Layer7 API Management Reviews

It’s a way for us to secure our externally-sourced API calls that come into the organization. The two things are 1) protocol translation where we can let a REST call come in and get converted to some legacy protocol, and 2) security token translation support because we need to convert a standard industry token to something an internal system will understand.

It provides a simple endpoint for applications to call and for customers to call, so it reduces a lot of the complications of API services. Most of these APIs the user never sees, like a mobile app that does something below the water line, or another partner is calling our application – such as an order purchasing system at another customer, whose app calls our app. It eliminates the need to deal with users in a lot of cases, so if users don’t have to deal with the system it’s convenient for them. It helps us automate as well.

One item that we’ve had discussions – and they’ve fixed some of it – you had to buy extra products, specifically the CA Mobile API Gateway, to get certain types of token support even though you didn’t need that product for anything else.

So, foundational token support should be part of the base product and you shouldn’t have to buy the mobile feature to get those features. For example, in order to get OAUTH we had to buy the MAG product, but I think they’ve fixed that now. But we’re not sure they’ve fixed everything.

I think it’s a solid product. We’ve had some issues with the proprietary hardware that we’re running it on, but we’re getting rid of that and going to VMs, so the issue will probably go away. At one point in order to do certain types of upgrades to not only do it through a web interface, but we had to get deep into the system – multiple things we had to do in order to upgrade so it wasn’t as seamless as we had hoped.

It's not been an issue.

I think they’ve got really sharp people. When there’s a serious problem, they’re quick to triage and get an authoritative person to respond quickly.

Pretty straightforward; the biggest issue was the initial hardware that we purchased. CA sold the product on a certain kind of UNIX box, but those boxes weren’t appropriate for the solution – it was well before CA took over.

We knew we needed some kind of API security gateway to basically sit on the edge of our network and police what could get in, and do other things like translate API calls. We wanted a simple API call to be translatable to multiple backend system. Before we were just using traditional web proxy servers, not really API focused.

We knew we needed some kind of API security gateway to basically sit on the edge of our network and police what could get in, and do other things like translate API calls. We wanted a simple API call to be translatable to multiple backend system. Before we were just using traditional web proxy servers, not really API focused.

We used IBM DataPower at the time. Both HP and Oracle were OEMing the Layer7 product at the time, and the fact that HP was OEMing it was certainly a factor. We were looking for someone that’s innovative; someone we can trust to be a long-term partner.

It fits in well with our other security middleware. We’re also a SiteMinder customer so there are some synergies there. When CA bought Layer 7, that was a good thing for us, and we sort of fell into those kinds of synergies.

They should make sure they find a product that supports industry security standards, and has good management capabilities, good manageability.

It serves our development purposes, enabling the connection of both external and internal clients, for example.

It's a comprehensive tool that allows us to perform all the necessary tasks in one place. With other middleware API management tools, we might need multiple tools and layers to achieve the same results. This tool provides a single platform for managing security, real transformation, connectivity, and development, eliminating the need for additional add-ons.

It's quite satisfactory. However, I don't focus much on the cost perspective, but I understand that clients are often concerned about costs. They might be exploring other options due to the high cost associated with our current package.

Currently, we don't have any major issues, and any past issues we encountered were promptly resolved. Perhaps in terms of improvement, we could explore more robust connectivity options, but for our current needs, it's been solid. As for my company, we might consider migration, and there are tools like GMU migration, provided by the same vendor, which could potentially help us in that regard.

I have been using Layer7 API Management for the past eight years.

It is stable, as per our observations.

I've been primarily utilizing the on-premises version, and it has proven to be scalable as we've added more clients. However, I haven't yet ventured into the cloud aspect, so there's potential for further exploration in that regard.

It's not overly challenging. The documentation is quite comprehensive, and the support from the dot command is also reliable. Overall, it's a comfortable experience, and I haven't encountered any significant issues or concerns.

I would rate it an eight out of ten.

My company is a CA partner. We do implementations for end-customers, using CA API Management. So my company doesn't use the product, but we install, configure, and implement the product for our end-customers.

Primary use for the solution is to have access to APIs that are generally difficult and not available. An example would be critical APIs that should be available 24/7 but they are not available most of the time, because of one or another constraint. That is where the API Management solution is used to the maximum by end-customers.

Let me give you an example from one of my customers, a tier-two telco in the UK. This customer was getting an API that was available to their developers for only two hours a day, and because of this restriction, they had to plan everything precisely for their developers to access the API in those two hours.

Now, with the CA API Management implementation, the third-party API is available to this customer 24/7. It's available any time the development team requires access to the data or the information. This result has quickened the development pace and the testing cycle, and it has saved a lot of our dollars for my end-customer.

Security is the most important parameter of the solution, for me, because whenever you are exposing your APIs to third-parties, it is critical that the data remains anonymous and that data is retained within the system, that it is not leaked. CA API Management provides good security features and that is very critical.

The CA API Management solution has good security features, but when it comes to being used in areas like enterprise integration, where it is being used as middleware for all the IT environments, that particular feature is quite limited. It doesn't support as many protocols as an industry standard, competing product should.

No issues with stability.

I have never had any issues with scalability.

I would rate tech support at nine out of 10.

I still use multiple solutions. I use some open-source solutions, I use some of the competing enterprise solutions, and I use CA as well. It really depends on what my end-customer really wants. It depends on the use.

The initial setup was quite straightforward.

I feel the product's pricing is a good value.

In terms of licensing, currently, they are available for as perpetual from CA. What is really important is that they offer the solution as a service, on a subscription or monthly basis,  which will make it more attractive. That is where the market is headed. There are competitors within the industry that are doing that currently. I would encourage CA to do that.

The options that I had were Apigee and Mulesoft.

My advice would be, if it is a really complex integration with multiple protocols, multiple APIs, where security is the key, I think you should look at the CA solution. That is where it fits best. If it is you're looking at it more as an enterprise integrator, that you need to integrate internally within an organization and its IT functions, then I would suggest that you talk to CA and see how best the product can be used; you will consultation.

It's a very stable, scalable product with good security features. It does the job well.

Our primary use case is as an API gateway for authentication and authorization, and then lightweight transformation or lightweight mediation. But it's mostly, authentication and authorization, mostly security-based.

We mostly use this product for our internal customers, so it's not a revenue generator for us. We use it for internal customers to contact the IT systems. In terms of benefits, it's not for external customer satisfaction. It's not that kind of a usage here. The benefit that IT sees is, it is a single developer portal for IT; it has helped us provide an API platform to our customers.

• The lightweight mediation
• Transformation from JSON to XML and XML to JSON
• API portal and API key management
• The Developer Portal
• Some of the key SSL sessions, inside the gateway
  
• Circuit Breaker is a cool feature, too

One area where it certainly needs to improve is the way it allocates requests, in terms of rate limiting. Let's say I have set the rate-limiting to 1000 requests per second and I have four nodes in a cluster. It divides the request into four, that is 250 per node. If I have a node-balancer in front which has the least connection mechanism it sends the first request to a node. It has to improve in terms of API rate-limiting.

Also, there is no native Kafka connectivity. If they provided native Kafka connectivity, that would be good.

We found a lot of stability issues in the 8.3 version. But even after reaching out to the CA engineering team, they were not able to diagnose the issue, so we upgraded it to 9.2. Most of the stability issues have been resolved and we're not seeing that many issues now. So the stability issues have calmed down but we faced a lot of them in 8.3.

The scalability is always an issue, as we cannot add gateways on the fly because there are a lot of moving parts; endpoint connectivity is one of them. If we add more nodes then the rate-limiting feature is affected. This kind of gateway always has the scalability issue. But, I think CA is coming up with its Microgateway, which is in Beta. If they stabilize their Microgateway platform, we could do very well in terms of scalability.

Their tech support is pretty good and their documentation is also good. The community's support is also good, so I would rate them pretty well here.

The setup itself is not that complicated since we used a VM form factor. The software setup, obviously, is a different story. But the network part that goes in, the firewall connection that goes in, and then, the load-balancers, the global traffic managers, all these things are not really that complicated. The gateway setup itself is not that complicated.

It's my manager who takes care of the pricing. But I keep on hearing that it's a little pricey, it's on the higher side. That is what he says. We have around 20 licenses so for that, the pretty is pretty high. That's what he says.

This product existed here before I started with this team so it has been here for last six or seven years. I've only been here for two and a half years. I'm not sure what kind of evaluation took place, what the criteria were for the evaluation. But, I'm pretty sure that they would have evaluated two or three products before choosing CA API Gateway. Our company itself already has two gateways.

I think the main criteria here were in terms of software security, mostly securing the APIs in terms of SQL insertion attacks or XML structure attacks. They were looking more at securing the APIs and CA was probably the best at it.

My advice would depend on the use case. If it's just a proxy solution that you are looking for, I would say don't go for CA API Gateway because API Gateway is much more than that. If you're looking for a complete API developer platform and securing your APIs, then CA API Gateway is a good product.

I give this solution an eight out of 10 because, as an end customer, in terms of managing my API lifecycle, end-to-end, it is pretty good.

The most valuable features are definitely the security it provides and the ability to code to the roles, so that way, when the people come in, they actually have their roles identified and then, we're able to actually distribute the data through the message, to them. Role usage has really been important for us.

I think the device itself has helped us quite a bit. We're able to do things a lot faster, because of the device. Because we identify the policies, we're able to layer the policies that are already written. People don't have to rewrite code multiple times. We write a policy one time, and then we're just able to just drag it over and reuse it for other things.

I've used the device since it was the Layer 7 device, and it's come a long way. I think from a mobility standpoint, there's a lot of things that we do, and we have to create our own policies.

I think the product's getting better every iteration, and they're adding more and more functionality to it, that allows us more reuse.

I would just like to see where it's going to go through the roadmap, and I think it's got great, great potential.

We have been using it 8-10 months.

It's been very stable for us. We're using it as an appliance, so whenever we need to put new ones in, we just download it, implement it, and then just pull over the configuration files for it. It's been very, very stable for us, and the patching's been fantastic.

It's definitely a scalable solution, so you can create clusters in production. What we've done is, we got a cluster on our main data center, and then we've got one in our backup data center. Then we can add on to that as we need to, and use the load balancing functionality to scale it indefinitely, as much as we need for our load.

The support that we've received has been fantastic. We've been able to talk to people everywhere from pre-sales, actual technical people, whenever we need it. Literally, the support team has been 100% behind us. We get stuck on something for a very, very short period of time before they're there to help us.

They've been easy to contact, not only via the normal contact through the phone number, but even through emails, they're very, very responsive to us.

I'd used it before, so when we created our mobility team, with me as the manager, I knew that this is the device I was going to have to put in front of all my services in order to make them reusable.

It was once we'd actually standardized and built everything out, then we made room for the device, so it was just no more than procuring the device, and putting it in place at that point.

When I’m selecting a vendor, I want to look for somebody who cares about me as a customer. I want to find somebody who actually wants our solution to work. I think the team has been fantastic at that. I look at what other customers think about the support and, have they gotten anything good from their support teams? I look at that.

I think the last thing that I would look at would be price, to be honest, because I care more about the solution. Is it going to work for us? It's a partnership. When I meet a vendor, and we're actually going to put in one of their tools, or we're going to use a tool, or an appliance or whatever, to help us, then that to me is a partnership, and we're in this solution together. That's what I really, really got from CA.

The setup was very easy. We just downloaded the actual VM appliance; implemented that. There are six or seven steps that you do to configure it for the environment. Once we set up our load balancer and stuff, it was up and running and ready for us to use. It's very, very simple.

The patch process is the same way. All you do is you download the newest version, put it out there, and then just do those six or seven steps, and we're up and running. We can replace it very quickly.

I did some due diligence. I think you always have to do some due diligence, and I looked at some other products. I don't think any of them met my needs, not as good as this product did.

I think it can get better, and it has over the different versions. 9.1 came out, and it offered some more functionality. They've added more products around the solution to make it better, so I think there's always room for improvement. I think it's been very, very stable for us. It's worked every time we've needed it, and it's allowed us to do a lot better for as a company.

We are using Layer7 API Management as an enterprise service bus, ESB, and B2B security gateway.

There is not a comparable solution on the market to Layer7 API Management. It has been useful for our organization.

The most valuable feature of Layer7 API Management is that their policy is really easy to develop and it is flexible.

The UI design could be improved in the next release.

I have been using Layer7 API Management for approximately six years.

The solution is stable.

Layer7 API Management is scalable.

We have two people in my company that uses this solution. We are will need to train more people.

We are attempting to expand usage but because we cannot find resources, we will try to change to some other product. We were using it for a long time. It's a little difficult to transfer every feature that we have, but we are still open to finding another product, such as NGINX. We are on the POC of NGINX, but it keeps changing. The organization is trying to stop using this product as we have a lack of resources, but right now we found that some of the features cannot transform easily. Then we want to expand, I'm confused as well about what we are doing.

The initial installation was straightforward. We split the release and the patching takes a few minutes with a few mouse clicks. We automate most of the process.

We have an in-house team that does the implementation.

There is an annual license for the use of this solution. I think we are paying for some support maintenance fees, included in that license. I don't know how it works. They should provide more information.

We have been evaluating NGINX. I have found NGINX has a better UI than Layer7 API Management. Most of the features that NGINX has are already supported in Layer7 API Management.

We have found it's really difficult to find the right resource in our Canadian market. It is more difficult to hire new developers who can support Layer7 API Management.

My advice to those wanting to implement this solution is if they have the right resource, this is a really nice product and I recommend it because it's really flexible and that they can build and customize with the vendor directly. I really am with this product.

I rate Layer7 API Management a nine out of ten.

In our context, we have a number of REST APIs that we had to expose, a number of partners, internal users, as well as external partners who wanted to basically integrate cleanly and quickly, but didn't want to do five independent integrations into each API, so the CA tool allows us to effectively wrap those APIs into a common interface, so you can make one call and then the gateway will go away and make the other calls for you. That is the primary goal was that and the tool does that for us.

What it allows us to do is it's more time to market than the value, actually, so a lot of our affiliate marketing teams, they go and engage with the vendor's affiliates, effectively, and they want a very quick, clean solution to get a lot of customers in, place a bet, see their bet history and then log out and tap on and move on to do something else. What this allows us to do is that, whereas previously, I would have had to a specific project team, they would take two or three months to do an integration, now you can do that in a matter of weeks. You can realize the value of a commercial relationship very quickly.

Once it goes live, it's very stable, clearly, it's as stable as your infrastructure or authority or testing is, but once it goes live, as long as you sort of adhere to all the policy management, and make sure you're progressing code, you're testing it correctly, once it goes live it's pretty stable. We've not had any failures with it in the year and a half that it's been live, and it's very stable. From a performance perspective, it's great. You can throttle, you can do rate limiting, so it's very flexible for us.

It's been very good as we need them, thankfully we haven't had much call to call them up, because it's been stable, but we call them up for platform upgrades, when we went from version 7 to 8 and 8 now through to 9. As we need assistance, we raise a ticket. They're very responsive, they're very thorough in what they come back to us with, so they've been a really good partner for us.

The trigger, effectively, was that we had a partner, we'd done a commercial deal. The partner wanted to integrate, we wanted to integrate with the partner, but the partner had a legacy sort of application that they weren't able to do this integrating to five APIs. They wanted one interface, and they didn't want to on-board any of the logic, they wanted that to be done somewhere else, hence the CA API Management tool that does that for us. They make one call, it goes away, does all the connections, all the session affinity, with all the underlying APIs, and that partner can just make the calls as they want. They deployed it on desktop, on tablet, mobile's coming as well now, and we use it for other partners as well.

We had a very short time for it to get it done, so I dealt with CA, we managed to do the deal for the software. They put us in touch with a partner called Smart, Smart421 in the UK. We had a very high-level discussion about what my requirement was, the platform that we have, what I needed to wrap, which calls, so we did a lot of preparation in advance, and then they came on-site, and within two weeks we had a working API. We'd wired together the underlying platforms to build this API that was then sent to the first vendor. Very clean, very slick. As with any IT project, as long as you are prepared, you've done your homework, you know exactly how to lead the implementation, what to take the vendor through, then it works very well.

Partly it's obviously the reputation of the vendor, it's the support structures, it's the partners that they deal with. If they put you in touch with a partner to install the software, what is the calibre of the partner that they're dealing, and that reflects on them as an organization. Their licensing structures, how flexible they are to deal with you, these sorts of things. We also looked at Mashery and Apigee.

We chose CA API Management as it was better licensing model, it was better cost model for us. I wanted that product. I'd previously worked in an organization with they'd bought what was in the Layer 7 product, and so I had an understanding of the product, I had an understanding that it had been used in my industry. I knew that it would work, because I'd seen it done before, so those things were quite key for us.

Break it into small chunks, so what we did was we had a very defined use case, and we could have gone to a much larger project, but the ideas was to focus on the component that we were after, what we had to go and deliver, break that down, get it working, and then that gives the business more confidence to then invest in it further, future phases, and we just broke it down to that. We were able to very quickly deliver something of value, and that then allows you to move on from there, as opposed to doing the full solution first up, and then we could have failed on the way through, the requirements could have changed, but it was better for us, and it's something I recommend that you just break it down.

I give it a nine. It's a great tool, it's a great product. It's good for us because it does specifically what I need it to do. The only area I'd say there could be some improvement is some of the documentation perhaps, some of the release notes are not the best. I think they're trying to brush things up and make it better, so it's improving all the time, but initially when we first started seeing some of the interface and some of the documentation it was quite confusing, but then we have a partner that takes the pain, I suppose, for that. Buy the tool. It's fantastic.

What are the key digital priorities and initiatives in your company?
The key things for us is on-boarding affiliates, partners, as quickly as possible, for their customers, or our customers who bet through them, to leverage those relationships, leverage those customers to allow them to bet with us. API Management for us at the minute has been around in having a clean interface for these guys to be able to quickly integrate with us, and then we can very quickly get them up and running, and it's a commercially beneficial arrange for us.

Are you considering upgrading in the future?
We're investigating options as with most industries, omni channel is the big thing now, so we're investigating how we could use this in an omni channel perspective to wire up our other parts of the business, so that's something we may consider. Part of the show, there are developer portals to making it easier for developers, third parties, to actually interact with us. The current product, the gateway product, doesn't have a portal, so effectively I have to document how to integrate, and then every time I make a change, I have to then email the document out to all of my development partners, whereas if I had the developer portal, they can then just go log in themselves, register themselves, they get their own API keys, all that stuff's taken care of, so those things are quite interesting for me and for our partners.

The primary use case is we are using the API Management Suite. It has the Gateway and Portal, and we are using the Gateway to front all the APIs in FedEx.

The Gateway is performing very well. The Portal is not.

We can get more visibility into our data.

The benefit of the Gateway is that it provides security, authorization authentication, and analytics. These are the main benefits which we are using it for. 

The most valuable, for the Gateway, is it can front our APIs very easily, and it can integrate with FedEx easily, so those are good. 

For the Portal, we are able to manage with APIs and documentation. However, there are a lot of improvements, which could be done on the Portal side.

For additional features, I would like to see how it can be deployed into the cloud platform out-of-the-box and not having to do a lot of the initial setup. If it can be done out-of-the-box, that will make customer's life very easy.

Their upgrade solutions are not straightforward. Therefore, we are running the older version. We wanted to go to the latest and greatest. However, it is really complex going from where we are to the next one. 

It is fairly stable for the Gateway side. However, not for the Portal side.

We have seen that it can scale both vertically and horizontally. 

We have used technical support quite often, and they are really good. We have opened multiple tickets, and they are very responsive, especially for the Severity 1 tickets. 

The initial setup was very complex.

CA Service was helping me with the implementation. 

Initially we were looking into different options. We looked into Apigee, Axway, and CA. We did the whole evaluation, and CA come out to be the winner, because CA is the market industry leader.

From CA's new technologies, it looks like CA is moving in the right direction.

Look to your performance matrix and your benchmarks. What are you interested in? If you are looking for support, this is definitely the best solution. 

Most important criteria when selecting a vendor: Performance is one of the major ones. Security is another.