Shadow Credentials

Shadow credentials stand ready to take over from credentials that are about to expire. You define when the shadow credential takes effect.

You can assign a shadow credential to any private key or certificate if all of the following criteria are met:

  • The valid time period for the shadow and base credentials overlap
  • Shadow and base credentials are both valid at the time you assign the shadow
  • Both credentials are still valid at the time when the shadow credential is to take effect

Note: You cannot assign a shadow credential to another shadow credential. After the shadow credential takes effect, it is still a shadow credential: you have to remove or update the original credential and remove or promote the shadow credential. A shadow credential is used during the overlay and shadow credential periods for the SSL/TLS handshake of the HTTPS and HTTPSCA transports and for client authentication.

TIBCO BusinessConnect Container Edition supports shadow credentials that stand by to replace the primary configured credential when it is about to expire. The activation date of a shadow credential is set at the participant level, and the shadow credential takes effect on the date specified.

The following terms and definitions describe when a shadow credential is selected for different usages:

Original credential period
The period from the date the original credential was uploaded until the day before the activation date set for the shadow credential.
Overlay period
Applicable only when a shadow credential is associated with the original credential. The period from the activation date of the shadow credential until the original credential expires.
Shadow credential period
The period that starts when the original certificate expires and lasts until the shadow credential expires.

To understand which credential is selected for each operation, see the following table:

Type of Credential Used During Different Periods

| Usage | Message Flow Direction | Original Credential Period | Overlay Period | Shadow Credential Period |
|---|---|---|---|---|
| Message signing, encryption | Outbound to partner | Original credential used | Shadow credential used only | Shadow credential only |
| Message authentication and decryption | Inbound message from partner | Original credential used | Shadow credential used first; if it fails, the original credential is tried | Shadow credential only |
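The following added example, which is not code from TIBCO BusinessConnect Container Edition, models the three assignment rules, the three periods and the selection table above as plain functions so the timeline can be checked before a shadow credential is configured. The `Credential` class, the sample dates and the `try_verify` callback are constructed for illustration; the product's real credential objects and verification calls are not represented.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Credential:
    """Constructed model of a private key or certificate: a name and a validity window."""
    name: str
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def can_assign_shadow(base: Credential, shadow: Credential,
                      assign_time: datetime, activation: datetime) -> tuple[bool, str]:
    """The three assignment rules from the page, checked in order. Returns (ok, reason)."""
    # Rule 1: the validity periods of the shadow and base credentials overlap.
    if max(base.not_before, shadow.not_before) > min(base.not_after, shadow.not_after):
        return False, "validity periods do not overlap"
    # Rule 2: both are valid at the moment the shadow is assigned.
    if not (base.is_valid_at(assign_time) and shadow.is_valid_at(assign_time)):
        return False, "both credentials must be valid at assignment time"
    # Rule 3: both are still valid on the activation date.
    if not (base.is_valid_at(activation) and shadow.is_valid_at(activation)):
        return False, "both credentials must be valid at the activation date"
    return True, "ok"


def period_at(t: datetime, original: Credential, upload_date: datetime,
              shadow: Optional[Credential], activation: Optional[datetime]) -> Optional[str]:
    """Classify t as 'original', 'overlay' or 'shadow' per the page's definitions, else None."""
    if shadow is None or activation is None:
        # No shadow assigned: only the original credential exists.
        return "original" if upload_date <= t <= original.not_after else None
    if upload_date <= t < activation:
        return "original"          # upload date up to the day before activation
    if activation <= t <= original.not_after:
        return "overlay"           # activation date until the original expires
    if original.not_after < t <= shadow.not_after:
        return "shadow"            # original expired, shadow still valid
    return None


def outbound_credential(period: str, original: Credential,
                        shadow: Optional[Credential]) -> Credential:
    """Signing/encryption of outbound messages: original first, then shadow only."""
    if period == "original":
        return original
    if period in ("overlay", "shadow") and shadow is not None:
        return shadow
    raise ValueError(f"no credential available in period {period!r}")


def inbound_candidates(period: str, original: Credential,
                       shadow: Optional[Credential]) -> list[Credential]:
    """Authentication/decryption of inbound messages, in the order the table tries them."""
    if period == "original":
        return [original]
    if period == "overlay":
        # Shadow first; fall back to the original if verification with the shadow fails.
        return [c for c in (shadow, original) if c is not None]
    if period == "shadow":
        return [shadow] if shadow is not None else []
    return []


def verify_inbound(period: str, original: Credential, shadow: Optional[Credential],
                   try_verify: Callable[[Credential], bool]) -> Optional[str]:
    """Return the name of the first candidate for which try_verify succeeds, or None."""
    for cred in inbound_candidates(period, original, shadow):
        if try_verify(cred):
            return cred.name
    return None


# Constructed sample timeline (not from the page): an original certificate expiring
# at the end of 2024, a shadow assigned on 1 July and activated on 1 October 2024.
ORIGINAL = Credential("original-2024", datetime(2024, 1, 1), datetime(2024, 12, 31))
SHADOW = Credential("shadow-2025", datetime(2024, 6, 1), datetime(2025, 6, 1))
LATE_SHADOW = Credential("shadow-too-late", datetime(2025, 1, 1), datetime(2026, 1, 1))
UPLOAD = datetime(2024, 1, 15)
ASSIGN = datetime(2024, 7, 1)
ACTIVATION = datetime(2024, 10, 1)

# Sample instants, one inside each period and one after everything has expired.
T_ORIGINAL = datetime(2024, 8, 1)
T_OVERLAY = datetime(2024, 11, 1)
T_SHADOW = datetime(2025, 3, 1)
T_EXPIRED = datetime(2025, 9, 1)
```

The `try_verify` callback stands in for whatever signature or decryption check the transport performs; during the overlay period `verify_inbound` reproduces the table's "shadow first, then original" fallback, and once the original has expired only the shadow is attempted.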

This behavior applies to protocols that support plain Email/AS1/AS2 SMIME messaging. For SMIME message processing other than plain Email/AS1/AS2, check the documentation of the respective protocol.