Layer7 API Management Reviews

Our primary use case is for API management. We use it as a security gateway in our DMZ and ESB and our trusted zone.

It works great. We haven't had any problems, it just runs.

Day to day functionality. It just works and it's easy to use, that's the best part of it.

Most valuable features are 

• the ease of use
• a very nice UI
• you can navigate through the screens
• a very good search feature.

I would like to see it work better with one of our back-end databases, DB2 UDB. Other than that, I really don't have any complaints so far. It's doing everything we need it do.

Stability is great. We run a high resilient load balance configuration. We haven't had any problems with it.

It scales.

We have not used technical support yet. We have not run into any problems yet.

We had API gateways before, we just divested from IBM and went with CA.

We bought 16 gateways earlier this year and we're setting them up right now. It's good. Straightforward.

When choosing a company to work with and buy from, they need to be industry-rated, they need to be one of the upper-right companies for strength, vision, and performance.

If I were advising a colleague at another company who's searching for a similar product I would tell them to talk to CA.

One valuable feature is the ease of development of the policies for the product. It's very easy to have a brand new developer come in and develop a policy to expose our APIs.

It's benefited us greatly in allowing us to expose our APIs to external third-party vendors in a secure fashion.

I would like to see the GMU, the automated deployment framework, available in some sort of graphical interface. This would allow options, outside of automation, so you could see things graphically.

The product is becoming more stable as the product has become more mature. At this point, it's a pretty stable product.

On the scalability perspective, the product has no issues. It's able to scale out horizontally and vertically and has posed no problem for us. We have a pretty large implementation.

I have absolutely used technical support. They have been pretty good, especially when more complex issues are escalated. They've got some resources that do a wonderful job in helping us come to a resolution.

We didn't have a previous solution specific to this. We had some other products where there was some overlap with this product, but none of the products accomplished what this did. We had a specific need.

There were multiple products that were specialized in different things, but they could do some of the stuff that this product could do. This solution is very narrowly focused on API management.

I was involved in the installation and implementation. I think it was lacking some documentation around performance tuning and getting the product operationalized so that it could maintain itself. The documentation is still a little bit lacking in those areas. The documentation is available on demand, or on informal places like community chat groups where you can get information, but as far as in the product documentation itself, it's lacking in those areas.

When selecting a vendor, look at the partnership with the company. See if they're able to listen to you about your needs. See if they are able to respond quickly. See that the product provides good value. Work closely with the vendor to make sure you get things set up correctly. If you don't, you'll be very disappointed.

We primarily use Layer7 API Management to monitor stuff. I'm the one who installs it. They sent me a TAR file, I unloaded it to TAR, brought it up, and made everything work. I gave it the three different network configurations to talk to the three different domains, and then I turn it over to the guys, and they do what they got to do with it.

The best part about it is that it doesn't stop if something is missing during the installation. It looks for it on its own. I don't have to be there to do it physically.

I've been using Layer7 API Management for about three months.

Layer7 API Management appears to be stable. No one has called me to say that it's not working.

Layer7 API Management is a scalable solution.

The initial setup wasn't that hard. You got all the Postgres and all those other little add-ons. It makes sure you've got this installed and that installed. There are prerequisites for what it needs before it gets up and running, but that's a piece of cake.

It all depends on how good your developers are. I know Nutanix and VMware. If you want to do a quick setup with VMware, they have everything preloaded, everything comes in one package, and everything needed for your application to work is already loaded into the bundle.

With SolarWinds, everything is configured for their SolarWinds app, and it's like having a Windows disc with the little features you can add. It's like, if you install the software for Windows or some of these other applications, you can break it down to where you can add in features as needed.

I'd rate it an eight out of 10, no solution is perfect.

We use the API Gateway as a front door to access our APIs that we host internally, to enable us to get involved in the digitalization.

It has performed very well, actually. It's given us new capabilities that we never had before and gives us more confidence in increasing the number of APIs that we actually have.

I think the flexibility. It's very configurable. Each policy is very customizable, where we can accommodate different capabilities that our trading partners actually have. Even though from a textbook standpoint, there's always a certain ideal pattern that you want to apply, that's rarely the case with our trading partners. That flexibility is very important.

And the main point of the Gateway is the security aspect of it. It's very good from that standpoint. It has met all of our expectations. We're very happy with that.

It gave us new capabilities that we really didn't have before. We didn't have a good way of exposing APIs to the internet in a reliable, secure way. It gave us that ability. 

It also gives us a focal point where it's allowing us to consolidate our portfolio. Where before - Cargill is a very large company - from one business unit to the next, they didn't necessarily know what we actually have. This product enables us to consolidate that, so there's one place to look.

The tool itself, I think, could be better. Along with the flexibility it does have, I wish it had a little more modern user interface. For troubleshooting, debugging, that kind of thing, it could definitely be better. I would like to see improvements in the user interface, for sure for Policy Manager. That's the developer's tool. 

Debugging seems a little bit archaic by modern standards. I would like to see that improved. 

I would like to see better documentation for the development language itself. I think they took a step backwards, actually, when they published all their documentation online. Accessibility is better because it's on the web. But the content seems to me to have taken a step backwards. Not enough details, more difficult to find specifics. And you would almost think that would be the opposite, but the feedback I've gotten from our developers, and my own experience, is that it's not the case.

But in terms of the structure of how the language works, it's pretty good. It gives you a lot of flexibility and allows you to accomplish a lot quickly.

So, in general, improvements in the UI, usability. Like I said, it seems dated in terms of how it works, by modern standards. I think they could go a long way to refurbishing the whole UI.

It's been very good. 

We have had some issues. Technically it's like a database replication issue, where our operations people tell me that the audit logs have been quite large, and that has caused some replication issues between the two nodes in our cluster. 

But outside of that, it's been very good.

We're relatively new to this so I don't think we're taxing the capacity of our gateway at all. In the business that we're in, I don't think that we're going to get to huge volumes anyways. Our goal is to leverage it more. So far, that hasn't been an issue at all.

The biggest thing for us would be that currently it is deployed in one region. We're a global company, so that technically is a little bit of a constraint for us. We haven't been able to deploy more gateways in other regions mainly due to cost of licensing.

Overall it's been very good. 

There are two perspectives. We've used our technical sales contacts. They have been very responsive and very good. We're lucky that we have a couple of them local in our city. They've actually come on-premise to help us. That's been very helpful, very good. Professional services has been really good too. I've spent a lot of time with them. Again, their expertise has been very valuable. 

From a ticket support point of view, where we submit a ticket, I would say that's been a little bit less helpful, in terms of responsiveness, and conveying the actual issue to the person. Once you get them on the phone, and have a one on one working session - which they have been willing to do - that's been very good. But through the ticketing system and the support website, it could be better.

It was a gap in our company. We knew we had APIs that we wanted to leverage and work with our trading partners, for them to access it. But working with our security team, we knew that we didn't have a good way of exposing them securely. That was a roadblock for our business. We couldn't make them accessible because of polices. API Gateway filled that gap and enabled us to use best practices to expose our APIs.

I have been involved more from the development standpoint. We're set up in two groups, an operational side which sets up the infrastructure, does actual server software; I haven't been involved too much from that standpoint. It's more in the development side, to get initial templates together and patterns that we're going to apply. And just coming up with some standards for our developers to use.

I would say it's complex. But I think part of it is just the nature of what this stuff is, when you're dealing with security and the variety of approaches that there can be. That makes it complex. For us, it was relatively new, so there were a lot of challenges there to just learn all the different aspects of it. 

We did consider other vendors. I wasn't part of the original selection, but it came down to two different vendors, CA being one of them - at the time it was Layer 7. Then we did a proof of concept, so I was involved in that. 

In the end, it was really no contest. I tell our other people about this: That it was a week long proof of concept and the other vendor, it couldn't complete one use case. In one week, they had three people that they brought on-premise to work on our use cases for the proof of concept, and they couldn't complete any of them. Layer 7, they completed all of the use cases in one afternoon. It was pretty convincing.

What's important to us when selecting a vendor, besides the product, the vendor needs to be of significant size to be able to continue to evolve the product. It needs to be able to provide enterprise-level support. We're a large company, so we expect the vendor to provide that backing of their product and SLAs. When we choose a product we don't want it to be a product that comes and goes. We want there to be a clear vision of where it's going, that's important to us. CA was able to demonstrate that to us.

It's very good in terms of what we wanted out of the product, initially. But now that we've explored and had the product for a while, we expect more. I think it definitely has room for improvement. Some of those things we're seeing here today, or in this week, at the CA World conference, give me some hope that that improvement is going to happen.

I would advise taking a look at what's available. Clearly, we've had good success with CA API Gateway, but this is a very quickly evolving space. I would encourage them to look at what's out there, what's available. They should prioritize what's important to them, what they're looking for out of the product. Then do a proof of concept to make sure that they feel comfortable, that the product is what they need. Also work with the technical support staff, to make sure that they're comfortable working with them too.

We have many use cases. We are doing an enterprise install for all CA API management tool searches which are covered under the ELA, Enterprise License Agreement. We have close to a 100 plus use cases that we want to deploy, the next is over a six months to one year timeline.

There are many things, which are really good, like the Gateway. That's really great and pretty useful. The Mobile API Gateway is also great.

We have not tested it to the extent that we should. Maybe six months down the line we will have a better picture.

At a high level, I would say the portal is a pain. CA double up portal is a pain. It is something that we are struggling with right now. That is just one of the products which is probably not sufficiently satisfactory. We are struggling to get it installed to be used now.

It is not a fully-baked product as a whole. So, individual solutions may be good, but they are evolving in their silos. There needs to be wholistic thinking about how each one of these products functions. Each one of these CA products under API management needs to work in synergy, and evolve in a more cohesive, coherent way so we as enterprise we can take it seamlessly without much pain. 

We have not used technical support yet.

We have ELA with other product vendors, like IBM and Oracle. However, we thought CA might be a good option based on their support within the account. The CA folks who are working, partnering with us within the account and our organization, they have been very reachable and very cooperative.

So even though we have licenses with IBM and Oracle for the same kind of products, API management, we are going ahead with CA just because of the trust that they were able to build. 

It was probably not that straightforward, because the vendor team (CA Services) struggled a bit. 

We implemented using CA Services to come and install the software.

I felt there was a lack of expertise on CA's part, because there are many things within the API management. Maybe the consultant from CA services who came to our organization did not have the experience on all the tools that CA was releasing, which was why the initial setup may not have been straightforward for him. He was good with Gateway, but with the other pieces, he was struggling a bit. It took sometime for him.

We already have ELA with multiple product vendors. It is a matter of using which one we want and moving forward. 

CA is worth trying. It is definitely a key contender in the API management space.

Most important criteria when selecting a vendor: size and brand value.

The most valuable features are reliability and scalability; it's just easy to deploy across our environment. We like those features.

It certainly filled the API management needs of our organization. For example, we were in the process of designing a patient portal for the hospital, and we were able to quickly leverage the UAR tool kit that’s available. The developers didn't really have to think about security, even though in the healthcare industry, security is a big concern. And that was all leveraged from the robust tool kit available in API Management. Taking that heavy lifting away from the developers so they could focus on functionality and we could focus on delivering the secure access they needed, was great.

It's a great product. Just expand on it. I think CA has done a good job bringing the UI component to macOS; that’s good. And I think they're also doing a web UI version where you can create policies. I believe in the past, they had some limitations of what you could or couldn't do, but they are solving some of those issues.

CA is the leader in this space. So we look toward them for coming up with best practices to adopt. I'm not really an expert in that area.

We've had it working for about 4 or 5 years

We've had it working for about 4 or 5 years now and apart from upgrades, we have never had a problem with outages or components breaking down.

We began with just one appliance. Then, as our needs grew, we put in a load balancer. It had multiple VMs talking together, which was fairly easy to do and we never had a problem with that either. From time to time, when we needed to take one server out of the load, it was an easy process; the other servers automatically absorbed the workload. That's a benefit for us.

We had API Management from when it was still Layer 7. Their people were certainly filling a lot of shoes because it was a smaller company at that point and you would see the eagerness for technical support to jump in, be hands on, and help you all the way through. Now, they try to push us towards the solutions and the consultants a little more. In a bigger organization, getting POs signed is not an easy process and when you want something that could take an hour or two hours to fix, now becomes a bigger hassle.

When we looked at this emerging API management need seven years ago, we looked at the Gartner recommendations and then looked at our organization’s needs at that time and kind of picked CA right from the beginning.

I jumped in to the second or third upgrade, not at the initial setup.

I would certainly recommend using this product. We've had a wonderful success story. And we've not had any issues with it. Even when the consultants do come out, they are very knowledgeable. They know the product inside and out and can implement it right on site. That is a plus.

When selecting a vendor, the interoperability between their different products that we have is important, as well as expandability. Additionally, we want to be able to configure the product to our liking. That helps us adopt it.

We use this as a Cyber security appliance and also as a centralised API management platform for partners.

We've got all sorts of threat protection in the API Gateway, from DDoS through to SQL injection and things like that. These are standard features that we use within policies that we drive out the Gateway.

We've got a security policy fragment that we know is consistent across all the APIs we expose via the gateway. Also, as it's a fragment, we can add to it at any point, as new vulnerabilities are discovered, which will then secure all the services/apis that use it. This gives us greater agility and confidence that our APIs are secure.

Security is the fundamental use of the gateway so the security assertions are heavily used and are consistent. We also use it to broker asynchronous messaging across DCs transforming between messaging technologies to provide real time updates for customers in a really secure way.

Also, the actual management of APIs is fundamental to us, as we're a heavy API user/provider. So, obviously, a centralised management platform is important.

We have cases open around the SQL injection capabilities that need improvement. Cross-origin resource sharing policies need to be made a common assertion in the Gateway, that's not there at the moment out of the box (although it is available as a policy fragment). 

The developer portal needs to fully supported SOAP services (including WSDL publication with security), it would certainly push adoption for us.

Verbose logging in production has caused us a couple of issues, never enable this in production! In addition pay attention to name servers for DNS.

Scalabillity, like most things, is in the hands of your own business to implement. The gateway is flexible and can be scaled to the level you see fit. Be aware though, verbos logging will bring your platform down in seconds, so only use in non-production environments.

We have a few cases open. I'd say I'd give an average rating of around 7/10 for technical support. Some people have been very helpful and others not quite so.

We use Microsoft IIS in other areas to expose services against a load-balanced cluster. So we have these bulk security components within it. They've never been compromised but we thought we'd would add an off-the-shelf security appliance to add an additional layer that also comes with API management capabilities.

The setup was complex, definitely complex. As above, don't underestimate the effort required to build a HA/FT instance of this for both the Gateway and the Developer Portal. Be aware of additional licenses for your warm standby. Ensure you get plenty of non-production licenses.

Both. The vendor team seemed technical enough. Note: Ensure that your in-house teams and the vendor supplied staff are fully aligned to make deployment efficient. Deploying the gateway platform is a full project and would need managing as such.

There has a been a lot of confusion with pricing and licenses, especially around the number of cores. In addition, don't underestimate the effort required to build a HA/FT/DR instance of this for both the Gateway and the Developer Portal. Be aware of additional licenses for your warm standby. Ensure you get plenty of non-production licenses.

I don't remember all the evaluated options. We reviewed, it must have been six or seven, maybe more, API management vendors.

I would say that, although the Gateway is geared up for managing SOAP services, the developer portal isn't. It's a gap for us, which means the developer portal isn't quite as good as we thought it was going to be for managing SOAP services ( which we have quite a lot of). They're not discoverable in the portal, as are RESTful services.

We have the API Gateway deployed in production. The primary use case is for the API Gateway to provide API access, and authentication, and authorization for the APIs we expose through our product. 

I am also looking forward to having the API developer portal deploy as well so we get a bit more insights into the analytics part, and also some of the API lifecycle management associated with it.

I love the API Gateway, especially the architecture, in terms of the composability of the policies. We approach it from a very software-engineering approach.We build on the policies, like legal blocks, and we deploy them throughout different environments. It's been working out great for us.

It definitely helps a lot with the DevOps and the support. Reliability is one thing, and having visibility into who is using which APIs. 

Some of the performance matrix that API Gateway gives off - we monitor them via SNMP traps - and then we tie them into our monitoring system. You can actually monitor some of the latencies and some of the performance aspects of both API Gateways, as well back end services. So having that line of sight surely helps in terms DevOps.

The most valuable feature, as I mentioned, is the composability, because we use a lot of functionalities. 

Also, right now we're looking into the Dockerized version of API Gateway because that would allow us to flow nicely into our Microservice Architecture.

The more automation the better. I think CA is stepping in the right direction. I went through the micro API Gateway presentations here at the CA World conference, on how you can automate more of the policy deployment via the JSON format, so you don't even having to touch the Policy Manager. Because every time you touch something in the Policy Manager you think, "Well, that's a GUI, humans need to go in and do something with it." So if we can automate everything with the APIs, that helps a lot in the DevOps lifecycle, where we want to automate everything.

I've always been a fan of API Gateway. In the past we've used various API Gateways, some of them are open source. It's definitely very reliable and robust. The three years that we have them in production, not a single instance of downtime due to the API Gateway. We have issues, but it's mostly because of API backend issues or low balance issues and such, but API Gateway has been pretty reliable for us.

The scalability has been good. Now we have exposed the APIs, we have a four-node cluster of API Gateways in production. It's been scaling out well for us. I haven't had any issue yet.

I have ended up using technical support several times. I think it's fantastic. I've been working with a particular technical person in CA and he's been really, really helpful. He's been very busy, but the support that he gives me is above and beyond the call of duty.

Even going through the 24/7 support I usually get the answer back within 24 hours.

It was three years back, and at that time there wasn't a lot of automation going on with the API Gateway. It was a lot manuals, so we're using the OVA version of the API Gateway. As time went on, with the API Gateway you can pretty much auto-provision things. But two years back at least, I wasn't aware of that, so there was some manual steps. But even manual it was still quite painless to get it done.

We did do some evaluations against other products. Just to name a few, we looked at Mulesoft, WS02. We went with CA because the solution is simple to implement, it fits our use case well, and in terms of price point it also chimes well with our VPs.

I like that CA is continuing to improve the product, looking for new solutions using the API Gateway. That's something that we're familiar with. And that they're trying to make it work for different types of architectures. As I mentioned, we are moving toward Microservice Architecture and having the Docker form and the micro API Gateway to help with those kind of architectures is really helpful.

I'm an engineer, so from my perspective things have to be simple. If things get way too complicated then maybe you don't have the right solution, or you're not using the right solution to solve the right problem. In that case you may want to look for a different solution.

When selecting a vendor, as an engineer the solution that's offered by the vendor needs to be simple enough to solve my problem in an efficient way. Of course, I don't worry too much about cost because I'm not paying for it, but certainly cost does play a part in terms of licensing scheme.

The solution you choose depends a lot on the use case, so without really understanding a colleague's use case it would be hard for me to recommend anything at all. Definitely, if they want functionality like API management, I would recommend looking at CA to see it fits their use case or not.