This article outlines the required steps to grant Calix access to your gaiia environment. It covers Calix SMx, Calix Cloud access, API configuration, IP allowlisting, and SSL requirements.
You will need to complete several configuration steps on your side and provide specific information to gaiia.
Overview
To enable the Calix integration, you must:
- Configure access to your Calix SMx system.
- Grant Partner access to your Calix Cloud instance.
- Create and configure a dedicated API user.
- Allowlist gaiia public IP addresses.
- Deploy a publicly trusted SSL certificate with a full certificate chain.
Each section below describes the required steps.
Configuring Calix SMx access
You must prepare your SMx environment so gaiia can securely connect.
1. Create credentials for gaiia
- Create a dedicated username and password for gaiia.
2. Open required ports
- Open ports 18443 and 3443.
- Restrict access to the gaiia public IP allowlist provided in this article.
3. Configure SSL
- Configure the system for SSL.
- Install a certificate issued by a publicly trusted certificate authority.
- Ensure the server presents the full SSL certificate chain, including intermediate certificates.
To test the SSL connection, run:
openssl s_client -connect <smx_URL>:18443 -brief
4. Provide required information to gaiia
You must provide:
- The external DNS name of the SMx system.
- A list of all ONT, RG, and mesh router models that must be certified.
- Dedicated test devices in gaiia for each model.
- The software version number running on SMx.
Granting Calix Cloud instance access
You must grant Partner access to your Calix Cloud instance.
- Follow the Calix documentation to allow Partner access to your cloud instance.
- Approve the Calix resident expert account with the following details:
  - Name: Jared Naquin
  - Email: jared@gaiia.com
  - Phone: +1 581-814-7740
Configuring Calix Cloud API access
You must create and configure a dedicated API user for gaiia.
1. Create a dedicated email account
- Create a new email account on your domain.
- Set it to forward to integrations+<company-name>@gaiia.com.
Example:
integrations+my-isp@gaiia.com
gaiia will:
- Set the password.
- Configure 2FA.
- Register the gaiia integration in the Calix Developer Portal.
2. Assign the correct role
- Add the newly created account to your Calix Cloud instance.
- Assign the “API User” role.
Reference: Calix best practice for API User role setup
Allowlisting gaiia public IP addresses
You must allowlist the following IP addresses in your firewall.
Staging
- 3.210.85.72
- 3.81.237.51
Production
- 3.215.70.188
- 3.228.90.246
Disaster recovery
- 3.131.170.31
- 3.14.2.120
Access should be restricted to these IP addresses only.
Meeting SSL certificate requirements
To comply with SOC2 security requirements, you must use a certificate issued by a publicly trusted certificate authority. The server must present the full SSL certificate chain, including intermediate certificates.
Examples of trusted certificate authorities
- GoDaddy
- Let’s Encrypt
- SSL.com
- Google Certificate Authority
- Amazon Certificate Authority
Building the full certificate chain
- Gather your SSL certificate and intermediate certificate(s).
- Concatenate the certificate with the intermediate bundle.
cat certificate.crt gd_bundle-g2.crt > fullchain.crt
- Deploy the fullchain.crt certificate to your server.
Calix SMx certificate documentation: SMx certificate documentation
Verifying the certificate chain
Run the following command:
openssl s_client -connect <smx_URL>:18443 -showcerts
In the output, locate the Certificate chain section. You should see:
- The leaf (server) certificate first.
- Intermediate certificate(s) next.
- The root certificate last.
Verify the Subject and Issuer fields to confirm the chain is complete and in the correct order.
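The Subject and Issuer comparison above can be scripted. The following is an added example, not part of the original article or of gaiia or Calix tooling: the function name check_chain_order and the sample chain (constructed names) are assumptions. It compares names only and does not validate signatures or trust.

```sh
#!/bin/sh
# Reads `openssl s_client -showcerts` output on stdin and checks that the
# "Certificate chain" entries are ordered leaf -> intermediate(s) -> root,
# i.e. the issuer (i:) of each certificate equals the subject (s:) of the next.
# Returns 0 when the chain links up, 1 when it is leaf-only or out of order.
check_chain_order() {
    awk '
        BEGIN { n = 0 }
        # Entry header, e.g. " 0 s:CN = smx.example.net"
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        # Matching issuer line, e.g. "   i:C = US, O = ..."
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; n++; next }
        END {
            if (n < 2) {
                print "FAIL: only " n " certificate(s) presented; intermediates missing"
                exit 1
            }
            for (k = 0; k < n - 1; k++) {
                if (iss[k] != subj[k + 1]) {
                    print "FAIL: issuer of cert " k " is not the subject of cert " (k + 1)
                    exit 1
                }
            }
            print "OK: " n " certificates, each issued by the next"
        }'
}

# Constructed sample of the "Certificate chain" section (not real output).
SAMPLE_CHAIN='Certificate chain
 0 s:CN = smx.example.net
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
 2 s:C = US, O = Example Trust, CN = Example Root CA
   i:C = US, O = Example Trust, CN = Example Root CA'

printf '%s\n' "$SAMPLE_CHAIN" | check_chain_order

# Against a live system (replace <smx_URL> with your SMx DNS name):
#   openssl s_client -connect <smx_URL>:18443 -showcerts </dev/null 2>/dev/null | check_chain_order
```

A FAIL result with only one certificate usually means the server was deployed with certificate.crt alone rather than fullchain.crt.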