wide Web or the Internet via a WSP Secure Private Network (i.e., a WSP trusted network environment where devices and entities cannot be accessed without authorization / authentication information provided by WSP), thereby eliminating dependence on a third SIM vendor. [Means for solving the problem]

[0007] In one embodiment, the hardware portion or form of the UICC can be incorporated into a baseband processor chip (i.e., integrated UICC or iUICC) or other forms of built-in secure elements of wireless user devices to save space on future in-device printed circuit boards. To leverage this functionality, an intuitive software solution can be controlled within the scope of WSP. WSP includes, but is not limited to, the operator types listed in the abbreviations section below. Using eSIM design and generation software solutions, WSP can generate eSIM profile templates and eSIM profiles in a new, fast, secure, and simple manner. The eSIM design and generation software solution includes the following elements and modules: an intuitive online profile generation wizard that guides WSP users through the generation of new eSIM profile templates (online but still inaccessible from networks outside the WSP Secure Private Network); an eSIM profile generation / data processing module that generally automatically generates eSIM profiles by clicking software buttons; and a WSP cloud-based security server that stores eSIM profiles in real time and transmits them as needed to wireless mobile user equipment (which must be authenticated and connected to the WSP network) (inaccessible from networks outside the WSP Private Network and maintained within the WSP Private Network).

[0008] WSP or authorized WSP personnel can quickly, easily, and securely generate as many eSIM profiles as needed for UICC, eUICC, iUICC, or future security versions. WSP and trusted users / personnel can define, generate, and package eSIM profiles and eSIM profile information using an intuitive, user-friendly, and new security browser-based user interface tool, without requiring any information or data from outside the private network, and without sending any information or data from the private network to devices or network components outside the WSP private network.

[0009] eSIMs and eSIM profiles are WSP (Wireless Service Provider) specific software used for device authentication and secure connectivity to WSP networks. eSIM profiles, also called digital SIMs (not physical SIM cards), are loaded over-the-air (OTA) into the device's secure element and can be added, removed, activated, deactivated, or updated throughout the device's lifespan. In describing novel aspects herein, the term “eSIM” may refer to an eSIM profile and not necessarily to an internal SIM.

[0010] In one embodiment, the method of the present invention includes the step of receiving a wireless subscriber eSIM profile template parameter selection via a user interface running on a user data input computer device connected to a trusted private network of a wireless service provider. The trusted secure private network can be defined as a software-based or hardware-based firewall or other technology. The firewall or other technology is configured to prevent intrusion from the secure private network of highly secure data and information that the wireless service provider wishes to be protected and secured from the outside (i.e., users and devices that do not have the authority to access highly secure or protected information). The user data input computer device may be a PC, tablet, smartphone, etc., and may also be a computer device or element that is part of an administrator system. The user interface is also called an administrator interface. The user interface may include a browser-based eSIM profile creation tool user interface. The method may include the step of automatically selecting a wireless subscriber eSIM profile template template based on the wireless eSIM profile template parameter selection. "Automatically" may include selecting a profile template based on the data and information entered by the user when there is a mismatch between the data and information entered by the user for the available templates. For example, if a user enters the relevant information only into a machine-to-machine wireless device and then enters the same information into a consumer wireless device, an error message informing the user of such a mismatch may be displayed. "Automatically" can also mean that when the user selects the "hit enter" button or another button, a computer program running on the network computer determines the eSIM profile template based on the information and data entered by the user.

[0011] The selection of wireless eSIM profile template parameters includes onboarding data. Examples of onboarding data parameters are shown in Tables 1 and 4. This method involves generating a wireless subscriber eSIM profile that conforms to the wireless subscriber eSIM profile template, and the wireless subscriber eSIM profile has subscriber information applicable (generally unique) to a specific subscriber for use in that subscriber's wireless subscriber equipment when receiving services wirelessly from the wireless service provider's secure private network. To generate eSIM profiles, the user can specify the number of eSIM profiles to be generated using the user interface provided by the eSIM generation tool. In this method, the eSIM generation tool causes the wireless subscriber eSIM profile to be stored in the network system components of the wireless service provider's private network for future download to the subscriber equipment corresponding to the wireless subscriber eSIM profile from within the wireless service provider's secure private network. One or more eSIM profiles do not need to be downloaded to some or all of the relevant wireless equipment in the field in a single deployment.

[0012] In one embodiment, subscriber information includes network authentication credentials used to authenticate wireless devices to the wireless service provider's secure private network. For example, WSP secret keys and encryption keys are securely stored in elements of the wireless service provider's secure private network. Such elements include hardware security modules.

[0013] In one embodiment, the reception of parameter selection for the wireless subscriber eSIM profile template, the automatic selection of the wireless subscriber eSIM profile template, the generation of the wireless subscriber eSIM profile, and the saving of the wireless subscriber eSIM profile are performed by an element of the wireless service provider's private network, which is inaccessible to computer devices that are not elements of the wireless service provider's private network.

[0014] In one embodiment, a computer device that is not an element of the wireless service provider's private network may be one or more elements of the wireless service provider's private network that it cannot access, such as an SM-DP / SM-SR / SM-DP+ element, an HLR / HSS / UDM element, a SIM OTA element, or an OSS / BSS component.

[0015] In one aspect, the wireless subscriber eSIM profile template parameters include Profile Header, Master File, CD, PINCodes, PUKCodes, TELECOM, USIM, OPT-USIM, Phonebook, GSM-Access, 5GS, SAIP, ISIM, OPT-ISIM, EAP, GenericFileManagement, AKAParameter, SecurityDomain, Application, Remote File Management, NonStandard, and End.

[0016] In one embodiment, the user application running on the user data input computer device also provides a user interface for receiving onboarding data and eSIM profile template parameter selections from the user. In one embodiment, the user application running on the user data input computer device may be a browser. The browser can access, view, or interact with web pages provided or hosted by the eSIM application running on a computer component that is part of the wireless service provider's secure private network. Examples of eSIM applications include an eSIM profile creation tool user interface and an eSIM generation tool user interface.

[0017] In one embodiment, a system is provided for generating eSIM profiles within a secure private network of a wireless service provider. Certain secure information, such as input data, is held within the secure private network of the wireless service provider and can be used to generate eSIM profiles without any specific secure information leaving the secure private network. In another embodiment, the secure computer components of this system can operate within the secure private network and be logically isolated from computer components outside the secure private network that have a processor. This processor operates in response to instructions from an eSIM generation tool and can provide an interface for receiving wireless subscriber eSIM profile template parameter selections via a user interface executed on a user data input computer device coupled to the secure private network. This processor can also provide an eSIM generation tool user interface in response to instructions from the eSIM generation tool. The eSIM generation tool and the processor receiving its instructions can use the selected wireless subscriber eSIM profile template, determined based on the selection of wireless eSIM profile template parameters, and the information entered by the user in the user interface provided by the eSIM generation tool. In one embodiment, the processor, upon receiving instructions from an eSIM generation tool, generates a wireless subscriber eSIM that conforms to a selected wireless subscriber eSIM profile template, and the wireless subscriber eSIM has subscriber information corresponding to a specific subscriber for use in the wireless subscriber equipment of that specific subscriber to receive services wirelessly from the secure private network of the wireless service provider. The processor may also, upon receiving instructions from the eSIM generation tool, cause the wireless subscriber eSIM profile to be stored in a network system component coupled within the secure private network of the wireless service provider for wireless download to the wireless subscriber equipment corresponding to the wireless subscriber eSIM profile.

[0018] In one embodiment, the secure information of a wireless service provider used to generate an eSIM profile that does not leave a secure private network includes input data obtained from a WSP input data server that is accessible only from within the wireless service provider's secure network by command from the eSIM generation tool.

[0019] In one embodiment, a computer component equipped with a processor receives input data from an input data server via an input data interface, but such a computer component, input data server, and input data interface are connected within a secure private network, operate only within that network, and are inaccessible from the outside.

[0020] In one embodiment, the input data interface has an API, which can be embodied as a REST API or a SOAP API. Different API protocols can be used for each WSP to accept different requirements for each WSP.

[0021] In one embodiment, for wireless download to a wireless subscriber device corresponding to a wireless subscriber eSIM profile, the network system components coupled within the secure private network of the wireless service provider may be one or more HLR / HSS / UDM, SM-DP+ / SM-DP / SM-SR, SIM-OTA, or OSS / BSS components.

[0022] In one embodiment, a computer component with a processor, operating within a secure private network and logically isolated from computer components outside the secure private network, generates a wireless subscriber eSIM profile for a selected wireless subscriber that conforms to an eSIM profile template, and for wireless download to the wireless subscriber device corresponding to the wireless subscriber eSIM profile, the wireless subscriber eSIM profile can be stored a predetermined number of times for multiple eSIM profiles from a network system component coupled within the secure private network of the wireless service provider, and each eSIM profile can have unique data for each of the remaining eSIM profiles. For example, a user can enter 100 in an eSIM generation tool user interface dialog box such as an alphanumeric text / value field, a dropdown box, or radio buttons. In this case, the eSIM generation tool generates 100 eSIM profiles with eSIM profile data that adds multiple parameter fields as determined by the eSIM profile template selected to be used to generate 100 eSIM profiles. The eSIM profile data has information unique to each generated eSIM and identifies and authenticates the WSP of a specific wireless user device that downloaded the eSIM profile to the secure private network.

[0023] In one embodiment, the system may also contain an eSIM generation tool running on a computer device within the Wireless Service Provider's Secure Private Network. This eSIM generation tool, also known as an eSIM generation engine or eSIM generation module, is generally a software / application element that is part of the eSIM design and generation system, along with other software and applications used for data onboarding and profile template generation that enable the creation of a Secure Private Network for the WSP.

[0024] In one embodiment, the eSIM generation tool may also use a selected wireless subscriber eSIM profile template generated from onboarding data entered by a first user through the eSIM profile creation tool user interface. The eSIM generation tool can respond to information entered by a second user through the eSIM generation tool user interface, hosted by a computer device operating within the wireless service provider's secure private network, and generate a wireless subscriber eSIM that conforms to the selected wireless subscriber eSIM profile template. The wireless subscriber eSIM includes subscriber information corresponding to a specific subscriber for use in the wireless subscriber device of that particular subscriber to receive wireless services from the wireless service provider's secure private network. The eSIM generation tool can cause the wireless subscriber eSIM profile to be stored in a network system component accessible from within the wireless service provider's secure private network for wireless download to the wireless subscriber device corresponding to the wireless subscriber eSIM profile. The matching of the eSIM profile with its corresponding wireless user device may be based on values, numbers, or other identifiers unique to the wireless user device and the eSIM, such as pairing the IMEI of the wireless user device with the ICCID of the eSIM profile.

[0025] In one embodiment, the first user is a highly secure user, and the second user is not a highly secure user. In another embodiment, both the first and second users are highly secure users. The second user or both may be the same highly secure user.

[0026] Also, in one aspect, a hardware security module interface can be used between an eSIM generation tool and a hardware security module (“HSM”), and the hardware security module interface and the hardware security module operate only within the secure private network of the wireless service provider and are not accessible from the outside. The hardware security module interface can provide an interface to the WSP's HSM so that the eSIM generation tool can interact with the HSM to obtain key data, but a third eSIM vendor that generates eSIM profiles outside the WSP's secure private network cannot access the WSP's hardware security module.

[0027] Also, in one aspect, the eSIM generation tool can generate a number of eSIM profiles according to the quantity input by a second user via an eSIM generation tool user interface, and store the plurality of eSIM profiles in network system components, where the network system components include HLR / HSS / UDM, SM-DP+ / SM-DP / SM-SR, SIM-OTA, or OSS / BSS components.

[0028] In one embodiment, the method of the present invention includes the step of receiving an eSIM profile template parameter selection via an MVNO / partner portal user interface that runs on a first computer device not operating within the secure private network of a wireless service provider, the MVNO / partner portal user interface may provide a restricted subset of eSIM profile template parameters that the MVNO / partner user can modify based on the MVNO / partner user's authentication information. For example, the first computer device providing the MVNO / partner portal user interface may be a laptop, desktop, or wireless mobile device used by the MVNO / partner user running the application. The profile template parameters are profile elements, and the restricted subset of eSIM profile template parameters may be specific profile elements to which the MVNO / partner has been granted access rights so that they can only access and modify the restricted subset. The method includes the step of modifying an eSIM profile template within the secure private network of a wireless service provider so that the eSIM profile template becomes an eSIM profile template modified based on the eSIM profile template parameter selection. The template parameter selection may be parameters that the WSP user has enabled, allowed, or made accessible to the MVNO / partner user. WSP users typically log in to the partner management tool user interface using their WSP user credentials, while MVNO / partner users typically log in to the MVNO / partner portal user interface using their MVNO / partner credentials.This method includes receiving a request originating from a second computer device that does not operate within a secure private network, based on a selection received from a first computer device that generates an eSIM profile to conform to a modified eSIM profile template and does not operate within a secure private network. The second computer device can be a laptop, desktop, or wireless mobile device used by an MVNO / partner user who executes an MVNO / partner portal user interface. This method may include causing a network system component that is part of a wireless service provider's secure private network or not to store the eSIM profile to enable wireless download of the eSIM profile to a partner wireless subscriber device. Network system components that enable wireless download include HLR / HSS / UDM, SM-DP+ / SM-DP / SM-SR, SIM-OTA, or OSS / BSS components.

[0029] In one aspect, the eSIM profile has subscriber information including network authentication credentials for use in authenticating the partner wireless subscriber device to a wireless service provider's secure private network.

[0030] In one aspect, the first computer device and the second computer device that do not operate within a secure private network are not the same computer device. In one aspect, the first computer device and the second computer device that do not operate within a secure private network are the same computer device.

[0031] In one embodiment, SM-DP / SM-SR / SM-DP+ elements, HLR / HSS / UDM elements, SIM OTA elements, or OSS / BSS components are elements of the wireless service provider's secure private network that are not part of the wireless service provider's secure private network and cannot access computer devices, and the partner SM-DP+ / SM-DP server is instructed to store the eSIM profile on a network system component that is not part of the wireless service provider's secure private network for wireless download to partner wireless subscriber devices that support the eSIM profile.

[0032] In one embodiment, wireless subscriber eSIM profile template parameters, or a limited subset of profile elements, that are accessible to WSP users and can be modified by MVNO / partner users may include Java® applets, network names, or GID1 / GID2.

[0033] In one embodiment, the application running on the first and second computer devices that provide the MVNO / partner user interface to the MVNO / partner user is a browser.

[0034] In one embodiment, the MVNO / partner portal user interface is provided by an eSIM partner portal application hosted within the WSP's secure private network.

[0035] In one embodiment, this step is performed by an eSIM generation and management software system running on a computer component operating within a secure private network.

[0036] In one embodiment, a computer component operating within a secure private network of a wireless service provider, equipped with a processor that provides an MVNO / partner portal user interface running on a computer device, receives a selection of eSIM profile template parameters via the MVNO / partner portal user interface running on a first computer device not operating within the secure private network, the MVNO / partner portal user interface provides a limited subset of eSIM profile template parameters, which the user of the MVNO / partner user interface modifies based on user authentication information used to access specific elements of the secure private network; modifies the eSIM profile template based on the selection of eSIM profile template parameters received from the first computer device not operating within the secure private network; receives a request initiated from a second computer device not operating within the secure private network for an eSIM profile based on the modified eSIM profile template; and generates an eSIM profile that conforms to the modified eSIM profile template. In one embodiment, the storage of the eSIM profile in a network system component, whether or not it is part of the wireless service provider's secure private network, may also enable wireless download to partner wireless subscribers.

[0037] In one embodiment, the eSIM profile includes subscriber information, which includes network authentication credentials used to authenticate a partner radio subscriber device to the radio service provider's secure private network.

[0038] In one embodiment, elements of the wireless service provider's secure private network that are inaccessible to computer devices that are not elements of the wireless service provider's secure private network include SM-DP / SMSR / SM-DP+ elements, HLR / HSS / UDM elements, SIM OTA elements, or OSS / BSS components, and the partner or WSP SM-DP+ / SM-DP server may be instructed to store the eSIM profile on a network system component that is not part of the wireless service provider's secure private network for wireless download to the partner wireless subscriber device.

[0039] In one embodiment, a limited subset of wireless subscriber eSIM profile template parameters that can be modified include Java applets, network names, or GID1 / GID2.

[0040] In one embodiment, the applications running on first and second computer devices that provide the user with an MVNO / partner portal user interface are browser-based applications.

[0041] In one embodiment, the method of the present invention prepares a partner account configuration via a partner management tool user interface hosted by a computer component operating within a secure private network of a wireless service provider, the partner management tool user interface is accessed using WSP authentication information, the partner account configuration determines a limited subset of eSIM profile template parameters of an eSIM profile template, and the eSIM profile template is modified by accessing the MVNO / partner portal user interface using partner authentication information entered on a computer device not operating within the secure private network; based on the receipt of partner authentication information entered via the MVNO / partner portal user interface, access to a first computer device not operating within the secure private network is permitted to modify the eSIM profile parameters of the eSIM profile template; secure private The steps include: receiving the eSIM profile template parameter selection of the eSIM profile via the MVNO / Partner Portal user interface, which is run on a first computer device not operating within the network; the user MVNO / Partner Portal user interface providing a limited subset of eSIM profile template parameters that are accessed and modified within the MVNO / Partner Portal user interface using partner authentication information for selection; modifying the eSIM profile template so that the first eSIM profile template is modified based on the limited subset of eSIM profile template parameter selection within the secure private network of the wireless service provider; receiving a request for the eSIM profile originating from a second computer device not operating within the secure private network based on the modified eSIM profile template; and generating an eSIM profile that conforms to the modified eSIM profile template.The process may also include the step of storing the eSIM profile on a network system component that is not part of the wireless service provider's secure private network for wireless download to partner wireless subscriber equipment.

[0042] WSP credentials can also access the eSIM profile creation tool user interface, which can generate or modify eSIM profile templates, even within a secure private network.

[0043] In one aspect, WSP authentication information can also access an eSIM generation tool that can generate an eSIM profile, within a secure private network.

[0044] In one aspect, access to the eSIM generation tool user interface, which can receive requests for WSP authentication information to generate an eSIM profile, can also be performed within a secure private network.

[0045] In another embodiment, the method may include a step of receiving a request to generate an eSIM profile that conforms to an eSIM profile template based on a WSP input data file. This method may be embodied in computer instructions executed on a computer device, or in the eSIM generation tool described above. After receiving the request, a first record is obtained from one or more input data records. Such a record may be contained in an input data file and may be provided or separated by identifier pairs, such as IMSI / ICCID pairs. After obtaining the first data record, first eSIM profile data is generated based on the first record. A first eSIM profile is generated based on the first eSIM profile data, and corresponding first output data is generated.

[0046] In a further embodiment, the method may further include the steps of: acquiring a second data record; generating a second eSIM profile data based on the second data record; generating a second eSIM profile based on the second eSIM profile data; and generating second output data corresponding to the generated second eSIM profile.

[0047] In one embodiment, each of one or more input data records has an IMSI / ICCID pair, which are obtained from a WSP input data server operating within a WSP secure private network.

[0048] In one embodiment, one or more steps of the embodiment are performed within a WSP secure private network.

[0049] In one embodiment, a request is received by the WSP Secure Private Network to generate one or more eSIM profiles that match an eSIM profile template.

[0050] In another embodiment, the first and second requests may be received from first and second user devices not operating within the WSP Secure Private Network, and may not be transmitted by or received by the first and second user devices at predetermined intervals. The transmission of the first and second requests is temporarily random and may be forwarded using the first and second user devices at the user's discretion.

[0051] In a further embodiment, the method may further include a step of generating an authentication key for the eSIM profile based on a master key, but such an authentication key generation step and other steps are performed within the WSP Secure Private Network, and the master key is not shared outside the WSP Secure Private Network.

[0052] This method may further include a step of distributing the first eSIM profile before the steps related to creating the second eSIM profile.

[0053] In another embodiment, the process may include the steps of receiving batches of multiple input data records from an input data server of the WSP Secure Private Network, and preparing the first and second input data records from the multiple input data records before obtaining each of the first and second data records. In the preparation step, the WSP input data arrangement can be separated into individual subscriber identifiers, which means creating each record having an ICCID-IMSI pair used to generate the eSIM profile.

[0054] This method may further include the step of saving the generated first eSIM profile and first output data to one or more servers before generating other eSIM profiles.

[0055] The first eSIM profile may be generated before the steps associated with generating the second eSIM profile are performed.

[0056] In another embodiment, a computer component operating within a WSP Secure Private Network can perform the steps and operations described above. Such a computer component includes a processor capable of receiving a request to generate an eSIM profile that conforms to an eSIM profile template, retrieves a first record from the input data records, generates first eSIM profile data based on the first record, generates a first eSIM profile based on the first eSIM profile data, and generates first output data corresponding to the generated first eSIM profile. The computer component can have the generated first eSIM profile and the corresponding output data stored on a server before generating other eSIM profile data.

[0057] A computer component or processor can be configured to retrieve a second record from one or more input data records, generate a second eSIM profile data based on the second record of the one or more input data records, generate a second eSIM profile based on the second eSIM profile data, and generate second output data corresponding to the generated second eSIM profile. Such a computer component or processor can have the generated second eSIM profile and the corresponding output data stored on a server before generating other eSIM profile data.

[0058] In one embodiment, each of one or more input data records may include an IMSI / ICCID pair obtained from a WSP input data server operating within a WSP secure private network.

[0059] In one embodiment, it is also possible to receive requests from outside the WSP Secure Private Network to generate an eSIM profile that conforms to an eSIM profile template.

[0060] In one embodiment, the first and second requests may also be received from first and second user devices that are not operating within the WSP Secure Private Network, and the first and second requests may not be sent or received by the first and second user devices at predetermined intervals.

[0061] The system may further include a step of generating one or more authentication keys for an eSIM profile based on a master key, which may be based on or without the master key, and such a step and the other steps are performed within a WSP Secure Private Network, and the master key is not shared outside the WSP Secure Private Network.

[0062] In yet another embodiment, the method may include the steps of: receiving a request to generate an eSIM profile matching an eSIM profile template based on a WSP input data file; receiving a batch of multiple input data records in the WSP input data file from an input data server in a WSP secure private network; preparing input data records from the multiple input data records in the WSP input data file as first and second input data records; acquiring the first input data record; generating first eSIM profile data based on the first input data record and based on at least one pre-configured data generation command; generating a first eSIM profile based on the first eSIM profile data; generating first output data corresponding to the generated first eSIM profile; acquiring a second input data record; generating second eSIM profile data based on the second input data record and based on at least one pre-configured data generation command; generating a second eSIM profile based on the second eSIM profile data; and generating second output data corresponding to the generated second eSIM profile. These steps can be performed within a secure private network.

[0063] In this case, the steps of acquiring a first input data record, generating first eSIM profile data based on the first input data record and at least one pre-configured data generation command, generating a first eSIM profile based on the first eSIM profile data, and generating first output data corresponding to the generated first eSIM profile may be performed before the steps of acquiring a second input data record, generating second eSIM profile data based on the second input data record and at least one pre-configured data generation command, generating a second eSIM profile based on the second eSIM profile data, and generating second output data corresponding to the generated second eSIM profile.

[0064] This method may further include a step of distributing the first eSIM profile and the output data corresponding to the first eSIM profile before the second eSIM profile data is generated. [Brief explanation of the drawing]

[0065] [Figure 1] This diagram illustrates a system that designs and generates eSIM profiles within a private network without sharing information with entities outside the WSP private network, and then transmits the eSIM to wireless user devices used to access the private network to receive services. [Figure 2] This diagram illustrates a schematic of a multiplex system that designs and generates eSIM profiles within a private network without sharing information with entities outside the WSP private network, and then transmits these WSP eSIM profiles to wireless user devices used to access the private network to receive services. [Figure 3] This diagram shows a block diagram of an eSIM design and generation system that is part of the WSP private network but is inaccessible from networks, devices, systems, or elements that are not approved as part of or are inaccessible as part of the WSP private network. [Figure 3A] This shows a block diagram of an eSIM design and generation system with specific, modifiable design parameters, accessed via a user interface running on a device outside the WSP's secure private network. [Figure 4] This shows a block diagram of the eSIM design and generation system, including the administrator interface and eSIM generation tool. [Figure 5] This shows the login page for the administrator interface. [Figure 6]This includes selecting the authentication algorithm and corresponding value used by the WSP's private network authentication process configuration, and shows the administrator interface data entry page for entering network authentication. [Figure 7] This displays an administrator interface landing page for selecting various actions, including creating and modifying eSIM profile templates. [Figure 8] This shows the start page of the eSIM profile creation tool user interface. [Figure 9] This shows the data entry screen of the eSIM profile creation tool user interface in Wizard mode to specify whether the eSIM profile template must have SMS over IMS functionality. [Figure 10] This shows the start page of the eSIM generation tool user interface. [Figure 11] This shows the status dashboard of the eSIM generation tool user interface. [Figure 12] This flowchart shows how to select an eSIM profile template to use to generate an eSIM profile using an administrator interface hosted within a private network of WSP. [Figure 13] This flowchart shows how to generate an eSIM profile using an eSIM generation tool that is hosted and running within a WSP secure private network. [Figure 14] This document presents a block diagram of the system architecture for designing an eSIM profile template and generating an eSIM profile within a secure private network using WSP. [Figure 14A]This shows a block diagram of the system architecture for designing or modifying eSIM profile templates from outside the WSP's secure private network and generating eSIM profiles within the WSP's trusted, secure private network. [Figure 15] This flowchart shows how MVNOs / partners can generate eSIM profiles using the MVNO / partner portal user interface. [Figure 16] This flowchart shows how WSP users can manage MVNO / partner users' access to the MVNO / partner portal user interface. [Figure 17] This flowchart shows how WSP users can onboard MVNO / partner users to access a limited subset of eSIM profile template parameters for modification purposes. [Figure 18] This flowchart shows how MVNOs / partners can generate eSIM profiles on computer devices that are not part of or internal to the WSP's Secure Private Network. [Figure 19] This shows the onboarding start screen for the Partner Management Tools user interface of the WSP administrator interface. [Figure 20] This shows the contact screen of the Partner Management Tool user interface for entering contact information to send invitations to partners, in order to set up an account via the MVNO / Partner Portal user interface of the WSP administrator interface. [Figure 21] Based on the contact information entered into the partner management tool user interface, the MVNO / partner user receives an invitation to set up an account via this user interface, and after clicking or responding, is presented with the initial screen. [Figure 22]This shows the account settings screen of the MVNO / Partner Portal user interface, which is the administrator interface for configuring the authentication information of MVNO / Partner users used when logging into the MVNO / Partner Portal. [Figure 23] This shows a confirmation screen of the MVNO / partner portal user interface in the administrator interface, informing the MVNO / partner user that their account and authentication information have been sent to WSP, and that an account has been set up to grant restricted access to the eSIM generation management system operating within WSP's secure private network. [Figure 24] This shows the confirmation screen of the Partner Management Tool user interface, which allows WSP users to verify or reject when an MVNO / partner user requests account setup and submits related authentication information. [Figure 25] This shows the Partner Management Tools user interface screen, an administrator interface that can be used to specify eSIM profile templates that MVNO / partner users can use or modify when a WSP user generates an eSIM profile. [Figure 26] This shows the Partner Management Tool user interface screen, an administrator interface that WSP users can use to specify the required profile elements of an eSIM profile template that an MVNO / partner can modify. [Figure 27] This shows the Partner Management Tool user interface screen, an administrator interface used by WSP users to specify profile elements of eSIM profile templates that can be modified by MVNOs / partners. [Figure 28] This flowchart shows how to generate an eSIM profile. [Figure 29] This flowchart shows how to generate an eSIM profile inline using an eSIM generation tool. [Figure 30]This flowchart shows a detailed explanation of how to generate an eSIM profile inline using an eSIM generation tool. [Figure 31] This shows the user interface screen of the eSIM generation tool for selecting the eSIM profile template to use when generating an eSIM. [Modes for carrying out the invention]

[0066] As a preliminary matter, it will be readily apparent to those skilled in the art that one or more embodiments described herein are widely useful and applicable. Many other methods, embodiments, and adaptations, as well as many variations, modifications, and equivalent configurations, will be evident from the content or scope of this disclosure and reasonably suggested thereby. Therefore, while embodiments are described in detail in relation to preferred embodiments, it should be understood that this disclosure is merely an example and illustrative and is prepared solely for the purpose of providing a complete disclosure. The following disclosure is not intended to limit or exclude, and should not be construed as such, other such embodiments, adaptations, variations, modifications, and equivalent configurations, and embodiments are limited only by the claims and equivalents appended herein.

[0067] The terms “components,” “systems,” etc., as used herein include computer-related entities or entities relating to actuators having one or more functions, where an entity may be hardware, a combination of hardware and software, or running software. Elements may be, but are not limited to, processes running on a processor, processors, objects, executable files, execution threads, computer execution instructions, programs, and / or computers. For example, both an application running on a server and the server itself may be elements. These components may reside in processes and / or execution threads and may reside on one computer or be distributed across two or more computers. Furthermore, these elements may also run on several computer-readable media where various data structures are stored. These elements may also communicate remotely or via local processes, such as signals with one or more data packets (e.g., data from elements interacting with a local system, a distributed system, and / or the internet).

[0068] Abbreviation / Definition 1. An eSIM profile, or eSIM-electronic SIM profile, contains software, information, data, algorithms, or applications that can uniquely activate the authentication and secure connectivity of a wireless communication device (such as a smartphone, tablet, smartwatch, Internet of Things ("IoT") device, machine-to-machine (M2M) device, or WSP network device) that is uniquely assigned to each Wireless Service Provider (WSP). Also called a digital SIM (as opposed to a physical SIM card), an eSIM profile is loaded over the air (OTA) into a secure element within the device and can be added, deleted, activated, deactivated, and updated on the secure element ("SE") during the device's lifespan.

[0069] 2. Profile Package - A personal eSIM profile using an interoperable description format (e.g., Trusted Connectivity Alliance eUICC Profile Package: Interoperable Format Technical Specification) sent to an embedded secure element ("eSE") or secure element ("SE"). A profile package represents a specific format for an eSIM profile to be loaded and installed into an eSE or SE, while eSIM profile is a general term unrelated to format or state (e.g., generated, loaded, installed, activated, deactivated, etc.).

[0070] 3. eSE or SE - An embedded secure element or secure element is secure hardware used in devices connected to a wireless network. eSE / SE ensures the safety and security of various types of personal data in the device. A secure element may include discrete hardware components such as a UICC (Universal Integrated Circuit Card), an embedded UICC (e.g., a UICC permanently connected / soldered to the circuit board of a wireless user device), or it may be an integrated secure element such as memory on a baseband processor chip or a system-on-a-chip (e.g., iUICC) designed to store eSIM profile information, data, applications, and algorithms.

[0071] 4. The HLR-Home Location Register is a key component used by WSP to provide mobile services over 2G / GSM and 3G / UMTS networks, and includes a database containing various information about all mobile subscribers, such as their mobile phone number, subscribed services, and whether that number is ported to other networks.

[0072] 5. HSS - Home Subscriber Server, an evolution of HLR; located on IMS 4G / LTE networks. It connects HLR (Home Location Register) and AuC (Authentication Center), and these two functions are present on pre-IMS 2G / GSM and 3G / UMTS networks.

[0073] 6. UDM - User Data Management is a 5G core network component that corresponds to HLR and HSS.

[0074] 7. SIM OTA-OTA (Over-The-Air) is a technology for updating or modifying data in a secure element. Through OTA, WSPs can introduce new services or modify the content of secure elements in a fast and cost-effective manner.

[0075] 8. Preparation of SM-DP or SM-DP+ subscription administrator data. This is the entity that WSP uses to securely encrypt and store proof for OTA installation within the device's secure element. SM-DP+ exists in the Consumer Remote SIM Provision (RSP) architecture and extends the role of SM-DP in the M2M Remote SIM Provision architecture to perform OTA transmission of eSIMs.

[0076] 9. OSS / BSS - Computational Support Systems / Business Support Systems are core components of WSP's IT infrastructure, managing the computational and business aspects of the network. OSS includes order management, network inventory management, and network operations. BSS includes order capture, customer service, and billing.

[0077] 10. The secret key used for symmetric key generation by K or Ki-WSP; also known as the subscriber key. It is part of the information required to activate device authentication and connectivity to the WSP network using the Milenage or TUAK algorithm.

[0078] 11. OP - This is an operator code unique to each WSP and is used in the 3G, 4G, and 5G key generation algorithms.

[0079] 12. This corresponds to the OP in the TOP-TUAK authentication algorithm.

[0080] 13. Opc - A derived key generated from the WSP Operator Code (OP) and Secret Key (K), unique to each secure element, used in the WSP network authentication and key consent process.

[0081] 14. MILENAGE - A set of authentication algorithms specified by 3GPP that define authentication and key generation functions. The specification for Milenage is 3GPP TS 35.206.

[0082] 15. A set of authentication algorithms for TUAK-3GPP authentication and key generation functions. The TUAK specification is 3GPP TS 135 231.

[0083] 16. The rotation constant used in the R-Milenage function.

[0084] 17. XORing constant used in the C-Milenage function.

[0085] 18. PIN - Personal Identification Number. A password used for mobile devices.

[0086] 19. The PUK - PIN unlock or unblock key is a code required by the user to reset their PIN.

[0087] 20. SIM - Subscriber Identification Module. A SIM application is the proprietary software of each WSP (Radio Service Provider) that enables device authentication and secure connectivity to the WSP's 2G network. It is a pre-cursor for the eSIM profile or eSIM application.

[0088] 21. USIM - General-purpose SIM. USIM applications emerged with the advent of 3G networks. USIM supports more secure network authentication algorithms such as Milenage, which are based on mutual authentication between UE (User Equipment) devices and network components.

[0089] 22. ISIM - IP Multimedia Service SIM. ISIM emerged with the advent of IMS networks. ISIM applications can coexist with USIM applications in the same secure element, making them usable on both types of networks.

[0090] 23. IMPI-IP Multimedia Private Identity is a global ID assigned by the home network. IMPI includes the home operator's domain information as part of the ISIM application.

[0091] 24. The IMPU-IP multimedia shared ID serves the same purpose as a telephone number in ISIM applications.

[0092] 25. An HSM (Hardware Security Module) is a physical computing device / server that protects and manages digital keys and performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.

[0093] 26. ICCID - Integrated Circuit Card Identifier. A maximum of 22 digits that uniquely identifies each secure element. The EID and EUICC ID are the same as the ICCID of the embedded secure element.

[0094] 27. IMSI - International Mobile Subscriber ID. A 15-digit unique identification number issued by WSP used to identify WSP service subscribers. IMSI consists of the following three parts: a. MCC: Mobile Country Code - Identifies the geographical area of ​​the secure element. b. MNC: Mobile Network Code - WSP Identifier. c.MSIN: Mobile Subscriber Identifier - Individual subscriber identification.

[0095] 28. A telephone number that uniquely identifies a subscription to an MSISDN-GSM or UMTS network. This involves mapping the telephone number to the secure element of a mobile or cellular device upon subscription.

[0096] 29. SUCI - Subscription Concealed Identifier is a privacy-preserving identifier that includes a hidden SUCI, introduced in 5G networks.

[0097] 30. SUPI - Subscription Permanent Identifier - is a 5G-like identifier similar to IMSI. SUPI can also be formatted as NAI (Network Access Identifier).

[0098] 31. Profile Element (PE) - A part of an eSIM profile representing one or more functions of a profile encoded using a TLV structure based on the description in ASN.l; see Trusted Connectivity Alliance's "eUICC Profile Package: Interoperable Format Technical Specification".

[0099] 32. Wireless service providers include mobile network operators (MNOs), mobile virtual network operators (MVNOs), IoT connectivity service providers (CSPs), citizens broadband wireless service (CBRS) network operators, personal LTE (Long-Term Evolution) network operators, and all future-oriented network operators that provide wireless services.

[0100] 33. WSP Input Data - Information such as ICCID and IMSI used to generate data unique to each of the eSIM profiles. See the "Input Data" section below.

[0101] 34. WSP (Wave Speed ​​Private Network) – A communication network that provides voice and data services to mobile radio devices / subscribers, among other types of services. A secure private network typically includes a radio access network that includes base stations / network nodes (i.e., Node B, eNode B, gNode B) to which mobile devices can connect once authenticated via the WSP's core network components such as HLR / HSS / UDM. A secure private network typically also includes a large-scale IT infrastructure for operating the network and managing devices on the network. The security of the network's core elements, IT infrastructure, and mobile devices is multi-layered and critical to the operation of a private network. WSPs can protect or logically isolate secure private networks using technologies such as encryption, random key generation, firewalls, and countless cybersecurity tools.

[0102] Methods and systems for designing and generating eSIM profiles within a WSP Secure Private Network and for transmitting eSIM profiles to wireless user devices for use in authenticating and accessing services on the WSP Private Network consist of two main software pillars: eSIM profile creation tools (e.g., eWTZ, a software application for WSP data onboarding and eSIM profile template generation provided by RiPSIM Technologies, Inc. (“RiPSIM”)) and eSIM generation tools (e.g., EDGAR, which provides the eSIM profile generation software application RiPSIM).

[0103] The administrator interface ("UI") includes two browser-based user interfaces. The first is the eSIM profile creation tool user interface (eWIZ UI in RiPSIM terminology), which allows users to input data and build eSIM profile templates based on their proficiency level. For example, "Wizard Mode" provides step-by-step guidance through an adaptive questionnaire, while "Expert Mode" grants users full control over building eSIM profile templates and their configurations. The second UI is the eSIM generation tool user interface (EDGAR UI in RiPSIM terminology), which allows users to generate eSIMs based on the eSIM profile templates defined through the eSIM profile creation tool user interface.

[0104] The eSIM generation tool may include software components that interface with entities outside of WSP (but within WSP's private network), such as WSP's OSS / BSS system. The core functions of the eSIM generation tool are: generating an eSIM based on data entered via the eSIM generation tool user interface; and distributing the eSIM and output data based on WSP's providing / distribution elements, such as HLR / HSS / UDM, SIM-OTA, SM-DP / SM-SR / SM-DP+ and other systems that provide or transmit network authentication information. The eSIM generation tool generates eSIMs in accordance with wireless industry specifications.

[0105] Figures 3 and 4 illustrate the overall system and process for designing and generating eSIM profiles, including collecting onboarding data from WSP users using the eSIM profile creation tool UI, defining / saving eSIM profile templates, and generating eSIMs within the eSIM generation tool using the eSIM generation tool UI, but all of these tools and processes are shown. The eSIM within the eSIM generation tool is logically located within the WSP IT infrastructure of a secure private network (for example, behind a firewall that defines a vacant network surrounded by WSP's personal wall protecting connections to devices, systems, and applications outside the network).

[0106] The eSIM profile creation tool UI and eSIM generation tool UI are part of the administrator interface ("UI"). Through the administrator UI, the eSIM profile creation tool and eSIM generation tool provide a new, automated way to design and generate eSIMs, as described below. Currently, a common method used by existing SIM suppliers is to separate the definition of network authentication information and eSIM profile creation into separate, independent stages as part of the current hardware / SIM card manufacturing process. Another common method used by existing SIM suppliers, extending the current hardware / SIM card manufacturing process, separates the eSIM profile creation process into various stages based on different geographical locations. Such methods have drawbacks, such as the WSP eliminating made-to-order eSIM orders and the time between ordering and eSIM download readiness confirmation, which can take several weeks. For example, if a WSP needs a new profile, it sends an Excel spreadsheet to the SIM supplier, who then manually programs a proprietary tool to generate the eSIM. The eSIM is then loaded onto a test SIM card and sent to the WSP for verification. If there are errors in the eSIM profile, the SIM supplier must rerun the entire process until the WSP approves the eSIM profile. Then, when the WSP orders 50,000 eSIMs, the SIM supplier first processes the order by generating network authentication information for all 50,000 eSIMs in batches, and then combines the data with the eSIM profile template. After several additional steps, the entire deployment of 50,000 eSIM profiles is ready to be communicated to the WSP. Generally, a single eSIM profile cannot be used until the entire data deployment has been processed.

[0107] In contrast, the new administrator interface and the software application providing the administrator interface disclosed herein can notify the user in real time (i.e., when the user generates an eSIM profile template) of errors resulting from data entry, and can notify the user of inconsistent, mismatched, inappropriate, or otherwise inappropriate information that the user may enter or select, by comparing it with other data the user enters or selects. This provides real-time error trapping of data entered by the user during the process of generating or modifying an eSIM template. Such real-time error notifications can be performed by the software application providing the administrator interface, which compares the data entered by the user with information and data stored in the WSP's secure private network components, and the software application providing the administrator interface is running on such a network. The new eSIM generation tool disclosed herein simplifies the WSP experience by generating eSIM profiles in one simple step. Regardless of the quantity of eSIMs requested (e.g., 1, 50,000, or more), it can generate eSIM profiles tailored to the specific needs of a WSP without exchanging information or data between the WSP and the SIM supplier (i.e., without WSP's sensitive data traversing the network edge of the WSP's secure private network). If there is an error in requesting the generation of an eSIM profile, the eSIM profile can be regenerated without reprocessing the entire arrangement of WSP input data. Therefore, WSP has more flexibility in planning eSIM demand and handling errors during eSIM generation.

[0108] Using the administrator interface (e.g., the eSIM profile creation tool UI), a WSP user with required access privileges (i.e., a high-security user) can input the most sensitive data required for the eSIM profile template. Examples of sensitive data include network authentication parameters for the Mileage and TUAK authentication algorithm, 5G Home Network Public Key, and Master Key (a general term representing all Master Keys used as seeds for key derivation). The same WSP user or a different WSP user can then build the eSIM profile template using either "Wizard Mode" (step-by-step guidance through adaptive questionnaires) or "Expert Mode" via the administrator interface. The same WSP user or a different WSP user can then request one or more eSIMs to be generated by the eSIM generation tool via the eSIM generation tool UI. The eSIM generation tool generates the eSIM by parsing the selected eSIM profile template and inserting dynamically generated data specific to each eSIM / eSIM profile. Once one iteration is complete, the eSIM generation tool has generated an eSIM profile that, where possible, conforms to the Trusted Connectivity Alliance standard requirements. The eSIM generation tool can repeat this process until it reaches the number of eSIM profiles displayed by the request amount entered using the eSIM generation tool user interface. Each eSIM is unique and corresponds to a unique entry in the input data file managed by the WSP. Therefore, since a specific WSP holds the input data file, the WSP does not have to take the risk of sending sensitive input data outside the secure private network, because the eSIM generation tool accesses the input data from within the WSP's secure private network without the input data having to pass through the network edge of the secure private network.

[0109] Another function of the eSIM generation tool is to automate eSIM generation. Figure 10 shows the start page of the eSIM generation tool user interface. In Figure 10, the user is prompted to select an eSIM profile template (also called an eWIZ profile template in RiPSIM terminology), a WSP input data file, and a specific number of eSIM profiles to generate via the interface. When the user clicks a button on the eSIM generation tool user interface, the eSIM generation tool retrieves the WSP input data file corresponding to the data provided or entered via the eSIM generation tool user interface, automatically determines the type of data to extract, and proceeds with additional processes according to the specified WSP requirements when creating or modifying the eSIM profile template selected by the user. At the same time, the eSIM generation tool aggregates the eSIM output data in a format specified via the administrator interface, which is either stored in the WSP backend system such as HLR / HSS / UDM, SIM OTA, SM-DP+ / SM-DP / SM-SR, or OSS / BSS, or used. This is a simpler eSIM generation process than any conventional one, as the eSIM generation tool generates the output data and saves it in real time (usually within a few seconds) to one of the backend system elements, without requiring the output data to pass through the WSP's secure private network edge from the SIM supplier's internet transfer, nor requiring the output data to be physically loaded from a device such as a flash drive received from the SIM supplier.

[0110] Figure 1 shows an eSIM generation management system 20 for generating subscriber identification profiles (eSIMs) in a management system 12 and transmitting the eSIM profiles to end-user devices 14 via a WSP secure private network 18. The administrator system 12 may include a user interface that runs on a user data entry computer device connected to or located within the secure private network 18. The administrator system 12 is also called an onboarding data entry system for use by personnel certified by the WSP to generate eSIM profile templates using the administrator system 12. The subscriber identification / eSIM profile is software containing information stored in computer memory. The subscriber identification / eSIM profile information is stored on an existing subscriber identification module ("SIM") card, which is removable hardware installed in user equipment ("UE") that communicates over long-range wireless networks such as cellular networks, 2G, 3G, 4G, and 5G. Long-range wireless networks, such as the secure private network 18, typically include a radio access network ("RAN") 19 for wireless connection to UE devices such as device 14. The secure private network also includes the WSP's wireless infrastructure cloud 16. The eSIM generation management system 20, the secure private network 18, and the IT infrastructure cloud 16 can all be part of an overall communication system 10 controlled and operated by a single entity, the WSP. In Figure 1, a portion of the broken line representing the eSIM generation management system 20 is outside the IT infrastructure cloud 16, but the eSIM generation management system 20 may be embodied using elements that logically reside entirely within the IT infrastructure. For example, there are countless M2M (Machine-to-Machine) wireless devices, such as device 14, that collect or transmit information to smartphones, tablets, laptop computers, and other devices that communicate with the secure private network 18. A typical UE is unique to each UE and contains specific information used to authenticate the UE with elements of the secure private network 18. A unique cryptographic key is one such piece of information specific to a UE.Unique information present in or stored in Device 14 includes, but is not limited to, telephone numbers, IMEI, and IMSI, as well as contact information stored by the user in the UE, information used by the Secure Private Network 18 to manage the radio connection between the Secure Private Network 18 and Device 14, and the aforementioned profile, or information constituting the whole or a part of the profile. Such a profile is also called an electronic SIM profile ("eSIM"). Such profile information may be stored in a UICC (i.e., a SIM card) or an eUICC (i.e., an embedded SIM card), which may be a SIM card that is essentially permanently attached (e.g., soldered) to the circuit board of the UE device. Instead of a separate SIM card / UICC attached to the radio device, the eSIM profile may be stored in the memory of Device 14, such as the memory of the processor of a dedicated device that stores eSIM profile information, data, algorithms, applications, or authentication information (i.e., an iUICC or integrated SIM card).

[0111] Such eSIM profile information can be generated within the WSP's IT infrastructure cloud 16 from information entered via a user interface running on the computer device of the management interface 12, and third parties using devices that are not part of the network 18 or are not on the network (i.e., have no network connectivity to the outside of the network) are ultimately not used to generate the profile information stored in the device 14.

[0112] The eSIM generation management system 20, which can also be described as a self-contained eSIM generation system (i.e., included in the WSP's IT infrastructure cloud 16), receives information from the administrator system 12. The eSIM generation management system 20 sends and receives information and data with one or more computer components (hardware or software) of the WSP's information technology ("IT") infrastructure backend system 22. The IT infrastructure backend system 22 sends and receives information and data with one or more computer components (hardware or software). The IT infrastructure backend 22 includes computer components, including hardware or software, which are not part of the WSP secure private network 18, or are part of an element or network to which access is denied, and are connected and inaccessible.

[0113] In addition to the eSIM generation management system 20, Figure 1 shows various high-level stages of how the eSIM generation management system is executed from various hardware components. This system facilitates the generation and transmission of eSIM profile information to end-user wireless devices without transmitting information between the WSP network 18 and computers that are not part of this network or to a third network.

[0114] In the first stage, the authenticated WSP user 24 enters onboarding data used to generate an eSIM profile template using the administrator interface 26. The administrator interface 26 may include software-based applications such as a browser or a customized data screen. The user interface 26 may include hardware components such as an alphanumeric display, such as an LCD reading module. In the first stage, the WSP user 24 can select or enter information containing data about a specific eSIM profile template, for example, using a software browser administrator interface application.

[0115] After the WSP user 24 enters information via the administrator interface 26, this interface or the computer device driving the interface transmits or hosts an eSIM profile template determined by the administrator interface 26. This determination may be based on data items provided by the WSP user 24 via the administrator interface 26. In the second stage, the administrator interface 26 or the computer device driving the interface transmits the determined eSIM profile template and its identifier to the eSIM generation tool 40 provided by the autonomous eSIM generation management system 20. In the third stage, the required WSP input data files are selected by the eSIM generation tool 40. In the fourth stage, the eSIM generation tool 40 processes the information received in the second and third stages, including derived information based on the information received in the second stage, and in the fifth stage, some of the information can be sent to the WSP IT infrastructure system 22. In the sixth stage, the WSP IT infrastructure 22 receives and stores the eSIM provision data and responds to the eSIM generation management system 20 with an error code for successful provision recognition or failed provision. Also, in the fourth stage, the eSIM generation tool 40 generates an eSIM profile, in the seventh stage the eSIM profile is sent to the elements of the network 18, and in the eighth stage the eSIM profile is sent to the user device 14 via the RAN 19.

[0116] An eSIM profile template can be described as a specific set of information types, data types, or network parameters corresponding to a particular user device 14. In Figure 1, the image of device 14 is represented by a symbol for a smartphone. An eSIM profile template for a smartphone has fields for storing data, information, algorithms, applications, and authentication information used by the smartphone for various functions that the smartphone generally provides. For example, an eSIM profile for a consumer smartphone may contain specific information, data, algorithms, applications, or authentication information including a publicly accessible (callable) phone number. An eSIM profile for a wireless device such as a smartwatch may contain specific information, data, algorithms, applications, or authentication information including a publicly accessible (callable) phone number for such a device, and may differ from the aforementioned smartphone eSIM profile. Generally, an eSIM profile for wireless M2M devices that are not operated by human intervention may contain specific information, data, algorithms, applications, or authentication information. Such information may partially overlap with or differ from the information and data in eSIM profiles for smartphones, smartwatches, and other devices. eSIM information, data, algorithms, applications, or specific authentication information for a particular type of device can be specified by the WSP. Therefore, the eSIM profile template can be determined based on data input to the administrator interface 26 and may differ for each device provided to the WSP private network 18.

[0117] Figure 2 illustrates a scenario in which multiple WSP systems 10A, 10B, ..., 10n each use elements similar to those in Figure 1 to generate eSIM profiles that are only valid for authentication to their respective private networks, using the information stored in eSIM profiles 32A, 32B, ..., 32n, respectively.

[0118] WSP Onboarding Data The eSIM profile can be selected based on information entered by the user using the administrator system 12. The information entered via system 12 may include information corresponding to the parameters shown in Table 1 below. Table 1 shows the information received via the administrator system 12 and the corresponding parameter fields in the eSIM profile into which the information provided via the administrator system is inserted.

[0119] [Table 1]

[0120] The onboarding data shown in Table 1 contains information specific to the designated WSP and its network distribution. For example, network authentication data is essential and unique for establishing a reliable communication path or link between the eSIM and the core network. Role-based access allows authenticated WSP personnel to securely enter network authentication data used in the eSIM generation management system 20 via the browser-based application administrator interface 26. As a result, software running on the administrator system 12 computer can use the onboarding data entered by an authenticated user with the designated WSP to generate authentication key information that conforms to one or more parameters specified in a particular eSIM profile template. The onboarding data in Table 1 does not cover all parameter data that may be included in an eSIM profile template. Table 4 shows a more comprehensive list of profile elements that may be included in a complete eSIM profile template or an eSIM profile generated based on it.

[0121] Data entry using WSP A specific WSP generally uses a unique format for input data or input data files ("input files"), and their contents are more diverse compared to other WSPs. A WSP can manage the range of ICCID and / or IMSI based on the SKU (Stock Keeping Unit) value of a particular wireless user device, the network functions it can provide or is configured to provide, or a specific provisioning purpose applicable to a particular wireless user device. Generally, the input data in an input data file includes unique identifiers of the eSIM, such as ICCID and IMSI. During eSIM generation, unique provisioning information and data are generated, associated with the ICCID / IMSI, and stored according to an eSIM profile template selected based on the information entered by the user in the administrator interface 26 of the management system 12 in the first stage shown in Figure 1. Tables 2 and 3 provide two examples of a typical WSP input data file and the information extracted from this file for further processing.

[0122] [Table 2]

[0123] [Table 3]

[0124] eSIM provided For an eSIM to operate on the WSP network, authentication information is loaded and provided to the WSP backend system, such as the WSP IT infrastructure backend system 22, shown as part of the IT infrastructure cloud 16 in Figure 1. The WSP IT infrastructure backend system has OSS / BSS components that interface with the HLR / HSS / UDM, which is part of the core network of the secure private network 18. The HLR / HSS / UDM identifies and authenticates a specific eSIM before authorizing network resources to the radio user device corresponding to that eSIM. The SIM-OTA server is an integrated element of the WSP IT infrastructure backend system and can push, transmit, and provide data to each eSIM when the corresponding eSIM is activated (i.e., users of radio user devices corresponding to a specific eSIM subscribe to receive services from the WSP, the WSP "activates" the eSIM, and the user's corresponding radio user device receives radio services and other services), as well as perform maintenance on the eSIM wirelessly. SM-DP+ or SM-DP / SM-SR is a subscription management element whose primary role is to securely store and transmit eSIMs wirelessly to field wireless user devices. The following backend systems / elements may, but are not limited to, use certain eSIM information and data, such as those listed below. -HLR / HSS / UDM, OSS / BSS: ICCID, IMSI, K (key), PIN, PUK, ADM, ACC, IMPI, IMPU -SIM-OTA:ICCID, IMSI, OTA key-SCP80(KiC, KID, DEK), SCP81(PSK, DEK) -SM-DP+ or SM-DP / SM-SR: ICCID, eSIM (.DER), activation code (applicable to SM-DP+)

[0125] Downloaded eSIM As an example, software running in management system 12 and in parts of the eSIM generation management system 20 in Figure 2 constructs eSIM profiles based on the TCA (Trusted Connectivity Alliance) industry specification. This specification is called "eUICC Profile Package: Compatible Format Technical Specification". Table 4 shows examples of profile element ("PE") parameters / types and information / data content for eSIM profiles, and not all PEs are required to build an eSIM profile. For example, software that may run in management system 12 or in parts of the self-eSIM generation management system 20 constructs an eSIM profile template based on data entered by the USP user 24 using a management interface 26 driven from management system 12 (which can be seen as a data record similar to a stencil generated by an eSIM profile, having information and data that match the parameters and attributes of one or more data filters of the template, like a stencil equipment that sprays paint onto a surface to create a pattern by matching the stencil area deleted from the stencil generation data). Next, the software a) generates eSIM data based on WSP input data obtained directly from the WSP input data server, as well as onboarding data, and b) combines the eSIM data with an eSIM profile template (i.e., fills the fields of the eSIM profile template with the generated eSIM data) to generate a ready-to-use eSIM. The final format of the eSIM is generally provided according to a standard specification such as the TCA specification, and once downloaded to the device via SM-DP+ / SM-DP / SM-SR, the eSIM profile is installed on the physical eUICC or iUICC (or future hardware secure element) of the final device, such as a smartphone or M2M radio device. At this point, the eSIM profile becomes a unique subscriber ID profile that enables the WSP customer's radio device to access the WSP network for connectivity services.

[0126] [Table 4-1]

[0127] [Table 4-2]

[0128] [Table 4-3]

[0129] [Table 4-4]

[0130] [Table 4-5]

[0131] [Table 4-6]

[0132] [Table 4-7]

[0133] Nodes 101-114 in Figure 3 are used as reference points to explain several elements and their functions. While the elements in Figure 3 are explained, the numbers 101-114 do not necessarily correspond to the order in which data flows or the step-by-step sequence of the method.

[0134] At node 101, WSP user 24 inputs information and data into the administrator interface 26, for example, a browser application for accessing a web portal developed by RiPSIM, as shown in Figure 1. Typically, WSP user 24 is an authorized WSP operator managing a private network 18 that has been granted access to the web portal. The administrator interface 26 may include a browser-based eSIM profile creation tool UI 34, such as eWIZ UI developed by RiPSIM, and an eSIM generation tool user interface 36, such as EDGARUI, for creating and modifying eSIM profile templates.

[0135] When onboarding a WSP (i.e., the process of collecting the WSP data necessary to design an eSIM profile template), a WSP user 24 (i.e., a person designated by the operator of the private network 18) is guided through the data input section of the eSIM profile creation tool user interface 34 to provide / input information (e.g., network authentication parameters for Mileage and TUAK authentication algorithms, 5G Home Network Public Key and Master Key (representing all master keys used as key derivation sheets), ISIM configuration, PIN and PUK, Java applet). When using the administrator interface 26, the WSP user 24 can select the eSIM profile creation tool UI 34 to create or modify an eSIM profile template. "Onboarding" is the process of using WSP Secure Private Network information to generate an eSIM profile template, which is used for wireless user devices to authenticate to and receive services from the private network. Onboarding is generally performed by a designated user, or a user like user 24, who is generally a trustworthy person within the WSP organization who has undergone in-depth background checks.

[0136] A WSP user 24 using the eSIM generation tool user interface 36 can select an eSIM profile template to begin generating an eSIM, but such templates may have already been generated, modified, or selected by the eSIM profile creation tool UI 34, and by selecting the WSP input data file to use and specifying the number of eSIMs to generate. "Input data" or "input file data" are terms used in the field of eSIM profile generation (profiles have historically been generated outside of the WSP's secure private network 18) and refer to the information and data, namely ICCID and IMSI, that the secure private network 18 operator uses specifically to generate the eSIM profile used to authenticate and access or receive services on the private network.

[0137] At node 102, the eSIM profile creation tool UI 34 transmits the entered, or selected or determined, information to the eSIM profile template repository 38, which may be a table, database, or other means of storing digital information. When a WSP user 24 uses the eSIM profile creation tool UI 34 to create or modify an eSIM profile template, this template is stored in the repository 38, which may be a disk drive, solid-state memory, dynamic memory, or static memory computer memory, accessible by elements within the network 18 but not accessible from computer devices outside the network 18. When a WSP user 24 accesses the eSIM profile creation tool UI 34 and modifies an eSIM profile template that has been generated and saved, the already created / existing template is retrieved from the repository 38. Templates generally contain profile elements, and the eSIM profile creation tool UI 34 can intelligently determine a given PE and add to the template stored in the repository 38 based on information or data, such as onboarding information and data entered by the WSP user 24 into the eSIM profile creation tool UI 34. For example, when WSP user 24 enters the data and corresponding configuration from the left column of Table 1 into the eSIM profile creation tool user interface 34 in Wizard Mode, the eSIM profile creation tool user interface 34 can automatically add the corresponding PE-applications and information values ​​from the right column of Table 1 to the eSIM profile template. The eSIM profile creation tool UI 34 can also determine where within the PE to store / mine onboarding data. The eSIM profile creation tool UI 34 can determine in real time one or more PEs to add to the profile template when WSP user 24 enters onboarding data and information via the eSIM profile creation tool UI 34.

[0138] At node 103, the eSIM profile creation UI 34 provides sensitive onboarding data or information to the hardware security module (HSM) 46 via interface 48. Some onboarding data typically includes sensitive information that a particular WSP seeks to protect from its security data store. The WSP generally ensures one aspect of the HSM's security (i.e., protection against hacking from outside the WSP's secure private network 18, as shown in Figure 3) by restricting access to the HSM from intrusions from devices outside the private network via physical or logical means. Therefore, interface 48 is an element specifically permitted by the WSP and is not an interface like a software port that can be easily accessed from outside the WSP's private network. There is a network authentication parameter that includes a master key called OP from which individual eSIM keys are derived. Once entered into the eSIM profile creation tool user interface 34, this interface sends the sensitive onboarding data directly to the HSM interface 48, which then provides this data to the HSM 46.

[0139] Interface 48 provides onboarding data from node 104 to HSM46, as shown in Figure 3. As an example, interface 48 to HSM46 is embodied in the form of an application programming interface ("API"). Specific calls can be made by the eSIM profile template storage 38 to interface 48 to HSM46 in order to inject or provide sensitive data to HSM46 during onboarding. Alternatively, when the eSIM generation tool user interface 36 initiates, triggers, or manages the generation of eSIM profile data and information, the eSIM generation tool 40 can initiate encryption work based on the injected sensitive data within HSM46.

[0140] A typical WSP operates an input data server 42 as part of a secure private network 18. The input data server interface 44 generally provides an interface between the input data server 42 and an eSIM generation tool 40, which is part of the eSIM generation management system 20 and has software components. The eSIM generation tool 40 may also have hardware components, but it is preferable that it is a physical or logical part of the private network 18 or a software component that runs on a computer device performing the applied communication. The eSIM generation tool 40 can be considered the core software engine of the eSIM generation management system 20, and such an engine (also called a module) runs on a computer device inside or behind the firewall of the WSP's secure private network, providing an interface to the user, receiving onboarding data from the eSIM profile creation tool UI, requesting input data from the WSP's input data server 42, generating an eSIM profile based on the generated or modified template, onboarding data and WSP input data, outputting it to the WSP's private network server, and then distributing the eSIM profile to field wireless user devices and wireless machine devices.

[0141] The input data server 42 is generally part of the WSP's IT infrastructure and generates input data that meets the requirements of the WSP. The WSP input data server 42 then provides the input data to the input data server interface 44.

[0142] At node 106, data flows from the input data server interface 44 to the eSIM generation tool 40. The input data server interface 44 can be implemented as a proxy and generally plays the role of syntactically analyzing the original input data provided by the WSP and extracting specific information from the input data necessary for further processing by the eSIM generation tool 40. The input data extracted from the input data server 42 and provided via the input data server interface 44 is sent to the eSIM generation tool 40, stored there, and then used to generate eSIM data. As an example, an eSIM can be generated and saved using a given input dataset.

[0143] At node 107, data entered by the user of the eSIM generation tool user interface 36 is provided to the eSIM generation tool / module 40. The administrator interface 26 also has the eSIM generation tool user interface 36. Users who use the eSIM generation tool user interface 36 are the same as WSP users 24 who use the eSIM profile creation tool UI 34, but users other than those who can access the eSIM profile creation tool UI 34 can also access the eSIM generation tool user interface 36.

[0144] When a WSP user initiates eSIM generation from the eSIM generation tool user interface 36, the eSIM generation tool 40 retrieves specific data from the storage 38 and HSM 46 and generates an eSIM profile and its providing / output data. The eSIM generation tool 40 then pushes the eSIM profile and providing / output data to the interfaces displayed on nodes 110 and 111, as well as to the eSIM loading interface 52 and output file interface 58, respectively.

[0145] At node 108, the eSIM generation tool 40 retrieves the eSIM profile template from the storage 38.

[0146] At node 109, when the eSIM generation tool 40 generates eSIM data, it specifies the master key (i.e., the identifier of the WSP private network 18), provides other information (e.g., diversification factors), and makes an API call to the HSM interface 48. At node 104, the HSM interface 48 makes contact with the HSM 46, and the HSM performs cryptographic operations to obtain the necessary data.

[0147] At node 110, the eSIM loading interface 52 can be embodied by an API configured to handle specific calls to the eSIM generation tool 40 and the WSP SM-DP+ / SM-DP / SM-SR module 50. The eSIM generation tool 40 makes API calls to the eSIM loading interface 52, sends the eSIM profile to the WSP SM-DP+ / SM-DP / SM-SR 50, and receives a response from the WSP SM-DP+ / SM-DP / SM-SR module 50 via the eSIM loading interface 52.

[0148] At node 111, the output file interface 58 can be embodied as an API configured to handle specific calls to the eSIM generation tool 40, the HLR / HSS / UDM module 54, or the SIM-OTA server 56, as needed. At node 111, the eSIM generation tool 40 can make API calls to the output file interface 58, send two output files, one for HLR / HSS / UDM and one for SIM-OTA, and receive responses from the HLR / HSS / UDM module 54 and the SIM-OTA server 56, respectively, via the output file interface.

[0149] At node 112, the eSIM loading interface provides the eSIM generated by the eSIM generation tool 40 to the SM-DP+ / SM-DP / SM-SR module 50. The SM-DP+ / SM-DP / SM-SR module 50 responds with "ack (acknowledgement)" if loading is successful, and "nack (no acknowledgement)" if loading fails.

[0150] At node 113, the output file interface 58 provides the HLR / HSS / UDM module 54 with network-authentication-related data (e.g., K) generated from the eSIM generation tool 40, and the HLR / HSS / UDM module 54 responds with an "ack" for successful loading or a "nack" for failure, along with a specific reason code.

[0151] At node 114, the output file interface 58 provides the SIM-OTA data (e.g., OTA key) generated by the eSIM generation tool 40 to the SIM-OTA server 56. The SIM-OTA server 56 responds with an ack for successful loading and a nack for failure, along with a specific reason code. By including the various applications, elements, modules, and interfaces of the eSIM generation management system 20 in the WSP's private network 18, the aforementioned parts of the eSIM generation management system 20 can interact with the elements of the WSP's private network, including the highly secure HSM 46 and input data file server 42, and can generate eSIM profile templates and the eSIM profile itself without going through many time-consuming manual steps used to generate eSIMs from third-party eSIM suppliers who are not permitted to interact with the HSM and input data server. Thus, the eSIM generation management system 20 transmits the WSP's own eSIM profile to field wireless user equipment and uses the transmitted eSIM profile to connect to and access services on the WSP's private network 18.

[0152] Returning to the description of Figure 4, Figure 4 includes block diagrams of various components, regardless of the software or hardware described herein. Furthermore, Figure 4 shows the various steps and symbols of Method 400 of the present invention, with these steps denoted as 4xx.

[0153] The eSIM profile creation tool UI34 has onboarding data 60, an eSIM profile definition 64, and an eSIM profile template repository 38. During a session in which a user provides data and information via the eSIM profile creation tool UI34, or between other users' other sessions, the data in the eSIM profile template repository 38 of the eSIM profile creation tool UI34 is sent from node 108 to the eSIM generation tool 40. For example, when accessing the eSIM profile creation tool UI34 and the eSIM generation tool user interface 36, each user will always have a different session using system 26 because the login authentication information is different for each user. This is because many individuals can access the eSIM generation tool user interface, but only one or a very small number of users have access rights to the eSIM profile creation tool UI34.

[0154] In step 405 of Method 400, a user using the eSIM generation tool user interface 36 can request the creation of an eSIM profile via an interface such as the browser-based eSIM generation request interface 1000 shown in Figure 10. The user of interface 1000 can specify an eSIM profile template by entering a profile template name in dialog box 1008. Such templates can also be generated or modified by the same or different users using the eSIM profile creation tool UI 34. The user of interface 1000 can enter a job name, number, or identifier that uniquely identifies the eSIM profile they intend to generate. In dialog box 1015, the user of interface 1000 can determine the desired number of eSIM profiles to comprise the job they intend to generate. The user of interface 1000 can select the input data file from the input data file server 42 shown in Figure 3 as selection item 1018. The user of interface 1000 can specify the output file name for the output data to be saved when the eSIM profile is generated using selection item 1020. When the user of interface 1000 is ready to generate the specified number of eSIM profiles, they press the "Submit" button 1025, which corresponds to the eSIM generation request stage 405 in Figure 4.

[0155] Continuing the explanation of Figure 4, in step 410, the eSIM generation tool 40 evaluates the information received from the storage 38 at node 108 and generates the corresponding eSIM profile in step 415. In step 420, the eSIM generation tool 40 determines whether a predetermined amount of eSIM profiles, as determined in the dialog box 1015 of interface 1000, has arrived. If no, method 400 returns to step 410.

[0156] If the decision in step 420 is Yes, the eSIM generation tool 40 provides output data to servers 54 and 56 at nodes 113 and 114, as described in Figure 3, and provides the eSIM profile generated in step 415 to server 50 at node 112. Rather than waiting for all of a predetermined number of eSIM profiles to be generated before providing the output data to servers 54 and 56, the output data of a particular eSIM profile can be stored in the server each time an eSIM profile is generated. Server 50, also commonly known as SM-DP+ / SM-DP / SM-SR, distributes the eSIM profiles to field wireless user devices such as user device 14 shown in Figure 1. Preferably, all elements in Figure 4, all software methods, all associated interface usage, and all data input, stored, retrieved, processed, evaluated, generated, and distributed are performed within the personal network 18 of the WSP as shown in Figures 1-3.

[0157] Referring to Figure 3A, which is in contrast to the embodiment in Figure 3, it shows an example in which a user 25 using the administrator interface 26 outside the WSP secure private network 18 (logically outside, but not necessarily physically outside the geographical area controlled by a particular WSP) generates or modifies an eSIM profile. In this embodiment, user 25 could be employed, for example, as a partner mobile virtual network operator ("MVNO"). An MVNO is typically a small WSP that sells wireless network services as its own branded service, leveraging the wireless infrastructure of a larger WSP within a designated area. An MVNO typically brings in customers, provides services to customers, and bills customers for the wireless services provided. The MVNO then typically pays a larger WSP for the use of the secure private network: the larger WSP generally owns and operates the wireless infrastructure equipment that facilitates the secure private network 18. Because WSPs strongly protect access to the secure private network 18, a particular WSP generally operates within the secure private network and is wary of outsiders accessing elements (hardware and software) that are part of it. Therefore, while a particular WSP may allow users outside the secure private network 18 to modify eSIM profile template parameters, such access corresponds to login credentials used by MVNO / partner users 25 to log in to the secure private network via the user interface 26 from outside the secure private network, and generally has reduced functionality compared to the WSP user 24 in Figure 3.

[0158] The MVNO / partner user interface 37 is provided to the MVNO / partner user 25 who has logged in via the administrator interface 26. As shown in detail in other figures, the MVNO / partner portal interface provides fewer parameters compared to the parameters used by the WSP user 24 to generate / modify the eSIM profile template, as described in Figure 3. For example, the reduced set of features available to the MVNO / partner's representative via the MVNO / partner portal user interface 37 may only include Java applets, network names, or GID1 / GID2. These parameters are a subset of those shown in Table 1, and all of them are generally accessible to the WSP user 24, who is the WSP representative operating the secure private network 18. The parameters available to the MVNO / partner user 25 via the MVNO / partner portal user interface 37 are generally related to information that the MVNO / partner intends to modify to provide a customized user experience to the customer (i.e., Java applets that provide functionality that WSP cannot provide) and are made on the radio network that is thought to be related to the MVNO / partner instead of the WSP that operates the actual secure private network 18 (i.e., the network name is entered in the MVNO / partner portal user interface 37 as the MVNO's network name instead of the WSP's network name). The GID1 / GID2 parameters also contain information that connects the eSIM profile to the device that the MVNO / partner intends to distribute to the WSP's secure private network. This device reads the information stored in GID1 / GID2 and loads the device image specified by the MVNO / partner. Because this type of information that can be stored in the GID1 / GID2 parameters is related to entity and provider names, the MVNO / partner may wish to modify the information stored in these parameters before multiple eSIM / eSIM profiles are generated and distributed to customer devices.In addition to Java applets, network names, or GID1 / GID2, other parameters used by WSP to control the secure private network, as shown in Table 1, or which are not currently used in eSIM profiles but may be used in the future, can be accessed or modified by MVNO / partner users 25 via the MVNO / partner user interface 37, if MVNO / partner user 25 logs into the administrator interface 26 using authentication credentials (e.g., login and password) related to access to a reduced set of parameters that WSP, which operates the secure private network, has allowed MVNO / partner access to, for the purpose of modifying WSP's eSIM template to generate a custom template appropriate to the specific MVNO / partner requirements.

[0159] Specific eSIM profile templates are stored in the eSIM profile template repository 38, which may also be accessed, modified, and displayed. Information stored in this repository for given parameters may be restricted, as shown in Figure 3a, as previously described. Figure 3a shows examples of profile template elements and parameters that can be modified based on the credentials used by the MVNO / partner user 25 to log in to the administrator interface 26. Due to such restricted access, the credentials of the MVNO / partner user 25 are associated with the login credentials of a specific user. Such a relationship between the credentials of a specific MVNO / partner user and the parameters that a specific MVNO / partner user 25 can access or modify via the MVNO / partner portal 37 can be modified via the partner management tool user interface 35, and the WSP operating the secure private network 18 generally restricts access to only trusted WSP users 24.

[0160] The MVNO / partner user 25 can also use the MVNO / partner portal user interface 37 to have the eSIM generation tool 40 generate an eSIM to be delivered to the MVNO customer user device 15.

[0161] One or more eSIM profiles generated by the eSIM profile generation tool 40 are sent to an MVNO / partner distribution server 51, which may be an SM-DP+ / SM-DP server, and this server is operated and controlled by the WSP's MVNO / partner operating the secure private network 18. To prevent intrusion into the secure private network 18 via the communication network 21, the WSP operating the secure private network 18 and evaluating and providing access to the secure private network from interface 52 can utilize the external subscriber management API ("SMX") 53.

[0162] Figure 15 is a flowchart of method 1500 for generating an eSIM profile using the MVNO / Partner Portal User Interface 37. Method 1500 begins at step 1505. As shown in Figure 3a, at step 1510, the MVNO / Partner User 25 logs in to the MVNO / Partner Portal UI 37 using their authentication credentials. The login authentication credentials of the MVNO / Partner User 25 are linked to an eSIM profile template with reduced parameters, and these parameters are modifiable. The authentication credentials of the MVNO / Partner User 25 are also used by the Partner Management Tool UI 35 to determine the user interface screen provided to the user, the information that can be displayed to the user, and the information that can and cannot be modified, although information that cannot be modified may also be displayed to the user. For example, if the authentication credentials entered in the login dialog box field of the Administrator Interface 26 correspond to the MVNO / Partner User 25, the Administrator Interface can present the MVNO / Partner Portal UI 37 to the user who entered their partner login (see Figure 3a). If the authentication information entered in the login dialog box field of the administrator interface 26 corresponds to a WSP user 24, the administrator interface can either provide the user who entered their WSP login authentication information with access to the partner management tool user interface 35, as shown in Figure 3A, or provide access to the eSIM profile creation tool user interface 34 or the eSIM generation tool user interface 36, as shown in Figure 3.

[0163] Continuing the explanation of Figure 15, in step 1515, the MVNO / partner user selects an eSIM profile template to use to generate the eSIM profile used by the MVNO / partner's customers. In step 1515, the MVNO / partner user can simply select an eSIM profile template to use, as previously generated by WSP user 24 in Figure 3 or Figure 3A. Alternatively, MVNO / partner user 25 in Figure 3A can select an eSIM profile template to modify before using it to generate the eSIM profile, as further explained in Figure 18. The MVNO / partner portal UI 37 generally retrieves the eSIM profile template to use / modify from the eSIM profile template repository 38 before generating the eSIM profile.

[0164] Continuing the explanation of Figure 15, after selecting an eSIM profile template to use as is or to modify before generating the eSIM profile, in step 1520, the MVNO / partner user 25 enters the number of eSIM profiles to generate into the MVNO / partner portal UI 37. The number of eSIM profiles can be a number or value, such as a predetermined number of eSIM profiles, limited by system resources or other system limitations, including 1. Based on contractual or technical values ​​corresponding to a predetermined number of MVNO / partner user devices 15 provided by the WSP operating the secure private network 18 in Figure 3a, the WSP user 24 can enter predetermined limits into the partner management tool user interface 35.

[0165] Continuing the explanation of Figure 15, in step 1525, the MVNO / partner user presses "Enter" or selects another user input item from the MVNO / partner user interface 37 to begin the process of generating the eSIM profile entered by the user in step 1520. The eSIM profile is generated by the eSIM generation tool 40, and the generated eSIM profile is sent to the MVNO / partner distribution server 51 or the WSP's SM-DP+ / SM-DP 50 in step 1530. The output data generated during the generation of a predetermined amount of eSIM profiles in step 1525 is passed by the eSIM generation tool 40 to elements of the WSP's IT infrastructure cloud 16 in step 1535, examples of such elements include HLR / HSS / UDM, SIM-OTA, or OSS / BSS. This method 1500 ends in step 1540.

[0166] Figure 16 is a flowchart of Method 1600 for setting up MVNO / Partner accounts and managing MVNO / Partner user access to the MVNO / Partner Portal user interface. Method 1600 is driven through the Partner Management Tool user interface 35 in Figure 3A and receives input from WSP users 24 when managing, adding, updating, deleting, or modifying access for MVNO / Partner users 25 via the MVNO / Partner Portal user interface 37 to System 20 in Figure 3A.

[0167] Continuing the explanation of Figure 16, Method 1600 begins in step 1605. In step 1610, WSP user 24 logs into the Partner Management Tool user interface 35 using their WSP credentials and enters MVNO / Partner entity information that can access the MVNO / Partner Portal UI 37 in step 1615. If the information entered by WSP user 24 does not match an MVNO / Partner already set, registered, or configured for access, in step 1620, WSP user 24 generates Partner Login credentials for a specific MVNO / Partner user 25 to authorize access to the MVNO / Partner Portal user interface 37. The credentials set in step 1620 are linked to a specific person or all MVNO / Partner entities within the MVNO / Partner entity, allowing the MVNO / Partner entity to authenticate anyone who wishes to access the MVNO / Partner Portal UI 37 as provided by WSP user 24. The MVNO / Partner credentials generated in step 1620 may or may not be changeable by the user after the MVNO / Partner user has been set as an authorized user.

[0168] In step 1625, the WSP user 25 can determine which of the profile templates that generated the partner user credentials configured in step 1620 can provide access. In step 1630, the WSP user 25 can configure the amount of eSIM profiles to be generated for the credentials configured in step 1620. For each template corresponding to the credentials assigned in step 1625, the amount of eSIM profiles can be configured in step 1630, which is a predetermined number of eSIM profiles generated within a predetermined period during a given session, corresponding to the use of the credentials configured in step 1620. In step 1635, the partner management tool UI 35 informs the MVNO / partner or MVNO / partner user that their account has been created and informs them of the eSIM template profiles that can be accessed or modified with the credentials and the amount of parameters / profiles allowed in step 1630. This method 1600 ends in step 1640.

[0169] Returning to step 1615, if the MVNO / partner is not a new MVNO / partner, proceed to step 1645. If it is determined in step 1645 that the MVNO / partner needs to be removed, in step 1685, WSP user 24 uses the partner management tool user interface 35 to remove the MVNO / partner's portal access. In step 1690, WSP partner 24 uses the partner management tool UI 35 to remove the MVNO / partner's login credentials and associated profile information. In step 1695, WSP partner management tool UI 35 notifies the MVNO / partner of the removal of their portal access via email or other notification methods. In step 1699, if the MVNO / partner attempts to log in to the MVNO / partner portal user interface 37, partner management tool UI 35 warns the MVNO / partner user that they no longer have access rights, and proceeds to step 1640 to terminate.

[0170] If it is decided at step 1645 that the MVNO / partner whose information has been entered at step 1615 should be placed in a suspended state, the process proceeds to step 1650. At step 1650, the WSP user 24 suspends the MVNO / partner using the partner management tool user interface 35 shown in Figure 3a. At step 1655, the WSP partner management tool updates the access rights of the suspended MVNO / partner. The WSP partner management tool is provided by the eSIM generation management system 20, embodied as a software application, and may be the application that provides the MVNO / partner portal user interface 37 and the partner management tool user interface 35. At step 1660, the WSP partner management tool UI 35 notifies the MVNO / partner of the suspension of MVNO / partner portal access via email or other notification methods. At step 1665, if the partner attempts to log in via the MVNO / partner portal user interface 37, the WSP partner management tool UI 35 denies the MVNO / partner's access and informs the MVNO / partner user 25 of the suspension. This method 1600 ends at step 1640.

[0171] At stage 1645, if it is determined that the MVNO / partner account has been suspended from accessing the MVNO / partner portal UI37 but should only be "paused", proceed to stage 1670. At stage 1670, WSP user 24 allows the MVNO / partner to access the portal. At stage 1675, the WSP partner management tool restores the MVNO / partner account to an active state. At stage 1680, the WSP partner management tool UI35 notifies the MVNO / partner of the recovery of their portal access via email or other notification methods. This process 1600 ends at stage 1640.

[0172] Figure 5 shows the login interface 500 of the administrator interface 26 of the eSIM profile creation tool UI 34 described in Figure 3. The WSP user 24 is prompted to enter login credentials in the login credentials input dialog box 502 to access the eSIM profile creation tool UI 34. The login credentials include a login name and password. As described in other figures, users who can access the eSIM profile creation tool user interface 34 are generally individuals within a highly trusted subset of individuals (even just one person) that the WSP can access, such as sensitive security data and information, including network credentials stored in the HSM. Such individuals are also referred to as "high security" users / employees.

[0173] Figure 6 shows the interface 600 of the eSIM profile creation tool UI 34, which allows a high-security WSP user 24, logged in via the interface 500 of Figure 5, to select network authentication parameters to generate or modify the eSIM profile template displayed in the navigation window 602. The high-security user can enter the corresponding values ​​for the network authentication parameters via the data input window 604. In the figure, after the user selects "Network Authentication" in the navigation window 602, they can select the authentication algorithm corresponding to the values ​​in the eSIM profile template they are generating or modifying.

[0174] Figure 7 shows a possible welcome page 700 of the administrator interface 26 in Figure 1. The eSIM profile template icon group 702 contains icons that, when clicked, guide the user through the aspects and features of the eSIM profile creation tool UI 34 in Figure 3. The eSIM generation icon group 704 contains icons that, when clicked, guide the user through the aspects and features of the eSIM generation tool UI 36 in Figure 3.

[0175] Figure 8 shows the Wizard Mode start screen interface 800, which is generated when the user clicks icon 706 in the eSIM profile template icon group 702 shown in Figure 7. The Wizard Mode start screen interface 800 includes a profile template dialog box 802 that the user can use to enter the name of the eSIM profile template to be generated or modified using the Wizard Mode of the eSIM profile creation tool UI 34 in Figure 3. The user can select the device type for which to generate or modify the eSIM profile template by selecting the radio button 804 corresponding to consumer devices or M2M devices. The parameters that the eSIM profile can use for a particular WSP may differ for consumer devices such as smartphones and for M2M devices. The user can select the type of network that will use the generated eSIM profile to match the eSIM profile template being generated or modified. For example, radio button 806 provides a means to select from network types 3G, 4G / LTE, or 5G. Depending on the type of network on which a particular WSP operates or the type of device supported by the network, the options presented in radio buttons 804, 806 may differ for each WSP. When the user clicks the "Next" button 808, the options selected using radio buttons 804 and 806 are associated with a named profile template in the profile template dialog box 802, which may be a new template generated during the current user session or a template generated by the user in a previous session.

[0176] Other wizard questions / examples are shown in Figure 9, namely the SMS configuration data input screen interface 900. If the WSP user 24 selects the "No" button for SMS using radio button 902, input into the dialog box 904 is not permitted. If the user selects "Yes," the user is presented with a dialog box 904 for entering various values ​​and information belonging to the eSIM profile configuration that will be generated to match the eSIM profile template being generated or modified.

[0177] Figure 10 shows the eSIM generation request interface 1000 in Figure 4, and the user of the eSIM generation request interface 1000 does not necessarily have to be a high-security user; other WSP users can also access the eSIM generation request interface to generate test or production eSIM profiles.

[0178] Figure 11 is the status dashboard 1100 of the eSIM generation tool user interface 36 in Figure 3, showing a list of eSIM profile tasks generated by the eSIM generation tool 40 of the eSIM generation management system 20 in Figure 1, which is located within the private network 18 of the WSP and is not involved in the transmission of onboarding data, eSIM profile templates, output data, or eSIMs with third-party suppliers or networks that are not part of the network 18.

[0179] While various input methods such as dialog boxes, dropdown boxes, radio buttons, and function start buttons have been described with reference to various user interface screens, these input methods are merely examples. These input techniques are illustrated and described for illustrative purposes, but other techniques may also be used instead of, or in addition to, the techniques shown in the figures and described herein with reference.

[0180] Figure 12 is a flowchart of Method 1200 used by WSP user 24 when generating or modifying an eSIM profile template. After being authenticated in step 1210, WSP user 24 logs into an administrator interface, such as interface 500 in Figure 5. In step 1215, the user enters onboarding information and data, for example, network authentication algorithm information to be used for the eSIM profile resulting from the eSIM profile template being generated in this flowchart. Other information that can be entered includes OTA key, PIN and PUK information, output data file information and other information, an example of which is shown in interface 600 in Figure 6. Other information that the user can enter is the information displayed in the interfaces in Figures 8 and 9.

[0181] In step 1220, user input data is compared with already stored WSP data that must correspond to the user input data and industry specifications (e.g., UST or USIM service table specifications). If a mismatch between the input data and other input data (internal mismatch) or a mismatch between the input data and industry specification data (external mismatch) is detected in step 1220, the process proceeds to step 1225, where the eSIM profile creation tool UI must resolve this mismatch and propose data that the user can accept in step 1230. One example of a mismatch is when the user specifies that the eSIM profile will be used to operate on a 5G independent network and that 5G SUCI calculations must be performed in the eSIM profile template. If the 5G SUCI calculation service is not present in the user-entered data in the Basic USIM Service Table ("UST"), the eSIM generation tool UI will display the mismatch and propose that the user enter the correct data. This is an example of a mismatch that generates a real-time error warning to inform the user that an error situation has occurred that needs to be corrected before continuing to generate eSIM profile templates based on incorrect information due to the information entered by the user. While it is possible to detect other error situations in real time by comparing user-entered information and data with information specific to the WSP private network, such a private network is not visible to other SIM suppliers, for example, if they need to generate a profile outside of the WSP private network. Therefore, a benefit is that data mismatches can be warned in real time before attempting to create an eSIM profile, a benefit that is not possible if the eSIM generation management system 20 in Figure 1 is not used within the WSP secure private network 18.

[0182] If the user chooses not to accept the data suggested via the eSIM profile creation tool UI in step 1230, the user returns to step 1215 where they can re-enter the data.

[0183] If the user chooses to accept the data proposed in step 1225, or if no mismatch is detected in step 1220, the process proceeds to step 1235. In step 1235, the user can press a button to give a voice command, enter a key, or generate or modify an eSIM template based on the data entered in step 1215 or proposed in step 1225, which will then be saved to the eSIM profile template repository 38 as shown in Figure 3. This method 1200 ends in step 1240. The eSIM profile creation tool UI 34 in Figure 3 can be realized by executing the steps of this method 1200.

[0184] Figure 13 shows the method for generating an eSIM profile, starting at step 1305. In step 1310, the authenticated user logs in to the eSIM generation tool user interface. The user logged in in step 1310 does not have to be the same user logged in in step 1210 in Figure 12. In step 1315, the user selects the eSIM profile template to use. In step 1320, the user assigns a work identifier. The work identifier can be a name, a number, or other unique indicator that refers to a particular eSIM profile execution. In step 1325, the user specifies the number of eSIM profiles to be generated. In step 1330, the user selects the WSP input data file to be used with the eSIM profile template from step 1315 to generate the eSIMs. In step 1335, the user selects the output file definition used to encrypt and securely store each eSIM profile generated during the execution of the work. In step 1340, the user executes the work, and in step 1345, the user finishes.

[0185] Figure 14 shows the WSP's IT infrastructure cloud 16 and eSIM generation management system 20 isolated by firewall 160. Firewall 160 is a firewall service that isolates the eSIM generation management system 20 from the rest of the WSP's IT infrastructure, ensuring that only authorized WSP personnel can use the eSIM generation management system. The elements found within the private cloud, including the eSIM generation management system 20, are part of the WSP's so-called "walled garden" secure private network, and the WSP maintains a high level of security against devices attempting to access the elements, modules, servers, computers, interfaces, nodes, or other elements that make up the private network. The autonomous eSIM generation management system 20 includes several elements described here, including an input file interface 44, output file interfaces 52, 58, and a hardware security module ("HSM") interface 48. Such interfaces / adapters facilitate communication between elements of the autonomous eSIM generation management system 20 and WSP IT infrastructure elements that WSP strongly protects (e.g., OSS / BSS interfaces for HSM 46, HLR / HSS / UDM 54, SMP+ / SM-DP / SM-SR 50, and SIM-OTA 56), and because the eSIM profile was generated by a third party outside of WSP's secure private network, these factors have not previously allowed access when WSP generates the eSIM profile. The autonomous eSIM generation management system 20 allows WSP users 24A (eSIM profile creation tool user interface users) and 24B (eSIM generation tool user interface users) to access elements of the WSP IT infrastructure cloud 16 on the other side of the firewall 160 from a computer on one side of the firewall 160, and adapters 44, 48, 52, and 58 provide a security interface between the elements corresponding to the various interfaces shown in the figure and the eSIM generation tool 40.Furthermore, while previously (i.e., before the present inventors presented embodiments) eSIM profiles and associated information were generally loaded into recordable memory / media or into various elements (e.g., HLR / HSS / UDM 54, SM-DP+ / SM-DP / SM-SR 50, and SIM-OTA 56), eSIM profiles and associated information generated outside the secure private network via middleware within the WSP's IT infrastructure cloud 16 were already in the required format for some elements 50, 54, and 56. Thus, interfaces 44, 48, 52, and 58 are configured to transmit information from the eSIM generation tool 40 to the server without interfering with the operation of various elements in accordance with previous modes, processes, technologies, and working specifications.

[0186] The autonomous eSIM generation and management system 20 also includes elements such as a web server 72, an API server 74, and a database 76. An access control module 70 provides authentication and authentication interfaces between WSP users who are authorized to access the WSP's IT infrastructure cloud 16, so that the authentication information used by users to access the WSP's IT infrastructure cloud 16 is also used to determine the level of functionality that WSP users 24A and 24B can have with respect to the eSIM generation and management system 20. The access control module 70 may be bundled as part of the eSIM generation and management system 20 or it may be an existing Open ID Connect / oAuth2 system of the WSP. As described above, if WSP user 24A is a high-security user, they can access the WSP's IT infrastructure cloud 16 and the data input section of the eSIM profile creation UI 34 / web server 72 to input key data. Other users, on the other hand, can only access the Wizard Mode of the eSIM profile creation UI 34 / web server 72 to design or update existing profile templates.

[0187] The web server 72 can provide a graphical user interface as described in Figures 5 to 11, in addition to the eSIM profile creation tool UI 34 and eSIM generation tool UI 36 shown here. The eSIM profile creation tool UI 34 is a single-page application ("SPA") that allows WSP user 24A to input WSP onboarding data and build an eSIM profile template. The eSIM generation tool UI 36 is a single-page application that allows WSP user 24B to manage eSIM generation. The web server 72 can send the data entered via user interfaces 34 and 36 to the API server 74, the eSIM generation tool 40, or, in the case of sensitive data, directly to the HSM 46 via the HSM adapter 48.

[0188] The API server 74 is a microservice used by the eSIM profile creation UI 34, for example, to manage eSIM profile templates, and can interact with the database 76 to store all onboarding data entered by the WSP user 24A (excluding the aforementioned sensitive data that must be stored in the HSM 46). The API server 74 can also send the eSIM profile template to the eSIM generation tool 40 via the API. The API protocol used will vary depending on the WSP implementation and may be one of the following common API protocols: REST, SOAP, or JSON-RPC. The database 76 may include a relational database with a SQL (Structured Query Language) API that holds metadata different from the eSIM profile template required by the API server 74.

[0189] The eSIM generation tool 40 may be a microservice that manages eSIM generation at the request of WSP user 24B. The eSIM generation tool 40 interacts with the eSIM generation tool UI 36 to collect data entered by WSP user 24B, such as the number of eSIMs, and interacts with the input adapter 44 to select the necessary WSP input data required during eSIM generation. Furthermore, via the HSM adapter 48, the eSIM generation tool 40 interacts with the HSM 46 to request the necessary encryption operations during eSIM generation. Finally, the eSIM generation tool 40 interacts with the output adapter, which is an API that interfaces with WSP elements 50, 54, and 56, to route output data to the corresponding WSP elements. The eSIM generation tool 40 can perform these functions in a single-user session or a multi-user session.

[0190] In Figure 14A, the WSP's IT infrastructure cloud 16 and the eSIM generation management system 20 are isolated by a firewall 160. The firewall 160 service separates / isolates the eSIM generation management system 20 from the rest of the WSP's IT infrastructure and provides additional access control security, ensuring that only authorized personnel can use the system 20. The elements displayed within the private cloud, including the eSIM generation management system 20, are part of the WSP's so-called “World Garden” secure private network, ensuring that the WSP maintains high security against devices that might attempt to access modules, servers, computers, interfaces, nodes, or other network components that make up the private network through it. The autonomous eSIM generation management system 20 includes other elements described herein, including an input file interface 44, output file interfaces 52, 58, and a hardware security module ("HSM") interface 48. These interfaces / adapters facilitate communication between elements of the autonomous eSIM generation management system 20 and WSP IT infrastructure elements that WSP strongly protects (e.g., HSM 46, OSS / BSS interface 54 for HLR / HSS / UDM, SM-DP+ / SM-DP / SM-SR 50, and SIM-OTA 56), but such infrastructure elements are elements that WSP has not allowed access to when generating eSIM profiles, because eSIM profiles are generated from outside WSP's secure private network by third-party SIM suppliers in various locations.The autonomous eSIM generation management system 20 allows WSP users 24 (i.e., users of the partner management tool user interface 35) and partner users 25 (i.e., MVNO / partner users who can use the MVNO / partner portal user interface 37) to access elements of the WSP's IT infrastructure cloud 16 located on one side of the firewall 160 (i.e., the protected side). To this end, adapters 44, 48, 52, and 58 provide a security interface between the eSIM generation tool 40 and elements corresponding to various interfaces in the diagram, from computer devices on the other side of the firewall 160 (i.e., the unprotected outside world). Furthermore, until now (i.e., before the present inventors of this application introduced here), eSIM profiles and related information were generally loaded from recordable memory / media via middleware of the WSP's IT infrastructure cloud 16, or loaded via various elements (e.g., HLR / HSS / UDM 54, SM-DP+ / SM-DP / SM-SR 50, SIM-OTA 56), so eSIM profiles and related information generated outside the secure private network were already in the format required by some elements 50, 54, and 56. Also, interface 52 can be configured with a Subscription Management eXternal (SMX) API 53 to provide a security interface between the eSIM generation tool 40 and the MVNO / partner's private cloud 21 protecting the subscription management server 51, also known as SM-DP+ or SM-DP. Thus, interfaces 44, 48, 52, 58, and 53 provide and transmit information from the eSIM generation tool 40 to the server without interfering with the operation of various elements according to their respective previous modes, processes, technologies, and operational specifications.

[0191] The autonomous eSIM generation and management system 20 also includes elements such as a web server 72, an API server 74, and a database 76. As an example, the access control module 70 authenticates and provides an authentication interface to WSP users 24 and MVNO / partner users 25 who have different authentication levels to access the WSP's IT infrastructure cloud 16, and the authentication information used by users accessing the WSP's IT infrastructure cloud 16 is also used to determine the level of functionality that WSP users 24 and MVNO / partner users 25 can have with respect to the eSIM generation and management system 20. The access control module 70 may be integrated into the eSIM generation and management system 20 or it may be an existing OpenID Connect / oAuth2 system of the WSP.

[0192] The web server 72 can provide a graphical user interface, a partner management tool user interface 35, and an MVNO / partner portal user interface 37, as shown in Figures 14A and 19-27. The partner management tool user interface 35 allows a WSP user 24 onboarding a specific partner and an MVNO / partner user 25, who may be the partner's representative, to access the MVNO / partner portal user interface 37, so that the eSIM generation management system 20 modifies the reduced profile element set of the eSIM profile template as determined by the WSP user. The MVNO / partner user 25 can use the MVNO / partner portal user interface 37 to modify the profile elements of the eSIM profile template and request the generation of the eSIM profile using a computer device that is physically or logically outside the WSP's secure private network 18.

[0193] The API server 74 may be a microservice that sends eSIM profile templates to the eSIM generation tool 40 via an API. The API protocol used will differ for each individual WSP and may be one of the common API protocols such as REST, SOAP, or JSON-RPC. The database 76 may include a relational database having a SQL (Structured Query Language) API that holds the eSIM profile templates and other metadata requested by the API server 74.

[0194] The eSIM generation tool 40 is a microservice that a partner user 25 requests eSIM generation from via the MVNO / partner portal user interface 37. It interacts with the MVNO / partner portal user interface 37 to collect data entered by the partner user 25, such as the number of eSIMs, and interacts with the input adapter 44 to select the necessary WSP input data required during eSIM generation. The eSIM generation tool 40 can also interact with the HSM 46 via the HSM adapter 48 to request encryption operations required during eSIM generation. Finally, the eSIM generation tool 40 can interact with the output adapter, which is an API that interfaces with WSP elements 50, 54, and 56, to route output data to the corresponding WSP elements. The eSIM generation tool 40 can perform these functions during a single user session or multiple user sessions.

[0195] Figure 17 is a flowchart of how to onboard or prepare an MVNO / partner representative or other designated user 25 for the WSP operating the secure private network 18 of Figure 3A, for accessing a limited set of variables in an eSIM profile template that can be modified by the MVNO / partner user 25. In step 1710, the WSP agrees to the terms and conditions with the MVNO / partner so that the MVNO / partner provides wireless services to customers acquired by the MVNO / partner via the secure private network 18 owned, controlled, and operated by the WSP. In step 1715, the WSP user 24 begins onboarding the MVNO / partner user 25 and "setting up" the MVNO / partner representative / user to use the MVNO / partner portal user interface 37 using the partner management tool user interface 35 of Figure 3a. An example of the user interface screen of the partner management tool user interface 35 that the WSP user 24 uses to begin onboarding is the preparation screen 1900 in Figure 19. When WSP user 24 responds "Yes" on screen 1900, the partner management tool user interface 35 proceeds to screen 2000 in Figure 20, where WSP user 24 can enter the MVNO / partner's email address in input field 2010, at which point the MVNO / partner's email address corresponds to MVNO / partner user 25. Instead of the email address corresponding to MVNO / partner user 25, WSP user 24 can also enter a mobile device identifier such as a mobile phone number, or another unique identifier corresponding to the MVNO / partner or user 25.

[0196] Figure 21 is an example of the initial screen 2100 presented to the MVNO / partner user 25, and Figure 22 is an example of the screen 2200 used by the MVNO / partner user to configure their login credentials for logging into the MVNO / partner portal 37 in Figure 3a. Figure 23 is a confirmation screen of the MVNO / partner portal user interface that informs the MVNO / partner user that their login credentials have been sent to the WSP for review and that the MVNO / partner has been sent to the WSP to configure an account for restricted access to the eSIM generation and management system operating on the WSP's secure private network. Figure 24 is an example of a confirmation screen of the partner management tool user interface of the administrator interface that allows the WSP user 24 to confirm or reject the MVNO / partner user's account configuration request and the submission of related credentials.

[0197] In step 1720 of Figure 17, using screen 2500 of Figure 25, the WSP user 24 can specify eSIM profile templates that the MVNO / partner user 25 can use or modify when generating an eSIM profile (see Figure 18). As an example, in screen 2500 of Figure 25, the WSP user 24 satisfies two eSIM profile templates that the MVNO / partner user 25 can select: eSIM profile template #1 and eSIM profile template #2. As shown in Figure 25, eSIM profile template #1 is the template used to generate an eSIM profile for download and is intended for the operation of a wireless user device 15 (shown in Figure 3a) on a 4th generation Long Time Evolution radio service ("4G LTE") over the WSP's secure private network 18 without an IP multimedia subsystem ("IMS"). Such profiles, which are not for IMS, are generally used for M2M wireless devices 15 that do not support wireless voice services. As shown in Figure 25, eSIM profile template #2 is used to generate the eSIM profile to be downloaded, and is a template for the operation of a wireless user device 15 operating on a 5G standalone network, where user-specific identifiers such as IMSI are hidden to protect user privacy, which was not possible in all generations of wireless networks, including 4G LTE and 5G Non-Standalone.

[0198] In Figure 17, at 1725, the WSP user 24 can select eSIM profile template parameters or profile elements ("PE") that can be modified by the MVNO / partner user 25, whose authentication information is set on screen 2200 in Figure 22. In Figure 26, the WSP user 24 selected the parameters of eSIM profile template #1 to be entered in the dropdown box 2610. The MVNO / partner user 25 can select the profile elements to modify in box 2610. In Figure 27, at screen 2700, the data input field 2710 is displayed on screen 2700. In box 2610 in Figure 26, the WSP user 24 selected "Other". The WSP user 24 can select / enter the profile elements that the WSP has determined can be modified by the MVNO / partner in Table 1. If the WSP user 24 enters the wrong profile element name / value in Table 1, an error message will be displayed on screen 2700 or on another screen of the Partner Management Tool User Interface 35 in the Administrator Interface 26.

[0199] In step 1730, WSP user 24 can enter policy rules to be applied to the creation of eSIM profiles by MVNO / partner user 25. These policy rules may include the maximum and minimum number of eSIM profiles that the MVNO / partner can generate during an overall session or a given session, such a session starting when MVNO / partner user 25 enters login credentials (created using screen 2200 in Figure 22) on the login screen of the MVNO / partner portal user interface 37 of the administrator interface 26.

[0200] Figure 18 is a flowchart of how an MVNO / partner user 25 generates an eSIM for use by a partner radio user device on the WSP's secure private network from a computer device that is not on the WSP's secure private network. In step 1810, the MVNO / partner user 25 logs into the MVNO / partner portal user interface 37, which may be part of the administrator interface 26 operated from within the WSP's secure private network as shown in Figures 3a and 14a, using partner authentication information generated using screen 2200 in Figure 22. In step 1815 of Figure 18, the MVNO / partner user 25 can modify the limited parameter set of the eSIM profile template specified by the WSP user 24, as described in step 1720 of Figure 17 and in other figures. In step 1820, the MVNO / partner user 25 inputs the amount of eSIM profiles to generate based on the selected or modified eSIM profile template. If the quantity specified / entered in step 1820 does not conform to the rules set by the WSP user 24 in step 1730 of Figure 17, the MVNO / partner user 25 is presented with an error message prompting them to enter a different quantity. If no error message is presented, the MVNO / partner user selects a control item or "hit enter" to trigger the eSIM generation tool 40, as shown in Figure 4, and uses the eSIM generation tool 40 in Figure 3a to generate an eSIM profile for the quantity specified by the MVNO / partner user.

[0201] If the MVNO / partner user 25 has a relevant or related MVNO / partner that maintains, manages, and operates an external Subscriber Management ("SM") server of the WSP's Secure Private Network 18, the eSIM generation management system 20 in Figure 3A sends a predetermined number of generated eSIM profiles to the MVNO / partner's SM server 51 via the SMX API 53 in step 1825 as shown in Figure 18, and the eSIMs are provided to the WSP's backend servers, such as servers 54 and 56 in Figure 3a, in step 1830. Furthermore, even if the MVNO / partner operates the SM server, the WSP may or may not allow the generated eSIM profiles to be stored on the MVNO / partner's SM server 51. Such permission can be entered by the WSP user 24 via the partner management tool UI 35.

[0202] If the MVNO / partner user 25 is applicable to or related to the MVNO / partner does not maintain, manage, or operate the subscriber management server from outside the WSP's secure private network 18, the eSIM generation management system 20 in Figure 3a sends the amount of generated eSIM profiles to the WSP's SM server 50 in Figure 3a in step 1835, and the eSIMs are provided to the WSP's backend servers such as servers 54 and 56 in Figure 3a in step 1830.

[0203] Figure 28 is a flowchart of method 2800 for generating one or more eSIM profiles inline, where “inline” means that after generating the eSIM data and corresponding output data for one eSIM, the eSIM data and corresponding output data for other eSIM profiles are generated. This method begins in step 2805. In step 2810, the eSIM generation tool 40 is requested to generate an eSIM profile that fits an eSIM profile template. This request also includes the selection of a WSP input data file containing input data records. In step 2815, the eSIM generation tool 40 retrieves the first record from one or more records that can be prepared / split into each record, this record comes from the WSP input data file and has a unique subscriber identifier, the input data file has one or more records, this record has a unique ICCID and IMSI data pair. In step 2820, the first eSIM profile data is generated based on the retrieved first input data record and a pre-configured data generation command. The data generation command is described in detail in step 408 of Figure 30. The eSIM profile data has ICCID / IMSI pair values ​​formatted in a predetermined format. In step 2825, a first eSIM profile can be generated based on the first eSIM profile data, and in step 2830, output data corresponding to the first eSIM profile data can be generated. Step 2830 can also occur before step 2825 or vice versa. After generating output data in step 2830 and generating an eSIM profile in step 2825, the process can be repeated to generate second or subsequent eSIM profile data in step 2820. This method 2800 ends in step 2835.

[0204] In one embodiment, in response to a request to generate an eSIM profile, the eSIM generation tool 40 can obtain a second record from one or more records that may have been prepared or split from the WSP input data file. The eSIM generation tool 40 can generate a second eSIM profile data based on the second record of the one or more input data records. The eSIM generation tool 40 can then generate a second eSIM profile and corresponding output data based on the second eSIM profile data.

[0205] In embodiments of Method 2800, the second eSIM profile creation step is performed after the first eSIM profile is generated; however, the eSIM data generation step used for the second eSIM profile may also be performed after the first eSIM profile has been generated in these steps.

[0206] In an embodiment of Method 2800, after the first output data is generated and stored in the server, the second output data may be generated and stored in the server.

[0207] Alternatively, the steps and system elements described in Figure 28 may be executed / controlled according to software running on computer components within the WSP's secure private network.

[0208] Figure 29 is a flowchart of method 2900 performed by the eSIM generation tool 40, which is also illustrated in other figures such as Figures 1, 3, and 3A. The eSIM generation tool 40 receives a request from a user to generate an eSIM or eSIM profile and implements or performs method 2900. Users who can request the generation of an eSIM profile may be users or MVNOs / partners of the WSP operating the secure private network on which the eSIM generation tool 40 operates. Generally, MVNOs / partners of the WSP request eSIM profiles using devices that do not operate within the WSP's secure private network.

[0209] Before and after receiving a request for an eSIM profile, the eSIM generation tool 40 can obtain WSP input data from the input data server 42 via the input data interface 44 shown in Figure 3. The WSP input data can be received from the input data server 42 in a deployment format (i.e., sufficient input data for generating one or more eSIM profiles). The input data server 42, interface 44, and eSIM generation tool 40 are securely located within the WSP IT infrastructure cloud 16 within the WSP's secure private network 18.

[0210] In stage 2920 of Figure 29, the eSIM generation tool 40 prepares / divides the WSP deployment input data into individual subscriber identifiers, which means refining the data into ICCID / IMSI pairs used to generate eSIM profiles. The number of ICCID / IMSI pairs prepared / divided in the WSP input data file, which contains batches of data records, can match the number of eSIM profiles to be generated. The number of input data records in a particular WSP input data file is prepared / divided into separate IMSI / ICCID pairs, but not all of these pairs may be used in a particular session that performs stages 2930, 2935, and 2940, which will be discussed later. Additional subscriber identifiers may also be added to specific ICCID-IMSI pairs of input data in stage 2920. Currently, the WSP operator stores and provides the input data ICCID / IMSI pairs of the input data server in batches of multiple input data pairs / records. In the future, the WSP input data server may provide one ICCID / IMSI pair of input data per case, in which case the separation of ICCID / IMSI pairs from multiple input data file records in a batch in step 2920 may not be performed.

[0211] The eSIM generation tool 40 processes one ICCID-IMSI pair using data generation commands specified via the user interface and generates an eSIM using an eSIM profile template automatically retrieved from the eSIM profile template repository 38 and the corresponding output data in 2930 steps (see Figure 3). In step 2935, the eSIM profile is stored on a server such as the SM-DP+ servers 50 and 51 in Figure 3, 3A, and the output data corresponding to the eSIM profile can be stored on a server such as the HLR / HSS / UDM server 54 in Figure 3, 3A.

[0212] If the WSP cannot assist in real-time collection of eSIMs (i.e., one by one as they are generated) and cannot output data from the eSIM generation tool 40 to a backend server (e.g., HLR / HSS / UDM, SIM-OTA, SM+DP server), then the storage function within the eSIM generation tool 40 can be utilized. If the WSP system has the capability to perform real-time processing, the eSIM generation tool 40 can load the eSIM profile and output the data one by one to the backend server via interfaces 52 and 58. In addition, if data is lost or damaged during transfer to the backend server, a storage function is needed within the eSIM generation tool 40 to back up the output data and eSIM profile. The eSIM generation tool 40 stores the eSIM profile and output data in accordance with the WSP's data retention rules / policies.

[0213] When WSP assists with real-time data collection, the eSIM profile generated by the eSIM generation tool 40 is loaded to the backend server via interfaces 52 and 58 in step 2940, and then steps 2920, 2930, and 2935 are repeated to generate other eSIM profiles. If it is determined in step 2950 that an eSIM profile creation request has been made, steps 2930, 2935, and 2940 can be repeated until the desired number of eSIMs are generated using the new ICCID-IMSI pairs of the input data formatted in step 2920. The eSIM profiles and output data may be reformatted to conform to the conditions of the WSP network. After the eSIM profiles are generated, the eSIM profiles and the corresponding output data may also be loaded to the server. For example, the profiles may be sent one by one to the distribution server as generated by the eSIM generation tool 40 before all of a predetermined number of eSIM profiles have been generated. Alternatively, the eSIM profiles and output data may be sent sequentially according to the rules or conditions of the WSP or WSP network infrastructure. For example, the WSP network can be configured so that the output data is sent to the HLR / HSS / UDM server before the eSIM corresponding to the output data is sent to the SM-DP+ server. In such a scenario, the eSIM generation tool 40 can follow WSP data sequence instructions or rules to send the output data to the WSP's HLR / HSS / UDM backend server before sending the relevant eSIM profile to the SM-DP+ server. Since these sequence instructions and rules may differ depending on the WSP, the eSIM generation tool 40 can also be configured differently depending on the WSP.

[0214] The advantage of preparing / splitting the input data records for record placement contained in the WSP input data file received from the WSP input data server is that, while generating one eSIM profile data and corresponding output data for each case, it is not necessary to generate the entire eSIM profile because the data records are already placed in the WSP input data file. Although eSIM profiles can be generated in stages 2930, 2935, and 2940, the number of eSIMs generated before proceeding to stage 2960 may be less than the number of data records contained in the WSP input data file received in stage 2910, until it is determined in stage 2950 that a predetermined number of eSIM profiles have been generated. In stage 2920, the number of data records prepared / separated from the WSP input data file can correspond to the amount of eSIM profiles generated for a session that runs stages 2930, 2935, and 2940 before proceeding to stage 2960 where the session ends.

[0215] Figure 31 shows the screen of the eSIM generation tool user interface 36, which displays a list of available eSIM profile templates. After the WSP user 24 in Figure 3 requests an eSIM quantity via the eSIM generation tool user interface 36, the eSIM generation tool 40 queries the eSIM profile template repository 38 to present possible profile templates. A specific profile template can be identified by attributes including, for example, Profile ID (alphanumeric), Status (Active, Draft, Test, Retired), Type (M2M, Consumer), Created by (username), Last Modified (year / month / day / hour / minute / second)).

[0216] After the WSP user selects a profile template and the corresponding WSP input data file, pressing the "Start" button causes the eSIM generation tool 40 to retrieve the WSP input data file corresponding to the selected template. A range of input data file records can be assigned to be used by a specific WSP for a specific profile type. For example, a first range of input data file records may be assigned for creating an eSIM profile for an M2M device, and a second range for creating a consumer eSIM profile for use with consumer smartphone user devices. After retrieval, the eSIM generation tool 40 can determine the data types (e.g., ICCID-IMSI pairs) to be extracted and processed according to the data generation instructions generated by the eSIM profile creation tool 34. Other examples of retrieved input data include, but are not limited to, data corresponding to parameters such as PO number, placement number, SKU, IMPI-IMPU pair, and network authentication algorithm identifier.

[0217] Next, the eSIM generation tool 40 generates data for one eSIM profile, syntactically analyzes this data through the profile elements of the profile template, and inserts it into the eSIM profile template. After one iteration is complete, the eSIM generation tool can repeat this process until it generates a predetermined number of eSIM profiles, for example, based on standards set by the Trusted Connectivity Alliance, and continues to do so through the eSIM generation tool UI 36.

[0218] Simultaneously, the eSIM generation tool 40 can aggregate eSIM provision data according to the format determined via the eSIM profile creation tool user interface 34. The aggregated eSIM provision data is output data and used in the backend systems of WSPs such as HLR / HSS / UDM, SIM OTA, and SM-DP+ / SM-DP / SM-SR.

[0219] In Figure 30, the eSIM generation tool 40 performs inline eSIM generation according to the steps described below, in accordance with the extended method 400 of Figures 4 and 30.

[0220] Input Data Collection: Each WSP generally has its own unique input data file (input file), and its contents may differ from other WSPs or from other input data files within the same WSP. WSPs manage the range of ICCID and / or IMSI based on SKU, network characteristics, and specific delivery purposes. Generally, the input file contains unique identifiers for the eSIM, such as ICCID and IMSI. The eSIM generation tool 40 collects WSP input data in step 106 and prepares eSIM data unique to ICCID-IMSI pairs in step 408. The following is an example of input data showing what information is extracted for further processing.

[0221] Example of input data [Table 5]

[0222] eSIM Data Preparation (Stage 408): The eSIM generation tool 40 is a data generation instruction and sub-definition that specifies how to generate eSIM data. For example, for network authentication, the main role of the eSIM is to store network authentication information used for network authentication and to agree on a session key to protect communication between the user equipment (including the eSIM) and the secure private network. A common network authentication algorithm used in 3G / 4G / 5G networks is Mileage, and the eSIM generation tool 40 generates Mileage data as follows: JPEG2026094106000013.jpg162155

[0223] Syntax analysis using the eSIM profile template (stage 410) and insertion of eSIM data into the eSIM profile template (stage 411): The eSIM generation tool 40 generates an eSIM by combining the eSIM data generated in stage 408 with the selected eSIM profile template 107, which was automatically retrieved from the eSIM profile template repository 38. Table 6 summarizes the content that makes up the eSIM and the corresponding data sources. The data generally comes from a) data generation based on pre-configured data generation instructions used by the eSIM generation tool 40, and b) input data files from the WSP.

[0224] Data generation items and data sources [Table 6]

[0225] Following the network authentication example described above, the following shows how the eSIM generation tool 40 inserts Mileage data into the PE-AKAParameter of the eSIM profile template. *Milenage data: key, opc, rotationConstants, xoringConstants *key='465B5CE8B199B49FAA5F0A2EE238A6BCH(Generation) *opc='CD63CB71954A9F4E48A5994E37A02BAFH(Generation) *rotationConstants='4000204060'H(provided by the user via eSIM profile creation tool 34) *xoringConstants= ‘00000000000000000000000000000000000000000000000000000000000000010 00000000000000000000000000000200000000000000000000000000000004000 00000000000000000000000000008‘H (Provided to the user via eSIM profile creation tool 34)

[0226] The eSIM profile template includes a PE-AKAParameter in ASN.l format. ASN.l stands for Abstract Syntax Notation One, a standard interface technology language that defines data structures that can be read by both humans and machines. The Trusted Connectivity Alliance has adopted ASN.l as the basic technology language for profile elements in eSIM profiles.

[0227] The example data will be inserted into the underlined field below: JPEG2026094106000015.jpg166143

[0228] Converting ASN.1 to DER (Step 412): Includes encoding of personalized eSIMs. Personalized eSIMs are first formatted in ASN.1 format, and then can be encoded into a TLV (Tag Length Value) structure using the DER (Distinguished Encoding Rule) specified in the Trusted Connectivity Alliance's eUICC Profile Package: Interoperable Format Technical Specification. The DER encoding rules are found in ITU-T X.690.

[0229] eSIM generation (stage 415): This stage in Figure 4 includes / constitutes the processes of stages 411 and 412 in Figure 30.

[0230] Preparation of output data (stage 416): The eSIM generation tool 40 can aggregate eSIM provision data in the specified format via the eSIM profile creation tool UI 34. This provision data can also be called output data, and this data is stored in the WSP backend system, such as HLR / HSS / UDM, SIM OTA, SM-DP+ / SM-DP / SM-SR.

[0231] The eSIM profile creation tool 34 allows users to specify data types that match the backend elements of a particular WSP. The WSP user 24 can then determine the structure of the output file (e.g., File Header, File Detail, File Footer). Because the requirements differ for each WSP, it is preferable for the WSP user 24 to determine the output file when entering onboarding data.

[0232] Once determined, the eSIM generation tool 40 inserts the generated data during onboarding data entry to conform to the output file structure specified by the WSP user 24. Some content in the eSIM profile may also need to be encrypted based on the transmission key and the specified encryption scheme (e.g., AES-128). The following backend systems can use certain eSIM data, including:

[0233] *HLR / HSS / UDM, OSS / BSS: ICCID, IMSI, K(key), PIN, PUK, ADM, ACC, IMPI, IMPU *SIM-OTA: ICCID, IMSI, OTA Keys-SCP80(KiC, KID, DEK), SCP81(PSK, DEK) *SM-DP+ or SM-DP / SM-SR: ICCID, eSIM (.DER), activation code (applicable to SM-DP+)

Claims

1. A system for designing and generating an eSIM profile within a secure private network, while ensuring that the secure information of the wireless service provider used to generate the eSIM profile does not leak from the secure private network, It includes one or more computer components that operate within the secure private network and are logically isolated from computer components outside the secure private network, the processor of the computer component providing an eSIM profile creation tool interface and an eSIM generation tool; The aforementioned eSIM profile creation tool interface is -Receive onboarding data via a user interface running on a user data input computer device connected to the secure private network of the wireless service provider; - The user interface, which is run on the user data input computer device connected to the secure private network of the wireless service provider, receives a selection of one or more wireless subscriber eSIM profile template parameters; The aforementioned eSIM generation tool is - Using the selected wireless subscriber eSIM profile template determined based on the selection of the wireless subscriber eSIM profile template parameters; - Generate a wireless subscriber eSIM that matches the selected wireless subscriber eSIM profile template, the wireless subscriber eSIM including subscriber information corresponding to the specific subscriber to be used in the wireless subscriber equipment of the specific subscriber to wirelessly obtain one or more services from the secure private network of the wireless service provider; A system characterized in that the wireless subscriber eSIM profile is stored in a network system component connected within the secure private network of the wireless service provider for wireless download to the wireless subscriber device corresponding to the wireless subscriber eSIM profile.

2. The system according to claim 1, characterized in that the secure information of the wireless service provider used to generate the eSIM profile that does not leak from the secure private network includes input data.

3. The system according to claim 2, characterized in that the input data is received from an input data server via an input data interface by one or more computer components comprising the processor, and the computer components, the input data server, and the input data interface are connected within the secure private network.

4. The system according to claim 3, characterized in that the input data interface includes an API, the API of the input data interface is embodied as a REST API or a SOAP API, and different API protocols can be used for each WSP to accept different requirements for each WSP.

5. The system according to claim 1, characterized in that the network system components coupled within the secure private network of the wireless service provider for wireless download to the wireless subscriber device corresponding to the wireless subscriber eSIM profile are one or more HLR / HSS / UDM, SM-DP+ / SM-DP / SM-SR, SIM-OTA, or OSS / BSS components.

6. Operating within the secure private network and logically isolated from the external computer components of the secure private network, the computer component comprising one or more processors generates the wireless subscriber eSIM profile that matches the selected wireless subscriber eSIM profile template, and performs a predetermined number of wireless downloads of the predetermined eSIM profiles to the wireless subscriber device corresponding to the wireless subscriber eSIM profile for a predetermined number of times. The system according to claim 1, characterized in that the network system components connected within the secure private network of the wireless service provider store the wireless subscriber eSIM profiles, and each of the eSIM profiles has unique data relating to each of the other eSIM profiles.

7. The process involves preparing a partner account configuration via a partner management tool user interface hosted by a computer component operating within the wireless service provider's secure private network, accessing the partner management tool user interface using WSP authentication credentials, determining a limited subset of eSIM profile template parameters for the eSIM profile template, and accessing and modifying the eSIM profile template via the MVNO / partner portal user interface using partner authentication credentials entered into a computer device not operating within the secure private network; A step of allowing access to a first computer device not operating within the secure private network in order to modify one or more eSIM profile parameters of the eSIM profile template, based on the receipt of the partner authentication information entered via the MVNO / partner portal user interface; The user receives one or more eSIM profile template parameter selections for an eSIM profile via the MVNO / Partner Portal User Interface, which is running on the first computer device not operating within the secure private network, and the user MVNO / Partner Portal User Interface provides a limited subset of eSIM profile template parameters that are accessed and modified by the MVNO / Partner Portal User Interface using the Partner Authentication Information for selection; Within the secure private network of the wireless service provider, the step of modifying the eSIM profile template such that the first eSIM profile template becomes an eSIM profile template modified based on a limited subset of the eSIM profile template parameter selection; The step of receiving a request for the eSIM profile originating from a second computer device not operating within the secure private network, based on the modified eSIM profile template; The step of generating the eSIM profile that matches the modified eSIM profile template; and The step of storing the eSIM profile on a network system component that is not part of the secure private network of the wireless service provider for wireless download to partner wireless subscriber equipment; A method characterized by including

8. The method according to claim 7, characterized in that the WSP authentication information also provides access to the eSIM profile creation tool user interface, which can create or modify the eSIM profile template, within the secure private network.

9. The method according to claim 7, characterized in that the WSP authentication information also provides access to an eSIM generation tool capable of generating the eSIM profile within the secure private network.

10. The method according to claim 7, characterized in that the WSP authentication information also provides access to an eSIM generation tool user interface that can receive a request to generate the eSIM profile, within the secure private network.

11. The stage where a request is received to generate an eSIM profile that matches the eSIM profile template based on the WSP input data file; The step of receiving a batch of multiple input data records in the WSP input data file from the input data server of the WSP Secure Private Network; The step of preparing the input data records from the multiple input data records of the WSP input data file as a first input data record and a second input data record; Step of obtaining the first input data record; A step of generating first eSIM profile data based on the first input data record and on at least one pre-configured data generation command; Steps to generate a first eSIM profile based on the first eSIM profile data; A step of generating first output data corresponding to the generated first eSIM profile; Steps to obtain the second input data record; A step of generating a second eSIM profile data based on the second input data record and on at least one pre-configured data generation command; The step of generating a second eSIM profile based on the second eSIM profile data; and A step of generating second output data corresponding to the generated second eSIM profile; Includes, A method characterized in that the aforementioned step is performed within a secure private network.

12. The method according to claim 11, characterized in that the steps of acquiring the first input data record, generating the first eSIM profile data based on the first input data record and at least one pre-configured data generation command, generating the first eSIM profile based on the first eSIM profile data, and generating the first output data corresponding to the generated first eSIM profile are performed before the steps of acquiring the second input data record, generating the second eSIM profile data based on the second input data record and at least one pre-configured data generation command, generating the second eSIM profile based on the second eSIM profile data, and generating the second output data corresponding to the generated second eSIM profile.

13. The method according to claim 11, further comprising the step of distributing the first eSIM profile and output data corresponding to the first eSIM profile before the second eSIM profile data is generated.