Layer7 API Management Reviews

It’s central to our mobile-first strategy. The API layer is becoming the interface to all of our legacy back-end and all of our new app development is being built on top of our API layer.

Key features – integration with SiteMinder and its ability provide security in general, content-based routing, and ability to turn our existing SOAP service back-ends into new REST-JSON APIs.

As the APIs are built and published and made available to developers, we can build applications on top of those APIs in days and weeks as opposed to months.

In a traditional web application you’re building your UI, your integration layer, your back end, all at the same time, and there are dependencies – you can’t built the UI until you have database access, etc.

With the API model, all that access to the backend is already available so all you have to concentrate on is building a good user experience.

They have really stabilized the API gateway in the last couple of releases. There’s a developer portal that is used to document your APIs that is woefully behind the times, in terms of being able to provide a really good robust experience for the developers consuming your APIs. You can’t document all of the details you need in the current developer portal and really need a separate web site just to document your API.

You need to understand what you want from an enterprise API, what your vision, what your plans are for rolling out an enterprise API, before you just go out and buy a product.

It’s been rock-solid. When we’ve had problems with a gateway – we have a whole group of them – we typically get very good support from CA and production downtime has not happened.

Because it’s a clustered environment, we can scale horizontally as many as we need to go. So far two production gateways that are in a cluster and they’re processing transactions for one of our APIs at 30 calls a second and there’s barely a blip on CPU.

In general, I’d give them about a 7/10 or 8/10. They’re good – sometimes it can take a little while to get to the right person. They tend to come back to us with obvious suggestions, which we try before we call tech support. When we get to the right person we get an answer immediately.

It was an architecture decision to move towards a mobile-first API strategy. We realized that in order to meet the requirements of an API of a really good, strong enterprise API we needed to centralize that. That started us looking at APIM technologies. We scored a number of different vendors and brought in some to do POCs.

Nothing in IS is ever simple. However, the install went very smoothly. The OVA files that you install into your VMware infrastructure -- configuration and getting them set up in the clusters went smoothly (respecting internal processes). The setup and config wasn’t that difficult. There was much more of a learning curve on our end to leverage and learn how to use the API gateway. It’s sort of like a Swiss army knife in that you have to learn how to use which tools and when.

I look for stability in the vendor. I look for their ability to understand our needs. We get a lot of vendors who are not used to working with a Fortune 500 company and the size and complexity of our operation is big and complex. We need vendors that are flexible and who understand that their solution might solve a problem, but that might not solve it the way we need it solve. The flexible vendor that is able to provide multiple solutions typically ends up winning.

It’s a way for us to secure our externally-sourced API calls that come into the organization. The two things are 1) protocol translation where we can let a REST call come in and get converted to some legacy protocol, and 2) security token translation support because we need to convert a standard industry token to something an internal system will understand.

It provides a simple endpoint for applications to call and for customers to call, so it reduces a lot of the complications of API services. Most of these APIs the user never sees, like a mobile app that does something below the water line, or another partner is calling our application – such as an order purchasing system at another customer, whose app calls our app. It eliminates the need to deal with users in a lot of cases, so if users don’t have to deal with the system it’s convenient for them. It helps us automate as well.

One item that we’ve had discussions – and they’ve fixed some of it – you had to buy extra products, specifically the CA Mobile API Gateway, to get certain types of token support even though you didn’t need that product for anything else.

So, foundational token support should be part of the base product and you shouldn’t have to buy the mobile feature to get those features. For example, in order to get OAUTH we had to buy the MAG product, but I think they’ve fixed that now. But we’re not sure they’ve fixed everything.

I think it’s a solid product. We’ve had some issues with the proprietary hardware that we’re running it on, but we’re getting rid of that and going to VMs, so the issue will probably go away. At one point in order to do certain types of upgrades to not only do it through a web interface, but we had to get deep into the system – multiple things we had to do in order to upgrade so it wasn’t as seamless as we had hoped.

It's not been an issue.

I think they’ve got really sharp people. When there’s a serious problem, they’re quick to triage and get an authoritative person to respond quickly.

Pretty straightforward; the biggest issue was the initial hardware that we purchased. CA sold the product on a certain kind of UNIX box, but those boxes weren’t appropriate for the solution – it was well before CA took over.

We knew we needed some kind of API security gateway to basically sit on the edge of our network and police what could get in, and do other things like translate API calls. We wanted a simple API call to be translatable to multiple backend system. Before we were just using traditional web proxy servers, not really API focused.

We knew we needed some kind of API security gateway to basically sit on the edge of our network and police what could get in, and do other things like translate API calls. We wanted a simple API call to be translatable to multiple backend system. Before we were just using traditional web proxy servers, not really API focused.

We used IBM DataPower at the time. Both HP and Oracle were OEMing the Layer7 product at the time, and the fact that HP was OEMing it was certainly a factor. We were looking for someone that’s innovative; someone we can trust to be a long-term partner.

It fits in well with our other security middleware. We’re also a SiteMinder customer so there are some synergies there. When CA bought Layer 7, that was a good thing for us, and we sort of fell into those kinds of synergies.

They should make sure they find a product that supports industry security standards, and has good management capabilities, good manageability.

It serves our development purposes, enabling the connection of both external and internal clients, for example.

It's a comprehensive tool that allows us to perform all the necessary tasks in one place. With other middleware API management tools, we might need multiple tools and layers to achieve the same results. This tool provides a single platform for managing security, real transformation, connectivity, and development, eliminating the need for additional add-ons.

It's quite satisfactory. However, I don't focus much on the cost perspective, but I understand that clients are often concerned about costs. They might be exploring other options due to the high cost associated with our current package.

Currently, we don't have any major issues, and any past issues we encountered were promptly resolved. Perhaps in terms of improvement, we could explore more robust connectivity options, but for our current needs, it's been solid. As for my company, we might consider migration, and there are tools like GMU migration, provided by the same vendor, which could potentially help us in that regard.

I have been using Layer7 API Management for the past eight years.

It is stable, as per our observations.

I've been primarily utilizing the on-premises version, and it has proven to be scalable as we've added more clients. However, I haven't yet ventured into the cloud aspect, so there's potential for further exploration in that regard.

It's not overly challenging. The documentation is quite comprehensive, and the support from the dot command is also reliable. Overall, it's a comfortable experience, and I haven't encountered any significant issues or concerns.

I would rate it an eight out of ten.

My company is a CA partner. We do implementations for end-customers, using CA API Management. So my company doesn't use the product, but we install, configure, and implement the product for our end-customers.

Primary use for the solution is to have access to APIs that are generally difficult and not available. An example would be critical APIs that should be available 24/7 but they are not available most of the time, because of one or another constraint. That is where the API Management solution is used to the maximum by end-customers.

Let me give you an example from one of my customers, a tier-two telco in the UK. This customer was getting an API that was available to their developers for only two hours a day, and because of this restriction, they had to plan everything precisely for their developers to access the API in those two hours.

Now, with the CA API Management implementation, the third-party API is available to this customer 24/7. It's available any time the development team requires access to the data or the information. This result has quickened the development pace and the testing cycle, and it has saved a lot of our dollars for my end-customer.

Security is the most important parameter of the solution, for me, because whenever you are exposing your APIs to third-parties, it is critical that the data remains anonymous and that data is retained within the system, that it is not leaked. CA API Management provides good security features and that is very critical.

The CA API Management solution has good security features, but when it comes to being used in areas like enterprise integration, where it is being used as middleware for all the IT environments, that particular feature is quite limited. It doesn't support as many protocols as an industry standard, competing product should.

No issues with stability.

I have never had any issues with scalability.

I would rate tech support at nine out of 10.

I still use multiple solutions. I use some open-source solutions, I use some of the competing enterprise solutions, and I use CA as well. It really depends on what my end-customer really wants. It depends on the use.

The initial setup was quite straightforward.

I feel the product's pricing is a good value.

In terms of licensing, currently, they are available for as perpetual from CA. What is really important is that they offer the solution as a service, on a subscription or monthly basis,  which will make it more attractive. That is where the market is headed. There are competitors within the industry that are doing that currently. I would encourage CA to do that.

The options that I had were Apigee and Mulesoft.

My advice would be, if it is a really complex integration with multiple protocols, multiple APIs, where security is the key, I think you should look at the CA solution. That is where it fits best. If it is you're looking at it more as an enterprise integrator, that you need to integrate internally within an organization and its IT functions, then I would suggest that you talk to CA and see how best the product can be used; you will consultation.

It's a very stable, scalable product with good security features. It does the job well.

API management, for security.

One of the features that the tool provides is the ability to simply onboard new APIs to an existing security platform. We build all the policies for security upfront, and then we can add those policies pretty simply and straightforwardly to any new API that gets developed in the enterprise. That has been the quickest and easiest thing. 

We're rolling it out across the enterprise as we speak, after that six months or so of heavy usage, and we're finding that the amount of time it takes to secure new APIs has gone down substantially.

The security features are the most important because that's what we're using the application for, specifically.

There is a thick client for configuration that is not as easy to use as you might like. So I would say the design and user experience, from an administrative standpoint, is a little clunky.

There are some really very granular kinds of issues that I've found and they're more related to very specific technical components of the application itself. Aside from these individual complaints that are very bound up with our use cases, I don't have any specific recommendations.

No issues with stability.

In terms of scalability, we haven't encountered any issues. Scalability has been something that we're starting to explore a little bit more now - automated scalability - responding to increases in capacity in the environment. But we haven't had any issues, and I don't necessarily anticipate any issues. CA provides certain containerized versions of their components that are very easy to deploy and scale.

CA has been extremely responsive to any request that we've had for assistance, for support, and for new features. I haven't been able to evaluate the newer version that has recently been released, so we haven't evaluated it yet in terms of feature completeness.

The initial setup was pretty straightforward. They provided us with a container and we got it up and running, and then we just started working on it. You can follow the instructions pretty easily.

We did not have a previous solution, but we did evaluate Mulesoft as an alternative and, possibly, Informatica. We ultimately decided that our relationship with CA, and the type integration with some of the other applications that we had deployed in the enterprise, made the API Gateway a much better option for us.

I would suggest you take a look at all of the components. The API Management Suite that CA offers is broader than simply the API Management Gateway. The Suite has some features, extra components, that really make for a much easier and more accessible way a way of doing API management within the enterprise. There are components like the Mobile API Gateway and Live API Creator. These additional components really expand what the products can do, in a way that makes your value proposition easier to present to the business.

I would say this solution is a solid eight. It does everything that it says that it does. It would get a higher rating if it had a little cleaner interface and was easier to administer, but I think that's a pretty solid rating for a product like this.

Our primary use case is as an API gateway for authentication and authorization, and then lightweight transformation or lightweight mediation. But it's mostly, authentication and authorization, mostly security-based.

We mostly use this product for our internal customers, so it's not a revenue generator for us. We use it for internal customers to contact the IT systems. In terms of benefits, it's not for external customer satisfaction. It's not that kind of a usage here. The benefit that IT sees is, it is a single developer portal for IT; it has helped us provide an API platform to our customers.

• The lightweight mediation
• Transformation from JSON to XML and XML to JSON
• API portal and API key management
• The Developer Portal
• Some of the key SSL sessions, inside the gateway
  
• Circuit Breaker is a cool feature, too

One area where it certainly needs to improve is the way it allocates requests, in terms of rate limiting. Let's say I have set the rate-limiting to 1000 requests per second and I have four nodes in a cluster. It divides the request into four, that is 250 per node. If I have a node-balancer in front which has the least connection mechanism it sends the first request to a node. It has to improve in terms of API rate-limiting.

Also, there is no native Kafka connectivity. If they provided native Kafka connectivity, that would be good.

We found a lot of stability issues in the 8.3 version. But even after reaching out to the CA engineering team, they were not able to diagnose the issue, so we upgraded it to 9.2. Most of the stability issues have been resolved and we're not seeing that many issues now. So the stability issues have calmed down but we faced a lot of them in 8.3.

The scalability is always an issue, as we cannot add gateways on the fly because there are a lot of moving parts; endpoint connectivity is one of them. If we add more nodes then the rate-limiting feature is affected. This kind of gateway always has the scalability issue. But, I think CA is coming up with its Microgateway, which is in Beta. If they stabilize their Microgateway platform, we could do very well in terms of scalability.

Their tech support is pretty good and their documentation is also good. The community's support is also good, so I would rate them pretty well here.

The setup itself is not that complicated since we used a VM form factor. The software setup, obviously, is a different story. But the network part that goes in, the firewall connection that goes in, and then, the load-balancers, the global traffic managers, all these things are not really that complicated. The gateway setup itself is not that complicated.

It's my manager who takes care of the pricing. But I keep on hearing that it's a little pricey, it's on the higher side. That is what he says. We have around 20 licenses so for that, the pretty is pretty high. That's what he says.

This product existed here before I started with this team so it has been here for last six or seven years. I've only been here for two and a half years. I'm not sure what kind of evaluation took place, what the criteria were for the evaluation. But, I'm pretty sure that they would have evaluated two or three products before choosing CA API Gateway. Our company itself already has two gateways.

I think the main criteria here were in terms of software security, mostly securing the APIs in terms of SQL insertion attacks or XML structure attacks. They were looking more at securing the APIs and CA was probably the best at it.

My advice would depend on the use case. If it's just a proxy solution that you are looking for, I would say don't go for CA API Gateway because API Gateway is much more than that. If you're looking for a complete API developer platform and securing your APIs, then CA API Gateway is a good product.

I give this solution an eight out of 10 because, as an end customer, in terms of managing my API lifecycle, end-to-end, it is pretty good.

The most valuable features are definitely the security it provides and the ability to code to the roles, so that way, when the people come in, they actually have their roles identified and then, we're able to actually distribute the data through the message, to them. Role usage has really been important for us.

I think the device itself has helped us quite a bit. We're able to do things a lot faster, because of the device. Because we identify the policies, we're able to layer the policies that are already written. People don't have to rewrite code multiple times. We write a policy one time, and then we're just able to just drag it over and reuse it for other things.

I've used the device since it was the Layer 7 device, and it's come a long way. I think from a mobility standpoint, there's a lot of things that we do, and we have to create our own policies.

I think the product's getting better every iteration, and they're adding more and more functionality to it, that allows us more reuse.

I would just like to see where it's going to go through the roadmap, and I think it's got great, great potential.

We have been using it 8-10 months.

It's been very stable for us. We're using it as an appliance, so whenever we need to put new ones in, we just download it, implement it, and then just pull over the configuration files for it. It's been very, very stable for us, and the patching's been fantastic.

It's definitely a scalable solution, so you can create clusters in production. What we've done is, we got a cluster on our main data center, and then we've got one in our backup data center. Then we can add on to that as we need to, and use the load balancing functionality to scale it indefinitely, as much as we need for our load.

The support that we've received has been fantastic. We've been able to talk to people everywhere from pre-sales, actual technical people, whenever we need it. Literally, the support team has been 100% behind us. We get stuck on something for a very, very short period of time before they're there to help us.

They've been easy to contact, not only via the normal contact through the phone number, but even through emails, they're very, very responsive to us.

I'd used it before, so when we created our mobility team, with me as the manager, I knew that this is the device I was going to have to put in front of all my services in order to make them reusable.

It was once we'd actually standardized and built everything out, then we made room for the device, so it was just no more than procuring the device, and putting it in place at that point.

When I’m selecting a vendor, I want to look for somebody who cares about me as a customer. I want to find somebody who actually wants our solution to work. I think the team has been fantastic at that. I look at what other customers think about the support and, have they gotten anything good from their support teams? I look at that.

I think the last thing that I would look at would be price, to be honest, because I care more about the solution. Is it going to work for us? It's a partnership. When I meet a vendor, and we're actually going to put in one of their tools, or we're going to use a tool, or an appliance or whatever, to help us, then that to me is a partnership, and we're in this solution together. That's what I really, really got from CA.

The setup was very easy. We just downloaded the actual VM appliance; implemented that. There are six or seven steps that you do to configure it for the environment. Once we set up our load balancer and stuff, it was up and running and ready for us to use. It's very, very simple.

The patch process is the same way. All you do is you download the newest version, put it out there, and then just do those six or seven steps, and we're up and running. We can replace it very quickly.

I did some due diligence. I think you always have to do some due diligence, and I looked at some other products. I don't think any of them met my needs, not as good as this product did.

I think it can get better, and it has over the different versions. 9.1 came out, and it offered some more functionality. They've added more products around the solution to make it better, so I think there's always room for improvement. I think it's been very, very stable for us. It's worked every time we've needed it, and it's allowed us to do a lot better for as a company.

We are using Layer7 API Management as an enterprise service bus, ESB, and B2B security gateway.

There is not a comparable solution on the market to Layer7 API Management. It has been useful for our organization.

The most valuable feature of Layer7 API Management is that their policy is really easy to develop and it is flexible.

The UI design could be improved in the next release.

I have been using Layer7 API Management for approximately six years.

The solution is stable.

Layer7 API Management is scalable.

We have two people in my company that uses this solution. We are will need to train more people.

We are attempting to expand usage but because we cannot find resources, we will try to change to some other product. We were using it for a long time. It's a little difficult to transfer every feature that we have, but we are still open to finding another product, such as NGINX. We are on the POC of NGINX, but it keeps changing. The organization is trying to stop using this product as we have a lack of resources, but right now we found that some of the features cannot transform easily. Then we want to expand, I'm confused as well about what we are doing.

The initial installation was straightforward. We split the release and the patching takes a few minutes with a few mouse clicks. We automate most of the process.

We have an in-house team that does the implementation.

There is an annual license for the use of this solution. I think we are paying for some support maintenance fees, included in that license. I don't know how it works. They should provide more information.

We have been evaluating NGINX. I have found NGINX has a better UI than Layer7 API Management. Most of the features that NGINX has are already supported in Layer7 API Management.

We have found it's really difficult to find the right resource in our Canadian market. It is more difficult to hire new developers who can support Layer7 API Management.

My advice to those wanting to implement this solution is if they have the right resource, this is a really nice product and I recommend it because it's really flexible and that they can build and customize with the vendor directly. I really am with this product.

I rate Layer7 API Management a nine out of ten.