Disabling Password Expiration for STIG-Hardened Private Service Edge Images
If you're using an image that supports Security Technical Implementation Guide (STIG) compliance, passwords automatically expire every 60 days for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, or 95 days (60 days + a 35-day grace period) for VMware.
If the password expires before you change it or disable expiration, admin access to a Private Service Edge for Private Applications is no longer available. When admin access expires, the only recovery method is to deploy a new Private Service Edge.
The STIG-hardened prebuilt Private Service Edge image release dates are:
- AWS and GCP: November 24, 2024
- Azure and VMware: December 12, 2024
To verify if an image is STIG-hardened:
- Go to the Private Service Edges page in the Admin Portal.
- Expand the row for a Private Service Edge in the table.
- Under Private Service Edge Host Platform, if you see ZSIVersion: 2024.11 or ZSIVersion: 2024.12 for the ZSIVersion, the image is STIG-hardened.
Zscaler recommends using one of these methods for passwords:
- Disable or set a password for AWS, GCP, and Azure.
  - Disable the password expiration:
    Enter the following command (replacing admin with your admin username):
        [admin@zpa-service-edge ~]$ sudo chage -M -1 admin
    Verify that the password is set to never expire.
        [admin@zpa-service-edge ~]$ sudo chage -l admin
        Last password change : Feb 18, 2025
        Password expires : never
        Password inactive : never
        Account expires : never
        Minimum number of days between password change : 1
        Maximum number of days between password change : -1
        Number of days of warning before password expires : 7
  - Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 days.
- Disable or set a password for VMware.
  - Disable the password expiration by entering the following command (replacing admin with your admin username):
        $ sudo chage -M -1 admin
  - Set a password when creating a new instance using passwd admin (replacing admin with your admin username) and renew it every 60 or 95 days.
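A check that reads the chage -l output shown above and reports how many days remain before the password expires, so an approaching lockout can be caught from monitoring. This is an added example, not Zscaler's code: the function names and the first sample are constructed here, and it assumes C-locale chage -l output in the format shown on this page.

```shell
#!/bin/sh
# Added example (not vendor code): read `chage -l` output and report how many
# days remain before the password expires, or "never" once expiration is off.

# Constructed sample: account still under the 60-day expiry policy.
SAMPLE_EXPIRING='Last password change : Feb 18, 2025
Password expires : Apr 19, 2025
Maximum number of days between password change : 60'

# Sample matching the page's output after `chage -M -1`.
SAMPLE_DISABLED='Last password change : Feb 18, 2025
Password expires : never
Maximum number of days between password change : -1'

# Print the value of one "Label : value" line from chage -l output on stdin.
chage_field() {
    sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Days since 1970-01-01 for a "Mon DD, YYYY" date, in plain shell arithmetic.
epoch_days() {
    set -- $(printf '%s' "$1" | tr -d ',')      # split into: Mon DD YYYY
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0}; y=$3                               # "08" would parse as octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + (153 * mp + 2) / 5 + d - 1))
    echo $((era * 146097 + doe - 719468))
}

# stdin: chage -l output (C locale). $1: today's date as "Mon DD, YYYY".
# Prints "never", a day count (negative = already expired), or "unknown".
days_until_expiry() {
    expires=$(chage_field 'Password expires')
    case $expires in
        never) echo never ;;
        [A-Z][a-z][a-z]\ [0-9][0-9],\ [0-9][0-9][0-9][0-9])
            echo $(( $(epoch_days "$expires") - $(epoch_days "$1") )) ;;
        *) echo unknown; return 2 ;;
    esac
}

# Live use (assumes the admin username is "admin"):
#   sudo LC_ALL=C chage -l admin | days_until_expiry "$(LC_ALL=C date '+%b %d, %Y')"
printf '%s\n' "$SAMPLE_EXPIRING" | days_until_expiry 'Apr 09, 2025'
printf '%s\n' "$SAMPLE_DISABLED" | days_until_expiry 'Apr 09, 2025'
```

A result of "unknown" covers values such as a forced password change, where no expiry date is printed.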