What is our primary use case?
Previously, we don't have a security for our web or mobile applications. In a scenario where I have an application that gives APIs to everyone in the world, they can directly access that particular application. However, this allows for different types of attacks on that particular application too. This becomes a problem if a number of users access it, whether they are valid or invalid users, they will see performance issues. If a number of attacks are happening on a particular application, it goes down. So, from a security perspective, CA API Management acts like a reserve proxy.
It makes the end user feel like it is a real system. It does not show the back-end and what the API tool does. CA API management will not let people know that there is an original server running behind the tool. That is the security point of it.
For use cases, there are databases that some people have to query on. With the help of CA API Management tool, we can give APIs to the end user, and with the help of those APIs, they can access the data instead of the database.
How has it helped my organization?
APIs can be developed to provide security. We can show them in one single pane of glass, such as the CA API Management API Developer Portal. It is there that we can provide the monetization for their APIs and what is happening on third-party applications, like Paytm or BookMyShow.
Customers go to the portal and register there. It is there that they chose their APIs from a list. Based on the registration of the APIs, the customer will be charged.
Our customers will purchase these APIs and give to their application users. The functionality provided by the CA API Management tool is about the work framework, and the API Gateway also provides work functionalities. In the API Gateway, there are features called Solution Kits. These provides work protocol functionalities and the framework.
In order to develop an API, we'll face so many problems:
- What method we should use?
- What is the data it should return?
- If I give this API data to the browser, how will it be processed?
There are so many problems from the perspective of designing an API. However, the CA API Management tool, along with the CA API Gateway, eliminate all our issues.
As an organization grow, you can use CA API Management for authentication purposes through the CA API Gateway. It allows for multiple identity providers with different Active Directories.
What is most valuable?
It takes an existing service, like JSON or SOAP, and converts it for use on the application (e.g., REST services).
From a security point of view, there are different types of attacks: cross-origin resource sharing, SQL injection, shell scripting, and code injection. These type of attacks can be eliminated with the help of this tool because they are built-in with rules. If I drag and drop one rule called cross-origin resource sharing to the website I want to allow it on, only that website can contact CA API Management regarding this assertion.
For an OAuth perspective, the application needs to be registered at my API Gateway. Once the application is registered, every time a user requests access to my API Gateway, I have to capture whether it is a valid application or not. Once it is getting validated, only then will it show them the access page for the login page to the application.
What needs improvement?
Based on the method an API, we need to be able to access that particular API.
They need a workflow for the API Developer Portal, where the process only allows requests to go to the correct person.
The CA Mobile API Gateway (MAG) for mobiles has too much latency.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
If an entire cluster fails, we have disaster recovery with this solution. It provides an exact replica.
Because it contains Java, the heap memory needs to be cleaned constantly or problems will occur.
For day-to-day maintenance, two people are enough staff, e.g., checking the logs.
What do I think about the scalability of the solution?
CA API Management is okay when it comes to supporting a large number of APIs or large number of transactions. It has high availability. With the help of a load balancer, we distribute the load among all the API Gateways. In this way, we provide high-availability for all the API Gateways.
We have scaled the product out to different countries, like China and Australia.
Which solution did I use previously and why did I switch?
Previously, there was only SOAP services. When you are making an API call with SOAP services, It has a lot of impact on the application by taking too much of the bandwidth.
Now, all the users are filling our their forms in the back-end with form data into JSON, and sending the information to the REST services.
People want the REST services. There are already existing applications which are running on the SOAP services. Rather than losing their businesses, with the help of CA API management, they can have both their REST and SOAP services in the back-end.
How was the initial setup?
The initial setup is straightforward, like creating and deploying an API. Everything happens in one single loop.
If you install the CA API gateway, it takes about 15 minutes, as it is available in OVA format. If you go with the OVA format, you don't need to do much configuration. Then, it comes up in an internal MySQL database.
The API Developer Portal takes easily an hour to set up.
What about the implementation team?
When we introduce the solution to a new organization, it's not a complicated process. If we describe to them how an API can reduce work in their regular life, then they can easily understand that. When we give this to the customers, they become happy.
We use two people for deployments.
What's my experience with pricing, setup cost, and licensing?
CA API Management has a licensing path. If you want more features, it requires more licenses and more installation time.
Which other solutions did I evaluate?
Compared to other tools, like Apigee, this is the best tool that I have used.
What other advice do I have?
This product is available on-premise, in the cloud, and Docker.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.