WO2018098713A1 - Method and device for acquiring authorization file - Google Patents

Method and device for acquiring authorization file Download PDF

Info

Publication number
WO2018098713A1
WO2018098713A1 PCT/CN2016/108094 CN2016108094W WO2018098713A1 WO 2018098713 A1 WO2018098713 A1 WO 2018098713A1 CN 2016108094 W CN2016108094 W CN 2016108094W WO 2018098713 A1 WO2018098713 A1 WO 2018098713A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
authorization file
policy rule
operator
server
Prior art date
Application number
PCT/CN2016/108094
Other languages
French (fr)
Chinese (zh)
Inventor
衣强
高林毅
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201680058539.XA priority Critical patent/CN108235821B/en
Priority to PCT/CN2016/108094 priority patent/WO2018098713A1/en
Publication of WO2018098713A1 publication Critical patent/WO2018098713A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183Processing at user equipment or user record carrier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0893Assignment of logical groups to network elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20Transfer of user or subscriber data
    • H04W8/205Transfer to or from user equipment or user record carrier

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to a method and a device for obtaining an authorization file.
  • a smart card is one of the necessary devices for a user terminal in a mobile communication network.
  • an embedded universal integrated circuit card eUICC
  • the eUICC can download and store at least one user identity data and interface. Enter information for legitimate users to access the carrier network.
  • the user identity data and the access information are referred to as a contract information set (referred to as a profile).
  • the profile or order data of the eUICC and an operator may be saved in each profile in at least one profile.
  • the at least one profile may be downloaded from the subscription management data preparation server (English: Subscription Manager Data Preparation, SM-DP for short) and then stored in the eUICC.
  • the terminal can access the carrier network corresponding to the profile by activating the profile.
  • the operator sets a series of policy rules (English: policy rule) for restricting the user's operation on the profile.
  • policy rule of the profile can be: "The profile is not allowed to be deactivated", "The profile is not allowed to be deleted” or "The profile should be deleted after activation”.
  • the user terminal or the eUICC also stores an authorization file for managing the permission of the operator to set the policy rule of the profile.
  • the authorization file can be implemented only when the authorization file allows the operator to set a policy rule.
  • the policy rule of the profile can be activated when the profile is installed.
  • the problem is that the authorization file in the eUICC in the prior art is in the eUICC.
  • the fixed, unchangeable files in the eUICC are configured by the manufacturer.
  • the permission of the operator to set the policy rule can be changed according to the requirements of each user. That is, the fixed and unchangeable authorization files preset in the eUICC in the prior art cannot be adapted to the change of the authority of the operator to set the policy rule. .
  • the embodiment of the present invention provides a method and a device for acquiring an authorization file, which are used to solve the problem that the authorization file that is fixed and unchangeable in the eUICC is not adapted to the change of the authority of the operator to set the policy rule.
  • the embodiment of the present invention provides a method for obtaining an authorization file, where the method for obtaining an authorization file may include: the user terminal sends an embedded universal integrated circuit card identifier of the eUICC on the user terminal to the server (English: Embedded Universal) Integrated circuit card identification (EID); the user terminal receives an authorization file sent by the server, and the authorization file corresponds to an EID of the eUICC on the user terminal, where the authorization file includes at least one policy rule and each of the at least one policy rule The information corresponding to the policy rule allows the operator to set the policy rule; the user terminal saves the authorization file in the eUICC, or the user terminal uses the authorization file to update the authorization file saved in the eUICC.
  • the above server may be an SM-DS or a push server.
  • the user terminal After the user terminal can send the EID of the eUICC on the user terminal to the server, the user terminal can receive the authorization file corresponding to the eUICC sent by the server, and update the user terminal after receiving the authorization file.
  • Authorization file saved in eUICC In this way, the fixed and unchangeable authorization file preset in the eUICC in the prior art can be solved, and the authorization file in the eUICC cannot be adapted to the problem that the operator changes the permission of the policy rule for the user.
  • the method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
  • the foregoing server may be an SM-DS.
  • the method for “the user terminal sends the EID of the eUICC on the user terminal to the server” may include: the user terminal sends a polling message to the SM-DS, the polling The message carries the EID of the eUICC on the user terminal, and the user terminal receives the response message of the polling message sent by the SM-DS, and the response message of the polling message carries the authorization file.
  • the foregoing server may be a push server.
  • the method for the user terminal to send the EID of the eUICC on the user terminal to the server may include: the user terminal sends a registration request to the push server, where the registration request carries the EID of the eUICC on the user terminal.
  • the registration request may further carry an LPA identifier of the LPA in the user terminal, where the LPA identifier is used to uniquely identify one LPA in the user terminal.
  • the method of the embodiment of the present invention may further include: the user terminal receives the response message of the registration request sent by the push server, where the response message of the registration request carries the push server as the registration The password assigned by the LPA indicated by the LPA identifier carried in the request; the user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file.
  • the push server may send the password assigned by the push server to an LPA in the user terminal to the user terminal, so that the user terminal can save the password of the LPA and receive the password.
  • the password corresponding to the EID corresponding to the authorization file may be used to compare the password assigned by the push server to the LPA, and the LPA corresponding to the authorization file is determined.
  • the method for the “user terminal storing the authorization file in the eUICC” may include: if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the user terminal passes the LPA. Save the authorization file in eUICC.
  • the user terminal compares the password corresponding to the EID corresponding to the authorization file and the password assigned by the push server to the LPA.
  • the user terminal passes the LPA on the eUICC. Save the authorization file; the password and push service corresponding to the EID corresponding to the authorization file
  • the password assigned to the LPA is different, the user terminal does not save the authorization file in the eUICC.
  • the method that the “user terminal uses the authorization file to update the authorization file saved in the eUICC” may include: if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the user The terminal updates the authorization file saved in the eUICC through the LPA using the authorization file.
  • the method of the embodiment of the present invention may further include: the user terminal receives the subscription management data preparation server of the first operator (English: Subscription Manager-Date Preparation)
  • the first policy rule sent by the SM-DP is a policy rule associated with the first subscription information set set by the first operator, and the first operator is the operation to which the first subscription information set belongs.
  • the SM-DP may be the SM-DP of the first carrier, and the user equipment may establish a connection with the SM-DP and authenticate each other, and request to obtain the first subscription information set of the first operator.
  • the SM-DP may first send the metadata of the first subscription information set of the first operator to the user terminal, where the metadata includes the first policy. The rule, so that the user terminal can receive the first policy rule in the metadata of the first subscription information set of the first operator sent by the SM-DP.
  • the method of the embodiment of the present invention may further include: after receiving the first policy rule, the user terminal sends a polling message to the SM-DS, where the polling The message carries the EID of the eUICC on the user terminal, and the foregoing polling message is used to request the SM-DS to send an authorization file corresponding to the EID of the eUICC on the user terminal to the user terminal.
  • the user terminal determines that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the first carrier.
  • the user terminal sends a polling message to the SM-DS.
  • the information of the operator that allows the setting of the first policy rule does not include the information of the first carrier may be the permission of at least one policy rule in the authorization file.
  • the operator of the policy setting rule does not include the information of the first operator, and the operator of the at least one policy rule in the authorization file that allows the policy rule to be set may be all operators.
  • the user equipment may first determine whether the first policy rule is included in the authorization file saved on the user terminal, and the user policy is included in the user terminal.
  • the authorization file is obtained from the SM-DS by sending a polling message to the SM-DS. In order to avoid the user terminal repeatedly obtaining the authorization file from the SM-DS.
  • the method of the embodiment of the present invention may further include: after receiving the first policy rule, the user terminal starts a timer, and is within a timer time. Waiting to receive the authorization file sent by the push server, the first operator is the operator to which the first subscription information set belongs.
  • the SM-DP may be the SM-DP of the first carrier, and the user equipment may establish a connection with the SM-DP and authenticate each other, and request to obtain the first subscription information set of the first operator.
  • the SM-DP may first send the metadata of the first subscription information set of the first operator to the user terminal, where the metadata includes the first policy.
  • the rule so that the user terminal can receive the first policy rule in the metadata of the first subscription information set of the first operator sent by the SM-DP. It is conceivable that if the user terminal can receive the authorization file sent by the push server within the time limit of the timer, the received authorization file can be saved or the received authorization can be saved after receiving the authorization file sent by the push server.
  • the file is updated with the authorization file saved in the eUICC on the user terminal; if the user terminal does not receive the authorization file sent by the push server within the time limit of the timer, it indicates that the push server may not receive the authorization file sent by the authorized file server. .
  • the method that the user terminal starts the timer after receiving the first policy rule and waits to receive the authorization file sent by the push server within the time limit of the timer may include: the user terminal. After receiving the first policy rule, if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first carrier, the user terminal starts a timer and is at the timing of the timer. Waiting to receive the authorization file sent by the push server.
  • the user terminal determines that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the first carrier.
  • the user terminal starts a timer and waits to receive the authorization file sent by the push server within the timer time.
  • the information of the operator that allows the setting of the policy rule does not include the information of the first carrier.
  • the operator that can set the policy rule for the at least one policy rule in the authorization file does not include the information of the first carrier.
  • the operator of at least one policy rule in the authorization file that allows the policy rule to be set can be for all operators.
  • the user equipment may first determine whether the first policy rule is included in the authorization file saved on the user terminal, and the user policy is included in the user terminal.
  • the timer is started, and the authorization file sent by the push server is waited for within the time limit of the timer. In this way, when the authorization file is saved in the user terminal, it is also necessary to wait for the authorization file sent by the push server to be received within the timer time.
  • the at least one policy rule includes at least one of: the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and at least one of the subscription information set is deactivated, wherein at least one policy is deleted.
  • the rules include the first policy rule. The effective time that the operator sets the policy rule may be used to prompt the user that the operator can only have the right to set the policy rule within the valid time period when the policy rule or profile is activated.
  • the method of the embodiment of the present invention may further include: receiving, by the user terminal, a valid time of the first policy rule, where the effective time of the first policy rule is used to limit the effective time of the first policy rule.
  • the method of the embodiment of the present invention may further include: after the user terminal successfully installs the first subscription information set or the user terminal activates the first subscription information set, prompting the user with the first policy rule and the first The effective time of a policy rule. It is conceivable that the user terminal prompts the user with the first policy rule and the first policy. During the effective time of the rule, at least one of the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and the subscription information set is deactivated, and the operator is allowed to set the policy rule of the operator.
  • the authorization file further includes an effective time for allowing the operator to set at least one policy rule, and the operator is allowed to set an effective time of any one of the at least one policy rule to limit the carrier to have the setting.
  • the method of the embodiment of the present invention may further include: when the user terminal activates the first policy rule, the user terminal determines whether the current time is within a valid time period allowed in the authorization file to allow the first operator to set the first policy rule; The user terminal prohibits activation of the first policy rule when the effective time for allowing the first operator to set the first policy rule is exceeded.
  • the authorization file may be used to restrict the permission of the operator to set the policy rule, but also whether the current time is within the validity time of the first policy rule that the first carrier is allowed to be included in the authorization file. It is determined whether the operator has the right to set the first policy rule at the current time, that is, the effective time for allowing the operator to set the policy rule of the operator may be specified.
  • the method of the embodiment of the present invention may further include: the user terminal receiving the policy rule release request message sent by the function entity of the first operator, the policy The rule release request message carries the information of the first operator and/or the policy rule to be released; if the policy rule to be released included in the authorization file contains the information of the operator that is allowed to set the policy rule to be released, The information of the first carrier, the user terminal deletes the information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released included in the authorization file.
  • the first operator may be any operator in the current network.
  • the user terminal may cancel the request message according to the policy rule sent by the function entity of the first operator, and delete part of the content in the authorization file.
  • the method of the embodiment of the present invention may further include: after the user terminal successfully installs the first subscription information set, deleting the first content included in the authorization file.
  • Policy rules correspond to Setting the information of the first operator in the information of the operator of the first policy rule; or, after successfully installing the first subscription information set, the user terminal deletes the authorization file containing the information of the first operator saved in the user terminal. .
  • the user terminal before the user terminal activates the second subscription information set installed in the user terminal, if it is determined that the second policy rule is that the subscription information set is not allowed to be deactivated, the user terminal checks the authorization file, and the second subscription
  • the information set belongs to the second operator, and the second policy rule is a policy rule that is associated with the second subscription information set set by the second operator; if the second policy rule included in the authorization file is allowed, the second policy rule is allowed to be set.
  • the information of the operator includes the information of the third carrier, the user terminal sends the prompt information, and the third operator includes any operator other than the second operator.
  • the foregoing prompt information at least includes: if the second subscription information set is activated, the subscription information set of the third operator cannot be downloaded, or the second subscription information set is activated, and the subscription information set of the third operator and the information of the third carrier cannot be downloaded. .
  • the user terminal may prompt the user to activate the second subscription information set by issuing a prompt message to the user, which may cause problems, such as activation of the second subscription information set may result in failure to activate the first
  • the contract information set of the three operators enables the user to select whether to continue to activate the second subscription information set according to the prompt information.
  • the embodiment of the present invention provides a method for obtaining an authorization file, where the method for obtaining an authorization file may include: obtaining, by the server, an authorization file, where the authorization file corresponds to an EID of an eUICC on the user terminal, where the authorization file includes An EID of the eUICC, at least one policy rule, and information corresponding to each of the at least one policy rule that allows the operator to set the policy rule; the server sends the authorization file to the user terminal.
  • the server may be a subscription management-service discovery server (English: Subscription Manager-Discovery Service, SM-DS for short) or a push (English: Push) server.
  • the server may send the authorization file to the user terminal after obtaining the authorization file, so that the user terminal can update the authorization file saved in the eUICC on the user terminal in real time.
  • the fixed and unchangeable authorization files preset in the eUICC in the prior art can be solved, and the authorization file in the eUICC cannot be adapted.
  • the problem of changes in the authority of the operator to set the policy rule for the user can update the authorization file saved in the eUICC on the user terminal in real time.
  • the foregoing server may be an SM-DS.
  • the method for the server to send the authorization file to the user terminal may include: the SM-DS receives the polling message sent by the user terminal (English: Polling), where the polling message carries the EID of the eUICC on the user terminal; The DS sends a response message to the user terminal, and the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
  • the SM-DS may send a response message to the user terminal that includes the authorization file corresponding to the EID carried in the polling message, that is, the SM-DS may send and send to the user terminal.
  • the authorization file corresponding to the eUICC on the user terminal In this way, after receiving the authorization file sent by the SM-DS, the user terminal can save the authorization file or update the authorization file saved in the user terminal by using the received authorization file.
  • the foregoing server may be a push server.
  • the method of the embodiment of the present invention may further include: the push server generates, according to the EID and the push server saved in the push server, a local file assistant (English: Local Profile Assistant, LPA) in the user terminal.
  • the password corresponds to the password corresponding to the EID corresponding to the authorization file
  • the user terminal includes at least one LPA.
  • the method for the server to send the authorization file to the user terminal may include: the push server sends the authorization file and the password corresponding to the EID corresponding to the authorization file to the user terminal.
  • the authorization file may correspond to one eUICC, and each eUICC has its EID; therefore, the authorization file may also correspond to the EID of an eUICC, and the push server may be the user ID in the user terminal according to the EID and the push server saved in the push server.
  • the correspondence between the passwords generated by the LPA determines the password corresponding to the EID corresponding to the authorization file.
  • the server sends an authorization file to the user terminal.
  • the method of the embodiment of the present invention may further include: the sending server receiving the registration request sent by the user terminal, where the registration request carries the LPA identifier and the EID of the eUICC on the user terminal; the push server is the LPA identifier carried in the registration request.
  • the indicated LPA assigns a password, and stores a correspondence between the password assigned by the push server for the LPA indicated by the LPA identifier and the EID carried in the registration request.
  • the “correspondence between the EID stored in the push server and the password generated by the push server for the LPA in the user terminal” may be generated by the push server after receiving the registration request sent by the user terminal, and stored in the push server. of.
  • the method of the embodiment of the present invention may further include: the push server sends a response message of the registration request to the user terminal, The response message of the registration request carries a password assigned by the push server to the LPA indicated by the LPA identifier.
  • the push server may send the password assigned by the push server to one of the user terminals to the user terminal, so that the user terminal can save the password of the LPA and receive the password.
  • the LPA corresponding to the authorization file may be determined by comparing the password corresponding to the EID corresponding to the authorization file with the password of the LPA in the user terminal.
  • an embodiment of the present invention provides a user terminal, where the user terminal may include: a sending unit, a receiving unit, and a control unit. And a sending unit, configured to send, to the server, an EID of the eUICC on the user terminal. a receiving unit, configured to receive an authorization file sent by the server, where the authorization file corresponds to an EID of the eUICC on the user terminal, where the authorization file includes at least one policy rule and a permission setting corresponding to each policy rule in the at least one policy rule. The information of the operator of the policy rule.
  • the control unit is configured to save the authorization file received by the receiving unit in the eUICC, or update the authorization file saved in the eUICC by using the authorization file received by the receiving unit.
  • the server is an SM-DS
  • the sending unit is specifically configured to: send a polling message to the SM-DS, where the polling message carries the user terminal.
  • the EID of the eUICC; the receiving unit is specifically configured to: receive a response message of the polling message sent by the SM-DS, where the response message of the polling message carries an authorization file.
  • the server is a push server
  • the sending unit is configured to send a registration request to the push server, where the registration request carries the EID of the eUICC on the user terminal.
  • the server is a push server
  • the registration request sent by the sending unit further carries the LPA identifier of the LPA in the user terminal.
  • the receiving unit is further configured to: after the sending unit sends the registration request to the push server, receive a response message of the registration request sent by the push server, where the response message of the registration request carries the indication that the push server is the LPA identifier carried in the registration request.
  • the password assigned by the LPA; the receiving unit is specifically configured to: receive the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file.
  • the user terminal may further include: a comparison unit.
  • the comparing unit is configured to compare the password assigned by the push server to the LPA by using a password corresponding to the EID corresponding to the authorization file.
  • control unit may be specifically configured to: when the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, save the authorization file in the eUICC through the LPA.
  • control unit may be specifically configured to: if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, update the authorization file saved in the eUICC by using the authorization file by the LPA. .
  • the server may be an SM-DS.
  • the receiving unit is further configured to receive a first policy rule that is sent by the SM-DP of the first operator, where the first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set, where the first carrier is The operator to which the first contract information set belongs.
  • the server may be an SM-DS.
  • the sending unit is further configured to: after receiving the first policy rule, the sending unit sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal, where the polling is performed.
  • the information is used to request the SM-DS to send an authorization file corresponding to the EID of the eUICC on the user terminal to the user terminal.
  • the sending unit may be specifically configured to: after the receiving, by the receiving unit, the first policy rule, if the information of the operator that allows the setting of the policy rule in the authorization file does not include the first carrier The information is sent to the SM-DS for polling messages.
  • the server is a push server.
  • the user terminal may further include: a boot unit.
  • the startup unit is configured to start a timer after the receiving unit receives the first policy rule.
  • the receiving unit is further configured to wait for receiving the authorization file sent by the push server within a timing time of the timer started by the startup unit.
  • the initiating unit is specifically configured to: after receiving the first policy rule, if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first operator, Then start the timer.
  • the receiving unit is further configured to wait for receiving the authorization file sent by the push server within a timing time of the timer started by the startup unit.
  • the at least one policy rule includes at least one of: the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and at least one of the subscription information set is deactivated.
  • the at least one policy rule includes a first policy rule.
  • the receiving unit is further configured to receive a valid time of the first policy rule, where the effective time of the first policy rule may be used to define an effective time of the first policy rule.
  • the user terminal may further include: an installation unit, a first activation unit unit, and a first prompt unit.
  • the installation unit is configured to install the first subscription information set on the user terminal.
  • the first activation unit is configured to activate the first subscription information set.
  • the first prompting unit is configured to prompt the user of the first policy rule and the valid time of the first policy rule after the installation unit successfully installs the first subscription information set or the first activation unit activates the first subscription information set.
  • the authorization file also includes allowing the operator to set The effective time of at least one policy rule allows the operator to set the effective time of any one of the at least one policy rule to limit the time when the operator has the right to set any policy rule.
  • the user terminal may further include: a second activation unit, a determination unit, and a prohibition unit. a second activation unit, configured to activate the first policy rule.
  • the determining unit is configured to determine, when the second activation unit activates the first policy rule, whether the current time is within a valid time period allowed in the authorization file to allow the first operator to set the first policy rule.
  • the forbidden unit is configured to prohibit activation of the first policy rule if the determining unit determines that the current time exceeds a valid time for allowing the first operator to set the first policy rule.
  • the receiving unit is further configured to: after receiving the authorization file sent by the server, receive a policy rule release request message sent by the function entity of the first operator, where the policy rule release request message carries the An operator's information and policy rules to be released.
  • the user terminal may further include: a deleting unit. Deleting a unit, if the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released included in the authorization file includes the information of the first operator, deleting the information to be released included in the authorization file The information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule.
  • the deleting unit is further configured to delete the first policy rule included in the authorization file after the installation unit successfully installs the first subscription information set.
  • Authorization file is further configured to delete the first policy rule included in the authorization file after the installation unit successfully installs the first subscription information set.
  • the installation unit is further configured to install a second subscription information set in the user terminal
  • the first activation unit is further configured to activate the second subscription information set installed by the installation unit.
  • the user terminal may further include: an inspection unit and a second prompt unit.
  • the checking unit is configured to: before the first activation unit activates the second subscription information set, if it is determined that the second policy rule is that the subscription information set is not allowed to be deactivated, the authorization file is checked, and the second subscription information set belongs to the second operator,
  • the second policy rule is a policy rule that is set by the second operator and associated with the second subscription information set.
  • Second prompt unit if the authorization text If the information of the operator that is allowed to set the second policy rule corresponding to the second policy rule included in the device includes the information of the third operator, the prompt information is sent, and the third operator includes any other than the second operator.
  • the prompt information includes at least: the activation of the second subscription information set may fail to download the subscription information set of the third operator or activate the second subscription information set to download the subscription information set of the third operator and the information of the third carrier.
  • each of the functional units of the third aspect and various possible implementation manners of the embodiments of the present invention is to obtain the authorization file according to the foregoing first aspect and various optional manners of the first aspect.
  • the method while logically dividing the user terminal.
  • a user terminal comprising: one or more processors, a memory, a bus, and a transceiver.
  • the memory is used to store computer execution instructions, the processor and the memory are connected by a bus, and when the user terminal is running, the processor executes the computer stored instructions of the memory storage to enable the user terminal to perform various optional aspects as in the first aspect and the first aspect.
  • a non-volatile storage medium is provided.
  • One or more program codes are stored in a non-volatile storage medium.
  • the processor of the user terminal in the fourth aspect executes the program code
  • the user terminal executes A method for obtaining an authorization file as in the first aspect and the various alternatives of the first aspect.
  • the processor in the fourth aspect may be the control unit, the comparison unit, the activation unit, the installation unit, the first activation unit, the first prompt unit, and the second activation unit in the third aspect and various possible implementation manners thereof.
  • Integration of functional units such as a judging unit, a disabling unit, a deleting unit, an inspecting unit, and a second prompting unit, and the transceiver in the fourth aspect may be the transmitting unit and receiving in the above third aspect and various possible implementation manners thereof Unit integration for information interaction between user terminals and other communication devices such as servers.
  • the user terminal in the fourth aspect and the user terminal perform the meter described in the fifth aspect
  • the program stored in the computer readable storage medium and the related analysis process reference may be made to the related technical effects in the first aspect or the implementation manner of the first aspect of the present invention, and details are not described herein again. .
  • an embodiment of the present invention provides a server, where the server may include: an obtaining unit and a sending unit.
  • An obtaining unit configured to obtain an authorization file, where the authorization file corresponds to an EID of an eUICC on the user terminal, where the authorization file includes an EID of the eUICC, at least one policy rule, and an allowable corresponding to each policy rule in the at least one policy rule.
  • a sending unit configured to send, to the user terminal, an authorization file obtained by the acquiring unit.
  • the server is an SM-DS; the server may further include: a receiving unit.
  • the receiving unit is configured to receive a polling message sent by the user terminal, where the polling message carries an EID of the eUICC on the user terminal.
  • the sending unit is specifically configured to: send a response message of the polling message to the user terminal, where the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
  • the server is a push server; the server may further include: a determining unit. a determining unit, configured to determine, according to the correspondence between the EID saved in the push server and the password generated by the push server for the LPA in the user terminal, after the obtaining unit obtains the authorization file, the password corresponding to the EID corresponding to the authorization file, in the user terminal Contains at least one LPA.
  • the sending unit is specifically configured to: send, to the user terminal, an authorization file obtained by the obtaining unit and a password corresponding to the EID corresponding to the authorization file determined by the determining unit.
  • the receiving unit is further configured to: before the sending unit sends the authorization file obtained by the acquiring unit to the user terminal, receive a registration request sent by the user terminal, where the registration request carries the LPA identifier and the user terminal. EID of eUICC.
  • the server may further include: an allocating unit and a saving unit. And an allocating unit, configured to allocate a password for the LPA indicated by the LPA identifier carried in the registration request received by the receiving unit. And a saving unit, configured to save a correspondence between the password allocated by the allocation unit for the LPA indicated by the LPA identifier and the EID carried in the registration request received by the receiving unit.
  • the sending unit is further configured to be connected in the allocating unit After receiving the LPA assignment password indicated by the LPA identifier carried in the registration request received by the receiving unit, the response message of the registration request is sent to the user terminal, where the response message of the registration request carries the LPA allocated by the push server for the LPA indication. Password.
  • each functional unit of the sixth aspect of the embodiments of the present invention and various possible implementation manners thereof is a method for obtaining an authorization file in order to perform the foregoing second aspect and various alternative manners of the second aspect. And the logical division of the server.
  • the various functional units of the sixth aspect and its various possible implementations, and the beneficial effects analysis reference may be made to the corresponding descriptions and technical effects in the foregoing second aspect and various possible implementation manners, and details are not described herein again.
  • a server comprising: one or more processors, a memory, a bus, and a transceiver.
  • the memory is used to store computer execution instructions
  • the processor is coupled to the memory via a bus, and when the server is running, the processor executes the memory stored computer execution instructions to cause the server to perform the various alternatives as in the second aspect and the second aspect.
  • the method used to obtain the authorization file is not limited to: one or more processors, a memory, a bus, and a transceiver.
  • the memory is used to store computer execution instructions
  • the processor is coupled to the memory via a bus, and when the server is running, the processor executes the memory stored computer execution instructions to cause the server to perform the various alternatives as in the second aspect and the second aspect.
  • the method used to obtain the authorization file is used to obtain the authorization file.
  • a nonvolatile storage medium stores one or more program codes.
  • the server executes the first A method for obtaining an authorization file in two aspects and various alternatives of the second aspect.
  • the processor in the seventh aspect may be the integration of the acquiring unit, the determining unit, the allocating unit, and the saving unit in the sixth aspect and various possible implementation manners thereof, where the transceiver in the seventh aspect may be The integration of the sending unit and the receiving unit in the sixth aspect and various possible implementation manners thereof is used to implement information interaction between the server and other communication devices (such as user terminals).
  • the server of the seventh aspect, and the specific technical effect of the program stored in the computer-readable storage medium described in the eighth aspect, and the related analysis process may refer to any of the second aspect or the second aspect of the embodiment of the present invention. Description of related technical effects in the implementation manner, and details are not described herein again.
  • FIG. 1 is a schematic diagram of a network architecture of a communication network to which the method according to an embodiment of the present invention is applied;
  • FIG. 2 is a schematic diagram of another network architecture of a communication network to which the method according to an embodiment of the present invention is applied;
  • FIG. 3 is a schematic diagram of another network architecture of a communication network to which the method according to an embodiment of the present invention is applied;
  • FIG. 4 is a flowchart of a method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 10 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 11 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a server according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of another server according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic structural diagram of another server according to an embodiment of the present disclosure.
  • FIG. 15 is a schematic structural diagram of a user terminal according to an embodiment of the present disclosure.
  • FIG. 16 is a schematic structural diagram of another user terminal according to an embodiment of the present disclosure.
  • FIG. 17 is a schematic structural diagram of another user terminal according to an embodiment of the present invention.
  • first and second and the like in the description of the present invention and the drawings are used to distinguish different objects, or to distinguish different processing of the same object, rather than to describe a specific order of the objects.
  • first carrier, the second carrier, and the third carrier may be different operators.
  • a plurality means two or more unless otherwise indicated.
  • a plurality of processors refers to a processor that includes two or more physical cores.
  • a method for obtaining an authorization file according to an embodiment of the present invention may be applied to a process in which a user terminal saves an authorization file in an eUICC installed in the user terminal or updates an authorization file saved in the eUICC.
  • FIG. 1 is a schematic diagram of a network architecture of a communication network to which a method for obtaining an authorization file according to an embodiment of the present invention is applied.
  • the communication network may include an authorization file server 11, a server 12, an SM-DP 13, and at least one user terminal 14 including an eUICC.
  • the server 12 may be an SM-DS or a push server.
  • the authorization file server 11 is configured to generate an authorization file and send the generated authorization file to the server 12.
  • the server 12 is configured to receive the authorization file sent by the authorization file server 11 and send the authorization file to the user terminal 14 where the eUICC corresponding to the EID is located according to the EID corresponding to the authorization file.
  • the user terminal 14 is configured to receive the authorization file sent by the server 12, and save the authorization file in the eUICC on the user terminal 14 or update the saved in the eUICC on the user terminal 14 with the authorization file.
  • Authorization file may be a logical function entity deployed by the terminal device manufacturer, and the authorization file server may be integrated on the server, or may be integrated on other function servers independently of the above server.
  • the eUICC hardware module can be included in the user terminal.
  • the SM-DP 13 described above is used to generate and store a profile and send a profile to the user terminal 14.
  • the user terminal 14 can install the profile on the eUICC after receiving the profile sent by the SM-DP 13.
  • the user terminal can also back up the authorization file saved on the eUICC in the user terminal.
  • the authorization file in the embodiment of the present invention may be a rule authorization table (English: Rules Authorization Table, RAT for short).
  • an LPA can be installed in the user terminal 14.
  • the LPA is an application that can be installed in the user terminal.
  • the user terminal 14 can perform operations such as downloading and local management of the profile through the LPA in the user terminal 14.
  • the LPA can also provide a user interface for the user terminal 14 to interact with the user.
  • the user terminal 14 can detect an operation instruction triggered by the user for activation, deactivation, deletion, and the like of the profile through the user interface, and implement management of the profile downloaded in the user terminal 14.
  • the LPA in the user terminal 14 may include: a local file download (English: Local Profile Download, LPD) module, a local user interface (English: Local User Interface, LUI) module, and a local device.
  • Discovery Service English: Local Discovery Service, LDS
  • the LPD module is used to implement downloading of the profile
  • the LUI module is used to provide a user interface
  • the LDS module is used to implement interaction with the server 12 (such as an SM-DS or a push server).
  • the server 12 in FIG. 1 is an SM-DS.
  • the SM-DS can be divided into a root SM-DS and an optional SM-DS.
  • the SM-DS in the embodiment of the present invention can be a root SM-DS, and the root SM-DS can pass through the user terminal.
  • the LPA in 14 (specifically the LDS module in the LPA) is an SM-DS that communicates directly with the user terminal.
  • the user terminal 14 can preset the address of the root SM-DS, and communicate with the root SM-DS according to the LDS module in the address LPA of the root SM-DS.
  • the SM-DP address is obtained from the root SM-DS, and after obtaining the SM-DP address, the profile can be downloaded from the SM-DP.
  • an authorization file may be obtained, so that the obtained authorization file is saved on the eUICC or the user terminal.
  • the server 12 in FIG. 1 is a push server.
  • a push client may be installed in the user terminal 14 in FIG. 1.
  • the user terminal 14 may register the LPA to the push server through the push client, and the push server may exist on the eUICC to be sent to the user terminal.
  • the authorization file can be pushed to the user terminal by pushing the client, and the user terminal receives the authorization file pushed by the push server through the LPA registered to the push server.
  • the method for obtaining an authorization file provided by the embodiment of the present invention after obtaining the authorization file, the server may send the authorization file to the user terminal, so that the user terminal can update the authorization file saved in the eUICC on the user terminal in real time.
  • the problem that the authorization file in the eUICC cannot adapt to the change of the authority of the operator to set the policy rule cannot be solved due to the fixed and unchangeable authorization file preset in the eUICC in the prior art.
  • the method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
  • An embodiment of the present invention provides a method for obtaining an authorization file.
  • the method may be applied to a communication network as shown in any of FIG. 1 to FIG. 3.
  • the method for obtaining an authorization file includes:
  • the authorization file server generates an authorization file, where the authorization file corresponds to an EID of the eUICC on the user terminal, where the authorization file includes an EID of the eUICC, at least one policy rule, and an allow setting corresponding to each policy rule in the at least one policy rule.
  • the information of the operator of the policy rule is not limited to a configurable period of time, a configurable period of time, a configurable period of time, a configurable period of the policy rule.
  • the authorization file server may receive the EID, the carrier information, and the at least one policy rule carried in the message according to the authorization file request message after receiving the authorization file request message sent by the operator's functional entity (such as the operator server). Such information generates the above authorization file.
  • the at least one policy rule indicates a policy rule set by the operator for the profile corresponding to the EID.
  • the policy rule in the authorization file may be an identifier of the policy rule. If the authorization file server allows the operator to set the policy rule, the information in the authorization file corresponding to the policy rule that allows the operator to set the policy rule is written in the authorization file. Carrier information.
  • the authorization file in the embodiment of the present invention may include the EID of the eUICC or the EID of the eUICC.
  • the method for authorizing the file server to generate the authorization file reference may be made to the related method for generating the authorization file in the prior art, which is not described herein again.
  • the at least one policy rule in the embodiment of the present invention includes at least: the subscription information set is not allowed to be deleted (that is, the profile is not allowed to be deleted), the subscription information set is not allowed to be deactivated (that is, the profile is not allowed to be deactivated), and the subscription information set is deactivated. At least one of the following should be deleted (ie, the profile should be deleted after deactivation).
  • the information of the operator that allows the setting of the policy rule may be the mobile network code (English: Mobile Network Code, MNC for short).
  • the authorization file includes information of at least one operator that can set the policy rule (eg, at least one operator's MNC).
  • the MNC of the operator consists of two to three decimal numbers, which can uniquely identify each carrier. For example, China Mobile's MNCs can be 00, 02, 04, and 07, China Unicom's MNCs can be 01, 06, and China Telecom's MNCs can be 03, 05.
  • the EID contained in the authorization file in the embodiment of the present invention is EID-x; at least one policy rule may be “ The profile does not allow deactivation” and "this profile does not allow deletion”; the information of the operator with the permission to set "this profile is not allowed to deactivate” is 00 and 03, with the permission to set "this profile does not allow deletion”
  • the operator's information is 00 and 01.
  • the manner of restricting the authority of the operator to set the policy rule by using the “information of the operator that allows the policy rule to be set” includes, but is not limited to, the method in the foregoing example.
  • the information of the operator corresponding to the policy rule in the authorization file is a special symbol, such as *, it means that any operator is allowed to set the policy rule; when the authorization file does not contain a policy of a certain policy rule
  • the configuration file does not contain the information of the operator corresponding to the policy rule, it means that any operator is allowed to set the policy rule.
  • the authorization file in the embodiment of the present invention may further include an integrated circuit card identifier (English: Integrated Circuit Card Identification, ICCID), where the ICCID is used to uniquely identify a subscription information set (ie, a profile).
  • ICCID Integrated Circuit Card Identification
  • the authorization file server sends an authorization file to the server.
  • the server in the embodiment of the present invention may be an SM-DS or a push server.
  • the authorization file server may send an authorization file corresponding to the eUICC to the server, that is, the authorization file server may send at least one authorization file to the server, and each authorization file in the at least one authorization file corresponds to On an eUICC.
  • the server determines that an authorization file corresponds to an eUICC, and specifically that the authorization file corresponds to the eUICC indicated by the EID included in the authorization file, and the authorization file server may also send the authorization file to the server and the EID of the eUICC corresponding to the authorization file. Therefore, the authorization file can determine the eUICC corresponding thereto by the eUICC indicated by the EID transmitted together with the authorization file.
  • the server receives an authorization file sent by an authorization file server.
  • the authorization file corresponds to the EID of the eUICC on the user terminal, and the authorization file includes an EID of the eUICC, at least one policy rule, and an operator corresponding to each policy rule in the at least one policy rule that allows the policy rule to be set. information.
  • Each of the at least one policy rule may be an identifier of the policy rule, and the information of the operator in the information of the operator that is allowed to set the policy rule may be the identifier information of the operator, such as the operation. Business mobile network number.
  • the user terminal sends the EID of the eUICC on the user terminal to the server.
  • the server receives the EID sent by the user terminal.
  • S401-S403 may be performed first, and then S404-S405 may be executed; S404-S405 may be executed first, then S401-S403 may be executed; and S401-S403 and S404-S405 may be simultaneously executed.
  • the embodiment of the present invention does not limit the order of execution of S401-S403 and S404-S405.
  • the server determines, according to the EID sent by the user terminal, an authorization file corresponding to the EID of the eUICC on the user terminal, and sends the determined authorization file to the user terminal, where the authorization file includes the EID of the eUICC, at least one policy rule, and Information of an operator corresponding to each policy rule in at least one policy rule that allows the policy rule to be set.
  • the server may receive the at least one authorization file sent by the authorization file server, so after receiving the EID sent by the user terminal, the server may compare the EID sent by the user terminal with the corresponding EID in the at least one authorization file, if the user terminal The EID sent is the same as the EID contained in an authorization file, and the server can determine that the authorization file corresponds to the eUICC on the user terminal.
  • the user terminal receives an authorization file sent by the server.
  • the user terminal may save the authorization file or use the received authorization file to update the authorization file saved in the user terminal.
  • the method in the embodiment of the present invention may further include S408a or S408b. .
  • the user terminal saves the authorization file in the eUICC.
  • the user terminal updates the user terminal by using the received authorization file.
  • Authorization file saved in eUICC.
  • the server may send the authorization file to the user terminal after obtaining the authorization file, so that the user terminal can update the authorization file saved in the eUICC on the user terminal in real time, and the operator can Set the permissions of the policy rule based on the real-time updated configuration file.
  • the problem that the authorization file in the eUICC cannot adapt to the change of the authority of the operator to set the policy rule cannot be solved due to the fixed and unchangeable authorization file preset in the eUICC in the prior art.
  • the method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
  • the server in FIG. 4 may be an SM-DS.
  • the first application scenario of the embodiment of the present invention may be a scenario corresponding to the network architecture shown in FIG. 2 .
  • the user terminal may send the EID of the eUICC on the user terminal to the SM-DS by sending a polling message to the SM-DS.
  • S404 in FIG. 4 may be replaced by S404a
  • S405 may be replaced by S405a
  • S406 may be replaced by S406a
  • S407 may be replaced by S407a:
  • S404a The user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal.
  • S405a and SM-DS receive the polling message sent by the user terminal.
  • the S406a and the SM-DS send a response message to the user terminal, and the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
  • S407a The user terminal receives a response message of the polling message sent by the SM-DS, where the response message of the polling message carries an authorization file.
  • the user terminal may obtain metadata of the first subscription information set of the first carrier from the SM-DP, and determine the first subscription information set.
  • the user terminal can pass the The manner in which the SM-DS sends a polling message to obtain an authorization file from the SM-DS.
  • the method in the embodiment of the present invention may further include S409 and S404a' and subsequent processes:
  • the user terminal receives the first policy rule sent by the SM-DP of the first operator.
  • the first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set, and the first operator is the operator to which the first subscription information set belongs.
  • the user equipment can establish a connection with the first operator's SM-DP and authenticate each other, and request to obtain the first subscription information set, and the SM-DP can receive the user equipment for requesting to acquire the first subscription information set.
  • the metadata of the first subscription information set of the first carrier is sent to the user terminal, where the metadata includes the first policy rule, so that the user terminal can receive the first carrier of the first carrier sent by the SM-DP.
  • the first policy rule in the metadata of the contracted information set.
  • the user terminal after receiving the first policy rule, the user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal, and the polling message is used to request the SM-DS to the user terminal.
  • the user terminal When receiving the first policy rule in the metadata sent by the SM-DP, the user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal.
  • the user terminal may only include the first operation in determining the authorization file saved in the user terminal.
  • the authorization file is obtained from the SM-DS by sending a polling message to the SM-DS.
  • the user terminal After receiving the first policy rule, the user terminal sends a polling message to the SM-DS if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first operator.
  • the user terminal may determine that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the information of the first operator.
  • the user terminal sends a polling message to the SM-DS.
  • the user terminal receives the first policy rule included in the metadata sent by the SM-DP, where the polling message carries the EID of the eUICC on the user terminal.
  • the above-mentioned "authorization file saved on the user terminal" may be an authorization file stored in a storage space (such as a memory or a disk) of the user terminal, or may be an authorization file stored in the eUICC on the user terminal.
  • the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first carrier.
  • the carrier that can set the policy rule for the at least one policy rule in the authorization file does not include the information of the first carrier.
  • the operator of the at least one policy rule in the authorization file that allows the policy rule to be set can be for all operators.
  • the user equipment after the user equipment downloads the metadata of the first subscription information set from the SM-DP, that is, the user equipment receives the first policy rule in the metadata of the first operator sent by the SM-DP, the user equipment first determines the Whether the first policy rule is included in the authorization file saved on the user terminal, and only when the information of the operator that allows the policy rule to be set in the authorization file saved on the user terminal does not include the information of the first carrier, When the SM-DS sends a polling message, the authorization file is obtained from the SM-DS, and the user terminal can be prevented from repeatedly obtaining the authorization file from the SM-DS.
  • the server in FIG. 4 may be a push server.
  • the second application scenario of the embodiment of the present invention may be a scenario corresponding to the network architecture shown in FIG. 3 .
  • S404 in FIG. 4 may be replaced by S404b
  • S405 may be replaced by S405b
  • S406 may be replaced by S406b:
  • S404b The user terminal sends a registration request to the push server, where the registration request carries the EID of the eUICC on the user terminal.
  • the LPA can use the LPA to send a registration request to the push server through the push client in the user terminal as shown in FIG. 3 to register the LPA application of the terminal in the push server, and the above registration.
  • the request carries the EID of the eUICC on the user terminal.
  • the push server receives the registration request sent by the user terminal.
  • the registration request may also carry the identifier of the LPA that logs in to the push client.
  • the push server may assign a password to the LPA indicated by the LPA identifier.
  • the method in the embodiment of the present invention may further include S410:
  • S410 The push server allocates a password for the LPA indicated by the LPA identifier carried in the registration request, and saves the correspondence between the password allocated by the push server for the LPA indicated by the LPA identifier and the EID carried in the registration request.
  • the push server can save the correspondence between the password and the EID in a list manner.
  • Table 1 an example of the correspondence between the password and the EID provided by the embodiment of the present invention is as follows:
  • password 1 has a correspondence with EID-a
  • password 2 has a correspondence with EID-b
  • password n has a correspondence with EID-x.
  • the push server may determine the EID corresponding to the authorization file according to the corresponding relationship.
  • the corresponding password may be determined by the push server.
  • the method in the embodiment of the present invention may further include S411:
  • the push server determines a password corresponding to the EID corresponding to the authorization file according to the correspondence between the EID stored in the push server and the password generated by the push server for the LPA in the user terminal.
  • the push server may determine the password corresponding to the EID-b according to the correspondence between the password and the EID shown in Table 1. For password 2.
  • the push server since the user terminal is the LPA registered to the push server through the push client in the user terminal, the push server carries the determined password (such as the password 2 above) when sending the authorization file to the user terminal through the push client.
  • the push client determines, based on the password 2, that the push message should be pushed to the LPA application.
  • S406 in FIG. 4 may be replaced by S406b, and correspondingly, S407 may be replaced by S407b:
  • S406b The push server sends the authorization file and the password corresponding to the EID corresponding to the authorization file to the user terminal.
  • S407b The user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file.
  • the user terminal may receive, by the push client, an authorization file sent by the push server and a password corresponding to the EID corresponding to the authorization file.
  • the method of the embodiment of the present invention may further include S412-S413:
  • the push server sends a response message of the registration request to the user terminal, where the response message of the registration request carries a password allocated by the push server for the LPA indicated by the LPA identifier.
  • the user terminal receives a response message of the registration request sent by the push server.
  • the user terminal can receive the note sent by the push server by pushing the client.
  • the response message of the request can be
  • the user terminal may use the password corresponding to the EID corresponding to the authorization file to compare the password allocated by the push server to the LPA. If the password corresponding to the EID corresponding to the authorization file is the same as the password assigned by the push server to the LPA, the user terminal saves the authorization file in the eUICC through the LPA; or, if the password corresponding to the EID corresponding to the authorization file and the push server are The password assigned by the LPA is the same, and the user terminal updates the authorization file saved in the eUICC through the LPA using the authorization file.
  • the user terminal may determine that the password carried in the response message of the registration request is the push server is the LPA identifier carried in the registration request.
  • the indicated LPA assigned password (referred to as the configuration password), that is, the password that the push server assigns to the LPA registered to the push server.
  • the push client compares the configuration password with the authorization file sent by the push server.
  • the password corresponding to the EID may be pushed to the corresponding LPA by the push client if the configuration password is the same as the password corresponding to the EID corresponding to the authorization file sent by the push server.
  • the user terminal may obtain the first policy rule from the SM-DP, whether the authorization file saved in the user terminal includes the policy rule of the first operator, The user terminal can wait for a predetermined time to obtain an authorization file from the push server.
  • the method in the embodiment of the present invention may further include S414 and S407b' and subsequent processes:
  • the user terminal receives the first policy rule sent by the SM-DP.
  • the SM-DP may be the SM-DP of the first carrier, and the first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set, where the first carrier is the first subscription. The operator to which the information set belongs.
  • the user equipment can establish a connection with the first operator's SM-DP and authenticate each other, and request to obtain the first subscription information set, and the SM-DP can receive the user equipment for requesting to acquire the first subscription information set.
  • the metadata of the first subscription information set of the first carrier is sent to the user terminal, where the metadata includes the first policy rule, so that the user terminal can receive the first carrier of the first carrier sent by the SM-DP.
  • the first policy rule in the metadata of the contracted information set.
  • the user terminal after receiving the first policy rule, the user terminal starts a timer, and waits to receive the authorization file sent by the push server within the time limit of the timer.
  • the metadata of the first subscription information set includes a first policy rule, and the first operator is an operator to which the first subscription information set belongs.
  • the user terminal may continue to execute S408a or S408b after receiving the authorization file sent by the push server; if the user terminal is in the timer If the authorization file sent by the push server is not received within the time limit, it indicates that the push server may not receive the authorization file sent by the authorized file server.
  • the user terminal may only allow the setting of the policy rule in the authorization file saved on the user terminal.
  • the timer is started, and the authorization file sent by the push server is waiting to be received within the time limit of the timer.
  • S407b' in FIG. 10 can be replaced with S407b ⁇ :
  • the timer is started, and the timer is started. Waiting to receive the authorization file sent by the push server.
  • the user terminal may determine that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the information of the first operator.
  • the user terminal starts a timer and waits to receive the authorization file sent by the push server within the timer time.
  • the first policy rule is included in the metadata of the first subscription information set.
  • the "authorization file saved on the user terminal" in the embodiment of the present invention may be an authorization file stored in a storage space (such as a memory or a disk) of the user terminal, or may be an authorization stored in the eUICC on the user terminal. file.
  • the information of the operator that allows the setting of the policy rule does not include the information of the first carrier.
  • the operator that can set the policy rule for the at least one policy rule in the authorization file does not include the information of the first carrier.
  • the operator of at least one policy rule in the authorization file that allows the policy rule to be set can be for all operators.
  • the user equipment downloads the metadata of the first subscription information set from the SM-DP, that is, after the user equipment receives the first policy rule sent by the SM-DP, it determines whether the authorization file saved on the user terminal is The first policy rule is included, and the timer is started only when the information of the operator that allows the policy rule to be set in the authorization file saved on the user terminal does not include the information of the first carrier, and is in the timer time. Waiting to receive the authorization file sent by the push server, the user terminal can be prevented from repeatedly obtaining the authorization file from the push server.
  • the user terminal may receive the first policy rule, and may also receive the validity time of the first policy rule, where the effective time of the first policy rule is used to define the first policy rule. Effective time.
  • the user terminal After the user terminal successfully installs the first subscription information set or the user terminal activates the first subscription information set, the user is prompted with the first policy rule and the valid time of the first policy rule.
  • the subscription information set may not be deleted, the subscription information set is not allowed to be deactivated, and the subscription information set is deactivated. At least one of the deletions restricts the user's management operation on the first subscription information set.
  • the authorization file in the embodiment of the present invention may include at least one policy rule and information corresponding to each of the at least one policy rule that allows the operator to set the policy rule, and may also include allowing the operator to set at least The effective time of a policy rule, allowing the operator to set any of the at least one policy rule.
  • the time is used to limit the time that the operator has permission to set any of the policy rules.
  • the method of the embodiment of the present invention may further include: when the user terminal activates the first policy rule, the user terminal determines whether the current time is within a valid time period allowed in the authorization file to allow the first operator to set the first policy rule; If the current time exceeds the valid time allowed for the first operator to set the first policy rule, the user terminal prohibits activation of the first policy rule.
  • the authorization file can be used to restrict the operator's permission to set policy rules, but also the effective time for allowing the operator to set policy rules.
  • the user terminal may also cancel the request according to the policy rule sent by the function entity (such as the operator server) of the operator, and delete part of the content of the authorization file saved in the user terminal.
  • the carrier server in the embodiment of the present invention may be an over-the-air (English: Over The Air, OTA for short) server.
  • the method of the embodiment of the present invention may further include S501:
  • S501 The user terminal receives the policy rule release request sent by the function entity of the first operator, where the policy rule release request carries the information of the first operator and the policy rule to be released.
  • the first operator may be any operator in the current communication network, and the information of the first operator may be identification information of the first operator, such as an MNC.
  • the information of the first carrier is included, and the user terminal deletes the authorization file.
  • the information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released.
  • the user terminal may delete the operator that allows the policy rule to be released to be set.
  • Information of the first carrier in the information includes the information of the first operator and the information of the second operator.
  • the authorization file saved on the user terminal includes multiple policy rules, when there is only information of the first operator in any of the policy rules, the user terminal deletes any one of the policy rules; There is only one policy rule in the authorization file saved on the user terminal. Only the information of the first operator is included in the policy rule, and the user terminal deletes the authorization file saved on the user terminal.
  • the authorization file saved in the user terminal can be updated in real time, but also the request message can be released according to the policy rule sent by the operator's device, and part of the content of the authorization file saved in the user terminal is deleted.
  • the user terminal deletes part of the content of the authorization file saved in the user terminal.
  • the method of the embodiment of the present invention may further include S601-S602:
  • the user terminal installs the first subscription information set.
  • the user terminal deletes the information of the first operator in the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file saved in the user terminal, or deletes the information saved in the user terminal.
  • the authorization file saved on the user terminal includes multiple policy rules, when only the information of the first operator is included in any of the policy rules, the user terminal deletes the authorization file, that is, deletes the user terminal.
  • the user terminal activates the second subscription information set.
  • the operator to which the second subscription information set belongs is the second operator, and the second subscription information set and the first subscription information set may be the same or different.
  • the user terminal may detect an activation instruction of the second subscription information set triggered by the user through the UI of the LPA, and activate the second subscription information set after detecting the activation instruction.
  • the method of the embodiment of the present invention may further include S603-S604:
  • the user terminal Before the user terminal activates the second subscription information set installed by the user terminal, if the second policy rule is determined that the subscription information set is not allowed to be deactivated, the user terminal checks Authorization file.
  • the second subscription information set belongs to the second operator, and the second policy rule is a policy rule that is set by the second operator and is associated with the second subscription information set.
  • the user terminal sends the prompt message.
  • the third operator includes any operator other than the second operator.
  • the foregoing prompt information may at least include: “Activating the second subscription information set will not be able to download the third operator's subscription information set” or “Activating the second subscription information set will not be able to download the third operator's subscription information set and the third. Carrier's information.”
  • the method for obtaining an authorization file provided by the embodiment of the present invention can not only update the authorization file saved in the user terminal in real time, but also limit the setting of the policy rule in the authorization file by the operator according to the authorization file, and can restrict the operator to set the policy arbitrarily.
  • the user when the user installs the contract information set of any operator, the user may be prompted according to the information of the authorization file to the user to influence the authorization file of the other operator when installing the contract information set of the operator.
  • the server and the user terminal include corresponding hardware structures and/or software modules for performing the respective functions in order to implement the above functions.
  • the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the server and user terminal and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods for implementing the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
  • the embodiment of the present invention may perform the division of the function module or the function unit between the server and the user terminal according to the foregoing method example.
  • each function module or function unit may be divided according to each function, or two or more functions may be integrated in the function.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules or functional units.
  • the division of a module or a unit in the embodiment of the present invention is schematic, and is only a logical function division. In actual implementation, there may be another division manner.
  • FIG. 12 shows a possible structural diagram of a server involved in the above embodiment.
  • the server 1200 can include an obtaining unit 1201 and a sending unit 1202.
  • the obtaining unit 1201 is configured to obtain an authorization file.
  • the acquisition unit 1201 is for supporting S403 in the above embodiments, and/or other processes for the techniques described herein.
  • the sending unit 1202 is configured to send an authorization file to the user terminal.
  • the transmitting unit 1202 is configured to support S406, S406a, S406b, and S412 in the above embodiments, and/or other processes for the techniques described herein.
  • the server may be an SM-DS or a push server, and the server 1200 may further include: a receiving unit 1203, a determining unit 1204, an allocating unit 1205, and a saving unit 1206.
  • the receiving unit 1203 is configured to receive an authorization file sent by the authorization file server.
  • receiving unit 1203 is for supporting S403 and S405 in the above embodiments, and/or other processes for the techniques described herein.
  • the determining unit 1204 is configured to determine an authorization file corresponding to the eUICC on the user terminal.
  • determining unit 1204 is for supporting S406 in the above-described embodiments, and/or other processes for the techniques described herein.
  • the receiving unit 1203 is further configured to receive a polling message sent by the user terminal, when the server is an SM-DS.
  • receiving unit 1203 is also used to support S405a in the above-described embodiments, and/or other processes for the techniques described herein.
  • the receiving unit 1203 is further configured to receive a registration request sent by the user terminal.
  • the receiving unit is also used to support S405b in the above embodiments, and/or other processes for the techniques described herein.
  • the determining unit 1204 is further configured to determine a password corresponding to the EID corresponding to the authorization file.
  • determining unit 1204 is also used to support S406 and S411 in the above-described embodiments, and/or other processes for the techniques described herein.
  • the allocating unit 1205 is configured to carry the request for registration The LPA assigned password indicated by the LPA tag.
  • allocation unit 1205 is used to support S410 in the above-described embodiments, and/or other processes for the techniques described herein.
  • the saving unit 1206 is configured to save a correspondence between a password allocated by the push server for the LPA indicated by the LPA identifier and an EID carried in the registration request.
  • save unit 1206 is used to support S410 in the above-described embodiments, and/or other processes for the techniques described herein.
  • the above-mentioned obtaining unit 1201, determining unit 1204, allocating unit 1205 and saving unit 1206, etc. may be implemented in one processing unit, which may be a processor or a controller, for example, may be a CPU.
  • processing unit which may be a processor or a controller, for example, may be a CPU.
  • general purpose processor digital signal processor (English: Digital Signal Processor, referred to as: DSP), ASIC (English: Application-Specific Integrated Circuit, referred to as: ASIC), field programmable gate array (English: Field Programmable Gate Array , abbreviated as: FPGA) or other programmable logic device, transistor logic device, hardware component or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processing unit may also be a combination of computing functions, such as one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the transmitting unit 1202 and the receiving unit 1203 may be implemented by being integrated in one communication unit, and the communication unit may be a communication interface, a transceiver circuit or a transceiver, or the like.
  • the storage unit can be a memory.
  • the server 1200 When the processing unit is a processor, the storage unit is a memory, and the communication unit is a transceiver, the server 1200 according to the embodiment of the present invention may be the server 1400 shown in FIG.
  • the server 1400 includes one or more processors 1401, a memory 1402, a transceiver 1403, and a bus 1404.
  • the one or more processors 1401, the memory 1402, and the transceiver 1403 are connected to one another via a bus 1404.
  • the bus 1404 may be a Peripheral Component Interconnect (PCI) bus or an extended industry standard architecture (English: Extended Industry Standard Architecture, referred to as: EISA) bus and so on.
  • the bus 1404 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 14, but it does not mean that there is only one bus or one type of bus.
  • the embodiment of the present invention further provides a non-volatile storage medium having one or more program codes stored therein.
  • the processor 1401 of the server 1400 executes the program code
  • the server 1400 executes the map. 4- related method steps in any of the figures of FIG.
  • each module or unit in the server 1400 provided by the embodiment of the present invention and the technical effects brought by each module or unit performing the related method steps in any of the figures in FIG. 4 can be referred to.
  • the related description in the method embodiment of the present invention is not described herein again.
  • FIG. 15 is a schematic diagram showing a possible structure of a user terminal involved in the above embodiment.
  • the user terminal 1500 may include a transmitting unit 1501, a receiving unit 1502, and a control unit 1503.
  • the sending unit 1501 is configured to send, to the server, an EID, a polling message, and a registration request of the eUICC on the user terminal.
  • the transmitting unit 1501 is configured to support S404, S404a, S404a', S404a, and S404b in the above embodiments, and/or other processes for the techniques described herein.
  • the receiving unit 1502 is configured to receive the sending by the server.
  • the receiving unit 1502 is further configured to receive a response message of the polling message sent by the SM-DS, and the receiving unit 1502 is further configured to receive a response message of the registration request sent by the push server, and the receiving unit 1502 is further configured to receive the first The first policy rule sent by the SM-DP of the operator; the receiving unit 1502 is further configured to wait for receiving the authorization file sent by the push server during the timing of the timer; the receiving unit 1502 is further configured to receive the first policy rule.
  • the receiving unit 1502 is further configured to receive the policy rule release request message sent by the function entity of the first operator.
  • the receiving unit 1502 is configured to support S407, S407a, S409, S407b, and S413 in the foregoing embodiment.
  • the control unit 1503 is configured to save the authorization file in the eUICC, or update the authorization file saved in the eUICC by using the authorization file.
  • the control unit 1503 is configured to support the above embodiments. S408a, S408b, and/or other processes for the techniques described herein.
  • the user terminal 1500 may further include: an activation unit 1504, an installation unit 1505, a first activation unit 1506, a first prompt unit 1507, a second activation unit 1508, a determination unit 1509, and a prohibition unit 1510.
  • the startup unit 1504 is configured to start a timer.
  • the activation unit 1504 is configured to support S407b' and S407b ⁇ in the above embodiments, and/or other processes for the techniques described herein.
  • the installation unit 1505 is configured to install the first subscription information set or the second subscription.
  • An information set for example, an installation unit 1505 for supporting S601 in the above embodiments, and/or other processes for the techniques described herein.
  • a first activation unit 1506 for activating a first subscription information set or a second The first information unit 1507 is configured to prompt the user of the policy information of the first operator's policy rule and the effective time of the policy information.
  • the second activation unit 1508 is configured to activate the policy rule of the first operator.
  • the determining unit 1509 is configured to determine, when the policy rule of the first operator is activated, whether the current time is within the validity time of the policy rule included in the authorization file that allows the first operator to set the first operator.
  • the prohibiting unit 1510 If it is determined that the current time exceeds the valid time of the first operator to set the first operator's policy rule, the first operator's policy rule is prohibited from being activated.
  • the deleting unit 1511 is configured to delete the information of the first operator in the information of the operator corresponding to the policy rule to be released, and delete the first operation in the information of the operator that allows the setting of the policy rule in the authorization file saved in the user terminal. The information of the quotient, or the authorization file corresponding to the first operator saved in the user terminal.
  • the deleting unit 1511 is used to support S502 and S602 in the above embodiment, and/or other technologies used in the techniques described herein.
  • the checking unit 1512 is configured to check the authorization file saved in the user terminal.
  • the checking unit 1512 is configured to support S603 in the above embodiment, and/or other processes for the techniques described herein.
  • the unit 1513 is configured to issue prompt information.
  • the second prompting unit 1513 is configured to support S604 in the above embodiment, and/or other processes for the techniques described herein.
  • the comparing unit 1514 is configured to adopt and authorize The password corresponding to the EID corresponding to the file is compared with the password assigned by the push server to the LPA.
  • control unit 1503, activation unit 1504, installation unit 1505, first activation unit 1506, first prompt unit 1507, second activation unit 1508, determination unit 1509, inhibition unit 1510, deletion unit 1511, the function unit such as the checking unit 1512 and the second prompting unit 1513 may be integrated and implemented in one processing unit, and the processing unit may be a processor or a controller, such as a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or the like. Programming logic devices, transistor logic devices, hardware components, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processing unit may also be a combination of computing functions, such as one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the transmitting unit 1501 and the receiving unit 1502 may be implemented by being integrated in one communication unit, which may be a communication interface, a transceiver circuit or a transceiver, or the like.
  • the storage unit can be a memory.
  • the processing unit is a processor
  • the storage unit is a memory
  • the communication unit is a transceiver
  • the user terminal 1500 according to the embodiment of the present invention may be the user terminal 1700 shown in FIG.
  • the user terminal 1700 includes one or more processors 1701, a memory 1702, a transceiver 1702, and a bus 1704. Among them, one or more processors 1701, a memory 1702, and a transceiver 1703 are connected to each other through a bus 1704.
  • the bus 1704 can be a PCI bus or an EISA bus.
  • the bus 1704 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 17, but it does not mean that there is only one bus or one type of bus.
  • the embodiment of the present invention further provides a non-volatile storage medium having one or more program codes stored therein.
  • the processor 1701 of the user terminal 1700 executes the program code
  • the user terminal 1700 executes Related method steps in any of Figures 4-11.
  • each module in the user terminal 1700 provided by the embodiment of the present invention and the technical effects of each module performing the related method steps in any of the figures in FIG. 4 can refer to the method embodiment of the present invention. The related descriptions are not repeated here.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the modules or units is only a logical function division.
  • there may be another division manner for example, multiple units or components may be used. Combinations can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium. , including several instructions All or part of the steps of the method of the various embodiments of the present invention are performed by a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor.
  • the foregoing storage medium includes: a memory card, a SIM card, a U disk, a removable hard disk, a read only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to the technical field of communications, and disclosed in embodiments of the present invention are a method and device for acquiring an authorization file, used to perform a real-time update of an authorization file stored in a user terminal. The method comprises: a user terminal sending to a server an EID of an eUICC in the user terminal; the user terminal receiving an authorization file sent by the server, wherein the authorization file corresponds to the EID of the eUICC in the user terminal, and comprises one or more policy rules and information, corresponding to each of the one or more policy rules, about operators having permission to configure the one or more policy rules; and the user terminal storing the authorization file in the eUICC; alternatively, the user terminal using the authorization file to update an authorization file stored in the eUICC. The embodiments of the present invention are applicable to an authorization file acquisition process of a user terminal.

Description

一种获取授权文件的方法及设备Method and device for obtaining authorization file 技术领域Technical field
本发明实施例涉及通信技术领域,尤其涉及一种获取授权文件的方法及设备。The embodiments of the present invention relate to the field of communications technologies, and in particular, to a method and a device for obtaining an authorization file.
背景技术Background technique
作为接入鉴权和身份认证的模块,智能卡是移动通信网络中用户终端必备的设备之一。例如,嵌入式通用集成电路卡(英文:embedded Universal Integrated Circuit Card,简称:eUICC)是一种智能卡,允许运营商的身份鉴权应用在线动态加载,eUICC可以下载并存储至少一个用户身份数据和接入信息,供合法用户接入运营商网络。其中,上述用户身份数据和接入信息称为签约信息集(简称profile)。其中,至少一个Profile中的每个Profile中可以保存eUICC与一个运营商的签约或订购数据。上述至少一个Profile可以是从运营商网络侧的签约管理-数据准备服务器(英文:Subscription Manager Data Preparation,简称:SM-DP)下载而后存储在eUICC中的。终端可以通过激活Profile,接入该Profile对应的运营商网络。As a module for access authentication and identity authentication, a smart card is one of the necessary devices for a user terminal in a mobile communication network. For example, an embedded universal integrated circuit card (eUICC) is a smart card that allows an operator's identity authentication application to be dynamically loaded online. The eUICC can download and store at least one user identity data and interface. Enter information for legitimate users to access the carrier network. The user identity data and the access information are referred to as a contract information set (referred to as a profile). The profile or order data of the eUICC and an operator may be saved in each profile in at least one profile. The at least one profile may be downloaded from the subscription management data preparation server (English: Subscription Manager Data Preparation, SM-DP for short) and then stored in the eUICC. The terminal can access the carrier network corresponding to the profile by activating the profile.
为了限制用户对profile的操作,运营商设置了一系列用于限制用户对profile的操作的策略规则(英文:policy rule)。如,profile的policy rule可以为:“该profile不允许去激活”、“该profile不允许删除”或者“该profile去激活后应删除”等。In order to limit the user's operation on the profile, the operator sets a series of policy rules (English: policy rule) for restricting the user's operation on the profile. For example, the policy rule of the profile can be: "The profile is not allowed to be deactivated", "The profile is not allowed to be deleted" or "The profile should be deleted after activation".
同时,用户终端上或eUICC中也存储有一种用于管理运营商设置其profile的policy rule的权限的授权文件,该授权文件可以实现只有在授权文件允许运营商设置某个policy rule时,该运营商的profile的policy rule才可以在安装profile时被激活。At the same time, the user terminal or the eUICC also stores an authorization file for managing the permission of the operator to set the policy rule of the profile. The authorization file can be implemented only when the authorization file allows the operator to set a policy rule. The policy rule of the profile can be activated when the profile is installed.
存在的问题是:现有技术中eUICC中的授权文件是在eUICC出 厂时,由厂商配置在eUICC中的固定、不可更改的文件。但是,运营商设置policy rule的权限可以根据每个用户需求的不同而变化,即现有技术中预置在eUICC中的固定、不可更改的授权文件不能适应于运营商设置policy rule的权限的变化。The problem is that the authorization file in the eUICC in the prior art is in the eUICC. At the factory, the fixed, unchangeable files in the eUICC are configured by the manufacturer. However, the permission of the operator to set the policy rule can be changed according to the requirements of each user. That is, the fixed and unchangeable authorization files preset in the eUICC in the prior art cannot be adapted to the change of the authority of the operator to set the policy rule. .
发明内容Summary of the invention
本发明的实施例提供一种获取授权文件的方法及设备,用以解决预置在eUICC中固定、不可更改的授权文件,不能适应于运营商设置policy rule的权限的变化的问题。The embodiment of the present invention provides a method and a device for acquiring an authorization file, which are used to solve the problem that the authorization file that is fixed and unchangeable in the eUICC is not adapted to the change of the authority of the operator to set the policy rule.
第一方面,本发明实施例提供了一种获取授权文件的方法,该获取授权文件的方法可以包括:用户终端向服务器发送用户终端上的eUICC的嵌入式通用集成电路卡标识(英文:Embedded Universal Integrated Circuit Card Identification,简称:EID);用户终端接收服务器发送的授权文件,该授权文件与用户终端上的eUICC的EID对应,上述授权文件中包含至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息;用户终端在eUICC中保存授权文件,或者,用户终端采用授权文件更新eUICC中保存的授权文件。其中,上述服务器可以为SM-DS或者推送服务器。In a first aspect, the embodiment of the present invention provides a method for obtaining an authorization file, where the method for obtaining an authorization file may include: the user terminal sends an embedded universal integrated circuit card identifier of the eUICC on the user terminal to the server (English: Embedded Universal) Integrated circuit card identification (EID); the user terminal receives an authorization file sent by the server, and the authorization file corresponds to an EID of the eUICC on the user terminal, where the authorization file includes at least one policy rule and each of the at least one policy rule The information corresponding to the policy rule allows the operator to set the policy rule; the user terminal saves the authorization file in the eUICC, or the user terminal uses the authorization file to update the authorization file saved in the eUICC. The above server may be an SM-DS or a push server.
其中,由于用户终端可以在向服务器发送该用户终端上的eUICC的EID后,接收到服务器发送的与该用户终端上的eUICC对应的授权文件,并在接收到授权文件后更新该用户终端上的eUICC中保存的授权文件。如此,便可以解决由于现有技术中预置在eUICC中的固定、不可更改的授权文件,而导致eUICC中的授权文件不能适应于运营商针对用户设置policy rule的权限的变化的问题。本发明实施例提供的获取授权文件的方法,可以实时更新该用户终端上的eUICC中保存的授权文件。After the user terminal can send the EID of the eUICC on the user terminal to the server, the user terminal can receive the authorization file corresponding to the eUICC sent by the server, and update the user terminal after receiving the authorization file. Authorization file saved in eUICC. In this way, the fixed and unchangeable authorization file preset in the eUICC in the prior art can be solved, and the authorization file in the eUICC cannot be adapted to the problem that the operator changes the permission of the policy rule for the user. The method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
在一种可能的实现方式中,上述服务器可以为SM-DS。在这种实现方式中,“用户终端向服务器发送用户终端上的eUICC的EID”的方法可以包括:用户终端向SM-DS发送轮询消息,该轮询 消息中携带有用户终端上的eUICC的EID,用户终端接收SM-DS发送的轮询消息的响应消息,该轮询消息的响应消息中携带有授权文件。In a possible implementation manner, the foregoing server may be an SM-DS. In this implementation manner, the method for “the user terminal sends the EID of the eUICC on the user terminal to the server” may include: the user terminal sends a polling message to the SM-DS, the polling The message carries the EID of the eUICC on the user terminal, and the user terminal receives the response message of the polling message sent by the SM-DS, and the response message of the polling message carries the authorization file.
在一种可能的实现方式中,上述服务器可以为推送服务器。在这种实现方式中,“用户终端向服务器发送用户终端上的eUICC的EID”的方法可以包括:用户终端向推送服务器发送注册请求,该注册请求中携带有用户终端上的eUICC的EID。In a possible implementation manner, the foregoing server may be a push server. In this implementation, the method for the user terminal to send the EID of the eUICC on the user terminal to the server may include: the user terminal sends a registration request to the push server, where the registration request carries the EID of the eUICC on the user terminal.
在一种可能的实现方式中,当上述服务器为推送服务器时,上述注册请求中还可以携带有用户终端中的LPA的LPA标识,该LPA标识用于唯一标识该用户终端中的一个LPA。相应的,在用户终端向推送服务器发送注册请求之后,本发明实施例的方法还可以包括:用户终端接收推送服务器发送的注册请求的响应消息,该注册请求的响应消息中携带有推送服务器为注册请求中携带的LPA标识所指示的LPA分配的口令;用户终端接收推送服务器发送的授权文件和与授权文件对应的EID对应的口令。In a possible implementation, when the server is a push server, the registration request may further carry an LPA identifier of the LPA in the user terminal, where the LPA identifier is used to uniquely identify one LPA in the user terminal. Correspondingly, after the user terminal sends the registration request to the push server, the method of the embodiment of the present invention may further include: the user terminal receives the response message of the registration request sent by the push server, where the response message of the registration request carries the push server as the registration The password assigned by the LPA indicated by the LPA identifier carried in the request; the user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file.
可以想到的是,由于用户终端中包含至少一个LPA,推送服务器可以将推送服务器为用户终端中的一个LPA分配的口令发送给用户终端,这样用户终端便可以保存该LPA的口令,并在接收到推送服务器发送的授权文件和与授权文件对应的EID对应的口令后,可以采用与授权文件对应的EID对应的口令对比推送服务器为LPA分配的口令,确定出该授权文件所对应的LPA。It is conceivable that, since the user terminal includes at least one LPA, the push server may send the password assigned by the push server to an LPA in the user terminal to the user terminal, so that the user terminal can save the password of the LPA and receive the password. After the authorization file sent by the server and the password corresponding to the EID corresponding to the authorization file are used, the password corresponding to the EID corresponding to the authorization file may be used to compare the password assigned by the push server to the LPA, and the LPA corresponding to the authorization file is determined.
在一种可能的实现方式中,上述“用户终端在eUICC中保存授权文件”的方法可以包括:若与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同,用户终端则通过LPA在eUICC中保存授权文件。In a possible implementation, the method for the “user terminal storing the authorization file in the eUICC” may include: if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the user terminal passes the LPA. Save the authorization file in eUICC.
其中,用户终端对比与授权文件对应的EID对应的口令和推送服务器为LPA分配的口令,当与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同时,用户终端通过LPA在eUICC中保存授权文件;当与授权文件对应的EID对应的口令与推送服务 器为LPA分配的口令不同时,用户终端在eUICC中不保存授权文件。The user terminal compares the password corresponding to the EID corresponding to the authorization file and the password assigned by the push server to the LPA. When the password corresponding to the EID corresponding to the authorization file is the same as the password assigned by the push server to the LPA, the user terminal passes the LPA on the eUICC. Save the authorization file; the password and push service corresponding to the EID corresponding to the authorization file When the password assigned to the LPA is different, the user terminal does not save the authorization file in the eUICC.
在一种可能的实现方式中,上述“用户终端采用授权文件更新eUICC中保存的授权文件”的方法可以包括:若与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同,用户终端则通过LPA采用授权文件更新eUICC中保存的授权文件。In a possible implementation manner, the method that the “user terminal uses the authorization file to update the authorization file saved in the eUICC” may include: if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the user The terminal updates the authorization file saved in the eUICC through the LPA using the authorization file.
在一种可能的实现方式中,当上述服务器为SM-DS时,本发明实施例的方法还可以包括:用户终端接收第一运营商的签约管理-数据准备服务器(英文:Subscription Manager-Date Preparation,简称:SM-DP)发送的第一策略规则,该第一策略规则为第一运营商设置的与第一签约信息集关联的策略规则,第一运营商为第一签约信息集所属的运营商。In a possible implementation manner, when the server is an SM-DS, the method of the embodiment of the present invention may further include: the user terminal receives the subscription management data preparation server of the first operator (English: Subscription Manager-Date Preparation) The first policy rule sent by the SM-DP, the first policy rule is a policy rule associated with the first subscription information set set by the first operator, and the first operator is the operation to which the first subscription information set belongs. Business.
其中,上述SM-DP可以为第一运营商的SM-DP,用户设备可以与该SM-DP建立连接并相互认证,并请求获得第一运营商的第一签约信息集。SM-DP可以在接收到请求获得第一运营商的第一签约信息集的消息后,先向用户终端发送第一运营商的第一签约信息集的元数据,该元数据中包含第一策略规则,从而用户终端可以接收SM-DP发送的第一运营商的第一签约信息集的元数据中的第一策略规则。The SM-DP may be the SM-DP of the first carrier, and the user equipment may establish a connection with the SM-DP and authenticate each other, and request to obtain the first subscription information set of the first operator. After receiving the message requesting the first subscription information set of the first operator, the SM-DP may first send the metadata of the first subscription information set of the first operator to the user terminal, where the metadata includes the first policy. The rule, so that the user terminal can receive the first policy rule in the metadata of the first subscription information set of the first operator sent by the SM-DP.
在一种可能的实现方式中,当服务器为SM-DS时,本发明实施例的方法还可以包括:用户终端在接收到第一策略规则后,向SM-DS发送轮询消息,该轮询消息中携带有用户终端上的eUICC的EID,上述轮询消息用于请求SM-DS向用户终端发送与用户终端上的eUICC的EID对应的授权文件。In a possible implementation manner, when the server is an SM-DS, the method of the embodiment of the present invention may further include: after receiving the first policy rule, the user terminal sends a polling message to the SM-DS, where the polling The message carries the EID of the eUICC on the user terminal, and the foregoing polling message is used to request the SM-DS to send an authorization file corresponding to the EID of the eUICC on the user terminal to the user terminal.
在这种实现方式中,用户终端在接收到第一策略规则后,若确定授权文件中包含的第一策略规则对应的、允许设置第一策略规则的运营商的信息中不包含第一运营商的信息,用户终端则向SM-DS发送轮询消息。上述“允许设置第一策略规则的运营商的信息中不包含第一运营商的信息”可以为授权文件中至少一个策略规则的允 许设置策略规则的运营商中不包含第一运营商的信息,其中,授权文件中至少一个策略规则的允许设置策略规则的运营商可以为所有运营商。用户设备在接收到SM-DP发送的第一签约信息集的元数据中的第一策略规则后,可以先判断该用户终端上保存的授权文件中是否包含第一策略规则,并在该用户终端上保存的授权文件中允许设置第一策略规则的运营商的信息中不包含第一运营商的信息时,才通过向SM-DS发送轮询消息的方式,从SM-DS获得授权文件,如此,便可以避免用户终端重复从SM-DS获取授权文件。In this implementation manner, after receiving the first policy rule, the user terminal determines that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the first carrier. The user terminal sends a polling message to the SM-DS. The information of the operator that allows the setting of the first policy rule does not include the information of the first carrier may be the permission of at least one policy rule in the authorization file. The operator of the policy setting rule does not include the information of the first operator, and the operator of the at least one policy rule in the authorization file that allows the policy rule to be set may be all operators. After receiving the first policy rule in the metadata of the first subscription information set sent by the SM-DP, the user equipment may first determine whether the first policy rule is included in the authorization file saved on the user terminal, and the user policy is included in the user terminal. When the information of the operator that allows the first policy rule to be set in the saved authorization file does not include the information of the first carrier, the authorization file is obtained from the SM-DS by sending a polling message to the SM-DS. In order to avoid the user terminal repeatedly obtaining the authorization file from the SM-DS.
在一种可能的实现方式中,当上述服务器为推送服务器时,本发明实施例的方法还可以包括:用户终端在接收到第一策略规则后,启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件,第一运营商为第一签约信息集所属的运营商。In a possible implementation manner, when the server is a push server, the method of the embodiment of the present invention may further include: after receiving the first policy rule, the user terminal starts a timer, and is within a timer time. Waiting to receive the authorization file sent by the push server, the first operator is the operator to which the first subscription information set belongs.
其中,上述SM-DP可以为第一运营商的SM-DP,用户设备可以与该SM-DP建立连接并相互认证,并请求获得第一运营商的第一签约信息集。SM-DP可以在接收到请求获得第一运营商的第一签约信息集的消息后,先向用户终端发送第一运营商的第一签约信息集的元数据,该元数据中包含第一策略规则,从而用户终端可以接收SM-DP发送的第一运营商的第一签约信息集的元数据中的第一策略规则。可以想到的是,如果用户终端在定时器的定时时间内可以接收到推送服务器发送的授权文件,则可以在接收到推送服务器发送的授权文件后,保存接收到的授权文件或者采用接收到的授权文件更新用户终端上的eUICC中已保存的授权文件;若用户终端在定时器的定时时间内没有接收到推送服务器发送的授权文件,则表示推送服务器可能并未接收到授权文件服务器发送的授权文件。The SM-DP may be the SM-DP of the first carrier, and the user equipment may establish a connection with the SM-DP and authenticate each other, and request to obtain the first subscription information set of the first operator. After receiving the message requesting the first subscription information set of the first operator, the SM-DP may first send the metadata of the first subscription information set of the first operator to the user terminal, where the metadata includes the first policy. The rule, so that the user terminal can receive the first policy rule in the metadata of the first subscription information set of the first operator sent by the SM-DP. It is conceivable that if the user terminal can receive the authorization file sent by the push server within the time limit of the timer, the received authorization file can be saved or the received authorization can be saved after receiving the authorization file sent by the push server. The file is updated with the authorization file saved in the eUICC on the user terminal; if the user terminal does not receive the authorization file sent by the push server within the time limit of the timer, it indicates that the push server may not receive the authorization file sent by the authorized file server. .
在一种可能的实现方式中,上述“用户终端在接收到第一策略规则后,启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件”的方法可以包括:用户终端在接收到第一策略规则后,若授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息,用户终端则启动定时器,并在定时器的定时时 间内等待接收推送服务器发送的授权文件。In a possible implementation, the method that the user terminal starts the timer after receiving the first policy rule and waits to receive the authorization file sent by the push server within the time limit of the timer may include: the user terminal. After receiving the first policy rule, if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first carrier, the user terminal starts a timer and is at the timing of the timer. Waiting to receive the authorization file sent by the push server.
在这种实现方式中,用户终端在接收到第一策略规则后,若确定授权文件中包含的第一策略规则对应的、允许设置第一策略规则的运营商的信息中不包含第一运营商的信息,用户终端则启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件。上述“允许设置策略规则的运营商的信息中不包含第一运营商的信息”可以为授权文件中至少一个策略规则的允许设置策略规则的运营商中不包含第一运营商的信息,其中,授权文件中至少一个策略规则的允许设置策略规则的运营商可以为所有运营商。用户设备在接收到SM-DP发送的第一签约信息集的元数据中的第一策略规则后,可以先判断该用户终端上保存的授权文件中是否包含第一策略规则,并在该用户终端上保存的授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息时,才启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件。如此,便可以避免当用户终端中保存有授权文件时,还要在定时器的定时时间内等待接收推送服务器发送的授权文件。In this implementation manner, after receiving the first policy rule, the user terminal determines that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the first carrier. The user terminal starts a timer and waits to receive the authorization file sent by the push server within the timer time. The information of the operator that allows the setting of the policy rule does not include the information of the first carrier. The operator that can set the policy rule for the at least one policy rule in the authorization file does not include the information of the first carrier. The operator of at least one policy rule in the authorization file that allows the policy rule to be set can be for all operators. After receiving the first policy rule in the metadata of the first subscription information set sent by the SM-DP, the user equipment may first determine whether the first policy rule is included in the authorization file saved on the user terminal, and the user policy is included in the user terminal. When the information of the operator that allows the policy rule to be set in the saved authorization file does not include the information of the first carrier, the timer is started, and the authorization file sent by the push server is waited for within the time limit of the timer. In this way, when the authorization file is saved in the user terminal, it is also necessary to wait for the authorization file sent by the push server to be received within the timer time.
在一种可能的实现方式中,至少一个策略规则至少包括:签约信息集不允许删除、签约信息集不允许去激活以及签约信息集去激活后应删除中的至少一项,其中,至少一个策略规则包括第一策略规则。其中,运营商设置该策略规则的有效时间可以用于在激活策略规则或profile时,提示用户该运营商只能够在上述有效时间内具有设置该策略规则的权限。In a possible implementation, the at least one policy rule includes at least one of: the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and at least one of the subscription information set is deactivated, wherein at least one policy is deleted. The rules include the first policy rule. The effective time that the operator sets the policy rule may be used to prompt the user that the operator can only have the right to set the policy rule within the valid time period when the policy rule or profile is activated.
在一种可能的实现方式中,本发明实施例的方法还可以包括:用户终端接收第一策略规则的有效时间,第一策略规则的有效时间用于限定第一策略规则的生效时间。In a possible implementation, the method of the embodiment of the present invention may further include: receiving, by the user terminal, a valid time of the first policy rule, where the effective time of the first policy rule is used to limit the effective time of the first policy rule.
在一种可能的实现方式中,本发明实施例的方法还可以包括:当用户终端成功安装第一签约信息集或者用户终端激活第一签约信息集后,向用户提示第一策略规则和该第一策略规则的有效时间。可以想到的是,在用户终端向用户提示第一策略规则和该第一策略 规则的有效时间内,可以根据签约信息集不允许删除、签约信息集不允许去激活以及签约信息集去激活后应删除中的至少一项,限制运营商设置该运营商的策略规则。In a possible implementation manner, the method of the embodiment of the present invention may further include: after the user terminal successfully installs the first subscription information set or the user terminal activates the first subscription information set, prompting the user with the first policy rule and the first The effective time of a policy rule. It is conceivable that the user terminal prompts the user with the first policy rule and the first policy. During the effective time of the rule, at least one of the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and the subscription information set is deactivated, and the operator is allowed to set the policy rule of the operator.
在一种可能的实现方式中,授权文件中还包含允许运营商设置至少一个策略规则的有效时间,允许运营商设置至少一个策略规则中任一策略规则的有效时间用于限定运营商具备设置任一策略规则的权限的时间。本发明实施例的方法还可以包括:当用户终端激活第一策略规则时,用户终端判断当前时间是否在授权文件中包含的允许第一运营商设置第一策略规则的有效时间内;若当前时间超过允许第一运营商设置第一策略规则的有效时间,用户终端则禁止激活第一策略规则。在这种实现方式中,不仅可以通过授权文件限制运营商对策略规则的设置权限,还可以根据“当前时间是否在授权文件中包含的允许第一运营商设置第一策略规则的有效时间内”判断运营商在当前时间是否还具有设置该第一策略规则的权限,即可以规定允许运营商设置该运营商的策略规则的有效时间。In a possible implementation manner, the authorization file further includes an effective time for allowing the operator to set at least one policy rule, and the operator is allowed to set an effective time of any one of the at least one policy rule to limit the carrier to have the setting. The time of a policy rule's permissions. The method of the embodiment of the present invention may further include: when the user terminal activates the first policy rule, the user terminal determines whether the current time is within a valid time period allowed in the authorization file to allow the first operator to set the first policy rule; The user terminal prohibits activation of the first policy rule when the effective time for allowing the first operator to set the first policy rule is exceeded. In this implementation manner, not only the authorization file may be used to restrict the permission of the operator to set the policy rule, but also whether the current time is within the validity time of the first policy rule that the first carrier is allowed to be included in the authorization file. It is determined whether the operator has the right to set the first policy rule at the current time, that is, the effective time for allowing the operator to set the policy rule of the operator may be specified.
在一种可能的实现方式中,在用户终端接收服务器发送的授权文件之后,本发明实施例的方法还可以包括:用户终端接收第一运营商的功能实体发送的策略规则解除请求消息,该策略规则解除请求消息中携带有第一运营商的信息和/或待解除的策略规则;若授权文件中包含的待解除的策略规则对应的、允许设置待解除的策略规则的运营商的信息中包含第一运营商的信息,用户终端则删除授权文件中包含的待解除的策略规则对应的、允许设置待解除的策略规则的运营商的信息中的第一运营商的信息。其中,第一运营商可以为当前网络中的任一运营商。用户终端可以根据第一运营商的功能实体发送的策略规则解除请求消息,删除授权文件中的部分内容。In a possible implementation, after the user terminal receives the authorization file sent by the server, the method of the embodiment of the present invention may further include: the user terminal receiving the policy rule release request message sent by the function entity of the first operator, the policy The rule release request message carries the information of the first operator and/or the policy rule to be released; if the policy rule to be released included in the authorization file contains the information of the operator that is allowed to set the policy rule to be released, The information of the first carrier, the user terminal deletes the information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released included in the authorization file. The first operator may be any operator in the current network. The user terminal may cancel the request message according to the policy rule sent by the function entity of the first operator, and delete part of the content in the authorization file.
在一种可能的实现方式中,在用户终端接收服务器发送的授权文件之后,本发明实施例的方法还可以包括:用户终端在成功安装第一签约信息集后,删除授权文件中包含的第一策略规则对应、允 许设置第一策略规则的运营商的信息中的第一运营商的信息;或者,用户终端在成功安装第一签约信息集后,删除用户终端中保存的包含第一运营商的信息的授权文件。In a possible implementation, after the user terminal receives the authorization file sent by the server, the method of the embodiment of the present invention may further include: after the user terminal successfully installs the first subscription information set, deleting the first content included in the authorization file. Policy rules correspond to Setting the information of the first operator in the information of the operator of the first policy rule; or, after successfully installing the first subscription information set, the user terminal deletes the authorization file containing the information of the first operator saved in the user terminal. .
在一种可能的实现方式中,在用户终端激活用户终端中安装的第二签约信息集之前,若确定第二策略规则为签约信息集不允许去激活,用户终端则检查授权文件,第二签约信息集归属于第二运营商,第二策略规则为第二运营商设置的与第二签约信息集关联的策略规则;若授权文件中包含的第二策略规则对应的、允许设置第二策略规则的运营商的信息中包含第三运营商的信息,用户终端则发出提示信息,第三运营商包括除第二运营商之外的任一运营商。其中,上述提示信息至少包括:激活第二签约信息集将无法下载第三运营商的签约信息集或者激活第二签约信息集将无法下载第三运营商的签约信息集和第三运营商的信息。In a possible implementation manner, before the user terminal activates the second subscription information set installed in the user terminal, if it is determined that the second policy rule is that the subscription information set is not allowed to be deactivated, the user terminal checks the authorization file, and the second subscription The information set belongs to the second operator, and the second policy rule is a policy rule that is associated with the second subscription information set set by the second operator; if the second policy rule included in the authorization file is allowed, the second policy rule is allowed to be set. The information of the operator includes the information of the third carrier, the user terminal sends the prompt information, and the third operator includes any operator other than the second operator. The foregoing prompt information at least includes: if the second subscription information set is activated, the subscription information set of the third operator cannot be downloaded, or the second subscription information set is activated, and the subscription information set of the third operator and the information of the third carrier cannot be downloaded. .
在这种实现方式中,用户终端可以通过向用户发出提示信息,提示用户如果激活该第二签约信息集,则可能会导致的问题,如激活该第二签约信息集后可能会导致不能激活第三运营商的签约信息集,使用户根据该提示信息选择是否继续激活该第二签约信息集。In this implementation manner, the user terminal may prompt the user to activate the second subscription information set by issuing a prompt message to the user, which may cause problems, such as activation of the second subscription information set may result in failure to activate the first The contract information set of the three operators enables the user to select whether to continue to activate the second subscription information set according to the prompt information.
第二方面,本发明实施例提供了一种获取授权文件的方法,该获取授权文件的方法可以包括:服务器获得授权文件,该授权文件与用户终端上的eUICC的EID对应,上述授权文件中包含eUICC的EID、至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息;服务器在向用户终端发送上述授权文件。其中,上述服务器可以为签约管理-业务发现服务器(英文:Subscription Manager-Discovery Service,简称:SM-DS)或者推送(英文:Push)服务器。In a second aspect, the embodiment of the present invention provides a method for obtaining an authorization file, where the method for obtaining an authorization file may include: obtaining, by the server, an authorization file, where the authorization file corresponds to an EID of an eUICC on the user terminal, where the authorization file includes An EID of the eUICC, at least one policy rule, and information corresponding to each of the at least one policy rule that allows the operator to set the policy rule; the server sends the authorization file to the user terminal. The server may be a subscription management-service discovery server (English: Subscription Manager-Discovery Service, SM-DS for short) or a push (English: Push) server.
其中,服务器可以在获得授权文件后,便向用户终端发送该授权文件,使得用户终端可以实时更新该用户终端上的eUICC中保存的授权文件。如此,便可以解决由于现有技术中预置在eUICC中的固定、不可更改的授权文件,而导致eUICC中的授权文件不能适应 于运营商针对用户设置policy rule的权限的变化的问题。本发明实施例提供的获取授权文件的方法,可以实时更新该用户终端上的eUICC中保存的授权文件。The server may send the authorization file to the user terminal after obtaining the authorization file, so that the user terminal can update the authorization file saved in the eUICC on the user terminal in real time. In this way, the fixed and unchangeable authorization files preset in the eUICC in the prior art can be solved, and the authorization file in the eUICC cannot be adapted. The problem of changes in the authority of the operator to set the policy rule for the user. The method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
在一种可能的实现方式中,上述服务器可以为SM-DS。相应的,“服务器向用户终端发送授权文件”的方法可以包括:SM-DS接收用户终端发送的轮询消息(英文:Polling),该轮询消息中携带有用户终端上的eUICC的EID;SM-DS向用户终端发送轮询消息的响应消息,该轮询消息的响应消息中携带有与轮询消息中携带的EID对应的授权文件。In a possible implementation manner, the foregoing server may be an SM-DS. Correspondingly, the method for the server to send the authorization file to the user terminal may include: the SM-DS receives the polling message sent by the user terminal (English: Polling), where the polling message carries the EID of the eUICC on the user terminal; The DS sends a response message to the user terminal, and the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
其中,当SM-DS接收到用户终端发送的轮询消息后,可以向用户终端发送包含与上述轮询消息中携带的EID对应的授权文件的响应消息,即SM-DS可以向用户终端发送与该用户终端上的eUICC对应的授权文件。如此,用户终端在接收到SM-DS发送的授权文件后,便可以保存该授权文件或者采用接收到的授权文件更新用户终端中已保存的授权文件。After receiving the polling message sent by the user terminal, the SM-DS may send a response message to the user terminal that includes the authorization file corresponding to the EID carried in the polling message, that is, the SM-DS may send and send to the user terminal. The authorization file corresponding to the eUICC on the user terminal. In this way, after receiving the authorization file sent by the SM-DS, the user terminal can save the authorization file or update the authorization file saved in the user terminal by using the received authorization file.
在一种可能的实现方式中,上述服务器可以为推送服务器。在服务器获得授权文件之后,本发明实施例的方法还可以包括:推送服务器根据推送服务器中保存的EID与推送服务器为用户终端中的本地文件助手(英文:Local Profile Assistant,简称:LPA)生成的口令的对应关系,确定与授权文件对应的EID对应的口令,用户终端中包含至少一个LPA。相应的,“服务器向用户终端发送授权文件”的方法可以包括:推送服务器向用户终端发送授权文件和与授权文件对应的EID对应的口令。In a possible implementation manner, the foregoing server may be a push server. After the server obtains the authorization file, the method of the embodiment of the present invention may further include: the push server generates, according to the EID and the push server saved in the push server, a local file assistant (English: Local Profile Assistant, LPA) in the user terminal. The password corresponds to the password corresponding to the EID corresponding to the authorization file, and the user terminal includes at least one LPA. Correspondingly, the method for the server to send the authorization file to the user terminal may include: the push server sends the authorization file and the password corresponding to the EID corresponding to the authorization file to the user terminal.
其中,由于授权文件可以对应于一个eUICC,而每一个eUICC都有其EID;因此授权文件也可以对应于一个eUICC的EID,推送服务器可以根据推送服务器中保存的EID与推送服务器为用户终端中的LPA生成的口令的对应关系,确定出与授权文件对应的EID对应的口令。The authorization file may correspond to one eUICC, and each eUICC has its EID; therefore, the authorization file may also correspond to the EID of an eUICC, and the push server may be the user ID in the user terminal according to the EID and the push server saved in the push server. The correspondence between the passwords generated by the LPA determines the password corresponding to the EID corresponding to the authorization file.
在一种可能的实现方式中,在服务器向用户终端发送授权文件 之前,本发明实施例的方法还可以包括:推送服务器接收用户终端发送的注册请求,该注册请求中携带有LPA标识和用户终端上的eUICC的EID;推送服务器为注册请求中携带的LPA标识所指示的LPA分配口令,并保存推送服务器为LPA标识所指示的LPA分配的口令与注册请求中携带的EID的对应关系。即上述实现方式中“推送服务器中保存的EID与推送服务器为用户终端中的LPA生成的口令的对应关系”可以为推送服务器在接收到用户终端发送的注册请求后,生成并保存在推送服务器中的。In a possible implementation manner, the server sends an authorization file to the user terminal. The method of the embodiment of the present invention may further include: the sending server receiving the registration request sent by the user terminal, where the registration request carries the LPA identifier and the EID of the eUICC on the user terminal; the push server is the LPA identifier carried in the registration request. The indicated LPA assigns a password, and stores a correspondence between the password assigned by the push server for the LPA indicated by the LPA identifier and the EID carried in the registration request. That is, in the above implementation manner, the “correspondence between the EID stored in the push server and the password generated by the push server for the LPA in the user terminal” may be generated by the push server after receiving the registration request sent by the user terminal, and stored in the push server. of.
在一种可能的实现方式中,在推送服务器为注册请求中携带的LPA标识所指示的LPA分配口令之后,本发明实施例的方法还可以包括:推送服务器向用户终端发送注册请求的响应消息,该注册请求的响应消息中携带有推送服务器为LPA标识所指示的LPA分配的口令。In a possible implementation, after the push server allocates a password for the LPA indicated by the LPA identifier carried in the registration request, the method of the embodiment of the present invention may further include: the push server sends a response message of the registration request to the user terminal, The response message of the registration request carries a password assigned by the push server to the LPA indicated by the LPA identifier.
可以想到的是,由于用户终端中包含至少一个LPA,推送服务器可以将推送服务器为用户终端中的一个LPA分配的口令发送给用户终端,以使得用户终端可以保存该LPA的口令,并在接收到推送服务器发送的“授权文件和与授权文件对应的EID对应的口令”后,可以通过对比授权文件对应的EID对应的口令和用户终端中的LPA的口令,确定出该授权文件所对应的LPA。It is conceivable that, since the user terminal includes at least one LPA, the push server may send the password assigned by the push server to one of the user terminals to the user terminal, so that the user terminal can save the password of the LPA and receive the password. After the "authorization file and the password corresponding to the EID corresponding to the authorization file" sent by the server are forwarded, the LPA corresponding to the authorization file may be determined by comparing the password corresponding to the EID corresponding to the authorization file with the password of the LPA in the user terminal.
第三方面,本发明实施例提供了一种用户终端,该用户终端可以包括:发送单元、接收单元和控制单元。发送单元,用于向服务器发送用户终端上的eUICC的EID。接收单元,用于接收服务器发送的授权文件,该授权文件与用户终端上的eUICC的EID对应,上述授权文件中包含至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息。控制单元,用于在eUICC中保存接收单元接收到的授权文件,或者,采用接收单元接收到的授权文件更新eUICC中保存的授权文件。In a third aspect, an embodiment of the present invention provides a user terminal, where the user terminal may include: a sending unit, a receiving unit, and a control unit. And a sending unit, configured to send, to the server, an EID of the eUICC on the user terminal. a receiving unit, configured to receive an authorization file sent by the server, where the authorization file corresponds to an EID of the eUICC on the user terminal, where the authorization file includes at least one policy rule and a permission setting corresponding to each policy rule in the at least one policy rule. The information of the operator of the policy rule. The control unit is configured to save the authorization file received by the receiving unit in the eUICC, or update the authorization file saved in the eUICC by using the authorization file received by the receiving unit.
在一种可能的实现方式中,服务器为SM-DS,发送单元,具体用于:向SM-DS发送轮询消息,轮询消息中携带有用户终端上的 eUICC的EID;接收单元,具体用于:接收SM-DS发送的轮询消息的响应消息,该轮询消息的响应消息中携带有授权文件。In a possible implementation manner, the server is an SM-DS, and the sending unit is specifically configured to: send a polling message to the SM-DS, where the polling message carries the user terminal. The EID of the eUICC; the receiving unit is specifically configured to: receive a response message of the polling message sent by the SM-DS, where the response message of the polling message carries an authorization file.
在一种可能的实现方式中,服务器为推送服务器,发送单元,具体用于:向推送服务器发送注册请求,注册请求中携带有用户终端上的eUICC的EID。In a possible implementation manner, the server is a push server, and the sending unit is configured to send a registration request to the push server, where the registration request carries the EID of the eUICC on the user terminal.
在一种可能的实现方式中,服务器为推送服务器,发送单元发送的注册请求中还携带有用户终端中的LPA的LPA标识。接收单元,还用于在发送单元向推送服务器发送注册请求之后,接收推送服务器发送的注册请求的响应消息,该注册请求的响应消息中携带有推送服务器为注册请求中携带的LPA标识所指示的LPA分配的口令;接收单元,具体用于:接收推送服务器发送的授权文件和与授权文件对应的EID对应的口令。In a possible implementation manner, the server is a push server, and the registration request sent by the sending unit further carries the LPA identifier of the LPA in the user terminal. The receiving unit is further configured to: after the sending unit sends the registration request to the push server, receive a response message of the registration request sent by the push server, where the response message of the registration request carries the indication that the push server is the LPA identifier carried in the registration request. The password assigned by the LPA; the receiving unit is specifically configured to: receive the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file.
在一种可能的实现方式中,在接收单元接收推送服务器发送的授权文件和与授权文件对应的EID对应的口令之后,用户终端还可以包括:对比单元。对比单元,用于采用与授权文件对应的EID对应的口令对比推送服务器为LPA分配的口令。In a possible implementation, after the receiving unit receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file, the user terminal may further include: a comparison unit. The comparing unit is configured to compare the password assigned by the push server to the LPA by using a password corresponding to the EID corresponding to the authorization file.
在一种可能的实现方式中,控制单元,具体可以用于:若与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同,则通过LPA在eUICC中保存授权文件。In a possible implementation manner, the control unit may be specifically configured to: when the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, save the authorization file in the eUICC through the LPA.
在一种可能的实现方式中,控制单元,具体可以用于:若与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同,则通过LPA采用授权文件更新eUICC中保存的授权文件。In a possible implementation, the control unit may be specifically configured to: if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, update the authorization file saved in the eUICC by using the authorization file by the LPA. .
在一种可能的实现方式中,服务器可以为SM-DS。接收单元,还用于接收第一运营商的SM-DP发送的第一策略规则,该第一策略规则为第一运营商设置的与第一签约信息集关联的策略规则,第一运营商为第一签约信息集所属的运营商。In one possible implementation, the server may be an SM-DS. The receiving unit is further configured to receive a first policy rule that is sent by the SM-DP of the first operator, where the first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set, where the first carrier is The operator to which the first contract information set belongs.
在一种可能的实现方式中,服务器可以为SM-DS。发送单元,还用于在接收单元接收到第一策略规则后,向SM-DS发送轮询消息,该轮询消息中携带有用户终端上的eUICC的EID,上述轮询消 息用于请求SM-DS向用户终端发送与用户终端上的eUICC的EID对应的授权文件。In one possible implementation, the server may be an SM-DS. The sending unit is further configured to: after receiving the first policy rule, the sending unit sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal, where the polling is performed. The information is used to request the SM-DS to send an authorization file corresponding to the EID of the eUICC on the user terminal to the user terminal.
在一种可能的实现方式中,发送单元,具体可以用于:在接收单元接收到第一策略规则后,若授权文件中允许设置策略规则的运营商的信息中不包含所述第一运营商的信息,则向SM-DS发送轮询消息。In a possible implementation manner, the sending unit may be specifically configured to: after the receiving, by the receiving unit, the first policy rule, if the information of the operator that allows the setting of the policy rule in the authorization file does not include the first carrier The information is sent to the SM-DS for polling messages.
在一种可能的实现方式中,服务器为推送服务器。用户终端还可以包括:启动单元。启动单元,用于在接收单元接收到第一策略规则后,则启动定时器。接收单元,还用于在启动单元启动的定时器的定时时间内等待接收推送服务器发送的授权文件。In a possible implementation, the server is a push server. The user terminal may further include: a boot unit. The startup unit is configured to start a timer after the receiving unit receives the first policy rule. The receiving unit is further configured to wait for receiving the authorization file sent by the push server within a timing time of the timer started by the startup unit.
在一种可能的实现方式中,启动单元,具体用于:在接收单元接收到第一策略规则后,若授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息,则启动定时器。接收单元,还用于在启动单元启动的定时器的定时时间内等待接收推送服务器发送的授权文件。In a possible implementation, the initiating unit is specifically configured to: after receiving the first policy rule, if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first operator, Then start the timer. The receiving unit is further configured to wait for receiving the authorization file sent by the push server within a timing time of the timer started by the startup unit.
在一种可能的实现方式中,至少一个策略规则至少包括:签约信息集不允许删除、签约信息集不允许去激活以及签约信息集去激活后应删除中的至少一项。其中,至少一个策略规则包括第一策略规则。In a possible implementation manner, the at least one policy rule includes at least one of: the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and at least one of the subscription information set is deactivated. The at least one policy rule includes a first policy rule.
在一种可能的实现方式中,接收单元,还用于接收第一策略规则的有效时间,该第一策略规则的有效时间可以用于限定第一策略规则的生效时间。In a possible implementation, the receiving unit is further configured to receive a valid time of the first policy rule, where the effective time of the first policy rule may be used to define an effective time of the first policy rule.
在一种可能的实现方式中,用户终端还可以包括:安装单元、第一激活单元单元和第一提示单元。安装单元,用于在用户终端安装第一签约信息集。第一激活单元,用于激活第一签约信息集。第一提示单元,用于当安装单元成功安装第一签约信息集或者第一激活单元激活第一签约信息集后,向用户提示第一策略规则和该第一策略规则的有效时间。In a possible implementation manner, the user terminal may further include: an installation unit, a first activation unit unit, and a first prompt unit. The installation unit is configured to install the first subscription information set on the user terminal. The first activation unit is configured to activate the first subscription information set. The first prompting unit is configured to prompt the user of the first policy rule and the valid time of the first policy rule after the installation unit successfully installs the first subscription information set or the first activation unit activates the first subscription information set.
在一种可能的实现方式中,授权文件中还包含允许运营商设置 至少一个策略规则的有效时间,允许运营商设置至少一个策略规则中任一策略规则的有效时间用于限定运营商具备设置任一策略规则的权限的时间。用户终端还可以包括:第二激活单元、判断单元和禁止单元。第二激活单元,用于激活第一策略规则。判断单元,用于当第二激活单元激活第一策略规则时,判断当前时间是否在授权文件中包含的允许第一运营商设置第一策略规则的有效时间内。禁止单元,用于若判断单元判断当前时间超过允许第一运营商设置第一策略规则的有效时间,则禁止激活第一策略规则。In a possible implementation, the authorization file also includes allowing the operator to set The effective time of at least one policy rule allows the operator to set the effective time of any one of the at least one policy rule to limit the time when the operator has the right to set any policy rule. The user terminal may further include: a second activation unit, a determination unit, and a prohibition unit. a second activation unit, configured to activate the first policy rule. The determining unit is configured to determine, when the second activation unit activates the first policy rule, whether the current time is within a valid time period allowed in the authorization file to allow the first operator to set the first policy rule. The forbidden unit is configured to prohibit activation of the first policy rule if the determining unit determines that the current time exceeds a valid time for allowing the first operator to set the first policy rule.
在一种可能的实现方式中,接收单元,还用于在接收到服务器发送的授权文件之后,接收第一运营商的功能实体发送的策略规则解除请求消息,策略规则解除请求消息中携带有第一运营商的信息和待解除的策略规则。用户终端还可以包括:删除单元。删除单元,用于若授权文件中包含的待解除的策略规则对应的、允许设置待解除的策略规则的运营商的信息中包含第一运营商的信息,则删除授权文件中包含的待解除的策略规则对应的、允许设置待解除的策略规则的运营商的信息中的第一运营商的信息。In a possible implementation manner, the receiving unit is further configured to: after receiving the authorization file sent by the server, receive a policy rule release request message sent by the function entity of the first operator, where the policy rule release request message carries the An operator's information and policy rules to be released. The user terminal may further include: a deleting unit. Deleting a unit, if the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released included in the authorization file includes the information of the first operator, deleting the information to be released included in the authorization file The information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule.
在一种可能的实现方式中,在接收单元接收到服务器发送的授权文件之后,删除单元,还用于在安装单元成功安装第一签约信息集后,删除授权文件中包含的第一策略规则对应的、允许设置第一策略规则的运营商的信息中的第一运营商的信息;或者,在安装单元成功安装第一签约信息集后,删除用户终端中保存的包含第一运营商的信息的授权文件。In a possible implementation, after the receiving unit receives the authorization file sent by the server, the deleting unit is further configured to delete the first policy rule included in the authorization file after the installation unit successfully installs the first subscription information set. The information of the first operator in the information of the operator that is allowed to set the first policy rule; or, after the installation unit successfully installs the first subscription information set, delete the information containing the first operator saved in the user terminal. Authorization file.
在一种可能的实现方式中,安装单元,还用于在用户终端中安装第二签约信息集;第一激活单元,还用于激活安装单元安装的第二签约信息集。用户终端还可以包括:检查单元和第二提示单元。检查单元,用于在第一激活单元激活第二签约信息集之前,若确定第二策略规则为签约信息集不允许去激活,则检查授权文件,第二签约信息集归属于第二运营商,第二策略规则为第二运营商设置的与第二签约信息集关联的策略规则。第二提示单元,用于若授权文 件中包含的第二策略规则对应的、允许设置第二策略规则的运营商的信息中包含第三运营商的信息,则发出提示信息,第三运营商包括除第二运营商之外的任一运营商。其中,提示信息至少包括:激活第二签约信息集将无法下载第三运营商的签约信息集或者激活第二签约信息集将无法下载第三运营商的签约信息集和第三运营商的信息。In a possible implementation, the installation unit is further configured to install a second subscription information set in the user terminal, and the first activation unit is further configured to activate the second subscription information set installed by the installation unit. The user terminal may further include: an inspection unit and a second prompt unit. The checking unit is configured to: before the first activation unit activates the second subscription information set, if it is determined that the second policy rule is that the subscription information set is not allowed to be deactivated, the authorization file is checked, and the second subscription information set belongs to the second operator, The second policy rule is a policy rule that is set by the second operator and associated with the second subscription information set. Second prompt unit, if the authorization text If the information of the operator that is allowed to set the second policy rule corresponding to the second policy rule included in the device includes the information of the third operator, the prompt information is sent, and the third operator includes any other than the second operator. An operator. The prompt information includes at least: the activation of the second subscription information set may fail to download the subscription information set of the third operator or activate the second subscription information set to download the subscription information set of the third operator and the information of the third carrier.
需要说明的是,本发明实施例的第三方面及其各种可能的实现方式的各个功能单元,是为了执行上述第一方面以及第一方面的各种可选方式所述的获取授权文件的方法,而对用户终端进行的逻辑上的划分。第三方面及其各种可能的实现方式的各个功能单元的详细描述以及有益效果分析可以参考上述第一方面及其各种可能的实现方式中的对应描述及技术效果,此处不再赘述。It should be noted that each of the functional units of the third aspect and various possible implementation manners of the embodiments of the present invention is to obtain the authorization file according to the foregoing first aspect and various optional manners of the first aspect. The method, while logically dividing the user terminal. For a detailed description of the various functional units of the third aspect and its various possible implementations, and the beneficial effects analysis, reference may be made to the corresponding descriptions and technical effects in the foregoing first aspect and various possible implementation manners, and details are not described herein again.
第四方面,提供一种用户终端,该用户终端包括:一个或多个处理器、存储器、总线和收发器。存储器用于存储计算机执行指令,处理器与存储器通过总线连接,当用户终端运行时,处理器执行存储器存储的计算机执行指令,以使用户终端执行如第一方面以及第一方面的各种可选方式中的用于获取授权文件的方法。In a fourth aspect, a user terminal is provided, the user terminal comprising: one or more processors, a memory, a bus, and a transceiver. The memory is used to store computer execution instructions, the processor and the memory are connected by a bus, and when the user terminal is running, the processor executes the computer stored instructions of the memory storage to enable the user terminal to perform various optional aspects as in the first aspect and the first aspect. The method used to obtain the authorization file in the mode.
第五方面,提供一种非易失性存储介质,非易失性存储介质中存储有一个或多个程序代码,当第四方面中的用户终端的处理器执行该程序代码时,用户终端执行如第一方面以及第一方面的各种可选方式中的用于获取授权文件的方法。In a fifth aspect, a non-volatile storage medium is provided. One or more program codes are stored in a non-volatile storage medium. When the processor of the user terminal in the fourth aspect executes the program code, the user terminal executes A method for obtaining an authorization file as in the first aspect and the various alternatives of the first aspect.
其中,第四方面中的处理器可以为第三方面及其各种可能的实现方式中的控制单元、对比单元、启动单元、安装单元、第一激活单元、第一提示单元、第二激活单元、判断单元、禁止单元、删除单元、检查单元和第二提示单元等功能单元的集成,第四方面中的收发器可以为上述第三方面及其各种可能的实现方式中的发送单元和接收单元的集成,用于实现用户终端与其他通信设备(如服务器)之间的信息交互。The processor in the fourth aspect may be the control unit, the comparison unit, the activation unit, the installation unit, the first activation unit, the first prompt unit, and the second activation unit in the third aspect and various possible implementation manners thereof. Integration of functional units such as a judging unit, a disabling unit, a deleting unit, an inspecting unit, and a second prompting unit, and the transceiver in the fourth aspect may be the transmitting unit and receiving in the above third aspect and various possible implementation manners thereof Unit integration for information interaction between user terminals and other communication devices such as servers.
第四方面中的用户终端以及该用户终端执行第五方面所述的计 算机可读存储介质中存储的程序的具体技术效果及其相关分析过程可以参考本发明实施例第一方面或第一方面的任一种实现方式中的相关技术效果描述,此处不再赘述。The user terminal in the fourth aspect and the user terminal perform the meter described in the fifth aspect For a specific technical effect of the program stored in the computer readable storage medium and the related analysis process, reference may be made to the related technical effects in the first aspect or the implementation manner of the first aspect of the present invention, and details are not described herein again. .
第六方面,本发明实施例提供了一种服务器,该服务器可以包括:获取单元和发送单元。获取单元,用于获得授权文件,该授权文件与用户终端上的eUICC的EID对应,上述授权文件中包含eUICC的EID、至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息。发送单元,用于向用户终端发送获取单元获得的授权文件。In a sixth aspect, an embodiment of the present invention provides a server, where the server may include: an obtaining unit and a sending unit. An obtaining unit, configured to obtain an authorization file, where the authorization file corresponds to an EID of an eUICC on the user terminal, where the authorization file includes an EID of the eUICC, at least one policy rule, and an allowable corresponding to each policy rule in the at least one policy rule. Set the carrier's information for this policy rule. And a sending unit, configured to send, to the user terminal, an authorization file obtained by the acquiring unit.
在一种可能的实现方式中,服务器为SM-DS;服务器还可以包括:接收单元。接收单元,用于接收用户终端发送的轮询消息,该轮询消息中携带有用户终端上的eUICC的EID。发送单元,具体用于:向用户终端发送轮询消息的响应消息,该轮询消息的响应消息中携带有与轮询消息中携带的EID对应的授权文件。In a possible implementation manner, the server is an SM-DS; the server may further include: a receiving unit. The receiving unit is configured to receive a polling message sent by the user terminal, where the polling message carries an EID of the eUICC on the user terminal. The sending unit is specifically configured to: send a response message of the polling message to the user terminal, where the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
在一种可能的实现方式中,服务器为推送服务器;服务器还可以包括:确定单元。确定单元,用于在获取单元获得授权文件之后,根据推送服务器中保存的EID与推送服务器为用户终端中的LPA生成的口令的对应关系,确定与授权文件对应的EID对应的口令,用户终端中包含至少一个LPA。发送单元,具体用于:向用户终端发送获取单元获得的授权文件和确定单元确定的与授权文件对应的EID对应的口令。In a possible implementation, the server is a push server; the server may further include: a determining unit. a determining unit, configured to determine, according to the correspondence between the EID saved in the push server and the password generated by the push server for the LPA in the user terminal, after the obtaining unit obtains the authorization file, the password corresponding to the EID corresponding to the authorization file, in the user terminal Contains at least one LPA. The sending unit is specifically configured to: send, to the user terminal, an authorization file obtained by the obtaining unit and a password corresponding to the EID corresponding to the authorization file determined by the determining unit.
在一种可能的实现方式中,接收单元,还用于在发送单元向用户终端发送获取单元获得的授权文件之前,接收用户终端发送的注册请求,注册请求中携带有LPA标识和用户终端上的eUICC的EID。服务器还可以包括:分配单元和保存单元。分配单元,用于为接收单元接收到的注册请求中携带的LPA标识所指示的LPA分配口令。保存单元,用于保存分配单元为LPA标识所指示的LPA分配的口令与接收单元接收到的注册请求中携带的EID的对应关系。In a possible implementation manner, the receiving unit is further configured to: before the sending unit sends the authorization file obtained by the acquiring unit to the user terminal, receive a registration request sent by the user terminal, where the registration request carries the LPA identifier and the user terminal. EID of eUICC. The server may further include: an allocating unit and a saving unit. And an allocating unit, configured to allocate a password for the LPA indicated by the LPA identifier carried in the registration request received by the receiving unit. And a saving unit, configured to save a correspondence between the password allocated by the allocation unit for the LPA indicated by the LPA identifier and the EID carried in the registration request received by the receiving unit.
在一种可能的实现方式中,发送单元,还用于在分配单元为接 收单元接收到的注册请求中携带的LPA标识所指示的LPA分配口令之后,向用户终端发送注册请求的响应消息,该注册请求的响应消息中携带有推送服务器为LPA标识所指示的LPA分配的口令。In a possible implementation manner, the sending unit is further configured to be connected in the allocating unit After receiving the LPA assignment password indicated by the LPA identifier carried in the registration request received by the receiving unit, the response message of the registration request is sent to the user terminal, where the response message of the registration request carries the LPA allocated by the push server for the LPA indication. Password.
需要说明的是,本发明实施例的第六方面及其各种可能的实现方式的各个功能单元,是为了执行上述第二方面以及第二方面的各种可选方式的获取授权文件的方法,而对服务器进行的逻辑上的划分。第六方面及其各种可能的实现方式的各个功能单元的详细描述以及有益效果分析可以参考上述第二方面及其各种可能的实现方式中的对应描述及技术效果,此处不再赘述。It should be noted that each functional unit of the sixth aspect of the embodiments of the present invention and various possible implementation manners thereof is a method for obtaining an authorization file in order to perform the foregoing second aspect and various alternative manners of the second aspect. And the logical division of the server. For a detailed description of the various functional units of the sixth aspect and its various possible implementations, and the beneficial effects analysis, reference may be made to the corresponding descriptions and technical effects in the foregoing second aspect and various possible implementation manners, and details are not described herein again.
第七方面,提供一种服务器,该服务器包括:一个或多个处理器、存储器、总线和收发器。存储器用于存储计算机执行指令,处理器与存储器通过总线连接,当服务器运行时,处理器执行存储器存储的计算机执行指令,以使服务器执行如第二方面以及第二方面的各种可选方式中的用于获取授权文件的方法。In a seventh aspect, a server is provided, the server comprising: one or more processors, a memory, a bus, and a transceiver. The memory is used to store computer execution instructions, the processor is coupled to the memory via a bus, and when the server is running, the processor executes the memory stored computer execution instructions to cause the server to perform the various alternatives as in the second aspect and the second aspect. The method used to obtain the authorization file.
第八方面,提供一种非易失性存储介质,非易失性存储介质中存储有一个或多个程序代码,当第七方面中的服务器的处理器执行该程序代码时,服务器执行如第二方面以及第二方面的各种可选方式中的用于获取授权文件的方法。According to an eighth aspect, a nonvolatile storage medium is provided. The nonvolatile storage medium stores one or more program codes. When the processor of the server in the seventh aspect executes the program code, the server executes the first A method for obtaining an authorization file in two aspects and various alternatives of the second aspect.
其中,第七方面中的处理器可以为第六方面及其各种可能的实现方式中的获取单元、确定单元、分配单元和保存单元等功能单元的集成,第七方面中的收发器可以为上述第六方面及其各种可能的实现方式中的发送单元和接收单元的集成,用于实现服务器与其他通信设备(如用户终端)之间的信息交互。第七方面中的服务器以及该服务器执行第八方面所述的计算机可读存储介质中存储的程序的具体技术效果及其相关分析过程可以参考本发明实施例第二方面或第二方面的任一种实现方式中的相关技术效果描述,此处不再赘述。The processor in the seventh aspect may be the integration of the acquiring unit, the determining unit, the allocating unit, and the saving unit in the sixth aspect and various possible implementation manners thereof, where the transceiver in the seventh aspect may be The integration of the sending unit and the receiving unit in the sixth aspect and various possible implementation manners thereof is used to implement information interaction between the server and other communication devices (such as user terminals). The server of the seventh aspect, and the specific technical effect of the program stored in the computer-readable storage medium described in the eighth aspect, and the related analysis process, may refer to any of the second aspect or the second aspect of the embodiment of the present invention. Description of related technical effects in the implementation manner, and details are not described herein again.
附图说明DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案,下 面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are set forth in the claims
图1为本发明实施例的方法所应用的通信网络的一种网络架构示意图;1 is a schematic diagram of a network architecture of a communication network to which the method according to an embodiment of the present invention is applied;
图2为本发明实施例的方法所应用的通信网络的另一种网络架构示意图;2 is a schematic diagram of another network architecture of a communication network to which the method according to an embodiment of the present invention is applied;
图3为本发明实施例的方法所应用的通信网络的另一种网络架构示意图;3 is a schematic diagram of another network architecture of a communication network to which the method according to an embodiment of the present invention is applied;
图4为本发明实施例提供的一种获取授权文件的方法的流程图;FIG. 4 is a flowchart of a method for obtaining an authorization file according to an embodiment of the present invention;
图5为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 5 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图6为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 6 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图7为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 7 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图8为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 8 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图9为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 9 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图10为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 10 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图11为本发明实施例提供的另一种获取授权文件的方法的流程图;FIG. 11 is a flowchart of another method for obtaining an authorization file according to an embodiment of the present invention;
图12为本发明实施例提供的一种服务器的结构示意图;FIG. 12 is a schematic structural diagram of a server according to an embodiment of the present disclosure;
图13为本发明实施例提供的另一种服务器的结构示意图;FIG. 13 is a schematic structural diagram of another server according to an embodiment of the present disclosure;
图14为本发明实施例提供的另一种服务器的结构示意图;FIG. 14 is a schematic structural diagram of another server according to an embodiment of the present disclosure;
图15为本发明实施例提供的一种用户终端的结构示意图;FIG. 15 is a schematic structural diagram of a user terminal according to an embodiment of the present disclosure;
图16为本发明实施例提供的另一种用户终端的结构示意图; FIG. 16 is a schematic structural diagram of another user terminal according to an embodiment of the present disclosure;
图17为本发明实施例提供的另一种用户终端的结构示意图。FIG. 17 is a schematic structural diagram of another user terminal according to an embodiment of the present invention.
具体实施方式detailed description
本发明的说明书以及附图中的术语“第一”和“第二”等是用于区别不同的对象,或者用于区别对同一对象的不同处理,而不是用于描述对象的特定顺序。例如,第一运营商、第二运营商和第三运营商可以为不同的运营商。The terms "first" and "second" and the like in the description of the present invention and the drawings are used to distinguish different objects, or to distinguish different processing of the same object, rather than to describe a specific order of the objects. For example, the first carrier, the second carrier, and the third carrier may be different operators.
在本发明的描述中,除非另有说明,“多个”的含义是指两个或两个以上。例如,多个处理器是指包含两个或两个以上物理核的处理器。In the description of the present invention, the meaning of "a plurality" means two or more unless otherwise indicated. For example, a plurality of processors refers to a processor that includes two or more physical cores.
此外,本发明的描述中所提到的术语“包括”和“具有”以及它们的任何变形,意图在于覆盖不排他的包含。例如包含了一系列步骤或单元的过程、方法、系统、产品或设备没有限定于已列出的步骤或单元,而是可选地还包括其他没有列出的步骤或单元,或可选地还包括对于这些过程、方法、产品或设备固有的其它步骤或单元。Furthermore, the terms "comprises" and "comprising" and variations of the invention, as used in the description of the invention, are intended to cover a non-exclusive inclusion. For example, a process, method, system, product, or device that comprises a series of steps or units is not limited to the listed steps or units, but optionally includes other steps or units not listed, or alternatively Other steps or units inherent to these processes, methods, products or devices are included.
本发明实施例提供的一种获取授权文件的方法可以应用于用户终端在该用户终端安装的eUICC中保存授权文件或者更新eUICC中保存的授权文件的过程中。A method for obtaining an authorization file according to an embodiment of the present invention may be applied to a process in which a user terminal saves an authorization file in an eUICC installed in the user terminal or updates an authorization file saved in the eUICC.
请参考图1,其示出了本发明实施例提供的获取授权文件的方法所应用的通信网络的网络架构示意图。如图1所示,在该通信网络可以包括:授权文件服务器11、服务器12、SM-DP 13和至少一个包含eUICC的用户终端14。其中,上述服务器12可以为SM-DS或者推送服务器。Please refer to FIG. 1 , which is a schematic diagram of a network architecture of a communication network to which a method for obtaining an authorization file according to an embodiment of the present invention is applied. As shown in FIG. 1, the communication network may include an authorization file server 11, a server 12, an SM-DP 13, and at least one user terminal 14 including an eUICC. The server 12 may be an SM-DS or a push server.
其中,上述授权文件服务器11,用于生成授权文件,并向服务器12发送生成的授权文件。服务器12,用于在接收到授权文件服务器11发送的授权文件,并根据授权文件对应的EID,将授权文件发送给EID对应的eUICC所在的用户终端14。用户终端14,用于接收服务器12发送的授权文件,并该用户终端14上的eUICC中保存授权文件或者用授权文件更新该用户终端14上的eUICC中已保存 的授权文件。在本实施例中的授权文件服务器可以为由终端设备厂商部署的逻辑功能实体,该授权文件服务器可以集成在服务器上实现,也可以独立于上述服务器,集成在其它功能服务器上实现。用户终端中可以包含eUICC硬件模块。上述SM-DP 13,用于生成和存储profile,并向用户终端14发送profile。用户终端14可以在接收到SM-DP 13发送的profile后,在eUICC上安装该profile。授权文件在eUICC上保存后,用户终端也可以在该用户终端中备份eUICC上保存的授权文件。本发明实施例中的授权文件可以是规则授权表(英文:Rules Authorization Table,简称:RAT)。The authorization file server 11 is configured to generate an authorization file and send the generated authorization file to the server 12. The server 12 is configured to receive the authorization file sent by the authorization file server 11 and send the authorization file to the user terminal 14 where the eUICC corresponding to the EID is located according to the EID corresponding to the authorization file. The user terminal 14 is configured to receive the authorization file sent by the server 12, and save the authorization file in the eUICC on the user terminal 14 or update the saved in the eUICC on the user terminal 14 with the authorization file. Authorization file. The authorization file server in this embodiment may be a logical function entity deployed by the terminal device manufacturer, and the authorization file server may be integrated on the server, or may be integrated on other function servers independently of the above server. The eUICC hardware module can be included in the user terminal. The SM-DP 13 described above is used to generate and store a profile and send a profile to the user terminal 14. The user terminal 14 can install the profile on the eUICC after receiving the profile sent by the SM-DP 13. After the authorization file is saved on the eUICC, the user terminal can also back up the authorization file saved on the eUICC in the user terminal. The authorization file in the embodiment of the present invention may be a rule authorization table (English: Rules Authorization Table, RAT for short).
如图1所示,用户终端14中可以安装有LPA。其中,LPA为可以安装在用户终端中的一个应用程序,用户终端14可以通过用户终端14中的LPA实现profile的下载和本地管理等操作,该LPA还可以提供用户终端14与用户交互的用户界面,用户终端14可以通过该用户界面检测用户触发的针对profile的激活、去激活、删除等操作指令,实现对用户终端14中下载的profile的管理。As shown in FIG. 1, an LPA can be installed in the user terminal 14. The LPA is an application that can be installed in the user terminal. The user terminal 14 can perform operations such as downloading and local management of the profile through the LPA in the user terminal 14. The LPA can also provide a user interface for the user terminal 14 to interact with the user. The user terminal 14 can detect an operation instruction triggered by the user for activation, deactivation, deletion, and the like of the profile through the user interface, and implement management of the profile downloaded in the user terminal 14.
其中,如图1所示,用户终端14中的LPA可以包括:本地文件下载(英文:Local Profile Download,简称:LPD)模块、本地用户接口(英文:Local User Interface,简称:LUI)模块和本地发现服务(英文:Local Discovery Service,简称:LDS)模块。其中,LPD模块用于实现profile的下载、LUI模块用于提供用户界面,LDS模块用于实现与服务器12(如SM-DS或者推送服务器)的交互。As shown in FIG. 1 , the LPA in the user terminal 14 may include: a local file download (English: Local Profile Download, LPD) module, a local user interface (English: Local User Interface, LUI) module, and a local device. Discovery Service (English: Local Discovery Service, LDS) module. The LPD module is used to implement downloading of the profile, the LUI module is used to provide a user interface, and the LDS module is used to implement interaction with the server 12 (such as an SM-DS or a push server).
在本发明实施例的第一种应用场景中,如图2所示,图1中的服务器12为SM-DS。其中,SM-DS可以分为root SM-DS和可选(英文:alternative)SM-DS,本发明实施例中的SM-DS可以为root SM-DS,该root SM-DS为可以通过用户终端14中的LPA(具体为LPA中的LDS模块)与用户终端直接通信的SM-DS。In the first application scenario of the embodiment of the present invention, as shown in FIG. 2, the server 12 in FIG. 1 is an SM-DS. The SM-DS can be divided into a root SM-DS and an optional SM-DS. The SM-DS in the embodiment of the present invention can be a root SM-DS, and the root SM-DS can pass through the user terminal. The LPA in 14 (specifically the LDS module in the LPA) is an SM-DS that communicates directly with the user terminal.
其中,用户终端14中可以预置上述root SM-DS的地址,根据root SM-DS的地址LPA中的LDS模块与该root SM-DS进行通信, 从root SM-DS获得SM-DP地址,并在获得SM-DP地址后,可以从SM-DP下载profile。在本发明实施例中,用户终端通过LDS模块与SM-DS进行通信的过程中,除获得SM-DP地址外,还可以获得授权文件,从而将获得的授权文件保存在eUICC或者用户终端上。The user terminal 14 can preset the address of the root SM-DS, and communicate with the root SM-DS according to the LDS module in the address LPA of the root SM-DS. The SM-DP address is obtained from the root SM-DS, and after obtaining the SM-DP address, the profile can be downloaded from the SM-DP. In the embodiment of the present invention, in the process of the user terminal communicating with the SM-DS through the LDS module, in addition to obtaining the SM-DP address, an authorization file may be obtained, so that the obtained authorization file is saved on the eUICC or the user terminal.
在本发明实施例的第二种应用场景中,如图3所示,图1中的服务器12为推送服务器。如图3所示,图1中的用户终端14中可以安装有推送客户端,用户终端14可以通过该推送客户端注册LPA到推送服务器,推送服务器可以在存在待发送至用户终端的eUICC上的授权文件时,可以通过推动客户端向用户终端推送授权文件,用户终端通过注册到推送服务器的LPA接收推送服务器推送的授权文件。其中,用户终端14通过推送客户端注册到推送服务器,并接收推送服务器推送的授权文件的具体方法可以参考本发明实施例后续相关描述。In the second application scenario of the embodiment of the present invention, as shown in FIG. 3, the server 12 in FIG. 1 is a push server. As shown in FIG. 3, a push client may be installed in the user terminal 14 in FIG. 1. The user terminal 14 may register the LPA to the push server through the push client, and the push server may exist on the eUICC to be sent to the user terminal. When the file is authorized, the authorization file can be pushed to the user terminal by pushing the client, and the user terminal receives the authorization file pushed by the push server through the LPA registered to the push server. For a specific method for the user terminal 14 to register to the push server by the push client and receive the authorization file pushed by the push server, reference may be made to the subsequent related description of the embodiment of the present invention.
本发明实施例提供的获取授权文件的方法,服务器可以在获得授权文件后,便向用户终端发送该授权文件,使得用户终端可以实时更新该用户终端上的eUICC中保存的授权文件。如此,便可以解决由于现有技术中预置在eUICC中的固定、不可更改的授权文件,而导致eUICC中的授权文件不能适应于运营商设置policy rule的权限的变化的问题。本发明实施例提供的获取授权文件的方法,可以实时更新该用户终端上的eUICC中保存的授权文件。The method for obtaining an authorization file provided by the embodiment of the present invention, after obtaining the authorization file, the server may send the authorization file to the user terminal, so that the user terminal can update the authorization file saved in the eUICC on the user terminal in real time. In this way, the problem that the authorization file in the eUICC cannot adapt to the change of the authority of the operator to set the policy rule cannot be solved due to the fixed and unchangeable authorization file preset in the eUICC in the prior art. The method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
下面结合附图,通过具体的实施例及其应用场景对本发明实施例提供的一种获取授权文件的方法及设备进行详细地说明。The method and device for obtaining an authorization file according to an embodiment of the present invention are described in detail below with reference to the accompanying drawings.
本发明实施例提供一种获取授权文件的方法,该方法可以应用于如图1-图3中任一附图所示的通信网络中,如图4所示,该获取授权文件的方法包括:An embodiment of the present invention provides a method for obtaining an authorization file. The method may be applied to a communication network as shown in any of FIG. 1 to FIG. 3. As shown in FIG. 4, the method for obtaining an authorization file includes:
S401、授权文件服务器生成授权文件,该授权文件与用户终端上的eUICC的EID对应,授权文件中包含eUICC的EID、至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息。 S401. The authorization file server generates an authorization file, where the authorization file corresponds to an EID of the eUICC on the user terminal, where the authorization file includes an EID of the eUICC, at least one policy rule, and an allow setting corresponding to each policy rule in the at least one policy rule. The information of the operator of the policy rule.
示例性的,授权文件服务器可以在接收到运营商的功能实体(如运营商服务器)发送的授权文件请求消息后,根据授权文件请求消息中携带的EID、运营商的信息,以及至少一个策略规则等信息生成上述授权文件。其中,至少一个策略规则表示运营商对EID对应的profile设置的策略规则。具体的,授权文件中策略规则可以为策略规则的标识,若授权文件服务器允许运营商设置策略规则,则在授权文件中策略规则对应的、允许设置该策略规则的运营商的信息中写入该运营商的信息。需要说明的是,本发明实施例中的授权文件中可以包含eUICC的EID,也可以不包含eUICC的EID。授权文件服务器生成授权文件的方法可以参考现有技术中生成授权文件的相关方法,本发明实施例这里不再赘述。Exemplarily, the authorization file server may receive the EID, the carrier information, and the at least one policy rule carried in the message according to the authorization file request message after receiving the authorization file request message sent by the operator's functional entity (such as the operator server). Such information generates the above authorization file. The at least one policy rule indicates a policy rule set by the operator for the profile corresponding to the EID. Specifically, the policy rule in the authorization file may be an identifier of the policy rule. If the authorization file server allows the operator to set the policy rule, the information in the authorization file corresponding to the policy rule that allows the operator to set the policy rule is written in the authorization file. Carrier information. It should be noted that the authorization file in the embodiment of the present invention may include the EID of the eUICC or the EID of the eUICC. For the method for authorizing the file server to generate the authorization file, reference may be made to the related method for generating the authorization file in the prior art, which is not described herein again.
其中,本发明实施例中的至少一个策略规则至少包括:签约信息集不允许删除(即profile不允许删除)、签约信息集不允许去激活(即profile不允许去激活)以及签约信息集去激活后应删除(即profile去激活后应删除)中的至少一项。The at least one policy rule in the embodiment of the present invention includes at least: the subscription information set is not allowed to be deleted (that is, the profile is not allowed to be deleted), the subscription information set is not allowed to be deactivated (that is, the profile is not allowed to be deactivated), and the subscription information set is deactivated. At least one of the following should be deleted (ie, the profile should be deleted after deactivation).
本发明实施例中“允许设置该策略规则的运营商的信息”具体可以为运营商的移动网络号码(英文:Mobile Network Code,简称:MNC)。其中,对于至少一个策略规则中的每一个策略规则而言,授权文件中包含可以设置该策略规则的至少一个运营商的信息(如至少一个运营商的MNC)。其中,运营商的MNC由二到三个十进制数组成,可以唯一标识各个运营商。例如,中国移动的MNC可以为00、02、04和07,中国联通的MNC可以为01、06,中国电信的MNC可以为03、05。In the embodiment of the present invention, the information of the operator that allows the setting of the policy rule may be the mobile network code (English: Mobile Network Code, MNC for short). For each of the at least one policy rule, the authorization file includes information of at least one operator that can set the policy rule (eg, at least one operator's MNC). The MNC of the operator consists of two to three decimal numbers, which can uniquely identify each carrier. For example, China Mobile's MNCs can be 00, 02, 04, and 07, China Unicom's MNCs can be 01, 06, and China Telecom's MNCs can be 03, 05.
举例来说,假设中国移动的MNC为00,中国联通的MNC为01,中国电信的MNC为03;本发明实施例中的授权文件中包含的EID为EID-x;至少一个策略规则可以为“该profile不允许去激活”和“该profile不允许删除”;具有设置“该profile不允许去激活”的权限的运营商的信息为00和03,具有设置“该profile不允许删除”的权限的运营商的信息为00和01。如此,则表示运营 商-中国移动具有设置策略规则“该profile不允许去激活”和“该profile不允许删除”的权限;运营商-中国联通具有设置策略规则“该profile不允许删除”的权限,但不具有设置策略规则“该profile不允许去激活”的权限;运营商-中国电信具有设置策略规则“该profile不允许去激活”的权限,但不具有设置策略规则“该profile不允许删除”的权限。For example, suppose that China Mobile's MNC is 00, China Unicom's MNC is 01, and China Telecom's MNC is 03; the EID contained in the authorization file in the embodiment of the present invention is EID-x; at least one policy rule may be “ The profile does not allow deactivation" and "this profile does not allow deletion"; the information of the operator with the permission to set "this profile is not allowed to deactivate" is 00 and 03, with the permission to set "this profile does not allow deletion" The operator's information is 00 and 01. In this case, it means operation 商-China Mobile has the right to set the policy rule "This profile is not allowed to deactivate" and "The profile is not allowed to delete"; Carrier-China Unicom has the permission to set the policy rule "This profile does not allow deletion", but does not have settings The policy rule "This profile does not allow deactivation" permission; Carrier-China Telecom has the permission to set the policy rule "This profile does not allow deactivation", but does not have the permission to set the policy rule "This profile does not allow deletion".
需要说明的是,本发明实施例中通过上述“允许设置策略规则的运营商的信息”限制运营商设置策略规则的权限的方式包括但不限于上述实例中的方法。例如,当授权文件中包含与该策略规则的对应的运营商的信息为特殊符号,(如*)时,表示允许任何运营商设置该策略规则;当授权文件中不包含某个策略规则的策略信息时,表示不允许任何运营商设置该策略规则;当配置文件中不包含与该策略规则对应的运营商的信息时,表示允许任何运营商设置该策略规则。It should be noted that, in the embodiment of the present invention, the manner of restricting the authority of the operator to set the policy rule by using the “information of the operator that allows the policy rule to be set” includes, but is not limited to, the method in the foregoing example. For example, when the information of the operator corresponding to the policy rule in the authorization file is a special symbol, such as *, it means that any operator is allowed to set the policy rule; when the authorization file does not contain a policy of a certain policy rule When the information is displayed, it means that no operator is allowed to set the policy rule. When the configuration file does not contain the information of the operator corresponding to the policy rule, it means that any operator is allowed to set the policy rule.
可选的,本发明实施例中的授权文件中还可以包括集成电路卡标识(英文:Integrated Circuit Card Identification,简称:ICCID),该ICCID用于唯一标识一个签约信息集(即profile)。Optionally, the authorization file in the embodiment of the present invention may further include an integrated circuit card identifier (English: Integrated Circuit Card Identification, ICCID), where the ICCID is used to uniquely identify a subscription information set (ie, a profile).
S402、授权文件服务器向服务器发送授权文件。S402. The authorization file server sends an authorization file to the server.
其中,本发明实施例中的服务器可以为SM-DS或者推送服务器。The server in the embodiment of the present invention may be an SM-DS or a push server.
可以想到的是,本发明实施例中,授权文件服务器可以向服务器发送对应于eUICC的授权文件,即授权文件服务器可以向服务器发送至少一个授权文件,该至少一个授权文件中的每个授权文件对应于一个eUICC。其中,服务器确定一个授权文件对应于一个eUICC,具体可以为授权文件对应于该授权文件中包含的EID所指示的eUICC,授权文件服务器也可以向服务器发送授权文件以及与授权文件对应的eUICC的EID,因此授权文件可以通过与该授权文件一同发送的EID所指示的eUICC确定与其对应的eUICC。It is conceivable that, in the embodiment of the present invention, the authorization file server may send an authorization file corresponding to the eUICC to the server, that is, the authorization file server may send at least one authorization file to the server, and each authorization file in the at least one authorization file corresponds to On an eUICC. The server determines that an authorization file corresponds to an eUICC, and specifically that the authorization file corresponds to the eUICC indicated by the EID included in the authorization file, and the authorization file server may also send the authorization file to the server and the EID of the eUICC corresponding to the authorization file. Therefore, the authorization file can determine the eUICC corresponding thereto by the eUICC indicated by the EID transmitted together with the authorization file.
S403、服务器接收授权文件服务器发送的授权文件。 S403. The server receives an authorization file sent by an authorization file server.
其中,上述授权文件与用户终端上的eUICC的EID对应,授权文件中包含eUICC的EID、至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息。其中,至少一个策略规则中的每个策略规则具体可以为该策略规则的标识,“允许设置该策略规则的运营商的信息”中的运营商的信息具体可以为运营商的标识信息,如运营商的移动网络号码。The authorization file corresponds to the EID of the eUICC on the user terminal, and the authorization file includes an EID of the eUICC, at least one policy rule, and an operator corresponding to each policy rule in the at least one policy rule that allows the policy rule to be set. information. Each of the at least one policy rule may be an identifier of the policy rule, and the information of the operator in the information of the operator that is allowed to set the policy rule may be the identifier information of the operator, such as the operation. Business mobile network number.
S404、用户终端向服务器发送该用户终端上的eUICC的EID。S404. The user terminal sends the EID of the eUICC on the user terminal to the server.
S405、服务器接收用户终端发送的EID。S405. The server receives the EID sent by the user terminal.
需要说明的是,本发明实施例中可以先执行S401-S403,再执行S404-S405;也可以先执行S404-S405,再执行S401-S403;还可以同时执行S401-S403和S404-S405。本发明实施例对于S401-S403和S404-S405执行的先后顺序不做限制。It should be noted that, in the embodiment of the present invention, S401-S403 may be performed first, and then S404-S405 may be executed; S404-S405 may be executed first, then S401-S403 may be executed; and S401-S403 and S404-S405 may be simultaneously executed. The embodiment of the present invention does not limit the order of execution of S401-S403 and S404-S405.
S406、服务器根据用户终端发送的EID,确定与用户终端上的eUICC的EID对应的授权文件,并向用户终端发送上述确定的授权文件,该授权文件中包含该eUICC的EID、至少一个策略规则和至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息。S406. The server determines, according to the EID sent by the user terminal, an authorization file corresponding to the EID of the eUICC on the user terminal, and sends the determined authorization file to the user terminal, where the authorization file includes the EID of the eUICC, at least one policy rule, and Information of an operator corresponding to each policy rule in at least one policy rule that allows the policy rule to be set.
其中,由于服务器可以接收到授权文件服务器发送的至少一个授权文件,因此服务器在接收到用户终端发送的EID后,可以对比用户终端发送的EID与该至少一个授权文件中对应的EID,若用户终端发送的EID与一个授权文件中包含的EID相同,服务器则可以确定该授权文件与该用户终端上的eUICC对应。The server may receive the at least one authorization file sent by the authorization file server, so after receiving the EID sent by the user terminal, the server may compare the EID sent by the user terminal with the corresponding EID in the at least one authorization file, if the user terminal The EID sent is the same as the EID contained in an authorization file, and the server can determine that the authorization file corresponds to the eUICC on the user terminal.
S407、用户终端接收服务器发送的授权文件。S407. The user terminal receives an authorization file sent by the server.
其中,用户终端在接收到服务器发送的授权文件后,可以保存该授权文件或者采用接收到的授权文件更新用户终端中保存的授权文件,具体的,本发明实施例的方法还可以包括S408a或者S408b。After receiving the authorization file sent by the server, the user terminal may save the authorization file or use the received authorization file to update the authorization file saved in the user terminal. Specifically, the method in the embodiment of the present invention may further include S408a or S408b. .
S408a、用户终端在eUICC中保存授权文件。S408a. The user terminal saves the authorization file in the eUICC.
S408b、用户终端采用接收到的授权文件更新用户终端上的 eUICC中保存的授权文件。S408b. The user terminal updates the user terminal by using the received authorization file. Authorization file saved in eUICC.
本发明实施例提供的获取授权文件的方法,服务器可以在获得授权文件后,便向用户终端发送该授权文件,使得用户终端可以实时更新该用户终端上的eUICC中保存的授权文件,运营商可以根据实时更新后的配置文件,设置policy rule的权限。如此,便可以解决由于现有技术中预置在eUICC中的固定、不可更改的授权文件,而导致eUICC中的授权文件不能适应于运营商设置policy rule的权限的变化的问题。The method for obtaining an authorization file provided by the embodiment of the present invention, the server may send the authorization file to the user terminal after obtaining the authorization file, so that the user terminal can update the authorization file saved in the eUICC on the user terminal in real time, and the operator can Set the permissions of the policy rule based on the real-time updated configuration file. In this way, the problem that the authorization file in the eUICC cannot adapt to the change of the authority of the operator to set the policy rule cannot be solved due to the fixed and unchangeable authorization file preset in the eUICC in the prior art.
本发明实施例提供的获取授权文件的方法,可以实时更新该用户终端上的eUICC中保存的授权文件。The method for obtaining an authorization file provided by the embodiment of the present invention can update the authorization file saved in the eUICC on the user terminal in real time.
可选的,在本发明实施例的第一种应用场景中,如图5所示,图4中的服务器可以为SM-DS。本发明实施例的第一种应用场景具体可以为如图2所示的网络架构所对应的场景。Optionally, in the first application scenario of the embodiment of the present invention, as shown in FIG. 5, the server in FIG. 4 may be an SM-DS. The first application scenario of the embodiment of the present invention may be a scenario corresponding to the network architecture shown in FIG. 2 .
在第一种应用场景中,用户终端可以通过向SM-DS发送轮询消息的方式,向SM-DS发送该用户终端上的eUICC的EID。具体的,如图5所示,图4中的S404可以替换为S404a,S405可以替换为S405a,S406可以替换为S406a,S407可以替换为S407a:In the first application scenario, the user terminal may send the EID of the eUICC on the user terminal to the SM-DS by sending a polling message to the SM-DS. Specifically, as shown in FIG. 5, S404 in FIG. 4 may be replaced by S404a, S405 may be replaced by S405a, S406 may be replaced by S406a, and S407 may be replaced by S407a:
S404a、用户终端向SM-DS发送轮询消息,该轮询消息中携带有该用户终端上的eUICC的EID。S404a: The user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal.
S405a、SM-DS接收用户终端发送的轮询消息。S405a and SM-DS receive the polling message sent by the user terminal.
S406a、SM-DS向用户终端发送轮询消息的响应消息,该轮询消息的响应消息中携带有与轮询消息中携带的EID对应的授权文件。The S406a and the SM-DS send a response message to the user terminal, and the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
S407a、用户终端接收SM-DS发送的轮询消息的响应消息,该轮询消息的响应消息中携带有授权文件。S407a: The user terminal receives a response message of the polling message sent by the SM-DS, where the response message of the polling message carries an authorization file.
可选的,在第一种应用场景的一种实现方式中,用户终端可以在从SM-DP获取到第一运营商的第一签约信息集的元数据,并确定该第一签约信息集的元数据中包含第一策略规则时,无论用户终端中保存的授权文件中是否包含第一策略规则,用户终端均可以通过向 SM-DS发送轮询消息的方式以从SM-DS获得授权文件。Optionally, in an implementation manner of the first application scenario, the user terminal may obtain metadata of the first subscription information set of the first carrier from the SM-DP, and determine the first subscription information set. When the first policy rule is included in the metadata, whether the first policy rule is included in the authorization file saved in the user terminal, the user terminal can pass the The manner in which the SM-DS sends a polling message to obtain an authorization file from the SM-DS.
具体的,如图6所示,在用户终端获得SM-DP地址并向SM-DP请求下载profile之后,本发明实施例的方法还可以包括S409和S404a′以及后续流程:Specifically, as shown in FIG. 6, after the user terminal obtains the SM-DP address and requests the SM-DP to download the profile, the method in the embodiment of the present invention may further include S409 and S404a' and subsequent processes:
S409、用户终端接收第一运营商的SM-DP发送的第一策略规则。S409. The user terminal receives the first policy rule sent by the SM-DP of the first operator.
其中,上述第一策略规则为第一运营商设置的与第一签约信息集关联的策略规则,且第一运营商为第一签约信息集所属的运营商。The first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set, and the first operator is the operator to which the first subscription information set belongs.
可以想到的是,用户设备可以与第一运营商的SM-DP建立连接并相互认证,并请求获取第一签约信息集,SM-DP可以在接收到用户设备用于请求获取第一签约信息集的消息后,先向用户终端发送第一运营商的第一签约信息集的元数据,该元数据中包含第一策略规则,从而用户终端可以接收SM-DP发送的第一运营商的第一签约信息集的元数据中的第一策略规则。It is conceivable that the user equipment can establish a connection with the first operator's SM-DP and authenticate each other, and request to obtain the first subscription information set, and the SM-DP can receive the user equipment for requesting to acquire the first subscription information set. After the message, the metadata of the first subscription information set of the first carrier is sent to the user terminal, where the metadata includes the first policy rule, so that the user terminal can receive the first carrier of the first carrier sent by the SM-DP. The first policy rule in the metadata of the contracted information set.
S404a′、用户终端在接收到第一策略规则后,向SM-DS发送轮询消息,该轮询消息中携带有用户终端上的eUICC的EID,轮询消息用于请求SM-DS向用户终端发送与用户终端上的eUICC的EID对应的授权文件。S404a', after receiving the first policy rule, the user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal, and the polling message is used to request the SM-DS to the user terminal. Send an authorization file corresponding to the EID of the eUICC on the user terminal.
其中,用户终端在接收到SM-DP发送的元数据中包含第一策略规则时,向SM-DS发送轮询消息,该轮询消息中携带有该用户终端上的eUICC的EID。When receiving the first policy rule in the metadata sent by the SM-DP, the user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal.
可以想到的是,用户终端在向SM-DS发送轮询消息后,SM-DS和用户终端则可以继续执行S405a、S406a、S407a,以及S408a或者S408b。It is conceivable that after the user terminal sends a polling message to the SM-DS, the SM-DS and the user terminal can continue to execute S405a, S406a, S407a, and S408a or S408b.
优选的,在第一种应用场景的第二种实现方式中,为了避免用户终端重复从SM-DS获取授权文件,用户终端可以仅在确定该用户终端中保存的授权文件中不包含第一运营商的设置策略规则的信息时,才通过向SM-DS发送轮询消息的方式,从SM-DS获得授权文件。具 体的,如图7所示,图6中的S404a′可以替换为S404a〞:Preferably, in the second implementation manner of the first application scenario, in order to prevent the user terminal from repeatedly obtaining the authorization file from the SM-DS, the user terminal may only include the first operation in determining the authorization file saved in the user terminal. When the information of the policy rule is set, the authorization file is obtained from the SM-DS by sending a polling message to the SM-DS. With Body, as shown in FIG. 7, S404a' in FIG. 6 can be replaced with S404a〞:
S404a〞、用户终端在接收到第一策略规则后,若授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息,用户终端则向SM-DS发送轮询消息。After receiving the first policy rule, the user terminal sends a polling message to the SM-DS if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first operator.
具体的,用户终端可以在接收到第一策略规则后,若确定授权文件中包含的第一策略规则对应的、允许设置第一策略规则的运营商的信息中不包含第一运营商的信息,用户终端则向SM-DS发送轮询消息。用户终端接收SM-DP发送的元数据中包含的第一策略规则,上述轮询消息中携带有用户终端上的eUICC的EID。上述“用户终端上保存的授权文件”可以为保存在该用户终端的存储空间(如内存或者磁盘)中的授权文件,或者可以为保存在该用户终端上的eUICC中的授权文件。上述“授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息”可以为授权文件中至少一个策略规则的允许设置策略规则的运营商中不包含第一运营商的信息,其中,授权文件中至少一个策略规则的允许设置策略规则的运营商可以为所有运营商。Specifically, after receiving the first policy rule, the user terminal may determine that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the information of the first operator. The user terminal sends a polling message to the SM-DS. The user terminal receives the first policy rule included in the metadata sent by the SM-DP, where the polling message carries the EID of the eUICC on the user terminal. The above-mentioned "authorization file saved on the user terminal" may be an authorization file stored in a storage space (such as a memory or a disk) of the user terminal, or may be an authorization file stored in the eUICC on the user terminal. The information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first carrier. The carrier that can set the policy rule for the at least one policy rule in the authorization file does not include the information of the first carrier. , wherein the operator of the at least one policy rule in the authorization file that allows the policy rule to be set can be for all operators.
本发明实施例中,用户设备在从SM-DP下载第一签约信息集的元数据,即用户设备接收SM-DP发送的第一运营商的元数据中的第一策略规则后,先判断该用户终端上保存的授权文件中是否包含第一策略规则,并仅在该用户终端上保存的授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息时,才通过向SM-DS发送轮询消息的方式,从SM-DS获得授权文件,可以避免用户终端重复从SM-DS获取授权文件。In the embodiment of the present invention, after the user equipment downloads the metadata of the first subscription information set from the SM-DP, that is, the user equipment receives the first policy rule in the metadata of the first operator sent by the SM-DP, the user equipment first determines the Whether the first policy rule is included in the authorization file saved on the user terminal, and only when the information of the operator that allows the policy rule to be set in the authorization file saved on the user terminal does not include the information of the first carrier, When the SM-DS sends a polling message, the authorization file is obtained from the SM-DS, and the user terminal can be prevented from repeatedly obtaining the authorization file from the SM-DS.
在本发明实施例的第二种应用场景中,如图8所示,图4中的服务器可以为推送服务器。本发明实施例的第二种应用场景具体可以为如图3所示的网络架构所对应的场景。In the second application scenario of the embodiment of the present invention, as shown in FIG. 8, the server in FIG. 4 may be a push server. The second application scenario of the embodiment of the present invention may be a scenario corresponding to the network architecture shown in FIG. 3 .
在第二种应用场景中,用户终端可以在注册到推送服务器后,由推送服务器向用户终端推送授权文件。如图8所示,图4中的S404可以替换为S404b,S405可以替换为S405b,S406可以替换为 S406b:In the second application scenario, after the user terminal registers with the push server, the push server pushes the authorization file to the user terminal. As shown in FIG. 8, S404 in FIG. 4 may be replaced by S404b, S405 may be replaced by S405b, and S406 may be replaced by S406b:
S404b、用户终端向推送服务器发送注册请求,注册请求中携带有用户终端上的eUICC的EID。S404b: The user terminal sends a registration request to the push server, where the registration request carries the EID of the eUICC on the user terminal.
其中,用户终端可以在启动用户终端中的LPA后,可以采用LPA通过如图3所示的用户终端中的推送客户端向推送服务器发送注册请求,以在推送服务器注册终端的LPA应用,上述注册请求携带有该用户终端上的eUICC的EID。After the user terminal starts the LPA in the user terminal, the LPA can use the LPA to send a registration request to the push server through the push client in the user terminal as shown in FIG. 3 to register the LPA application of the terminal in the push server, and the above registration. The request carries the EID of the eUICC on the user terminal.
S405b、推送服务器接收用户终端发送的注册请求。S405b. The push server receives the registration request sent by the user terminal.
其中,上述注册请求中还可以携带有登录推送客户端的LPA的标识。推送服务器在接收到用户终端通过推送客户端发送的注册请求后,可以为LPA标识所指示的LPA分配口令。具体的,如图8所示,在S405b之后,本发明实施例的方法还可以包括S410:The registration request may also carry the identifier of the LPA that logs in to the push client. After receiving the registration request sent by the user terminal through the push client, the push server may assign a password to the LPA indicated by the LPA identifier. Specifically, as shown in FIG. 8, after S405b, the method in the embodiment of the present invention may further include S410:
S410、推送服务器为注册请求中携带的LPA标识所指示的LPA分配口令,并保存推送服务器为LPA标识所指示的LPA分配的口令与注册请求中携带的EID的对应关系。S410: The push server allocates a password for the LPA indicated by the LPA identifier carried in the registration request, and saves the correspondence between the password allocated by the push server for the LPA indicated by the LPA identifier and the EID carried in the registration request.
示例性的,推送服务器可以采用列表的方式保存口令与EID的对应关系,如表1所示,为本发明实施例提供的一种口令与EID的对应关系表实例:Exemplarily, the push server can save the correspondence between the password and the EID in a list manner. As shown in Table 1, an example of the correspondence between the password and the EID provided by the embodiment of the present invention is as follows:
表1Table 1
Figure PCTCN2016108094-appb-000001
Figure PCTCN2016108094-appb-000001
如表1所示,口令1与EID-a存在对应关系,口令2与EID-b存在对应关系,口令n与EID-x存在对应关系。As shown in Table 1, password 1 has a correspondence with EID-a, password 2 has a correspondence with EID-b, and password n has a correspondence with EID-x.
可以想到的是,推送服务器可以在接收到授权文件服务器发送的授权文件后,根据上述对应关系,确定出与授权文件对应的EID 对应的口令。It is conceivable that after receiving the authorization file sent by the authorization file server, the push server may determine the EID corresponding to the authorization file according to the corresponding relationship. The corresponding password.
具体的,如图8所示,在如图5所示的S403(即推送服务器接收授权文件服务器发送的授权文件)之后,本发明实施例的方法还可以包括S411:Specifically, as shown in FIG. 8, after the S403 is shown in FIG. 5 (that is, the push server receives the authorization file sent by the authorization file server), the method in the embodiment of the present invention may further include S411:
S411、推送服务器根据推送服务器中保存的EID与推送服务器为用户终端中的LPA生成的口令的对应关系,确定与授权文件对应的EID对应的口令。S411. The push server determines a password corresponding to the EID corresponding to the authorization file according to the correspondence between the EID stored in the push server and the password generated by the push server for the LPA in the user terminal.
示例性的,以上述表1为例,假设与授权文件对应的EID为EID-b,推送服务器则可以根据表1所示的口令与EID的对应关系,确定出与即EID-b对应的口令为口令2。Exemplarily, taking the above Table 1 as an example, assuming that the EID corresponding to the authorization file is EID-b, the push server may determine the password corresponding to the EID-b according to the correspondence between the password and the EID shown in Table 1. For password 2.
相应的,由于用户终端是LPA通过用户终端中的推送客户端注册到推送服务器的,因此,推送服务器在通过推送客户端向用户终端发送授权文件时,携带确定出的口令(如上述口令2),推送客户端根据该口令2确定出该推送消息应推送到LPA应用。具体的,如图8所示,图4中的S406可以替换为S406b,相应的,S407可以替换为S407b:Correspondingly, since the user terminal is the LPA registered to the push server through the push client in the user terminal, the push server carries the determined password (such as the password 2 above) when sending the authorization file to the user terminal through the push client. The push client determines, based on the password 2, that the push message should be pushed to the LPA application. Specifically, as shown in FIG. 8, S406 in FIG. 4 may be replaced by S406b, and correspondingly, S407 may be replaced by S407b:
S406b、推送服务器向用户终端发送授权文件和与授权文件对应的EID对应的口令。S406b: The push server sends the authorization file and the password corresponding to the EID corresponding to the authorization file to the user terminal.
S407b、用户终端接收推送服务器发送的授权文件和与授权文件对应的EID对应的口令。S407b: The user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file.
其中,用户终端可以通过推送客户端接收推送服务器发送的授权文件和与该授权文件对应的EID对应的口令。The user terminal may receive, by the push client, an authorization file sent by the push server and a password corresponding to the EID corresponding to the authorization file.
可选的,如图9所示,如图8所示的S410之后,本发明实施例的方法还可以包括S412-S413:Optionally, as shown in FIG. 9, after the S410 shown in FIG. 8, the method of the embodiment of the present invention may further include S412-S413:
S412、推送服务器向用户终端发送注册请求的响应消息,该注册请求的响应消息中携带有推送服务器为LPA标识所指示的LPA分配的口令。S412. The push server sends a response message of the registration request to the user terminal, where the response message of the registration request carries a password allocated by the push server for the LPA indicated by the LPA identifier.
S413、用户终端接收推送服务器发送的注册请求的响应消息。S413. The user terminal receives a response message of the registration request sent by the push server.
其中,用户终端可以通过推送客户端接收推送服务器发送的注 册请求的响应消息。The user terminal can receive the note sent by the push server by pushing the client. The response message of the request.
可以想到的是,在用户终端接收推送服务器发送的授权文件和与授权文件对应的EID对应的口令之后,用户终端可以采用与授权文件对应的EID对应的口令对比推送服务器为LPA分配的口令。其中,若与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同,用户终端则通过LPA在eUICC中保存授权文件;或者,若与授权文件对应的EID对应的口令与推送服务器为LPA分配的口令相同,用户终端则通过LPA采用授权文件更新eUICC中保存的授权文件。It is conceivable that after the user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file, the user terminal may use the password corresponding to the EID corresponding to the authorization file to compare the password allocated by the push server to the LPA. If the password corresponding to the EID corresponding to the authorization file is the same as the password assigned by the push server to the LPA, the user terminal saves the authorization file in the eUICC through the LPA; or, if the password corresponding to the EID corresponding to the authorization file and the push server are The password assigned by the LPA is the same, and the user terminal updates the authorization file saved in the eUICC through the LPA using the authorization file.
可以想到的是,用户终端在通过推送客户端接收到推送服务器发送的注册请求的响应消息后,可以确定该注册请求的响应消息中携带的口令为推送服务器为上述注册请求中携带的LPA标识所指示的LPA分配的口令(简称为配置口令),即推送服务器为注册到该推送服务器的LPA分配的口令。如此,用户终端在通过推送客户端接收到推送服务器发送的授权文件和与授权文件对应的EID对应的口令(即S407a)后,推送客户端对比该配置口令与推送服务器发送的与授权文件对应的EID对应的口令,若该配置口令与推送服务器发送的与该授权文件对应的EID对应的口令相同,则可以通过推送客户端将该授权文件推送至对应LPA。It is conceivable that after receiving the response message of the registration request sent by the push server by the push client, the user terminal may determine that the password carried in the response message of the registration request is the push server is the LPA identifier carried in the registration request. The indicated LPA assigned password (referred to as the configuration password), that is, the password that the push server assigns to the LPA registered to the push server. In this way, after the user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file (ie, S407a), the push client compares the configuration password with the authorization file sent by the push server. The password corresponding to the EID may be pushed to the corresponding LPA by the push client if the configuration password is the same as the password corresponding to the EID corresponding to the authorization file sent by the push server.
进一步的,在第二种应用场景的一种实现方式中,用户终端可以在从SM-DP获取到第一策略规则,无论用户终端中保存的授权文件中是否包含第一运营商的策略规则,用户终端可以等待预定时间以从推送服务器获得授权文件。具体的,如图10所示,在用户终端获得SM-DP地址并向SM-DP请求下载profile之后,本发明实施例的方法还可以包括S414和S407b′以及后续流程:Further, in an implementation manner of the second application scenario, the user terminal may obtain the first policy rule from the SM-DP, whether the authorization file saved in the user terminal includes the policy rule of the first operator, The user terminal can wait for a predetermined time to obtain an authorization file from the push server. Specifically, as shown in FIG. 10, after the user terminal obtains the SM-DP address and requests the SM-DP to download the profile, the method in the embodiment of the present invention may further include S414 and S407b' and subsequent processes:
S414、用户终端接收SM-DP发送的第一策略规则。S414. The user terminal receives the first policy rule sent by the SM-DP.
其中,上述SM-DP可以为第一运营商的SM-DP,上述第一策略规则为第一运营商设置的与第一签约信息集关联的策略规则,该第一运营商为上述第一签约信息集所属的运营商。 The SM-DP may be the SM-DP of the first carrier, and the first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set, where the first carrier is the first subscription. The operator to which the information set belongs.
可以想到的是,用户设备可以与第一运营商的SM-DP建立连接并相互认证,并请求获取第一签约信息集,SM-DP可以在接收到用户设备用于请求获取第一签约信息集的消息后,先向用户终端发送第一运营商的第一签约信息集的元数据,该元数据中包含第一策略规则,从而用户终端可以接收SM-DP发送的第一运营商的第一签约信息集的元数据中的第一策略规则。It is conceivable that the user equipment can establish a connection with the first operator's SM-DP and authenticate each other, and request to obtain the first subscription information set, and the SM-DP can receive the user equipment for requesting to acquire the first subscription information set. After the message, the metadata of the first subscription information set of the first carrier is sent to the user terminal, where the metadata includes the first policy rule, so that the user terminal can receive the first carrier of the first carrier sent by the SM-DP. The first policy rule in the metadata of the contracted information set.
S407b′、用户终端在接收到第一策略规则后,启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件。S407b', after receiving the first policy rule, the user terminal starts a timer, and waits to receive the authorization file sent by the push server within the time limit of the timer.
其中,第一签约信息集的元数据中包含第一策略规则,第一运营商为第一签约信息集所属的运营商。The metadata of the first subscription information set includes a first policy rule, and the first operator is an operator to which the first subscription information set belongs.
可以想到的是,若用户终端在定时器的定时时间内可以接收到推送服务器发送的授权文件,则可以在接收到推送服务器发送的授权文件后,继续执行S408a或者S408b;若用户终端在定时器的定时时间内没有接收到推送服务器发送的授权文件,则表示推送服务器可能并未接收到授权文件服务器发送的授权文件。It is conceivable that if the user terminal can receive the authorization file sent by the push server within the time limit of the timer, the user terminal may continue to execute S408a or S408b after receiving the authorization file sent by the push server; if the user terminal is in the timer If the authorization file sent by the push server is not received within the time limit, it indicates that the push server may not receive the authorization file sent by the authorized file server.
优选的,在第二种应用场景的第二种实现方式中,为了避免用户终端重复从SM-DS获取授权文件,用户终端可以仅在确定该用户终端上保存的授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息时,才启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件。具体的,如图11所示,图10中的S407b′可以替换为S407b〞:Preferably, in the second implementation manner of the second application scenario, in order to prevent the user terminal from repeatedly obtaining the authorization file from the SM-DS, the user terminal may only allow the setting of the policy rule in the authorization file saved on the user terminal. When the information of the first carrier is not included in the information of the operator, the timer is started, and the authorization file sent by the push server is waiting to be received within the time limit of the timer. Specifically, as shown in FIG. 11, S407b' in FIG. 10 can be replaced with S407b〞:
S407b〞、用户终端在接收到第一策略规则后,若授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息,则启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件。After receiving the first policy rule, if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first carrier, the timer is started, and the timer is started. Waiting to receive the authorization file sent by the push server.
具体的,用户终端可以在接收到第一策略规则后,若确定授权文件中包含的第一策略规则对应的、允许设置第一策略规则的运营商的信息中不包含第一运营商的信息,用户终端则启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件。 Specifically, after receiving the first policy rule, the user terminal may determine that the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file does not include the information of the first operator. The user terminal starts a timer and waits to receive the authorization file sent by the push server within the timer time.
第一签约信息集的元数据中包含第一策略规则。本发明实施例中的“用户终端上保存的授权文件”可以为保存在该用户终端的存储空间(如内存或者磁盘)中的授权文件,或者可以为保存在该用户终端上的eUICC中的授权文件。上述“允许设置策略规则的运营商的信息中不包含第一运营商的信息”可以为授权文件中至少一个策略规则的允许设置策略规则的运营商中不包含第一运营商的信息,其中,授权文件中至少一个策略规则的允许设置策略规则的运营商可以为所有运营商。The first policy rule is included in the metadata of the first subscription information set. The "authorization file saved on the user terminal" in the embodiment of the present invention may be an authorization file stored in a storage space (such as a memory or a disk) of the user terminal, or may be an authorization stored in the eUICC on the user terminal. file. The information of the operator that allows the setting of the policy rule does not include the information of the first carrier. The operator that can set the policy rule for the at least one policy rule in the authorization file does not include the information of the first carrier. The operator of at least one policy rule in the authorization file that allows the policy rule to be set can be for all operators.
本发明实施例中,用户设备在从SM-DP下载第一签约信息集的元数据,即用户设备接收SM-DP发送的第一策略规则后,先判断该用户终端上保存的授权文件中是否包含第一策略规则,并仅在该用户终端上保存的授权文件中允许设置策略规则的运营商的信息中不包含第一运营商的信息时,才启动定时器,并在定时器的定时时间内等待接收推送服务器发送的授权文件,可以避免用户终端重复从推送服务器获取授权文件。In the embodiment of the present invention, after the user equipment downloads the metadata of the first subscription information set from the SM-DP, that is, after the user equipment receives the first policy rule sent by the SM-DP, it determines whether the authorization file saved on the user terminal is The first policy rule is included, and the timer is started only when the information of the operator that allows the policy rule to be set in the authorization file saved on the user terminal does not include the information of the first carrier, and is in the timer time. Waiting to receive the authorization file sent by the push server, the user terminal can be prevented from repeatedly obtaining the authorization file from the push server.
可选的,在上述实施例中,用户终端在接收第一策略规则的同时,还可以接收该第一策略规则的有效时间,该第一策略规则的有效时间用于限定所述第一策略规则的生效时间。Optionally, in the above embodiment, the user terminal may receive the first policy rule, and may also receive the validity time of the first policy rule, where the effective time of the first policy rule is used to define the first policy rule. Effective time.
当用户终端成功安装第一签约信息集或者用户终端激活第一签约信息集后,向用户提示第一策略规则和该第一策略规则的有效时间。After the user terminal successfully installs the first subscription information set or the user terminal activates the first subscription information set, the user is prompted with the first policy rule and the valid time of the first policy rule.
可以想到的是,在用户终端向用户提示第一策略规则和该第一策略规则的有效时间内,可以根据签约信息集不允许删除、签约信息集不允许去激活以及签约信息集去激活后应删除中的至少一项,限制用户对第一签约信息集的管理操作。It is conceivable that, when the user terminal prompts the user for the first policy rule and the validity time of the first policy rule, the subscription information set may not be deleted, the subscription information set is not allowed to be deactivated, and the subscription information set is deactivated. At least one of the deletions restricts the user's management operation on the first subscription information set.
本发明实施例中的授权文件中除包含至少一个策略规则和与至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息之外,还可以包含允许运营商设置至少一个策略规则的有效时间,允许运营商设置至少一个策略规则中任一策略规则的有 效时间用于限定运营商具备设置任一策略规则的权限的时间。运营商设置该运营商的策略规则的有效时间可以用于运营商激活策略规则时,只能够在上述有效时间内运营商才能设置该策略规则。相应的,本发明实施例的方法还可以包括:当用户终端激活第一策略规则时,用户终端判断当前时间是否在授权文件中包含的允许第一运营商设置第一策略规则的有效时间内;若当前时间超过允许第一运营商设置第一策略规则的有效时间,用户终端则禁止激活第一策略规则。通过本方案,不仅可以通过授权文件限制运营商对策略规则的设置权限,还可以规定允许运营商设置策略规则的有效时间。The authorization file in the embodiment of the present invention may include at least one policy rule and information corresponding to each of the at least one policy rule that allows the operator to set the policy rule, and may also include allowing the operator to set at least The effective time of a policy rule, allowing the operator to set any of the at least one policy rule. The time is used to limit the time that the operator has permission to set any of the policy rules. When the operator sets the effective time of the operator's policy rule, the carrier can activate the policy rule. Only when the carrier can set the policy rule within the valid time. Correspondingly, the method of the embodiment of the present invention may further include: when the user terminal activates the first policy rule, the user terminal determines whether the current time is within a valid time period allowed in the authorization file to allow the first operator to set the first policy rule; If the current time exceeds the valid time allowed for the first operator to set the first policy rule, the user terminal prohibits activation of the first policy rule. Through this scheme, not only the authorization file can be used to restrict the operator's permission to set policy rules, but also the effective time for allowing the operator to set policy rules.
进一步的,用户终端还可以根据运营商的功能实体(如运营商服务器)发送的策略规则解除请求,删除用户终端中保存的授权文件中的部分内容。其中,本发明实施例中的运营商服务器可以为空中下载(英文:Over The Air,简称:OTA)服务器。具体的,在用户终端接收服务器(SM-DS或者推送服务器)发送的授权文件之后,本发明实施例的方法还可以包括S501:Further, the user terminal may also cancel the request according to the policy rule sent by the function entity (such as the operator server) of the operator, and delete part of the content of the authorization file saved in the user terminal. The carrier server in the embodiment of the present invention may be an over-the-air (English: Over The Air, OTA for short) server. Specifically, after the user terminal receives the authorization file sent by the server (SM-DS or the push server), the method of the embodiment of the present invention may further include S501:
S501、用户终端接收第一运营商的功能实体发送的策略规则解除请求,该策略规则解除请求中携带有第一运营商的信息和待解除的策略规则。S501: The user terminal receives the policy rule release request sent by the function entity of the first operator, where the policy rule release request carries the information of the first operator and the policy rule to be released.
其中,第一运营商可以为当前通信网络中的任一运营商,第一运营商的信息可以为第一运营商的标识信息,如MNC。The first operator may be any operator in the current communication network, and the information of the first operator may be identification information of the first operator, such as an MNC.
S502、若该用户终端上保存的授权文件中包含的待解除的策略规则对应的、允许设置该待解除的策略规则的运营商的信息中包含第一运营商的信息,用户终端则删除授权文件中包含的待解除的策略规则对应的、允许设置该待解除的策略规则的运营商的信息中的第一运营商的信息。S502. If the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released included in the authorization file saved on the user terminal, the information of the first carrier is included, and the user terminal deletes the authorization file. The information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released.
示例性的,若允许设置待解除的策略规则的运营商的信息包括第一运营商的信息和第二运营商的信息,那么用户终端则可以删除该允许设置待解除的策略规则的运营商的信息中的第一运营商的信息。 Exemplarily, if the information of the operator that is allowed to set the policy rule to be released includes the information of the first operator and the information of the second operator, the user terminal may delete the operator that allows the policy rule to be released to be set. Information of the first carrier in the information.
可以想到的是,若该用户终端上保存的授权文件中包含多个策略规则,当任一策略规则中仅有第一运营商的信息时,那么用户终端则删除该任一策略规则;若该用户终端上保存的授权文件中仅有一个策略规则,该策略规则中仅有第一运营商的信息,那么用户终端则删除该用户终端上保存的授权文件。It is conceivable that if the authorization file saved on the user terminal includes multiple policy rules, when there is only information of the first operator in any of the policy rules, the user terminal deletes any one of the policy rules; There is only one policy rule in the authorization file saved on the user terminal. Only the information of the first operator is included in the policy rule, and the user terminal deletes the authorization file saved on the user terminal.
通过本方案,不仅可以实时的对用户终端中保存的授权文件进行整体的更新,还可以根据运营商的设备发送的策略规则解除请求消息,删除用户终端中保存的授权文件中的部分内容。With this solution, not only the authorization file saved in the user terminal can be updated in real time, but also the request message can be released according to the policy rule sent by the operator's device, and part of the content of the authorization file saved in the user terminal is deleted.
可选的,用户终端在成功下载并安装第一签约信息集后,用户终端删除用户终端中保存的授权文件中的部分内容。具体的,本发明实施例的方法还可以包括S601-S602:Optionally, after the user terminal successfully downloads and installs the first subscription information set, the user terminal deletes part of the content of the authorization file saved in the user terminal. Specifically, the method of the embodiment of the present invention may further include S601-S602:
S601、用户终端安装第一签约信息集。S601. The user terminal installs the first subscription information set.
S602、用户终端删除用户终端中保存的授权文件中包含的第一策略规则对应的、允许设置第一策略规则的运营商的信息中的第一运营商的信息,或者删除用户终端中保存的第一运营商的信息的授权文件。S602. The user terminal deletes the information of the first operator in the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule included in the authorization file saved in the user terminal, or deletes the information saved in the user terminal. An authorization file for an operator's information.
可以想到的是,若该用户终端上保存的授权文件中包含多个策略规则,当任一策略规则中仅有第一运营商的信息时,那么用户终端则删除该授权文件,即删除用户终端中保存的第一运营商的信息的授权文件。It is conceivable that if the authorization file saved on the user terminal includes multiple policy rules, when only the information of the first operator is included in any of the policy rules, the user terminal deletes the authorization file, that is, deletes the user terminal. An authorization file for saving the information of the first carrier.
进一步的,用户终端在成功下载并安装第二签约信息集后,激活第二签约信息集。其中,第二签约信息集所属的运营商为第二运营商,第二签约信息集与第一签约信息集可以相同也可以不同。当用户终端成功安装第二签约信息集后,用户终端可以通过LPA的UI检测用户触发的第二签约信息集的激活指令,并在检测到该激活指令后激活第二签约信息集。具体的,本发明实施例的方法还可以包括S603-S604:Further, after successfully downloading and installing the second subscription information set, the user terminal activates the second subscription information set. The operator to which the second subscription information set belongs is the second operator, and the second subscription information set and the first subscription information set may be the same or different. After the user terminal successfully installs the second subscription information set, the user terminal may detect an activation instruction of the second subscription information set triggered by the user through the UI of the LPA, and activate the second subscription information set after detecting the activation instruction. Specifically, the method of the embodiment of the present invention may further include S603-S604:
S603、在用户终端激活用户终端安装的第二签约信息集之前,若确定第二策略规则为签约信息集不允许去激活,用户终端则检查 授权文件。S603. Before the user terminal activates the second subscription information set installed by the user terminal, if the second policy rule is determined that the subscription information set is not allowed to be deactivated, the user terminal checks Authorization file.
其中,第二签约信息集归属于第二运营商,第二策略规则为第二运营商设置的与第二签约信息集关联的策略规则。The second subscription information set belongs to the second operator, and the second policy rule is a policy rule that is set by the second operator and is associated with the second subscription information set.
S604、若用户终端中保存的授权文件中包含的第二策略规则对应的、允许设置第二策略规则的运营商的信息中包含第三运营商的信息,用户终端则发出提示信息。S604. If the information of the operator that is allowed to set the second policy rule corresponding to the second policy rule included in the authorization file saved in the user terminal includes the information of the third carrier, the user terminal sends the prompt message.
其中,上述第三运营商包括除第二运营商之外的任一运营商。上述提示信息至少可以包括:“激活该第二签约信息集将无法下载第三运营商的签约信息集”或者“激活该第二签约信息集将无法下载第三运营商的签约信息集和第三运营商的信息”。The third operator includes any operator other than the second operator. The foregoing prompt information may at least include: “Activating the second subscription information set will not be able to download the third operator's subscription information set” or “Activating the second subscription information set will not be able to download the third operator's subscription information set and the third. Carrier's information."
本发明实施例提供的获取授权文件的方法,不仅可以实时更新该用户终端中保存的授权文件,还可以根据授权文件限制运营商对授权文件中的策略规则的设置,可以限制运营商随意设置策略规则;同时,还可以在用户安装任一运营商的签约信息集时,根据授权文件的信息向用户提示安装该运营商的签约信息集时对其它运营商的授权文件所造成的影响。The method for obtaining an authorization file provided by the embodiment of the present invention can not only update the authorization file saved in the user terminal in real time, but also limit the setting of the policy rule in the authorization file by the operator according to the authorization file, and can restrict the operator to set the policy arbitrarily. At the same time, when the user installs the contract information set of any operator, the user may be prompted according to the information of the authorization file to the user to influence the authorization file of the other operator when installing the contract information set of the operator.
本发明上述实施例主要从授权文件服务器、服务器与用户终端交互的角度对本发明实施例提供的方案进行了介绍。可以理解的是,服务器与用户终端为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的服务器与用户终端及算法步骤,本发明能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。The foregoing embodiment of the present invention mainly introduces the solution provided by the embodiment of the present invention from the perspective of the interaction between the authorization file server and the server and the user terminal. It can be understood that the server and the user terminal include corresponding hardware structures and/or software modules for performing the respective functions in order to implement the above functions. Those skilled in the art will readily appreciate that the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the server and user terminal and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods for implementing the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
本发明实施例可以根据上述方法示例对服务器与用户终端进行功能模块或者功能单元的划分,例如,可以对应各个功能划分各个功能模块或者功能单元,也可以将两个或两个以上的功能集成在一 个处理模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块或者功能单元的形式实现。其中,本发明实施例中对模块或者单元的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。The embodiment of the present invention may perform the division of the function module or the function unit between the server and the user terminal according to the foregoing method example. For example, each function module or function unit may be divided according to each function, or two or more functions may be integrated in the function. One In the processing module. The above integrated modules can be implemented in the form of hardware or in the form of software functional modules or functional units. The division of a module or a unit in the embodiment of the present invention is schematic, and is only a logical function division. In actual implementation, there may be another division manner.
图12示出了上述实施例中所涉及的服务器的一种可能的结构示意图。该服务器1200可以包括:获取单元1201和发送单元1202。其中,获取单元1201,用于获得授权文件。例如,获取单元1201,用于支持上述实施例中的S403,和/或用于本文所描述的技术的其它过程。发送单元1202,用于向用户终端发送授权文件。例如,发送单元1202,用于支持上述实施例中的S406、S406a、S406b和S412,和/或用于本文所描述的技术的其它过程。FIG. 12 shows a possible structural diagram of a server involved in the above embodiment. The server 1200 can include an obtaining unit 1201 and a sending unit 1202. The obtaining unit 1201 is configured to obtain an authorization file. For example, the acquisition unit 1201 is for supporting S403 in the above embodiments, and/or other processes for the techniques described herein. The sending unit 1202 is configured to send an authorization file to the user terminal. For example, the transmitting unit 1202 is configured to support S406, S406a, S406b, and S412 in the above embodiments, and/or other processes for the techniques described herein.
进一步的,如图13所示,服务器可以为SM-DS或者推送服务器,该服务器1200还可以包括:接收单元1203、确定单元1204、分配单元1205和保存单元1206。Further, as shown in FIG. 13, the server may be an SM-DS or a push server, and the server 1200 may further include: a receiving unit 1203, a determining unit 1204, an allocating unit 1205, and a saving unit 1206.
接收单元1203,用于接收授权文件服务器发送的授权文件。例如,接收单元1203,用于支持上述实施例中的S403和S405,和/或用于本文所描述的技术的其它过程。确定单元1204,用于确定对应于用户终端上的eUICC的授权文件。例如,确定单元1204,用于支持上述实施例中的S406,和/或用于本文所描述的技术的其它过程。The receiving unit 1203 is configured to receive an authorization file sent by the authorization file server. For example, receiving unit 1203 is for supporting S403 and S405 in the above embodiments, and/or other processes for the techniques described herein. The determining unit 1204 is configured to determine an authorization file corresponding to the eUICC on the user terminal. For example, determining unit 1204 is for supporting S406 in the above-described embodiments, and/or other processes for the techniques described herein.
其中,当服务器为SM-DS时,接收单元1203,还用于接收用户终端发送的轮询消息。例如,接收单元1203,还用于支持上述实施例中的S405a,和/或用于本文所描述的技术的其它过程。The receiving unit 1203 is further configured to receive a polling message sent by the user terminal, when the server is an SM-DS. For example, receiving unit 1203 is also used to support S405a in the above-described embodiments, and/or other processes for the techniques described herein.
当服务器为推送服务器时,接收单元1203,还用于接收用户终端发送的注册请求。例如,接收单元,还用于支持上述实施例中的S405b,和/或用于本文所描述的技术的其它过程。确定单元1204,还用于确定与授权文件对应的EID对应的口令。例如,确定单元1204,还用于支持上述实施例中的S406和S411,和/或用于本文所描述的技术的其它过程。分配单元1205,用于为注册请求中携 带的LPA标识所指示的LPA分配口令。例如,分配单元1205,用于支持上述实施例中的S410,和/或用于本文所描述的技术的其它过程。保存单元1206,用于保存推送服务器为LPA标识所指示的LPA分配的口令与注册请求中携带的EID的对应关系。例如,保存单元1206,用于支持上述实施例中的S410,和/或用于本文所描述的技术的其它过程。When the server is a push server, the receiving unit 1203 is further configured to receive a registration request sent by the user terminal. For example, the receiving unit is also used to support S405b in the above embodiments, and/or other processes for the techniques described herein. The determining unit 1204 is further configured to determine a password corresponding to the EID corresponding to the authorization file. For example, determining unit 1204 is also used to support S406 and S411 in the above-described embodiments, and/or other processes for the techniques described herein. The allocating unit 1205 is configured to carry the request for registration The LPA assigned password indicated by the LPA tag. For example, allocation unit 1205 is used to support S410 in the above-described embodiments, and/or other processes for the techniques described herein. The saving unit 1206 is configured to save a correspondence between a password allocated by the push server for the LPA indicated by the LPA identifier and an EID carried in the registration request. For example, save unit 1206 is used to support S410 in the above-described embodiments, and/or other processes for the techniques described herein.
在采用集成的单元的情况下,上述获取单元1201、确定单元1204、分配单元1205和保存单元1206等可以集成在一个处理单元中实现,该处理单元可以是处理器或控制器,例如可以是CPU,通用处理器,数字信号处理器(英文:Digital Signal Processor,简称:DSP),专用集成电路(英文:Application-Specific Integrated Circuit,简称:ASIC),现场可编程门阵列(英文:Field Programmable Gate Array,简称:FPGA)或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本发明公开内容所描述的各种举例说明逻辑方框,模块和电路。所述处理单元也可以是实现计算功能的组合,例如包含一个或多个微处理器组合,DSP和微处理器的组合等。所述发送单元1202和接收单元1203可以集成在一个通信单元中实现,该通信单元可以是通信接口、收发电路或收发器等。存储单元可以是存储器。In the case of adopting an integrated unit, the above-mentioned obtaining unit 1201, determining unit 1204, allocating unit 1205 and saving unit 1206, etc. may be implemented in one processing unit, which may be a processor or a controller, for example, may be a CPU. , general purpose processor, digital signal processor (English: Digital Signal Processor, referred to as: DSP), ASIC (English: Application-Specific Integrated Circuit, referred to as: ASIC), field programmable gate array (English: Field Programmable Gate Array , abbreviated as: FPGA) or other programmable logic device, transistor logic device, hardware component or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure. The processing unit may also be a combination of computing functions, such as one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like. The transmitting unit 1202 and the receiving unit 1203 may be implemented by being integrated in one communication unit, and the communication unit may be a communication interface, a transceiver circuit or a transceiver, or the like. The storage unit can be a memory.
当上述处理单元为处理器,存储单元为存储器,通信单元为收发器时,本发明实施例所涉及的服务器1200可以为图14所示的服务器1400。When the processing unit is a processor, the storage unit is a memory, and the communication unit is a transceiver, the server 1200 according to the embodiment of the present invention may be the server 1400 shown in FIG.
参阅图14所示,所述服务器1400包括:一个或多个处理器1401、存储器1402、收发器1403以及总线1404。其中,一个或多个处理器1401、存储器1402和收发器1403通过总线1404相互连接。其中,总线1404可以是外设部件互连标准(英文:Peripheral Component Interconnect,简称:PCI)总线或扩展工业标准结构(英文:Extended Industry Standard Architecture,简称: EISA)总线等。所述总线1404可以分为地址总线、数据总线、控制总线等。为便于表示,图14中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。Referring to FIG. 14, the server 1400 includes one or more processors 1401, a memory 1402, a transceiver 1403, and a bus 1404. The one or more processors 1401, the memory 1402, and the transceiver 1403 are connected to one another via a bus 1404. The bus 1404 may be a Peripheral Component Interconnect (PCI) bus or an extended industry standard architecture (English: Extended Industry Standard Architecture, referred to as: EISA) bus and so on. The bus 1404 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 14, but it does not mean that there is only one bus or one type of bus.
本发明实施例还提供一种非易失性存储介质,该非易失性存储介质中存储有一个或多个程序代码,当服务器1400的处理器1401执行该程序代码时,该服务器1400执行图4-图11中任一附图中的相关方法步骤。The embodiment of the present invention further provides a non-volatile storage medium having one or more program codes stored therein. When the processor 1401 of the server 1400 executes the program code, the server 1400 executes the map. 4- related method steps in any of the figures of FIG.
其中,本发明实施例提供的所述服务器1400中各个模块或单元的详细描述以及各个模块或单元执行图4-图11中任一附图中的相关方法步骤后所带来的技术效果可以参考本发明方法实施例中的相关描述,此处不再赘述。The detailed description of each module or unit in the server 1400 provided by the embodiment of the present invention and the technical effects brought by each module or unit performing the related method steps in any of the figures in FIG. 4 can be referred to. The related description in the method embodiment of the present invention is not described herein again.
图15示出了上述实施例中所涉及的用户终端的一种可能的结构示意图。该用户终端1500可以包括:发送单元1501、接收单元1502和控制单元1503。其中,发送单元1501,用于向服务器发送用户终端上的eUICC的EID、轮询消息和注册请求。例如,发送单元1501,用于支持上述实施例中的S404、S404a、S404a′、S404a〞和S404b,和/或用于本文所描述的技术的其它过程。接收单元1502,用于接收服务器发送的授权文件;接收单元1502,还用于接收SM-DS发送的轮询消息的响应消息;接收单元1502,还用于接收推送服务器发送的注册请求的响应消息;接收单元1502,还用于接收第一运营商的SM-DP发送的第一策略规则;接收单元1502,还用于在定时器的定时时间内等待接收推送服务器发送的授权文件;接收单元1502,还用于接收第一策略规则的有效时间;接收单元1502,还用于接收第一运营商的功能实体发送的策略规则解除请求消息。例如,接收单元1502,用于支持上述实施例中的S407、S407a、S409、S407b、S413、S414、S407b′、S407b〞和S501,和/或用于本文所描述的技术的其它过程。控制单元1503,用于在eUICC中保存授权文件,或者,采用授权文件更新eUICC中保存的授权文件。例如,控制单元1503,用于支持上述实施例中的 S408a、S408b,和/或用于本文所描述的技术的其它过程。FIG. 15 is a schematic diagram showing a possible structure of a user terminal involved in the above embodiment. The user terminal 1500 may include a transmitting unit 1501, a receiving unit 1502, and a control unit 1503. The sending unit 1501 is configured to send, to the server, an EID, a polling message, and a registration request of the eUICC on the user terminal. For example, the transmitting unit 1501 is configured to support S404, S404a, S404a', S404a, and S404b in the above embodiments, and/or other processes for the techniques described herein. The receiving unit 1502 is configured to receive the sending by the server. The receiving unit 1502 is further configured to receive a response message of the polling message sent by the SM-DS, and the receiving unit 1502 is further configured to receive a response message of the registration request sent by the push server, and the receiving unit 1502 is further configured to receive the first The first policy rule sent by the SM-DP of the operator; the receiving unit 1502 is further configured to wait for receiving the authorization file sent by the push server during the timing of the timer; the receiving unit 1502 is further configured to receive the first policy rule. The receiving unit 1502 is further configured to receive the policy rule release request message sent by the function entity of the first operator. For example, the receiving unit 1502 is configured to support S407, S407a, S409, S407b, and S413 in the foregoing embodiment. S414, S407b', S407b and S501, and/or other processes for the techniques described herein. The control unit 1503 is configured to save the authorization file in the eUICC, or update the authorization file saved in the eUICC by using the authorization file. For example, the control unit 1503 is configured to support the above embodiments. S408a, S408b, and/or other processes for the techniques described herein.
进一步的,如图16所示,该用户终端1500还可以包括:启动单元1504、安装单元1505、第一激活单元1506、第一提示单元1507、第二激活单元1508、判断单元1509、禁止单元1510、删除单元1511、检查单元1512、第二提示单元1513和对比单元1514。Further, as shown in FIG. 16 , the user terminal 1500 may further include: an activation unit 1504, an installation unit 1505, a first activation unit 1506, a first prompt unit 1507, a second activation unit 1508, a determination unit 1509, and a prohibition unit 1510. The deleting unit 1511, the checking unit 1512, the second prompting unit 1513, and the comparing unit 1514.
其中,启动单元1504,用于启动定时器。例如,启动单元1504,用于支持上述实施例中的S407b′和S407b〞,和/或用于本文所描述的技术的其它过程。安装单元1505,用于安装第一签约信息集或者第二签约信息集。例如,安装单元1505,用于支持上述实施例中的S601,和/或用于本文所描述的技术的其它过程。第一激活单元1506,用于激活第一签约信息集或者第二签约信息集。第一提示单元1507,用于向用户提示第一运营商的策略规则的策略信息和该策略信息的有效时间。第二激活单元1508,用于激活第一运营商的策略规则。判断单元1509,用于当激活第一运营商的策略规则时,判断当前时间是否在授权文件中包括的、允许第一运营商设置第一运营商的策略规则的有效时间内。禁止单元1510,用于若判断当前时间超过允许第一运营商设置第一运营商的策略规则的有效时间,则禁止激活第一运营商的策略规则。删除单元1511,用于删除待解除的策略规则对应的运营商的信息中第一运营商的信息、删除用户终端中保存的授权文件中的允许设置策略规则的运营商的信息中第一运营商的信息,或者删除用户终端中保存的第一运营商对应的授权文件。例如,删除单元1511,用于支持上述实施例中的S502和S602,和/或用于本文所描述的技术的其它过程。检查单元1512,用于检查用户终端中保存的授权文件。例如,检查单元1512,用于支持上述实施例中的S603,和/或用于本文所描述的技术的其它过程。第二提示单元1513,用于发出提示信息。例如,第二提示单元1513,用于支持上述实施例中的S604,和/或用于本文所描述的技术的其它过程。对比单元1514,用于采用与授权文件对应的EID对应的口令对比推送服务器为LPA分配的口令。 The startup unit 1504 is configured to start a timer. For example, the activation unit 1504 is configured to support S407b' and S407b〞 in the above embodiments, and/or other processes for the techniques described herein. The installation unit 1505 is configured to install the first subscription information set or the second subscription. An information set, for example, an installation unit 1505 for supporting S601 in the above embodiments, and/or other processes for the techniques described herein. A first activation unit 1506 for activating a first subscription information set or a second The first information unit 1507 is configured to prompt the user of the policy information of the first operator's policy rule and the effective time of the policy information. The second activation unit 1508 is configured to activate the policy rule of the first operator. The determining unit 1509 is configured to determine, when the policy rule of the first operator is activated, whether the current time is within the validity time of the policy rule included in the authorization file that allows the first operator to set the first operator. The prohibiting unit 1510, If it is determined that the current time exceeds the valid time of the first operator to set the first operator's policy rule, the first operator's policy rule is prohibited from being activated. The deleting unit 1511 is configured to delete the information of the first operator in the information of the operator corresponding to the policy rule to be released, and delete the first operation in the information of the operator that allows the setting of the policy rule in the authorization file saved in the user terminal. The information of the quotient, or the authorization file corresponding to the first operator saved in the user terminal. For example, the deleting unit 1511 is used to support S502 and S602 in the above embodiment, and/or other technologies used in the techniques described herein. The checking unit 1512 is configured to check the authorization file saved in the user terminal. For example, the checking unit 1512 is configured to support S603 in the above embodiment, and/or other processes for the techniques described herein. The unit 1513 is configured to issue prompt information. For example, the second prompting unit 1513 is configured to support S604 in the above embodiment, and/or other processes for the techniques described herein. The comparing unit 1514 is configured to adopt and authorize The password corresponding to the EID corresponding to the file is compared with the password assigned by the push server to the LPA.
在采用集成的单元的情况下,上述控制单元1503、启动单元1504、安装单元1505、第一激活单元1506、第一提示单元1507、第二激活单元1508、判断单元1509、禁止单元1510、删除单元1511、检查单元1512和第二提示单元1513等功能单元可以集成在一个处理单元中实现,处理单元可以是处理器或控制器,例如可以是CPU,通用处理器,DSP,ASIC,FPGA或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本发明公开内容所描述的各种举例说明逻辑方框,模块和电路。处理单元也可以是实现计算功能的组合,例如包含一个或多个微处理器组合,DSP和微处理器的组合等等。发送单元1501和接收单元1502可以集成在一个通信单元中实现,该通信单元可以是通信接口、收发电路或收发器等。存储单元可以是存储器。In the case of employing an integrated unit, the above-described control unit 1503, activation unit 1504, installation unit 1505, first activation unit 1506, first prompt unit 1507, second activation unit 1508, determination unit 1509, inhibition unit 1510, deletion unit 1511, the function unit such as the checking unit 1512 and the second prompting unit 1513 may be integrated and implemented in one processing unit, and the processing unit may be a processor or a controller, such as a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or the like. Programming logic devices, transistor logic devices, hardware components, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure. The processing unit may also be a combination of computing functions, such as one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like. The transmitting unit 1501 and the receiving unit 1502 may be implemented by being integrated in one communication unit, which may be a communication interface, a transceiver circuit or a transceiver, or the like. The storage unit can be a memory.
当上述处理单元为处理器,存储单元为存储器,通信单元为收发器时,本发明实施例所涉及的用户终端1500可以为图17所示的用户终端1700。When the processing unit is a processor, the storage unit is a memory, and the communication unit is a transceiver, the user terminal 1500 according to the embodiment of the present invention may be the user terminal 1700 shown in FIG.
参阅图17所示,用户终端1700包括:一个或多个处理器1701、存储器1702、收发器1702以及总线1704。其中,一个或多个处理器1701、存储器1702和收发器1703通过总线1704相互连接。其中,总线1704可以是PCI总线或EISA总线等。总线1704可以分为地址总线、数据总线、控制总线等。为便于表示,图17中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。Referring to FIG. 17, the user terminal 1700 includes one or more processors 1701, a memory 1702, a transceiver 1702, and a bus 1704. Among them, one or more processors 1701, a memory 1702, and a transceiver 1703 are connected to each other through a bus 1704. The bus 1704 can be a PCI bus or an EISA bus. The bus 1704 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 17, but it does not mean that there is only one bus or one type of bus.
本发明实施例还提供一种非易失性存储介质,该非易失性存储介质中存储有一个或多个程序代码,当用户终端1700的处理器1701执行该程序代码时,用户终端1700执行图4-图11中任一附图中的相关方法步骤。The embodiment of the present invention further provides a non-volatile storage medium having one or more program codes stored therein. When the processor 1701 of the user terminal 1700 executes the program code, the user terminal 1700 executes Related method steps in any of Figures 4-11.
其中,本发明实施例提供的用户终端1700中各个模块的详细描述以及各个模块执行图4-图11中任一附图中的相关方法步骤后所带来的技术效果可以参考本发明方法实施例中的相关描述,此处不再赘述。 The detailed description of each module in the user terminal 1700 provided by the embodiment of the present invention and the technical effects of each module performing the related method steps in any of the figures in FIG. 4 can refer to the method embodiment of the present invention. The related descriptions are not repeated here.
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Through the description of the above embodiments, those skilled in the art can clearly understand that for the convenience and brevity of the description, only the division of the above functional modules is illustrated. In practical applications, the above functions can be allocated according to needs. It is completed by different functional modules, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, the device and the unit described above, reference may be made to the corresponding process in the foregoing method embodiments, and details are not described herein again.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述模块或单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of the modules or units is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be used. Combinations can be integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用 以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器(processor)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:存储卡,SIM卡,U盘、移动硬盘、只读存储器(ROM)、随机存取存储器(RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium. , including several instructions All or part of the steps of the method of the various embodiments of the present invention are performed by a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor. The foregoing storage medium includes: a memory card, a SIM card, a U disk, a removable hard disk, a read only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes.
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以所述权利要求的保护范围为准。 The above is only a specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the present invention. It should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the appended claims.

Claims (44)

  1. 一种获取授权文件的方法,其特征在于,包括:A method for obtaining an authorization file, comprising:
    用户终端向服务器发送所述用户终端上的嵌入式通用集成电路卡eUICC的eUICC标识EID;Transmitting, by the user terminal, an eUICC identifier EID of the embedded universal integrated circuit card eUICC on the user terminal to the server;
    所述用户终端接收所述服务器发送的授权文件,所述授权文件与所述用户终端上的eUICC的EID对应,所述授权文件中包含至少一个策略规则和与所述至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息;Receiving, by the user terminal, an authorization file sent by the server, where the authorization file corresponds to an EID of an eUICC on the user terminal, where the authorization file includes at least one policy rule and each of the at least one policy rule Information corresponding to the operator of the policy rule that allows the policy rule to be set;
    所述用户终端在所述eUICC中保存所述授权文件,或者,所述用户终端采用所述授权文件更新所述eUICC中保存的授权文件。The user terminal saves the authorization file in the eUICC, or the user terminal updates the authorization file saved in the eUICC by using the authorization file.
  2. 根据权利要求1所述的方法,其特征在于,所述服务器为签约管理-业务发现服务器SM-DS,The method according to claim 1, wherein the server is a subscription management-service discovery server SM-DS,
    所述用户终端向服务器发送所述用户终端上的eUICC的eUICC标识EID,包括:Sending, by the user terminal, the eUICC identifier EID of the eUICC on the user terminal to the server, including:
    所述用户终端向所述SM-DS发送轮询消息,所述轮询消息中携带有所述用户终端上的eUICC的EID,The user terminal sends a polling message to the SM-DS, where the polling message carries the EID of the eUICC on the user terminal,
    所述用户终端接收所述服务器发送的授权文件,包括:Receiving, by the user terminal, the authorization file sent by the server, including:
    所述用户终端接收所述SM-DS发送的所述轮询消息的响应消息,所述轮询消息的响应消息中携带有所述授权文件。The user terminal receives the response message of the polling message sent by the SM-DS, and the response message of the polling message carries the authorization file.
  3. 根据权利要求1所述的方法,其特征在于,所述服务器为推送服务器,The method of claim 1 wherein said server is a push server.
    所述用户终端向服务器发送所述用户终端上的eUICC的eUICC标识EID,包括:Sending, by the user terminal, the eUICC identifier EID of the eUICC on the user terminal to the server, including:
    所述用户终端向所述推送服务器发送注册请求,所述注册请求中携带有所述用户终端上的eUICC的EID。The user terminal sends a registration request to the push server, where the registration request carries an EID of the eUICC on the user terminal.
  4. 根据权利要求3所述的方法,其特征在于,所述注册请求中还携带有所述用户终端中的本地文件助手LPA的LPA标识;The method according to claim 3, wherein the registration request further carries an LPA identifier of a local file assistant LPA in the user terminal;
    在所述用户终端向所述推送服务器发送注册请求之后,所述方法还包括: After the user terminal sends a registration request to the push server, the method further includes:
    所述用户终端接收所述推送服务器发送的所述注册请求的响应消息,所述注册请求的响应消息中携带有所述推送服务器为所述注册请求中携带的LPA标识所指示的LPA分配的口令;The user terminal receives the response message of the registration request sent by the push server, and the response message of the registration request carries the password allocated by the push server for the LPA indicated by the LPA identifier carried in the registration request. ;
    其中,所述用户终端接收所述服务器发送的授权文件,包括:The user terminal receives the authorization file sent by the server, including:
    所述用户终端接收所述推送服务器发送的所述授权文件和与所述授权文件对应的EID对应的口令;The user terminal receives the authorization file sent by the push server and a password corresponding to the EID corresponding to the authorization file;
    在所述用户终端接收所述推送服务器发送的所述授权文件和与所述授权文件对应的EID对应的口令之后,所述方法还包括:After the user terminal receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file, the method further includes:
    所述用户终端采用所述与所述授权文件对应的EID对应的口令对比所述推送服务器为所述LPA分配的口令;The user terminal compares the password corresponding to the EID corresponding to the authorization file with a password allocated by the push server for the LPA;
    其中,所述用户终端在所述eUICC中保存所述授权文件,包括:The user terminal saves the authorization file in the eUICC, including:
    若所述与所述授权文件对应的EID对应的口令与所述推送服务器为所述LPA分配的口令相同,所述用户终端则通过所述LPA在所述eUICC中保存所述授权文件,If the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the user terminal saves the authorization file in the eUICC through the LPA.
    或者,所述用户终端采用所述授权文件更新所述eUICC中保存的授权文件,包括:Alternatively, the user terminal uses the authorization file to update the authorization file saved in the eUICC, including:
    若所述与所述授权文件对应的EID对应的口令与所述推送服务器为所述LPA分配的口令相同,所述用户终端则通过所述LPA采用所述授权文件更新所述eUICC中保存的授权文件。If the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the user terminal updates the authorization saved in the eUICC by using the authorization file by the LPA. file.
  5. 根据权利要求1-4中任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1 to 4, wherein the method further comprises:
    用户终端接收第一运营商的签约管理-数据准备服务器SM-DP发送的第一策略规则,所述第一策略规则为所述第一运营商设置的与第一签约信息集关联的策略规则,所述第一运营商为所述第一签约信息集所属的运营商。The user terminal receives the first policy rule that is sent by the first operator's subscription management-data preparation server SM-DP, and the first policy rule is a policy rule that is set by the first operator and is associated with the first subscription information set. The first operator is an operator to which the first subscription information set belongs.
  6. 根据权利要求5所述的方法,其特征在于,所述服务器为所述SM-DS,所述方法还包括:The method of claim 5, wherein the server is the SM-DS, the method further comprising:
    所述用户终端在接收到所述第一策略规则后,向所述SM-DS发 送所述轮询消息,所述轮询消息中携带有所述用户终端上的eUICC的EID,所述轮询消息用于请求所述SM-DS向所述用户终端发送与所述用户终端上的eUICC的EID对应的授权文件。After receiving the first policy rule, the user terminal sends the SM-DS to the SM-DS. Sending the polling message, where the polling message carries the EID of the eUICC on the user terminal, where the polling message is used to request the SM-DS to send to the user terminal and the user terminal The authorization file corresponding to the EID of the eUICC.
  7. 根据权利要求6所述的方法,其特征在于,所述用户终端在接收到所述第一策略规则后,向所述SM-DS发送所述轮询消息,包括:The method according to claim 6, wherein the user terminal sends the polling message to the SM-DS after receiving the first policy rule, including:
    所述用户终端在接收到所述第一策略规则后,若所述授权文件中允许设置策略规则的运营商的信息中不包含所述第一运营商的信息,所述用户终端则向所述SM-DS发送所述轮询消息。After receiving the first policy rule, the user terminal does not include the information of the first operator in the information of the operator that is allowed to set the policy rule in the authorization file, and the user terminal goes to the The SM-DS sends the polling message.
  8. 根据权利要求5所述的方法,其特征在于,所述服务器为所述推送服务器,所述方法还包括:The method of claim 5, wherein the server is the push server, the method further comprising:
    所述用户终端在接收到所述第一策略规则后,启动定时器,并在所述定时器的定时时间内等待接收所述推送服务器发送的授权文件。After receiving the first policy rule, the user terminal starts a timer, and waits to receive an authorization file sent by the push server within a timing time of the timer.
  9. 根据权利要求8所述的方法,其特征在于,所述用户终端在接收到所述第一策略规则后,启动定时器,并在所述定时器的定时时间内等待接收所述推送服务器发送的授权文件,包括:The method according to claim 8, wherein the user terminal starts a timer after receiving the first policy rule, and waits to receive the sending by the push server within a timing time of the timer. Authorization documents, including:
    所述用户终端在接收到所述第一策略规则后,若所述授权文件中允许设置策略规则的运营商的信息中不包含所述第一运营商的信息,所述用户终端则启动所述定时器,并在所述定时器的定时时间内等待接收所述推送服务器发送的授权文件。After the user terminal receives the first policy rule, if the information of the operator that allows the policy rule to be set in the authorization file does not include the information of the first operator, the user terminal starts the a timer, and waiting to receive an authorization file sent by the push server within a timing time of the timer.
  10. 根据权利要求5-9中任一项所述的方法,其特征在于,所述至少一个策略规则至少包括:签约信息集不允许删除、签约信息集不允许去激活以及签约信息集去激活后应删除中的至少一项;The method according to any one of claims 5-9, wherein the at least one policy rule comprises at least: the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and the subscription information set is deactivated. At least one of the deletions;
    其中,所述至少一个策略规则包括所述第一策略规则。The at least one policy rule includes the first policy rule.
  11. 根据权利要求5-9中任一项所述的方法,其特征在于,所述方法还包括:The method of any of claims 5-9, wherein the method further comprises:
    所述用户终端接收所述第一策略规则的有效时间,所述第一策略规则的有效时间用于限定所述第一策略规则的生效时间。 The user terminal receives the validity time of the first policy rule, and the effective time of the first policy rule is used to limit the effective time of the first policy rule.
  12. 根据权利要求11所述的方法,其特征在于,还包括:The method of claim 11 further comprising:
    当所述用户终端成功安装所述第一签约信息集或者所述用户终端激活所述第一签约信息集后,向用户提示所述第一策略规则和所述第一策略规则的有效时间。After the user terminal successfully installs the first subscription information set or the user terminal activates the first subscription information set, the user prompts the user of the validity time of the first policy rule and the first policy rule.
  13. 根据权利要求5-9中任一项所述的方法,其特征在于,所述授权文件中还包含允许运营商设置所述至少一个策略规则的有效时间,允许运营商设置所述至少一个策略规则中任一策略规则的有效时间用于限定运营商具备设置所述任一策略规则的权限的时间;The method according to any one of claims 5-9, wherein the authorization file further includes an effective time for allowing the operator to set the at least one policy rule, allowing the operator to set the at least one policy rule. The effective time of any one of the policy rules is used to limit the time when the operator has the right to set any of the above policy rules;
    所述方法还包括:The method further includes:
    当所述用户终端激活所述第一策略规则时,所述用户终端判断当前时间是否在所述授权文件中包含的允许所述第一运营商设置所述第一策略规则的有效时间内;When the user terminal activates the first policy rule, the user terminal determines whether the current time is within a valid time period in the authorization file that allows the first operator to set the first policy rule.
    若所述当前时间超过允许所述第一运营商设置所述第一策略规则的有效时间,所述用户终端则禁止激活所述第一策略规则。If the current time exceeds a valid time that allows the first operator to set the first policy rule, the user terminal prohibits activation of the first policy rule.
  14. 根据权利要求5-9中任一项所述的方法,其特征在于,在所述用户终端接收所述服务器发送的授权文件之后,所述方法还包括:The method according to any one of claims 5-9, wherein after the user terminal receives the authorization file sent by the server, the method further includes:
    所述用户终端接收所述第一运营商的功能实体发送的策略解除请求,所述策略解除请求中携带有所述第一运营商的信息和待解除的策略规则;The user terminal receives the policy release request sent by the function entity of the first operator, where the policy release request carries the information of the first operator and the policy rule to be released;
    若所述授权文件中包含的所述待解除的策略规则对应的、允许设置所述待解除的策略规则的运营商的信息中包含所述第一运营商的信息,所述用户终端则删除所述授权文件中包含的所述待解除的策略规则对应的、允许设置所述待解除的策略规则的运营商的信息中的所述第一运营商的信息。If the information of the operator that is allowed to set the policy rule to be released corresponding to the to-be-released policy rule included in the authorization file includes the information of the first carrier, the user terminal deletes the The information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released, which is included in the authorization file.
  15. 根据权利要求5-9中任一项所述的方法,其特征在于,在所述用户终端接收所述服务器发送的授权文件之后,所述方法还包括:The method according to any one of claims 5-9, wherein after the user terminal receives the authorization file sent by the server, the method further includes:
    所述用户终端在成功安装所述第一签约信息集后,删除所述授 权文件中包含的所述第一策略规则对应的、允许设置所述第一策略规则的运营商的信息中的所述第一运营商的信息;After the user terminal successfully installs the first subscription information set, the user terminal deletes the grant Information of the first operator in the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule that is included in the rights file;
    或者,or,
    所述用户终端在成功安装所述第一签约信息集后,删除所述用户终端中保存的包含所述第一运营商的信息的授权文件。After successfully installing the first subscription information set, the user terminal deletes an authorization file that is stored in the user terminal and includes information about the first carrier.
  16. 根据权利要求1-9中任一项所述的方法,其特征在于,所述方法还包括:The method of any of claims 1-9, wherein the method further comprises:
    在所述用户终端激活所述用户终端中安装的第二签约信息集之前,若确定第二策略规则为签约信息集不允许去激活,所述用户终端则检查所述授权文件,所述第二签约信息集归属于第二运营商,所述第二策略规则为所述第二运营商设置的与所述第二签约信息集关联的策略规则;Before the user terminal activates the second subscription information set installed in the user terminal, if it is determined that the second policy rule is that the subscription information set is not allowed to be deactivated, the user terminal checks the authorization file, and the second The subscription information set belongs to the second operator, and the second policy rule is a policy rule that is set by the second operator and is associated with the second subscription information set;
    若所述授权文件中包含的所述第二策略规则对应的、允许设置所述第二策略规则的运营商的信息中包含第三运营商的信息,所述用户终端则发出提示信息,所述第三运营商包括除所述第二运营商之外的任一运营商;If the information of the operator that allows the setting of the second policy rule that is included in the second policy rule that is included in the authorization file includes the information of the third carrier, the user terminal sends a prompt message, The third operator includes any operator other than the second operator;
    其中,所述提示信息至少包括:激活所述第二签约信息集将无法下载所述第三运营商的签约信息集或者激活所述第二签约信息集将无法下载所述第三运营商的签约信息集和所述第三运营商的信息。The prompt information at least includes: the activation of the second subscription information set will not be able to download the subscription information set of the third operator or the activation of the second subscription information set will not be able to download the subscription of the third operator. Information set and information of the third operator.
  17. 一种获取授权文件的方法,其特征在于,包括:A method for obtaining an authorization file, comprising:
    服务器获得授权文件,所述授权文件与用户终端上的嵌入式通用集成电路卡eUICC的EID对应,所述授权文件中包含所述eUICC的eUICC标识EID、至少一个策略规则和与所述至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息;Obtaining an authorization file, where the authorization file corresponds to an EID of an embedded universal integrated circuit card eUICC on the user terminal, where the authorization file includes an eUICC identifier EID of the eUICC, at least one policy rule, and the at least one policy Information corresponding to each policy rule in the rule that allows the operator to set the policy rule;
    所述服务器向所述用户终端发送所述授权文件。The server sends the authorization file to the user terminal.
  18. 根据权利要求17所述的方法,其特征在于,所述服务器为签约管理-业务发现服务器SM-DS;The method according to claim 17, wherein the server is a subscription management-service discovery server SM-DS;
    所述服务器向所述用户终端发送所述授权文件,包括: Sending, by the server, the authorization file to the user terminal, including:
    所述SM-DS接收所述用户终端发送的轮询消息,所述轮询消息中携带有所述用户终端上的eUICC的EID;The SM-DS receives a polling message sent by the user terminal, where the polling message carries an EID of an eUICC on the user terminal;
    所述SM-DS向所述用户终端发送所述轮询消息的响应消息,所述轮询消息的响应消息中携带有与所述轮询消息中携带的EID对应的授权文件。The SM-DS sends a response message of the polling message to the user terminal, where the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
  19. 根据权利要求17所述的方法,其特征在于,所述服务器为推送服务器;The method of claim 17, wherein the server is a push server;
    在所述服务器获得授权文件之后,所述方法还包括:After the server obtains the authorization file, the method further includes:
    所述推送服务器根据所述推送服务器中保存的EID与所述推送服务器为所述用户终端中的本地文件助手LPA生成的口令的对应关系,确定与所述授权文件对应的EID对应的口令,所述用户终端中包含至少一个LPA;The push server determines a password corresponding to the EID corresponding to the authorization file according to the correspondence between the EID saved in the push server and the password generated by the push server for the local file assistant LPA in the user terminal. The user terminal includes at least one LPA;
    所述服务器向所述用户终端发送所述授权文件,包括:Sending, by the server, the authorization file to the user terminal, including:
    所述推送服务器向用户终端发送所述授权文件和所述与所述授权文件对应的EID对应的口令。The push server sends the authorization file and the password corresponding to the EID corresponding to the authorization file to the user terminal.
  20. 根据权利要求19所述的方法,其特征在于,在所述服务器向所述用户终端发送所述授权文件之前,所述方法还包括:The method according to claim 19, wherein before the sending the authorization file to the user terminal, the method further comprises:
    所述推送服务器接收所述用户终端发送的注册请求,所述注册请求中携带有LPA标识和所述用户终端上的eUICC的EID;The push server receives the registration request sent by the user terminal, where the registration request carries an LPA identifier and an EID of the eUICC on the user terminal;
    所述推送服务器为所述注册请求中携带的LPA标识所指示的LPA分配口令,并保存所述推送服务器为所述LPA标识所指示的LPA分配的口令与所述注册请求中携带的EID的对应关系。The push server allocates a password for the LPA indicated by the LPA identifier carried in the registration request, and saves the correspondence between the password allocated by the push server for the LPA indicated by the LPA identifier and the EID carried in the registration request. relationship.
  21. 根据权利要求20所述的方法,其特征在于,在所述推送服务器为所述注册请求中携带的LPA标识所指示的LPA分配口令之后,所述方法还包括:The method according to claim 20, wherein after the push server assigns a password to the LPA indicated by the LPA identifier carried in the registration request, the method further includes:
    所述推送服务器向所述用户终端发送所述注册请求的响应消息,所述注册请求的响应消息中携带有所述推送服务器为所述LPA标识所指示的LPA分配的口令。The push server sends a response message of the registration request to the user terminal, where the response message of the registration request carries a password allocated by the push server for the LPA indicated by the LPA identifier.
  22. 一种用户终端,其特征在于,包括: A user terminal, comprising:
    发送单元,用于向服务器发送所述用户终端上的嵌入式通用集成电路卡eUICC的eUICC标识EID;a sending unit, configured to send, to the server, an eUICC identifier EID of the embedded universal integrated circuit card eUICC on the user terminal;
    接收单元,用于接收所述服务器发送的授权文件,所述授权文件与所述用户终端上的eUICC的EID对应,所述授权文件中包含至少一个策略规则和与所述至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息;a receiving unit, configured to receive an authorization file sent by the server, where the authorization file corresponds to an EID of an eUICC on the user terminal, where the authorization file includes at least one policy rule and each of the at least one policy rule Information of the operator corresponding to the policy rule that allows the policy rule to be set;
    控制单元,用于在所述eUICC中保存所述接收单元接收到的所述授权文件,或者,采用所述接收单元接收到的所述授权文件更新所述eUICC中保存的授权文件。And a control unit, configured to save the authorization file received by the receiving unit in the eUICC, or update the authorization file saved in the eUICC by using the authorization file received by the receiving unit.
  23. 根据权利要求22所述的用户终端,其特征在于,所述服务器为签约管理-业务发现服务器SM-DS,The user terminal according to claim 22, wherein the server is a subscription management-service discovery server SM-DS,
    所述发送单元,具体用于:The sending unit is specifically configured to:
    向所述SM-DS发送轮询消息,所述轮询消息中携带有所述用户终端上的eUICC的EID,Sending a polling message to the SM-DS, where the polling message carries an EID of an eUICC on the user terminal,
    所述接收单元,具体用于:The receiving unit is specifically configured to:
    接收所述SM-DS发送的所述轮询消息的响应消息,所述轮询消息的响应消息中携带有所述授权文件。Receiving a response message of the polling message sent by the SM-DS, where the response message of the polling message carries the authorization file.
  24. 根据权利要求22所述的用户终端,其特征在于,所述服务器为推送服务器,The user terminal according to claim 22, wherein the server is a push server.
    所述发送单元,具体用于:The sending unit is specifically configured to:
    向所述推送服务器发送注册请求,所述注册请求中携带有所述用户终端上的eUICC的EID。Sending a registration request to the push server, where the registration request carries an EID of the eUICC on the user terminal.
  25. 根据权利要求24所述的用户终端,其特征在于,所述服务器为所述推送服务器,所述发送单元发送的所述注册请求中还携带有所述用户终端中的本地文件助手LPA的LPA标识;The user terminal according to claim 24, wherein the server is the push server, and the registration request sent by the sending unit further carries an LPA identifier of a local file assistant LPA in the user terminal. ;
    所述接收单元,还用于在所述发送单元向所述推送服务器发送注册请求之后,接收所述推送服务器发送的所述注册请求的响应消息,所述注册请求的响应消息中携带有所述推送服务器为所述注册请求中携带的LPA标识所指示的LPA分配的口令; The receiving unit is further configured to: after the sending unit sends a registration request to the push server, receive a response message of the registration request sent by the push server, where the response message of the registration request carries the The password allocated by the push server to the LPA indicated by the LPA identifier carried in the registration request;
    所述接收单元,具体用于:The receiving unit is specifically configured to:
    接收所述推送服务器发送的所述授权文件和与所述授权文件对应的EID对应的口令;Receiving, by the push server, the authorization file and a password corresponding to the EID corresponding to the authorization file;
    在所述接收单元接收所述推送服务器发送的所述授权文件和与所述授权文件对应的EID对应的口令之后,所述用户终端还包括:After the receiving unit receives the authorization file sent by the push server and the password corresponding to the EID corresponding to the authorization file, the user terminal further includes:
    对比单元,用于采用所述与所述授权文件对应的EID对应的口令对比所述推送服务器为所述LPA分配的口令;a comparison unit, configured to compare, by using the password corresponding to the EID corresponding to the authorization file, a password assigned by the push server to the LPA;
    其中,所述控制单元,具体用于:The control unit is specifically configured to:
    若所述与所述授权文件对应的EID对应的口令与所述推送服务器为所述LPA分配的口令相同,则通过所述LPA在所述eUICC中保存所述授权文件,And if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, saving the authorization file in the eUICC by using the LPA,
    或者,所述控制单元,具体用于:Alternatively, the control unit is specifically configured to:
    若所述与所述授权文件对应的EID对应的口令与所述推送服务器为所述LPA分配的口令相同,则通过所述LPA采用所述授权文件更新所述eUICC中保存的授权文件。And if the password corresponding to the EID corresponding to the authorization file is the same as the password allocated by the push server for the LPA, the authorization file saved in the eUICC is updated by using the authorization file by the LPA.
  26. 根据权利要求22-25中任一项所述的用户终端,其特征在于,所述服务器为所述SM-DS;The user terminal according to any one of claims 22-25, wherein the server is the SM-DS;
    所述接收单元,还用于接收第一运营商的签约管理-数据准备服务器SM-DP发送的第一策略规则,所述第一策略规则为所述第一运营商设置的与第一签约信息集关联的策略规则;所述第一运营商为所述第一签约信息集所属的运营商。The receiving unit is further configured to receive a first policy rule sent by the subscription management-data preparation server SM-DP of the first operator, where the first policy rule is the first subscription information set by the first operator The associated policy rule is set; the first operator is an operator to which the first subscription information set belongs.
  27. 根据权利要求26所述的用户终端,其特征在于,所述服务器为所述SM-DS;The user terminal according to claim 26, wherein the server is the SM-DS;
    所述发送单元,还用于在所述接收单元接收到所述第一策略规则后,向所述SM-DS发送所述轮询消息,所述轮询消息中携带有所述用户终端上的eUICC的EID,所述轮询消息用于请求所述SM-DS向所述用户终端发送与所述用户终端上的eUICC的EID对应的授权文件。The sending unit is further configured to: after the receiving, by the receiving unit, the first policy rule, send the polling message to the SM-DS, where the polling message carries the user terminal The EID of the eUICC, the polling message is used to request the SM-DS to send an authorization file corresponding to the EID of the eUICC on the user terminal to the user terminal.
  28. 根据权利要求27所述的用户终端,其特征在于,所述发送 单元,具体用于:The user terminal according to claim 27, wherein said transmitting Unit, specifically for:
    在所述接收单元接收到所述第一策略规则后,若所述授权文件中允许设置策略规则的运营商的信息中不包含所述第一运营商的信息,则向所述SM-DS发送所述轮询消息。After the receiving, by the receiving unit, the first policy rule, if the information of the operator that allows the setting of the policy rule in the authorization file does not include the information of the first carrier, the information is sent to the SM-DS. The polling message.
  29. 根据权利要求26所述的用户终端,其特征在于,所述服务器为所述推送服务器;The user terminal according to claim 26, wherein the server is the push server;
    所述用户终端,还包括:The user terminal further includes:
    启动单元,用于在所述接收单元接收到所述第一策略规则后,启动定时器;a starting unit, configured to start a timer after the receiving unit receives the first policy rule;
    所述接收单元,还用于在所述启动单元启动的所述定时器的定时时间内等待接收所述推送服务器发送的授权文件。The receiving unit is further configured to wait to receive an authorization file sent by the push server within a timing time of the timer that is initiated by the startup unit.
  30. 根据权利要求29所述的用户终端,其特征在于,所述启动单元,具体用于:The user terminal according to claim 29, wherein the activation unit is specifically configured to:
    在所述接收单元接收到所述第一策略规则后,若所述授权文件中允许设置策略规则的运营商的信息中不包含所述第一运营商的信息,则启动所述定时器;After the receiving, by the receiving unit, the first policy rule, if the information of the operator that allows the setting of the policy rule in the authorization file does not include the information of the first carrier, the timer is started;
    所述接收单元,还用于在所述启动单元启动的所述定时器的定时时间内等待接收所述推送服务器发送的授权文件。The receiving unit is further configured to wait to receive an authorization file sent by the push server within a timing time of the timer that is initiated by the startup unit.
  31. 根据权利要求26-30中任一项所述的用户终端,其特征在于,所述至少一个策略规则至少包括:签约信息集不允许删除、签约信息集不允许去激活以及签约信息集去激活后应删除中的至少一项;The user terminal according to any one of claims 26 to 30, wherein the at least one policy rule comprises at least: the subscription information set is not allowed to be deleted, the subscription information set is not allowed to be deactivated, and the subscription information set is deactivated. At least one of them should be deleted;
    其中,所述至少一个策略规则包括所述第一策略规则。The at least one policy rule includes the first policy rule.
  32. 根据权利要求26-30中任一项所述的用户终端,其特征在于,所述接收单元,还用于接收所述第一策略规则的有效时间,所述第一策略规则的有效时间用于限定所述第一策略规则的生效时间。The user terminal according to any one of claims 26 to 30, wherein the receiving unit is further configured to receive a valid time of the first policy rule, where a valid time of the first policy rule is used The effective time of the first policy rule is defined.
  33. 根据权利要求32所述的用户终端,其特征在于,还包括:The user terminal according to claim 32, further comprising:
    安装单元,用于在所述用户终端安装所述第一签约信息集; An installation unit, configured to install the first subscription information set on the user terminal;
    第一激活单元,用于激活所述安装单元安装的所述第一签约信息集;a first activation unit, configured to activate the first subscription information set installed by the installation unit;
    第一提示单元,用于当所述安装单元成功安装所述第一签约信息集或者所述第一激活单元激活所述第一签约信息集后,向用户提示所述第一策略规则和所述第一策略规则的有效时间。a first prompting unit, configured to: when the installation unit successfully installs the first subscription information set or the first activation unit activates the first subscription information set, prompting the user with the first policy rule and the The effective time of the first policy rule.
  34. 根据权利要求26-30中任一项所述的用户终端,其特征在于,所述授权文件中还包含允许运营商设置所述至少一个策略规则的有效时间,允许运营商设置所述至少一个策略规则中任一策略规则的有效时间用于限定运营商具备设置所述任一策略规则的权限的时间;The user terminal according to any one of claims 26 to 30, wherein the authorization file further includes an effective time for allowing the operator to set the at least one policy rule, allowing the operator to set the at least one policy. The effective time of any policy rule in the rule is used to limit the time when the operator has the right to set any of the above policy rules;
    所述用户终端,还包括:The user terminal further includes:
    第二激活单元,用于激活所述第一策略规则;a second activation unit, configured to activate the first policy rule;
    判断单元,用于当所述第二激活单元激活所述第一策略规则时,判断当前时间是否在所述授权文件中包含的允许所述第一运营商设置所述第一策略规则的有效时间内;a determining unit, configured to determine, when the second activation unit activates the first policy rule, whether the current time is in a valid time that is allowed in the authorization file to allow the first operator to set the first policy rule Inside;
    禁止单元,用于若所述判断单元判断所述当前时间超过允许所述第一运营商设置所述第一策略规则的有效时间,则禁止激活所述第一策略规则。The prohibiting unit is configured to prohibit activation of the first policy rule if the determining unit determines that the current time exceeds a valid time for allowing the first operator to set the first policy rule.
  35. 根据权利要求26-30中任一项所述的用户终端,其特征在于,所述接收单元,还用于在接收到所述服务器发送的授权文件之后,接收所述第一运营商的功能实体发送的策略规则解除请求消息,所述策略规则解除请求消息中携带有所述第一运营商的信息和待解除的策略规则;The user terminal according to any one of claims 26 to 30, wherein the receiving unit is further configured to: after receiving the authorization file sent by the server, receive the functional entity of the first operator a policy rule release request message that is sent, where the policy rule release request message carries the information of the first operator and the policy rule to be released;
    所述用户终端,还包括:The user terminal further includes:
    删除单元,用于若所述授权文件中包含的所述待解除的策略规则对应、允许设置所述待解除的策略规则的运营商的信息中包含所述第一运营商的信息,则删除所述授权文件中包含的所述待解除的策略规则对应的、允许设置所述待解除的策略规则的运营商的信息中的所述第一运营商的信息。 a deleting unit, configured to delete, if the information of the operator that is to be released from the policy rule that is to be released in the authorization file is The information of the first operator in the information of the operator that is allowed to set the policy rule to be released corresponding to the policy rule to be released, which is included in the authorization file.
  36. 根据权利要求26-30中任一项所述的用户终端,其特征在于,在所述接收单元接收到所述服务器发送的授权文件之后,所述删除单元,还用于在所述安装单元成功安装所述第一签约信息集后,删除所述授权文件中包含的所述第一策略规则对应的、允许设置所述第一策略规则的运营商的信息中的所述第一运营商的信息;The user terminal according to any one of claims 26 to 30, wherein after the receiving unit receives the authorization file sent by the server, the deleting unit is further used to succeed in the installing unit. After the first contract information set is installed, the information of the first operator in the information of the operator that is allowed to set the first policy rule corresponding to the first policy rule that is included in the authorization file is deleted. ;
    或者,or,
    在所述安装单元成功安装所述第一签约信息集后,删除所述用户终端中保存的包含所述第一运营商的信息的授权文件。After the installation unit successfully installs the first subscription information set, the authorization file stored in the user terminal and containing the information of the first operator is deleted.
  37. 根据权利要求22-30中任一项所述的用户终端,其特征在于,所述安装单元,还用于在所述用户终端中安装所述第二签约信息集;The user terminal according to any one of claims 22 to 30, wherein the installation unit is further configured to install the second subscription information set in the user terminal;
    所述第一激活单元,还用于激活所述安装单元安装的所述第二签约信息集;The first activation unit is further configured to activate the second subscription information set installed by the installation unit;
    所述用户终端,还包括:The user terminal further includes:
    检查单元,用于在所述第一激活单元激活所述第二签约信息集之前,若确定第二策略规则为签约信息集不允许去激活,则检查所述授权文件,所述第二签约信息集归属于第二运营商,所述第二策略规则为所述第二运营商设置的与所述第二签约信息集关联的策略规则;a checking unit, configured to check the authorization file, the second subscription information, if it is determined that the second policy rule does not allow deactivation of the subscription information set before the first activation unit activates the second subscription information set The set belongs to the second operator, and the second policy rule is a policy rule that is set by the second operator and is associated with the second subscription information set;
    第二提示单元,用于若所述授权文件中包含的所述第二策略规则对应的、允许设置所述第二策略规则的运营商的信息中包含第三运营商的信息,则发出提示信息,所述第三运营商包括除所述第二运营商之外的任一运营商;a second prompting unit, configured to send a prompt message if the information of the operator that is required to set the second policy rule corresponding to the second policy rule included in the authorization file includes information of the third carrier The third operator includes any operator other than the second operator;
    其中,所述提示信息至少包括:激活所述第二签约信息集将无法下载所述第三运营商的签约信息集或者激活所述第二签约信息集将无法下载所述第三运营商的签约信息集和所述第三运营商的信息。The prompt information at least includes: the activation of the second subscription information set will not be able to download the subscription information set of the third operator or the activation of the second subscription information set will not be able to download the subscription of the third operator. Information set and information of the third operator.
  38. 一种服务器,其特征在于,包括:A server, comprising:
    获取单元,用于获得授权文件,所述授权文件与用户终端上的 嵌入式通用集成电路卡eUICC的EID对应,所述授权文件中包含所述eUICC的eUICC标识EID、至少一个策略规则和与所述至少一个策略规则中每个策略规则对应的、允许设置该策略规则的运营商的信息;An obtaining unit, configured to obtain an authorization file, and the authorization file and the user terminal Corresponding to the EID of the embedded universal integrated circuit card (eUICC), the authorization file includes an eUICC identifier EID of the eUICC, at least one policy rule, and a policy rule corresponding to each of the at least one policy rule. Carrier information;
    发送单元,用于向所述用户终端发送所述获取单元获得的所述授权文件。And a sending unit, configured to send, to the user terminal, the authorization file obtained by the acquiring unit.
  39. 根据权利要求38所述的服务器,其特征在于,所述服务器为签约管理-业务发现服务器SM-DS;The server according to claim 38, wherein the server is a subscription management-service discovery server SM-DS;
    所述服务器,还包括:The server further includes:
    接收单元,用于接收所述用户终端发送的轮询消息,所述轮询消息中携带有所述用户终端上的eUICC的EID;a receiving unit, configured to receive a polling message sent by the user terminal, where the polling message carries an EID of an eUICC on the user terminal;
    所述发送单元,具体用于:The sending unit is specifically configured to:
    向所述用户终端发送所述轮询消息的响应消息,所述轮询消息的响应消息中携带有与所述轮询消息中携带的EID对应的授权文件。Sending a response message of the polling message to the user terminal, where the response message of the polling message carries an authorization file corresponding to the EID carried in the polling message.
  40. 根据权利要求38所述的服务器,其特征在于,所述服务器为推送服务器;The server according to claim 38, wherein said server is a push server;
    所述服务器,还包括:The server further includes:
    确定单元,用于在所述获取单元获得所述授权文件之后,根据所述推送服务器中保存的EID与所述推送服务器为所述用户终端中的本地文件助手LPA生成的口令的对应关系,确定与所述授权文件对应的EID对应的口令,所述用户终端中包含至少一个LPA;a determining unit, configured to determine, according to the correspondence between the EID saved in the push server and the password generated by the push server for the local file assistant LPA in the user terminal, after the obtaining unit obtains the authorization file a password corresponding to the EID corresponding to the authorization file, the user terminal includes at least one LPA;
    所述发送单元,具体用于:The sending unit is specifically configured to:
    向用户终端发送所述获取单元获得的所述授权文件和所述确定单元确定的所述与所述授权文件对应的EID对应的口令。Sending, to the user terminal, the authorization file obtained by the obtaining unit and the password corresponding to the EID corresponding to the authorization file determined by the determining unit.
  41. 根据权利要求40所述的服务器,其特征在于,所述接收单元,还用于在所述发送单元向所述用户终端发送所述获取单元获得的所述授权文件之前,接收所述用户终端发送的注册请求,所述注册请求中携带有LPA标识和所述用户终端上的eUICC的EID; The server according to claim 40, wherein the receiving unit is further configured to: before the sending unit sends the authorization file obtained by the acquiring unit to the user terminal, receive the sending by the user terminal a registration request, the registration request carrying an LPA identifier and an EID of the eUICC on the user terminal;
    所述服务器,还包括:The server further includes:
    分配单元,用于为所述接收单元接收到的所述注册请求中携带的LPA标识所指示的LPA分配口令;An allocating unit, configured to allocate a password for the LPA indicated by the LPA identifier carried in the registration request received by the receiving unit;
    保存单元,用于保存所述分配单元为所述LPA标识所指示的LPA分配的口令与所述接收单元接收到的所述注册请求中携带的EID的对应关系。And a saving unit, configured to save a correspondence between a password allocated by the allocation unit for the LPA indicated by the LPA identifier and an EID carried in the registration request received by the receiving unit.
  42. 根据权利要求41所述的服务器,其特征在于,所述发送单元,还用于在所述分配单元为所述接收单元接收到的所述注册请求中携带的LPA标识所指示的LPA分配口令之后,向所述用户终端发送所述注册请求的响应消息,所述注册请求的响应消息中携带有所述推送服务器为所述LPA标识所指示的LPA分配的口令。The server according to claim 41, wherein the sending unit is further configured to: after the assigning unit allocates a password to the LPA indicated by the LPA identifier carried in the registration request received by the receiving unit Sending, by the user terminal, a response message of the registration request, where the response message of the registration request carries a password allocated by the push server for the LPA indicated by the LPA identifier.
  43. 一种用户终端,其特征在于,所述用户终端包括:一个或多个处理器、存储器、总线和收发器;A user terminal, characterized in that the user terminal comprises: one or more processors, a memory, a bus and a transceiver;
    所述存储器用于存储计算机执行指令,所述处理器与所述存储器通过所述总线连接,当所述用户终端运行时,所述处理器执行所述存储器存储的所述计算机执行指令,以使所述用户终端执行如权利要求1-16任意一项所述的获取授权文件的方法。The memory is configured to store a computer execution instruction, the processor is connected to the memory through the bus, and when the user terminal is running, the processor executes the computer execution instruction stored in the memory, so that The user terminal performs the method of obtaining an authorization file according to any one of claims 1-16.
  44. 一种服务器,其特征在于,所述服务器包括:一个或多个处理器、存储器、总线和收发器;A server, comprising: one or more processors, a memory, a bus, and a transceiver;
    所述存储器用于存储计算机执行指令,所述处理器与所述存储器通过所述总线连接,当所述服务器运行时,所述处理器执行所述存储器存储的所述计算机执行指令,以使所述服务器执行如权利要求17-21任意一项所述的获取授权文件的方法。 The memory is configured to store a computer execution instruction, the processor is connected to the memory through the bus, and when the server is running, the processor executes the computer execution instruction stored in the memory to make The server performs the method of obtaining an authorization file according to any one of claims 17-21.
PCT/CN2016/108094 2016-11-30 2016-11-30 Method and device for acquiring authorization file WO2018098713A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201680058539.XA CN108235821B (en) 2016-11-30 2016-11-30 Method and device for obtaining authorization file
PCT/CN2016/108094 WO2018098713A1 (en) 2016-11-30 2016-11-30 Method and device for acquiring authorization file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/108094 WO2018098713A1 (en) 2016-11-30 2016-11-30 Method and device for acquiring authorization file

Publications (1)

Publication Number Publication Date
WO2018098713A1 true WO2018098713A1 (en) 2018-06-07

Family

ID=62240973

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/108094 WO2018098713A1 (en) 2016-11-30 2016-11-30 Method and device for acquiring authorization file

Country Status (2)

Country Link
CN (1) CN108235821B (en)
WO (1) WO2018098713A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112561542A (en) * 2020-12-21 2021-03-26 华帝股份有限公司 Equipment accessory authenticity identification method and system
CN112954694A (en) * 2019-11-26 2021-06-11 上海华为技术有限公司 Method, device and equipment for processing subscription information
CN113541965A (en) * 2021-01-27 2021-10-22 支付宝(杭州)信息技术有限公司 Block chain-based communication authorization method, device, equipment and storage medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109688576B (en) * 2018-11-13 2022-05-27 东信和平科技股份有限公司 Method and system for intelligently downloading Profile
CN110856160B (en) * 2019-09-30 2021-08-27 恒宝股份有限公司 Method and device for expanding application of embedded universal integrated circuit card
CN111935697B (en) * 2020-08-06 2022-08-19 中国联合网络通信集团有限公司 eSIM discovery service method, discovery server and eSIM terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104703170A (en) * 2013-12-05 2015-06-10 华为终端有限公司 Methods and equipment for downloading file of operator
CN104823408A (en) * 2012-12-06 2015-08-05 高通股份有限公司 Management of network devices utilizing authorization token
US20150303966A1 (en) * 2014-04-22 2015-10-22 Samsung Electronics Co., Ltd. Method and apparatus for provisioning profiles
WO2016004570A1 (en) * 2014-07-07 2016-01-14 华为技术有限公司 Authorization method and apparatus for management of embedded universal integrated circuit card

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1277383C (en) * 2003-10-24 2006-09-27 华为技术有限公司 Refresh method for authorizing information in radio local area network
US20150381597A1 (en) * 2005-01-31 2015-12-31 Unisys Corporation Enterprise management for secure network communications over ipsec
US20140141746A1 (en) * 2012-11-20 2014-05-22 Khiam Yong Tan Subscriber identity systems, servers, methods for controlling a subscriber identity system, and methods for controlling a server
CN104703199B (en) * 2013-12-05 2018-05-11 华为终端(东莞)有限公司 Management method, relevant device and the system of universal embedded integrated circuit card
US20160352698A1 (en) * 2013-12-05 2016-12-01 Huawei Device Co., Ltd. Security control method for euicc and euicc
CN105516219B (en) * 2014-09-24 2018-12-18 中国电信股份有限公司 Method, system and the card management server of embedded smart card security deactivation
CN105188049B (en) * 2015-09-30 2017-12-12 宇龙计算机通信科技(深圳)有限公司 A kind of virtual SIM card service authorizing method, terminal, server and system
CN105792178A (en) * 2016-04-29 2016-07-20 宇龙计算机通信科技(深圳)有限公司 Method of generating and acquiring authorization used for deleting ISD-P domain and apparatus thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104823408A (en) * 2012-12-06 2015-08-05 高通股份有限公司 Management of network devices utilizing authorization token
CN104703170A (en) * 2013-12-05 2015-06-10 华为终端有限公司 Methods and equipment for downloading file of operator
US20150303966A1 (en) * 2014-04-22 2015-10-22 Samsung Electronics Co., Ltd. Method and apparatus for provisioning profiles
WO2016004570A1 (en) * 2014-07-07 2016-01-14 华为技术有限公司 Authorization method and apparatus for management of embedded universal integrated circuit card

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112954694A (en) * 2019-11-26 2021-06-11 上海华为技术有限公司 Method, device and equipment for processing subscription information
CN112561542A (en) * 2020-12-21 2021-03-26 华帝股份有限公司 Equipment accessory authenticity identification method and system
CN113541965A (en) * 2021-01-27 2021-10-22 支付宝(杭州)信息技术有限公司 Block chain-based communication authorization method, device, equipment and storage medium
CN113541965B (en) * 2021-01-27 2024-04-09 支付宝(杭州)信息技术有限公司 Communication authorization method, device, equipment and storage medium based on blockchain

Also Published As

Publication number Publication date
CN108235821A (en) 2018-06-29
CN108235821B (en) 2020-05-08

Similar Documents

Publication Publication Date Title
WO2018098713A1 (en) Method and device for acquiring authorization file
US10425818B2 (en) Enforcing service policies in embedded UICCs
USRE49585E1 (en) Certificate based profile confirmation
US9043898B2 (en) Access management system
US11689575B2 (en) Network access by applications in an enterprise managed device system
US10645557B2 (en) Transferable ownership tokens for discrete, identifiable devices
US20160048688A1 (en) Restricting System Calls using Protected Storage
US10187386B2 (en) Native enrollment of mobile devices
WO2018094581A1 (en) Method for installing subscription profile, terminal and server
WO2019237542A1 (en) Application login method and apparatus for electronic device, and electronic device and medium
CN115203653A (en) Associating user accounts with enterprise workspaces
CN109196891B (en) Method, terminal and server for managing subscription data set
US9858400B2 (en) Information processing system, terminal, and authentication method
JP5667817B2 (en) Application management system
CN104969176B (en) Method, device and medium for managing access of application to certificate and secret key
CN110474945B (en) Data downloading and managing method and terminal
CN106576239B (en) Method and device for managing content in security unit
CN109076126A (en) Permission update method and terminal device
CN111046383B (en) Terminal attack defense method and device, terminal and cloud server
WO2021073440A1 (en) Access control method and device for embedded universal integrated circuit card, and storage medium
US20220182385A1 (en) Cross-endpoint enterprise application authorization and management
CN113032750A (en) Authority management method, device, electronic equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16922713

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16922713

Country of ref document: EP

Kind code of ref document: A1