Secure Private Access (ZPA)

Disabling Password Expiration for STIG-Hardened ZPA Private Service Edge Images

This article applies to Security Technical Implementation Guide (STIG) images that were released on November 24, 2024, and December 12, 2024. STIG images released after these dates are not affected.

If you're using an affected STIG image, passwords automatically expire every 60 days for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, or 95 days (60 days + a 35-day grace period) for VMware.

If the password expires before you change it or disable expiration, admin access to the ZPA Private Service Edge is no longer available. Once admin access has expired, the only recovery method is to deploy a new ZPA Private Service Edge.

STIG-hardened prebuilt Private Service Edge images affected by password expiration were released on:

  • AWS and GCP: November 24, 2024
  • Azure and VMware: December 12, 2024

To verify if an image is STIG-hardened:

  1. Go to the Private Service Edge page in the ZPA Admin Portal.
  2. Expand the row for a Private Service Edge in the table.
  3. Under Private Service Edge Host Platform, check the ZSIVersion value. If it shows ZSIVersion: 2024.11 or ZSIVersion: 2024.12, the image is STIG-hardened.

Example STIG-hardened image with ZSIVersion: 2024.11.



Zscaler recommends using one of these methods for passwords:

    • Disable the password expiration:
      1. Enter the following command (replacing admin with your admin username):

        [admin@zpa-service-edge ~]$ sudo chage -M -1 admin
      2. Verify that the password is set to never expire.

        [admin@zpa-service-edge ~]$ sudo chage -l admin
        Last password change                               : Feb 18, 2025
        Password expires                                   : never
        Password inactive                                  : never
        Account expires                                    : never
        Minimum number of days between password change     : 1
        Maximum number of days between password change     : -1
        Number of days of warning before password expires  : 7
    • Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 days.
    • Disable the password expiration by entering the following command (replacing admin with your admin username):

      $ sudo chage -M -1 admin
    • Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 or 95 days.
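
For instances that keep expiration enabled and rely on renewal, the following added example (not Zscaler code) reads `chage -l` output in the format shown above and reports how many days remain before the password expires, so the account can be renewed before admin access is lost. The function names, the 14-day warning threshold, and the sample data are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Zscaler code. Function names and the 14-day default
# warning threshold are assumptions made for illustration.

# chage_days_left TODAY   (reads `chage -l <user>` output on stdin)
# TODAY uses the same format as chage, e.g. "Apr 01, 2025".
# Prints "never" or days until expiry (negative = already expired).
chage_days_left() {
  awk -v today="$1" '
    # "Mon DD, YYYY" -> days since 1970-01-01 (standard civil-date formula)
    function to_days(s,   p, y, m, d, era, yoe, doy) {
      gsub(/,/, "", s); split(s, p, " ")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[1]) + 2) / 3
      d = p[2] + 0; y = p[3] + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    /^[ \t]*Password expires/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
      if ($0 == "never") print "never"; else print to_days($0) - to_days(today)
      found = 1
    }
    END { if (!found) exit 2 }   # field missing: input is not chage -l output
  '
}

# expiry_state TODAY [WARN_DAYS] -> never | ok | warn | expired | unknown
expiry_state() {
  local left
  left=$(chage_days_left "$1") || { echo unknown; return 0; }
  if [ "$left" = never ]; then echo never
  elif [ "$left" -lt 0 ]; then echo expired
  elif [ "$left" -le "${2:-14}" ]; then echo warn
  else echo ok
  fi
}

# Constructed sample: an account still on the 60-day policy.
SAMPLE_60DAY='Last password change                               : Feb 18, 2025
Password expires                                   : Apr 19, 2025
Maximum number of days between password change     : 60'

# On the instance (assumes English month names in both outputs):
#   sudo chage -l admin | expiry_state "$(date "+%b %d, %Y")"
```

A result of `warn` or `expired` means the password should be renewed with `passwd` immediately; `never` confirms that `chage -M -1` took effect.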
