Shadow Credentials
Shadow credentials stand ready to take over for credentials that expire. You define when the shadow credential takes effect.
You can assign a shadow credential to any private key or certificate if all of the following conditions are met:
- The valid time period for the shadow and base credentials overlap
- Shadow and base credentials are both valid at the time you assign the shadow
- Both credentials are still valid at the time when the shadow credential is to take effect
TIBCO BusinessConnect Container Edition supports keeping shadow credentials on standby for when the primary configured credential is about to expire. Activation of the shadow credential can be set at the participant level, and it takes effect on the date that is specified.
The following terms and definitions are used to describe when the shadow credential gets picked for different usages:
To understand which credentials get picked for different operations, see the following table:
Usage Description | Message Flow Direction | Credential Used: Original Credential Period | Credential Used: Overlay Period | Credential Used: Shadow Credential Period |
---|---|---|---|---|
Message signing, encryption | Outbound to Partner | Original credential used | Shadow credential used only | Shadow credential only |
Message authentication and decryption | Inbound message from partner | Original credential used | Shadow credential used first, if it fails the original credential is tried | Shadow credential only |
This behavior is valid for protocols that support plain Email/AS1/AS2 SMIME messaging. Check the appropriate protocol documentation for behavior of SMIME message processing other than plain Email/AS1/AS2.
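
The assignment conditions and the selection table above, modelled as an added example (not TIBCO code or the product's API) for checking a rollover plan before the dates are configured. The period boundaries are an assumption, since the page does not show the definitions: the overlay period is taken to run from the shadow's effective date until the original credential expires. All names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Credential:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def can_assign_shadow(base, shadow, assigned_at, effective_at):
    """Check the three assignment conditions listed on the page."""
    overlap = (base.not_before <= shadow.not_after
               and shadow.not_before <= base.not_after)
    valid_at_assignment = base.valid_at(assigned_at) and shadow.valid_at(assigned_at)
    valid_at_switch = base.valid_at(effective_at) and shadow.valid_at(effective_at)
    return overlap and valid_at_assignment and valid_at_switch


def period(base, effective_at, now):
    # Assumed boundaries (not defined on the page):
    # original < effective_at <= overlay <= base expiry < shadow
    if now < effective_at:
        return "original"
    return "overlay" if now <= base.not_after else "shadow"


def credentials_to_try(base, shadow, effective_at, now, direction):
    """Ordered credential names per the table; direction is 'outbound' or 'inbound'."""
    p = period(base, effective_at, now)
    if p == "original":
        return [base.name]
    if p == "overlay" and direction == "inbound":
        # Inbound authentication/decryption: shadow first, original as fallback.
        return [shadow.name, base.name]
    # Outbound signing/encryption after the effective date, and everything
    # in the shadow period, uses the shadow credential only.
    return [shadow.name]


# Constructed sample rollover plan.
BASE = Credential("base", datetime(2023, 1, 1), datetime(2024, 12, 31))
SHADOW = Credential("shadow", datetime(2024, 10, 1), datetime(2026, 9, 30))
EFFECTIVE = datetime(2024, 12, 1)
```

The outbound overlay result is the one to plan around: from the effective date onward the partner receives messages signed or encrypted with the shadow credential only, so the partner must already hold it by then.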