
Disabling Password Expiration for STIG-Hardened Private Service Edge Images

If you're using an image that supports Security Technical Implementation Guide (STIG) compliance, passwords automatically expire every 60 days for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, or 95 days (60 days + a 35-day grace period) for VMware.

If the password expires before you change it or disable expiration, admin access to a Private Service Edge for Private Applications is no longer available. When admin access expires, the only recovery method is to deploy a new Private Service Edge.

The STIG-hardened prebuilt Private Service Edge image release dates are:

  • AWS and GCP: November 24, 2024
  • Azure and VMware: December 12, 2024

To verify if an image is STIG-hardened:

  1. Go to the Private Service Edges page in the Admin Portal.
  2. Expand the row for a Private Service Edge in the table.
  3. Under Private Service Edge Host Platform, check the ZSIVersion field. If it shows ZSIVersion: 2024.11 or ZSIVersion: 2024.12, the image is STIG-hardened.

Example STIG-hardened image with ZSIVersion: 2024.11.

Zscaler recommends using one of these methods for passwords:

    • Disable the password expiration:
      1. Enter the following command (replacing admin with your admin username):

        [admin@zpa-service-edge ~]$ sudo chage -M -1 admin
      2. Verify that the password is set to never expire.

        [admin@zpa-service-edge ~]$ sudo chage -l admin
        Last password change                               : Feb 18, 2025
        Password expires                                   : never
        Password inactive                                  : never
        Account expires                                    : never
        Minimum number of days between password change     : 1
        Maximum number of days between password change     : -1
        Number of days of warning before password expires  : 7
    • Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 days.
    • Disable the password expiration by entering the following command (replacing admin with your admin username):

      $ sudo chage -M -1 admin
    • Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 or 95 days.
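
For accounts that stay on the renewal schedule, the chage -l check shown above can be scripted so that an approaching expiration is flagged before admin access is lost. The following is an added example, not Zscaler's code: it parses chage -l output in the format shown above and assumes English-locale output and GNU date. The function name and the 14-day WARN_DAYS threshold are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: classify `chage -l` output for the Private Service Edge admin account.
# Assumes English (C locale) chage output and GNU date.

WARN_DAYS=14   # hypothetical alert threshold, not a vendor value

# stdin: `chage -l <user>` output; $1: "now" in epoch seconds (default: current time).
# Prints DISABLED, "OK <days>", "WARN <days>", EXPIRED or UNKNOWN; exit code 0/0/1/2/3.
password_expiry_status() {
    local now="${1:-$(date -u +%s)}" expires exp_epoch days
    # The value is everything after the colon on the "Password expires" line.
    expires=$(sed -n 's/^Password expires[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if [ -z "$expires" ]; then echo "UNKNOWN"; return 3; fi
    if [ "$expires" = "never" ]; then echo "DISABLED"; return 0; fi
    # Anything else should be a date such as "Apr 19, 2025".
    exp_epoch=$(date -u -d "$expires" +%s 2>/dev/null) || { echo "UNKNOWN"; return 3; }
    if [ "$exp_epoch" -le "$now" ]; then echo "EXPIRED"; return 2; fi
    days=$(( (exp_epoch - now) / 86400 ))
    if [ "$days" -le "$WARN_DAYS" ]; then echo "WARN $days"; return 1; fi
    echo "OK $days"
}

# Constructed sample: an account still on the 60-day policy, checked on Apr 9, 2025.
SAMPLE_NOW=$(date -u -d "Apr 9, 2025" +%s)
password_expiry_status "$SAMPLE_NOW" <<'EOF' || true
Last password change                               : Feb 18, 2025
Password expires                                   : Apr 19, 2025
Password inactive                                  : never
Account expires                                    : never
Minimum number of days between password change     : 1
Maximum number of days between password change     : 60
Number of days of warning before password expires  : 7
EOF

# Live use on the appliance (replace admin with your admin username):
#   sudo chage -l admin | password_expiry_status
```

A non-zero exit code (1 for WARN, 2 for EXPIRED, 3 for UNKNOWN) lets a scheduled job or monitoring agent raise an alert without parsing the printed text.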
