Layer7 API Management Reviews

We use Layer7 API Management to manage API gateway and customize policy scripts.

The product works well from an implementation perspective.

Layer7 API Management’s price could be reduced.

I rate the product’s stability an eight out of ten.

We can create multiple gateways using the product. It has good scalability. It is suitable for enterprise customers who have many APIs and microservices.

We have used WSO2, Kong, MuleSoft, and other open-source products.

The initial setup process is easy and flexible.

Our customers found the product’s cost a little higher. They are looking for open-source solutions.

We evaluated Salesforce.

I rate Layer7 API Management an eight out of ten.

I sell this solution to a variety of clients in digital banking, insurance, and health care.

There are many security policies within this solution that help to prevent attacks. We are also able to implement MTLS to allow us to lock a channel from the application from the backend. There are authentication flows inside of the gateway that help us a lot to implement customers improved user experience. 

I would also like the next release to support FAPI-CIBA because there are laws in Brazil that require companies that operate in a digital manner to support CIBA and FAPI. This is more for authentication flows.

I have been a partner with Layer7 since CA Acquisition 

I have never had any concerns in regards to the scalability of the solution as it is able to handle more than 25,000 transactions per gate. We currently have seventy people working with the solution but for one simple gate implementation, only one engineer/technician is required.

The support that is available is only for technical issues, they are not able to help you with your use case.

The initial setup is a piece of cake.

Most of my customers have been able to see an ROI.

Be sure to research this product and its functionalities well prior to moving forward with the solution. Many of my clients will have issues with the solution in regards to their use cases.

This solution is easy to deploy and view data in API but you must have a solid plan to manage the environment.

I would rate it a ten out of ten. 

This product is used to expose some internal APIs to help us automate different activities.

It is helpful to have a central API that is hosted and managed.  It reduces costs and customers, suppliers, and vendors receive a uniform interface.

The license model and the cost of licensing can be improved. Especially given that we are in a stable operational mode.

We have been using Layer7 API Management for five or six years, and we have been actively using it this year.

It has been working quite well for a long time.

It's been working for us, from a scalability perspective. It's implemented within a central group, so there are just a couple of roles that run it. The APIs we host are stable.

We are in a stable maintenance mode, so we haven't had to engage customer service/technical support for some time.

We did not use another similar solution prior to this one.

It's a complex product, but I would say that the initial setup is straightforward.

Our in-house team handled the deployment.

We have a handful of IT admins and app admins who specialize in maintaining Layer 7 

It is a pricey product, although priced to the market. 

Overall, this is a good product. It's been stable and working for us, and our main difficultly is people calling out the price point on it.

Previously, we don't have a security for our web or mobile applications. In a scenario where I have an application that gives APIs to everyone in the world, they can directly access that particular application. However, this allows for different types of attacks on that particular application too. This becomes a problem if a number of users access it, whether they are valid or invalid users, they will see performance issues. If a number of attacks are happening on a particular application, it goes down. So, from a security perspective, CA API Management acts like a reserve proxy.

It makes the end user feel like it is a real system. It does not show the back-end and what the API tool does. CA API management will not let people know that there is an original server running behind the tool. That is the security point of it. 

For use cases, there are databases that some people have to query on. With the help of CA API Management tool, we can give APIs to the end user, and with the help of those APIs, they can access the data instead of the database.

APIs can be developed to provide security. We can show them in one single pane of glass, such as the CA API Management API Developer Portal. It is there that we can provide the monetization for their APIs and what is happening on third-party applications, like Paytm or BookMyShow. 

Customers go to the portal and register there. It is there that they chose their APIs from a list. Based on the registration of the APIs, the customer will be charged.

Our customers will purchase these APIs and give to their application users. The functionality provided by the CA API Management tool is about the work framework, and the API Gateway also provides work functionalities. In the API Gateway, there are features called Solution Kits. These provides work protocol functionalities and the framework. 

In order to develop an API, we'll face so many problems: 

• What method we should use?
• What is the data it should return?
• If I give this API data to the browser, how will it be processed? 

There are so many problems from the perspective of designing an API. However, the CA API Management tool, along with the CA API Gateway, eliminate all our issues.

As an organization grow, you can use CA API Management for authentication purposes through the CA API Gateway. It allows for multiple identity providers with different Active Directories.

It takes an existing service, like JSON or SOAP, and converts it for use on the application (e.g., REST services).

From a security point of view, there are different types of attacks: cross-origin resource sharing, SQL injection, shell scripting, and code injection. These type of attacks can be eliminated with the help of this tool because they are built-in with rules. If I drag and drop one rule called cross-origin resource sharing to the website I want to allow it on, only that website can contact CA API Management regarding this assertion. 

For an OAuth perspective, the application needs to be registered at my API Gateway. Once the application is registered, every time a user requests access to my API Gateway, I have to capture whether it is a valid application or not. Once it is getting validated, only then will it show them the access page for the login page to the application.

Based on the method an API, we need to be able to access that particular API.

They need a workflow for the API Developer Portal, where the process only allows requests to go to the correct person.

The CA Mobile API Gateway (MAG) for mobiles has too much latency.

If an entire cluster fails, we have disaster recovery with this solution. It provides an exact replica.

Because it contains Java, the heap memory needs to be cleaned constantly or problems will occur.

For day-to-day maintenance, two people are enough staff, e.g., checking the logs.

CA API Management is okay when it comes to supporting a large number of APIs or large number of transactions. It has high availability. With the help of a load balancer, we distribute the load among all the API Gateways. In this way, we provide high-availability for all the API Gateways.

We have scaled the product out to different countries, like China and Australia.

Previously, there was only SOAP services. When you are making an API call with SOAP services, It has a lot of impact on the application by taking too much of the bandwidth. 

Now, all the users are filling our their forms in the back-end with form data into JSON, and sending the information to the REST services.

People want the REST services. There are already existing applications which are running on the SOAP services. Rather than losing their businesses, with the help of CA API management,  they can have both their REST and SOAP services in the back-end.

The initial setup is straightforward, like creating and deploying an API. Everything happens in one single loop.

If you install the CA API gateway, it takes about 15 minutes, as it is available in OVA format. If you go with the OVA format, you don't need to do much configuration. Then, it comes up in an internal MySQL database.

The API Developer Portal takes easily an hour to set up.

When we introduce the solution to a new organization, it's not a complicated process. If we describe to them how an API can reduce work in their regular life, then they can easily understand that. When we give this to the customers, they become happy.

We use two people for deployments.

CA API Management has a licensing path. If you want more features, it requires more licenses and more installation time.

Compared to other tools, like Apigee, this is the best tool that I have used.

This product is available on-premise, in the cloud, and Docker.

The security checking authentication is our primary use case for this solution.

The API gateway is good. 

We have experienced technical difficulties with the product in the past. 

Tech support is helpful. I would give it an 8 out of 10 rating. 

I do not have any experience with the pricing or licensing of the product.

Primary user case is producing APIs as products, essentially, and creating the environment for developers to sign up to use APIs. 

It has performed well so far. We just got a test instance installed, and did a PoC earlier in the year. We are more or less just getting started with it. 

• For developers to be able to come, sign up, or find APIs. 
• Sign up for the API and start using it in their applications without a Gateway developer having to get involved. 

The benefit of it is being able to create a sense of the API marketplace. It has improved the way our company functions by streamlining the effort and getting people out of the process.

I would like to be able to see the publisher role be able to be organized within organizations, so somebody within that role can only manipulate their particular policies.

We had some problems getting it installed, but it has been running fine ever since.

It is all docker containers. So, it seems to be pretty good.

The technical support is good, knowledgeable, and responsive.

They are all friendly to work with and really seem to care about us being successful.

We were using the API Gateway before. 

The industry is moving is to be more API-oriented and more self-service oriented, which is why we invested in a new solution.

The initial setup was complex. It ran into a lot of problems. It was a new release. It was a 4.1 release. We spent the first day or so, probably almost two days, getting it to accept the proper IP from the DNS name. We ran into certificate problems. Mainly, just the installation script in our particular environment did not work very well. So, instead of what should have taken us a couple hours, or what we planned for a few hours, it ended up taking about three and a half days.

I did a PoC in the earlier part of the year. We built out some APIs on that, then we just installed the test instance a couple weeks ago. 

Purchase 4.0 now and wait until they flush out the 4.1 problems.

We evaluated CA and Google. We chose CA because we already had an embedded solution with them and a good relationship. Pricing was also a factor.

Most important criteria when selecting a vendor:

• Reliability
• Support
• Pricing.

CA is a large company. It is not like they are going to go upside down tomorrow. You want to make sure that the company is going to be around for awhile if you are investing in them. 

It's a purveyor of tools for managing and securing APIs. It is flexible in how it creates custom policies and uses builds with impressive methods.

We implemented few Layer7 project to various organizations. Most of them just use it as a 'proxy' for policy checking. For example, limit the number of access attempts on specific page from the same IP for a specific duration.

Other clients use it for logic flow, to create a workflow integrated with the Australian government's MyGov framework, which is beyond just security checks.

Some of the common useful functions/assertions (e.g., JWT encoding/decoding) are only available in other CA products. The client needs to purchase and install those products in order to make it available for Layer 7. I don't think it is justified to maintain another product that is not really needed, in order to have just one function. If those common, useful functions could be part of the core Layer7 product, that would be great.

Provide complete documentation with examples of usage on its build in assertion/function.

Easier to find documents (e.g., cluster setup).

We have been using this solution for two years.

• When more than one developer is working on separate policies, it is hard to export, import, and merge the policies to other parties
• When migrating to different environments
• When integrating with SVN/Git: This is not well documented

There were no stability issues. It is a very stable and mature product. So far, there have not been many complaints from clients regarding the stability.

Scalability performance has always been an issue. It behaves slowly when communicating with Windows-based servers (e.g., F5 load balancer or DB server, as compared to when communicating with a UNIX server.)

Customer service provides good and fast responses. They help a lot when problems occur. They always respond in a timely fashion.

Technical support provides good and fast responses. They help a lot when problems occur. By the way, the forum is also helpful for self-service.

We didn't use other solutions before this one.

The setup was simple, as it comes with the OVA file. It reduced a lot of time and problems in the deployment. The main focus is on integration with client's exiting infrastructure, instead of setting up Layer 7.

We are the vendor. I have worked on this product for more than two years and implemented it in at least three organizations.

We are the vendor and we implemented it for clients. We do not use it for ourselves. We are not aware of the ROI.

The pricing and licensing issues are done by other staff members. I have no idea on how much it costs or what the pricing structures look like.

I believe the company already did a lot evaluations with other similar products.

The Mobile SSO and Developer functions are the most valuable features. The Mobile SSO functionality is not available with most similar products in the market, which makes this a unique product. The Developer function helped the developers to be self-sufficient meaning they did not need a lot of training and they could do things on their own.

API security was another important feature in terms of how you are able to control usage of digital assets and access your systems from the outside world. Thus, security was a good feature.

Lastly, the monetization part was also important. We have not started off yet but monetization was one more thing that we were very happy and keen about when we saw this product.

We have recently implemented it so it is too early for us to say how this product has improved the working of our organization. We wanted it as a feature and capability for the organization so we have invested in it. In the future, it shall proceed in the direction of how we would like to shape-up our organization.

We would want to see the monetization feature to be a standard function. At the moment, it is a third-party solution. This feature helps you to carry out API billings, so as the APIs are consumed from the outside world, you can charge your users for using them. Currently, it is not a standard feature and is more like an add-on where they have worked out ISV pricing with others. So, if it is made as a standard feature of the product it will be really good because it will take the promise of app economy to a true level; thus, it will be truly monetized.

Another improvement we would like to see is that the product should be more relevant with the public cloud infrastructure that is pervasive nowadays. So, the ability to host and run these solutions on Amazon, Azure or Google Cloud should be a standard feature for this product. From what we have been told it is going to be a part of the product’s roadmap.

This product is stable.

We did our own test to verify scalability and found it was quite scalable. We had no issues.

We had done a load test on the application on our own and it was able to scale to a significant number of transactions per second. Based on our architecture and solution that we have, we are comfortable with the level of volume that it can handle.

We have not used any technical support.

We were not using a different solution before. We were looking in the markets for solutions which would help us give this level of scalability, based on the nature of business that we have.

We never had a product like this because API management was always a discussion and we never knew how to implement it. When we saw this product and figured out that they had the features we wanted, then we took our time to perform due diligence and figured out this was the right product for us.

We were involved in the initial setup and found it to be a little difficult. The reason being, we implemented this product on Microsoft Azure and the product features on Microsoft Azure were not updated at that time. So, there were some initial hiccups. However, CA professional services and my team were involved extensively to get it rectified. CA services did play their part in making sure that whatever the shortcomings, if any, were addressed. It was a good involvement from their end.

We did shortlist other usual vendors namely Apigee, Axway, Mashery that are the other competing products in the market. The number one criteria for selecting this product was CA’s pricing policy as well as its presence in that part of the world from where we come from; it is significantly big compared to all the other companies. In Asia where we come from, not all the companies are present to that extent and you need a level of comfort when you're investing in such a magnitude. You would want the organization to be very strongly present there.

Just do your own homework and make sure your own metrics are ready, specific to your organization. Every organization is different and make sure that you maximize the value of the investment that you are putting in.

The roadmap of the product is the most important criteria while selecting a vendor. In addition, another important factor is the ability to invest in continuous releases/new releases that are coming up in the product. In short, how much the vendor is willing to invest in the product to keep it updated.

We had a little bit of mishaps for the installation. Overall, regarding the product features all what we wanted was in there. It's just that we had our share of a little difficulty in implementation, otherwise it is a good product.