Layer7 API Management Reviews

Our primary use case is basic encryption/decryption using symmetric assertions and then, gradually, SOAP signatures, SOAP encryption, non-SOAP XML encryption, and signing that. In the last six months or so, I have been working on JWT (JSON Web Tokens).

Using this solution, the deployment and development processes become easier when compared to before, when complete Java development was necessary. Now, the encryption part is very easy and our clients don't have to continuously depend on logic. On this platform, it's very easy for them to understand and to do testing. It saves them time.

I haven't found that there are any most-valuable features. I'm not using any feature most often in any of my use cases. The use cases depend upon the customers' requirements.

In terms of protecting APIs against threats and vulnerabilities, there are a few assertions which are built-in for threat protection. I have used them for vulnerabilities, like for DDoS attacks, XML schema validation, IP restriction, and for cross-domain.

There are old algorithms that the tool does not support - and it shouldn't, in my opinion. But sometimes customers need old algorithms, from old use cases and old applications, migrated to the platform. At those times, there are hiccups that happen. It's a bit of a challenge to make the customer understand that we should not be going with these old applications.

We have not faced many issues with its stability.

Scalability is a bit tough if it is a production environment. If you are planning to scale it and increase the number of servers within one to two years, that can be challenging. Up until now, if I have installed four servers, I haven't been given requirements to add more than that.

We have contacted support. There were two cases where there wasn't support for old algorithms, the assertions weren't supporting them, and we reached out to the support team. They were very helpful. It depends on the problem you are asking them about. If it's easy, they give you solutions quickly. If there is a requirement for the engineering team to be involved, then it takes time. But they're very helpful.

The setup is straightforward. If I'm doing it on a local machine, it takes 20 to 30 minutes for a single client. I don't have any implementation strategies. It's a straightforward process where you just need to select the options, click enter, enter, enter, and provide whatever input is required.

Before starting the implementation with a customer, we give them the prerequisites that are required. If those prerequisites are met, it doesn't take much time to do the deployment. They have to provide the IP, the hostnames, and the port openings.

In our last deployment, it took me two days to install all the port services. There was one replication and there were two persisting nodes. I did the complete installation and was initially involved in the API development. After that, my colleagues were involved in the development of APIs.

It requires a minimum of two people for maintenance, once it's up and running.

The tool is very powerful so if you are looking to go with an API platform I would recommend CA.

The number of users among our clients is growing, although I don't have an actual number I can give you. Initially, it takes time to get people to understand the platform, but once they understand it, everyone wants to use the platform and have their application exposed to this platform only.

Overall, I would rate the solution at nine out of ten. 

Our primary use case is for API management. We use it as a security gateway in our DMZ and ESB and our trusted zone.

It works great. We haven't had any problems, it just runs.

Day to day functionality. It just works and it's easy to use, that's the best part of it.

Most valuable features are 

• the ease of use
• a very nice UI
• you can navigate through the screens
• a very good search feature.

I would like to see it work better with one of our back-end databases, DB2 UDB. Other than that, I really don't have any complaints so far. It's doing everything we need it do.

Stability is great. We run a high resilient load balance configuration. We haven't had any problems with it.

It scales.

We have not used technical support yet. We have not run into any problems yet.

We had API gateways before, we just divested from IBM and went with CA.

We bought 16 gateways earlier this year and we're setting them up right now. It's good. Straightforward.

When choosing a company to work with and buy from, they need to be industry-rated, they need to be one of the upper-right companies for strength, vision, and performance.

If I were advising a colleague at another company who's searching for a similar product I would tell them to talk to CA.

One valuable feature is the ease of development of the policies for the product. It's very easy to have a brand new developer come in and develop a policy to expose our APIs.

It's benefited us greatly in allowing us to expose our APIs to external third-party vendors in a secure fashion.

I would like to see the GMU, the automated deployment framework, available in some sort of graphical interface. This would allow options, outside of automation, so you could see things graphically.

The product is becoming more stable as the product has become more mature. At this point, it's a pretty stable product.

On the scalability perspective, the product has no issues. It's able to scale out horizontally and vertically and has posed no problem for us. We have a pretty large implementation.

I have absolutely used technical support. They have been pretty good, especially when more complex issues are escalated. They've got some resources that do a wonderful job in helping us come to a resolution.

We didn't have a previous solution specific to this. We had some other products where there was some overlap with this product, but none of the products accomplished what this did. We had a specific need.

There were multiple products that were specialized in different things, but they could do some of the stuff that this product could do. This solution is very narrowly focused on API management.

I was involved in the installation and implementation. I think it was lacking some documentation around performance tuning and getting the product operationalized so that it could maintain itself. The documentation is still a little bit lacking in those areas. The documentation is available on demand, or on informal places like community chat groups where you can get information, but as far as in the product documentation itself, it's lacking in those areas.

When selecting a vendor, look at the partnership with the company. See if they're able to listen to you about your needs. See if they are able to respond quickly. See that the product provides good value. Work closely with the vendor to make sure you get things set up correctly. If you don't, you'll be very disappointed.

We primarily use Layer7 API Management to monitor stuff. I'm the one who installs it. They sent me a TAR file, I unloaded it to TAR, brought it up, and made everything work. I gave it the three different network configurations to talk to the three different domains, and then I turn it over to the guys, and they do what they got to do with it.

The best part about it is that it doesn't stop if something is missing during the installation. It looks for it on its own. I don't have to be there to do it physically.

I've been using Layer7 API Management for about three months.

Layer7 API Management appears to be stable. No one has called me to say that it's not working.

Layer7 API Management is a scalable solution.

The initial setup wasn't that hard. You got all the Postgres and all those other little add-ons. It makes sure you've got this installed and that installed. There are prerequisites for what it needs before it gets up and running, but that's a piece of cake.

It all depends on how good your developers are. I know Nutanix and VMware. If you want to do a quick setup with VMware, they have everything preloaded, everything comes in one package, and everything needed for your application to work is already loaded into the bundle.

With SolarWinds, everything is configured for their SolarWinds app, and it's like having a Windows disc with the little features you can add. It's like, if you install the software for Windows or some of these other applications, you can break it down to where you can add in features as needed.

I'd rate it an eight out of 10, no solution is perfect.

We use the API Gateway as a front door to access our APIs that we host internally, to enable us to get involved in the digitalization.

It has performed very well, actually. It's given us new capabilities that we never had before and gives us more confidence in increasing the number of APIs that we actually have.

I think the flexibility. It's very configurable. Each policy is very customizable, where we can accommodate different capabilities that our trading partners actually have. Even though from a textbook standpoint, there's always a certain ideal pattern that you want to apply, that's rarely the case with our trading partners. That flexibility is very important.

And the main point of the Gateway is the security aspect of it. It's very good from that standpoint. It has met all of our expectations. We're very happy with that.

It gave us new capabilities that we really didn't have before. We didn't have a good way of exposing APIs to the internet in a reliable, secure way. It gave us that ability. 

It also gives us a focal point where it's allowing us to consolidate our portfolio. Where before - Cargill is a very large company - from one business unit to the next, they didn't necessarily know what we actually have. This product enables us to consolidate that, so there's one place to look.

The tool itself, I think, could be better. Along with the flexibility it does have, I wish it had a little more modern user interface. For troubleshooting, debugging, that kind of thing, it could definitely be better. I would like to see improvements in the user interface, for sure for Policy Manager. That's the developer's tool. 

Debugging seems a little bit archaic by modern standards. I would like to see that improved. 

I would like to see better documentation for the development language itself. I think they took a step backwards, actually, when they published all their documentation online. Accessibility is better because it's on the web. But the content seems to me to have taken a step backwards. Not enough details, more difficult to find specifics. And you would almost think that would be the opposite, but the feedback I've gotten from our developers, and my own experience, is that it's not the case.

But in terms of the structure of how the language works, it's pretty good. It gives you a lot of flexibility and allows you to accomplish a lot quickly.

So, in general, improvements in the UI, usability. Like I said, it seems dated in terms of how it works, by modern standards. I think they could go a long way to refurbishing the whole UI.

It's been very good. 

We have had some issues. Technically it's like a database replication issue, where our operations people tell me that the audit logs have been quite large, and that has caused some replication issues between the two nodes in our cluster. 

But outside of that, it's been very good.

We're relatively new to this so I don't think we're taxing the capacity of our gateway at all. In the business that we're in, I don't think that we're going to get to huge volumes anyways. Our goal is to leverage it more. So far, that hasn't been an issue at all.

The biggest thing for us would be that currently it is deployed in one region. We're a global company, so that technically is a little bit of a constraint for us. We haven't been able to deploy more gateways in other regions mainly due to cost of licensing.

Overall it's been very good. 

There are two perspectives. We've used our technical sales contacts. They have been very responsive and very good. We're lucky that we have a couple of them local in our city. They've actually come on-premise to help us. That's been very helpful, very good. Professional services has been really good too. I've spent a lot of time with them. Again, their expertise has been very valuable. 

From a ticket support point of view, where we submit a ticket, I would say that's been a little bit less helpful, in terms of responsiveness, and conveying the actual issue to the person. Once you get them on the phone, and have a one on one working session - which they have been willing to do - that's been very good. But through the ticketing system and the support website, it could be better.

It was a gap in our company. We knew we had APIs that we wanted to leverage and work with our trading partners, for them to access it. But working with our security team, we knew that we didn't have a good way of exposing them securely. That was a roadblock for our business. We couldn't make them accessible because of polices. API Gateway filled that gap and enabled us to use best practices to expose our APIs.

I have been involved more from the development standpoint. We're set up in two groups, an operational side which sets up the infrastructure, does actual server software; I haven't been involved too much from that standpoint. It's more in the development side, to get initial templates together and patterns that we're going to apply. And just coming up with some standards for our developers to use.

I would say it's complex. But I think part of it is just the nature of what this stuff is, when you're dealing with security and the variety of approaches that there can be. That makes it complex. For us, it was relatively new, so there were a lot of challenges there to just learn all the different aspects of it. 

We did consider other vendors. I wasn't part of the original selection, but it came down to two different vendors, CA being one of them - at the time it was Layer 7. Then we did a proof of concept, so I was involved in that. 

In the end, it was really no contest. I tell our other people about this: That it was a week long proof of concept and the other vendor, it couldn't complete one use case. In one week, they had three people that they brought on-premise to work on our use cases for the proof of concept, and they couldn't complete any of them. Layer 7, they completed all of the use cases in one afternoon. It was pretty convincing.

What's important to us when selecting a vendor, besides the product, the vendor needs to be of significant size to be able to continue to evolve the product. It needs to be able to provide enterprise-level support. We're a large company, so we expect the vendor to provide that backing of their product and SLAs. When we choose a product we don't want it to be a product that comes and goes. We want there to be a clear vision of where it's going, that's important to us. CA was able to demonstrate that to us.

It's very good in terms of what we wanted out of the product, initially. But now that we've explored and had the product for a while, we expect more. I think it definitely has room for improvement. Some of those things we're seeing here today, or in this week, at the CA World conference, give me some hope that that improvement is going to happen.

I would advise taking a look at what's available. Clearly, we've had good success with CA API Gateway, but this is a very quickly evolving space. I would encourage them to look at what's out there, what's available. They should prioritize what's important to them, what they're looking for out of the product. Then do a proof of concept to make sure that they feel comfortable, that the product is what they need. Also work with the technical support staff, to make sure that they're comfortable working with them too.

We have many use cases. We are doing an enterprise install for all CA API management tool searches which are covered under the ELA, Enterprise License Agreement. We have close to a 100 plus use cases that we want to deploy, the next is over a six months to one year timeline.

There are many things, which are really good, like the Gateway. That's really great and pretty useful. The Mobile API Gateway is also great.

We have not tested it to the extent that we should. Maybe six months down the line we will have a better picture.

At a high level, I would say the portal is a pain. CA double up portal is a pain. It is something that we are struggling with right now. That is just one of the products which is probably not sufficiently satisfactory. We are struggling to get it installed to be used now.

It is not a fully-baked product as a whole. So, individual solutions may be good, but they are evolving in their silos. There needs to be wholistic thinking about how each one of these products functions. Each one of these CA products under API management needs to work in synergy, and evolve in a more cohesive, coherent way so we as enterprise we can take it seamlessly without much pain. 

We have not used technical support yet.

We have ELA with other product vendors, like IBM and Oracle. However, we thought CA might be a good option based on their support within the account. The CA folks who are working, partnering with us within the account and our organization, they have been very reachable and very cooperative.

So even though we have licenses with IBM and Oracle for the same kind of products, API management, we are going ahead with CA just because of the trust that they were able to build. 

It was probably not that straightforward, because the vendor team (CA Services) struggled a bit. 

We implemented using CA Services to come and install the software.

I felt there was a lack of expertise on CA's part, because there are many things within the API management. Maybe the consultant from CA services who came to our organization did not have the experience on all the tools that CA was releasing, which was why the initial setup may not have been straightforward for him. He was good with Gateway, but with the other pieces, he was struggling a bit. It took sometime for him.

We already have ELA with multiple product vendors. It is a matter of using which one we want and moving forward. 

CA is worth trying. It is definitely a key contender in the API management space.

Most important criteria when selecting a vendor: size and brand value.

The most valuable features are reliability and scalability; it's just easy to deploy across our environment. We like those features.

It certainly filled the API management needs of our organization. For example, we were in the process of designing a patient portal for the hospital, and we were able to quickly leverage the UAR tool kit that’s available. The developers didn't really have to think about security, even though in the healthcare industry, security is a big concern. And that was all leveraged from the robust tool kit available in API Management. Taking that heavy lifting away from the developers so they could focus on functionality and we could focus on delivering the secure access they needed, was great.

It's a great product. Just expand on it. I think CA has done a good job bringing the UI component to macOS; that’s good. And I think they're also doing a web UI version where you can create policies. I believe in the past, they had some limitations of what you could or couldn't do, but they are solving some of those issues.

CA is the leader in this space. So we look toward them for coming up with best practices to adopt. I'm not really an expert in that area.

We've had it working for about 4 or 5 years

We've had it working for about 4 or 5 years now and apart from upgrades, we have never had a problem with outages or components breaking down.

We began with just one appliance. Then, as our needs grew, we put in a load balancer. It had multiple VMs talking together, which was fairly easy to do and we never had a problem with that either. From time to time, when we needed to take one server out of the load, it was an easy process; the other servers automatically absorbed the workload. That's a benefit for us.

We had API Management from when it was still Layer 7. Their people were certainly filling a lot of shoes because it was a smaller company at that point and you would see the eagerness for technical support to jump in, be hands on, and help you all the way through. Now, they try to push us towards the solutions and the consultants a little more. In a bigger organization, getting POs signed is not an easy process and when you want something that could take an hour or two hours to fix, now becomes a bigger hassle.

When we looked at this emerging API management need seven years ago, we looked at the Gartner recommendations and then looked at our organization’s needs at that time and kind of picked CA right from the beginning.

I jumped in to the second or third upgrade, not at the initial setup.

I would certainly recommend using this product. We've had a wonderful success story. And we've not had any issues with it. Even when the consultants do come out, they are very knowledgeable. They know the product inside and out and can implement it right on site. That is a plus.

When selecting a vendor, the interoperability between their different products that we have is important, as well as expandability. Additionally, we want to be able to configure the product to our liking. That helps us adopt it.

We use this as a Cyber security appliance and also as a centralised API management platform for partners.

We've got all sorts of threat protection in the API Gateway, from DDoS through to SQL injection and things like that. These are standard features that we use within policies that we drive out the Gateway.

We've got a security policy fragment that we know is consistent across all the APIs we expose via the gateway. Also, as it's a fragment, we can add to it at any point, as new vulnerabilities are discovered, which will then secure all the services/apis that use it. This gives us greater agility and confidence that our APIs are secure.

Security is the fundamental use of the gateway so the security assertions are heavily used and are consistent. We also use it to broker asynchronous messaging across DCs transforming between messaging technologies to provide real time updates for customers in a really secure way.

Also, the actual management of APIs is fundamental to us, as we're a heavy API user/provider. So, obviously, a centralised management platform is important.

We have cases open around the SQL injection capabilities that need improvement. Cross-origin resource sharing policies need to be made a common assertion in the Gateway, that's not there at the moment out of the box (although it is available as a policy fragment). 

The developer portal needs to fully supported SOAP services (including WSDL publication with security), it would certainly push adoption for us.

Verbose logging in production has caused us a couple of issues, never enable this in production! In addition pay attention to name servers for DNS.

Scalabillity, like most things, is in the hands of your own business to implement. The gateway is flexible and can be scaled to the level you see fit. Be aware though, verbos logging will bring your platform down in seconds, so only use in non-production environments.

We have a few cases open. I'd say I'd give an average rating of around 7/10 for technical support. Some people have been very helpful and others not quite so.

We use Microsoft IIS in other areas to expose services against a load-balanced cluster. So we have these bulk security components within it. They've never been compromised but we thought we'd would add an off-the-shelf security appliance to add an additional layer that also comes with API management capabilities.

The setup was complex, definitely complex. As above, don't underestimate the effort required to build a HA/FT instance of this for both the Gateway and the Developer Portal. Be aware of additional licenses for your warm standby. Ensure you get plenty of non-production licenses.

Both. The vendor team seemed technical enough. Note: Ensure that your in-house teams and the vendor supplied staff are fully aligned to make deployment efficient. Deploying the gateway platform is a full project and would need managing as such.

There has a been a lot of confusion with pricing and licenses, especially around the number of cores. In addition, don't underestimate the effort required to build a HA/FT/DR instance of this for both the Gateway and the Developer Portal. Be aware of additional licenses for your warm standby. Ensure you get plenty of non-production licenses.

I don't remember all the evaluated options. We reviewed, it must have been six or seven, maybe more, API management vendors.

I would say that, although the Gateway is geared up for managing SOAP services, the developer portal isn't. It's a gap for us, which means the developer portal isn't quite as good as we thought it was going to be for managing SOAP services ( which we have quite a lot of). They're not discoverable in the portal, as are RESTful services.