Shadow Credentials
Shadow credentials stand ready to take over from credentials that expire. You define when the shadow credential takes effect.
You can assign a shadow credential to any private key or certificate if all of the following criteria are met:
- The valid time period for the shadow and base credentials overlap
- Shadow and base credentials are both valid at the time you assign the shadow
- Both credentials are still valid at the time when the shadow credential is to take effect
TIBCO BusinessConnect Container Edition supports shadow credentials so that a replacement is on standby whenever the primary configured credential is about to expire. The activation of the shadow credential is set at the participant level, and it takes effect on the date that is specified.
The following terms and definitions describe when the shadow credential gets picked for different usages:
- Original credential period: the period from the date when the original credential was uploaded up to the day before the activation date set for the shadow credential.
- Overlay period: applicable only when a shadow credential is associated with the original credential. It is the period from the activation date of the shadow credential to the end of the original credential's validity (its expiration time).
- Shadow credential period: the period that starts when the original certificate expires and lasts until the shadow credential expires.
To understand which credential gets picked for different operations, see the following table. The last three columns give the type of credential used during each period:

| Usage Description | Message Flow Direction | Original Credential Period | Overlay Period | Shadow Credential Period |
|---|---|---|---|---|
| Message signing, encryption | Outbound to partner | Original credential used | Shadow credential used only | Shadow credential used only |
| Message authentication and decryption | Inbound message from partner | Original credential used | Shadow credential used first; if it fails, the original credential is tried | Shadow credential used only |
This behavior is valid for protocols that support plain Email/AS1/AS2 SMIME messaging. Check the appropriate protocol documentation for behavior of SMIME message processing other than plain Email/AS1/AS2.
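The following is an added example, not code from TIBCO BusinessConnect Container Edition. It models the assignment preconditions and the period-based selection from the table above, with constructed validity dates and hypothetical names (`Credential`, `credentials_to_try`), so an operator can check which credential a given date and direction would resolve to before the activation date arrives.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Credential:
    name: str
    not_before: date  # start of validity (constructed sample data below)
    not_after: date   # expiration date, inclusive


def is_valid_on(cred: Credential, day: date) -> bool:
    return cred.not_before <= day <= cred.not_after


def can_assign_shadow(original: Credential, shadow: Credential,
                      assign_date: date, activation: date) -> bool:
    """The three assignment criteria: validity periods overlap, both are
    valid when the shadow is assigned, both are valid at activation."""
    overlap = (shadow.not_before <= original.not_after
               and original.not_before <= shadow.not_after)
    both_valid_now = is_valid_on(original, assign_date) and is_valid_on(shadow, assign_date)
    both_valid_at_activation = is_valid_on(original, activation) and is_valid_on(shadow, activation)
    return overlap and both_valid_now and both_valid_at_activation


def period(day: date, original: Credential, activation: date) -> str:
    """Classify a date as original, overlay or shadow credential period."""
    if day < activation:
        return "original"          # before the shadow's activation date
    if day <= original.not_after:
        return "overlay"           # activated, original not yet expired
    return "shadow"                # original has expired


def credentials_to_try(day: date, original: Credential, shadow: Credential,
                       activation: date, direction: str) -> list[str]:
    """Ordered credential names to use, per the selection table.
    direction is 'outbound' (sign/encrypt) or 'inbound' (verify/decrypt)."""
    p = period(day, original, activation)
    if p == "original":
        return [original.name]
    if p == "shadow":
        return [shadow.name]
    # Overlay period: outbound uses the shadow only; inbound tries the
    # shadow first and falls back to the original if that fails.
    return [shadow.name] if direction == "outbound" else [shadow.name, original.name]
```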