Secure Private Access (ZPA)
Disabling Password Expiration for STIG-Hardened ZPA Private Service Edge Images
This article applies to Security Technical Implementation Guide (STIG) images that were released on November 24, 2024, and December 12, 2024. STIG images released after these dates are not affected.
If you're using an affected STIG image, passwords automatically expire every 60 days for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, or 95 days (60 days + a 35-day grace period) for VMware.
If the password expires before you change it or disable expiration, admin access to a ZPA Private Service Edge is no longer available. When admin access expires, the only recovery method is to deploy a new ZPA Private Service Edge.
STIG-hardened prebuilt Private Service Edge images affected by password expiration were released on:
- AWS and GCP: November 24, 2024
- Azure and VMware: December 12, 2024
To verify if an image is STIG-hardened:
- Go to the Private Service Edge page in the ZPA Admin Portal.
- Expand the row for a Private Service Edge in the table.
- Under Private Service Edge Host Platform, if you see ZSIVersion: 2024.11 or ZSIVersion: 2024.12 for the ZSIVersion, the image is STIG-hardened.
Zscaler recommends using one of these methods for passwords:
- Disable or set a password for AWS, GCP, and Azure.
  - Disable the password expiration:
    Enter the following command (replacing admin with your admin username):
    [admin@zpa-service-edge ~]$ sudo chage -M -1 admin
    Verify that the password is set to never expire.
    [admin@zpa-service-edge ~]$ sudo chage -l admin
    Last password change : Feb 18, 2025
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 1
    Maximum number of days between password change : -1
    Number of days of warning before password expires : 7
  - Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 days.
- Disable or set a password for VMware.
  - Disable the password expiration by entering the following command (replacing admin with your admin username):
    $ sudo chage -M -1 admin
  - Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 or 95 days.
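
To audit how close an admin account is to expiry and lockout, the following added example (not Zscaler's code) reads one shadow(5) entry and reports the days remaining. The function name, the sample entries, the mapping of the grace period to the shadow inactivity field, and the 10000-day "never" threshold are assumptions.

```shell
#!/bin/sh
# Added example (not Zscaler code): password-aging audit for one shadow(5) entry.
# Fields used: 3 = last change, 5 = maximum age, 7 = inactivity (grace) days,
# all counted in days; field 3 is days since 1970-01-01.

# aging_status SHADOW_LINE TODAY_DAYS
# Prints "never", "must-change", or "expires_in=N lockout_in=M".
# A negative N means the password has already expired.
aging_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        lastchg = $3; max = $5; inactive = $7
        # 0 in field 3 forces a password change at the next login.
        if (lastchg == "0") { print "must-change"; exit }
        # Empty or negative maximum (what "chage -M -1" leaves behind) disables
        # expiry. Assumption: values >= 10000 are also treated as "never".
        if (lastchg == "" || max == "" || max + 0 < 0 || max + 0 >= 10000) {
            print "never"; exit
        }
        expires_in = lastchg + max - today
        # Assumption: the grace period is the shadow inactivity field.
        lockout_in = (inactive == "" || inactive + 0 < 0) ? "none" : expires_in + inactive
        printf "expires_in=%d lockout_in=%s\n", expires_in, lockout_in
    }'
}

# Constructed sample entries and a fixed "today" so the output is reproducible.
today=20180
aging_status 'admin:!:20137:1:60:7:35::' "$today"   # 60-day expiry, 35-day grace
aging_status 'admin:!:20137:1:-1:7:::' "$today"     # expiration disabled

# On a live host (assumed usage, needs root to read the shadow database):
#   aging_status "$(sudo getent shadow admin)" "$(( $(date +%s) / 86400 ))"
```

A small or negative expires_in on an affected image means the chage or passwd step above should be run before admin access is lost.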