Layer7 API Management Reviews

Mainly for our API gateway. We use it for onboarding APIs and then getting those internally. We have them through the B-to-B channel, we have them through a member channel, and then internally as well, to service our APIs.

It has performed pretty well. We've had an issued with scaling, internally, when we slammed it one time with a very, very high rate of transactions; we're talking like 65 million an hour. Whenever we did that we weren't ready for it yet, so we had to back out, but it's been good.

It's pretty easy to use, and once we have templating set up we can add new APIs, at least through the gateway, and apply the security to them; it takes a minute. 

We actually have it automated in our Dev environment, where developers can come in and fill out a form with an internal tool. They specify their API, the endpoint they want, this is what they want, and boom, it creates it in Dev and then they can move it up to test and then put in a request to get it to product.

We've used it for so long that I really can't say that it's improved the way our company works, but it works very well for us.

I'm mostly involved in using the OTK for OAuth security. We use the OAuth for all of our reactive APIs, for B-to-B to come in, and we're starting to onboard those now. 

It's been pretty easy to use so we enjoy that, other than a couple of challenges we're having with it currently.

It would be nice if we could create APIs directly from Swagger files. We're doing that ourselves with a middle layer. But if you could integrate with open API Swagger specs, and then just create a Swagger and upload it to the gateway and it would create all my API template policy, and would apply the OAuth restrictions, the types of security restrictions I have on there, that would be pretty cool.

Stability has been fine for us in tests. We have a challenge around some log rolling and it bringing it down in tests, but in production it's been great.

The scalability has been good. We haven't had to scale up a whole lot, even with all the extra transactions we're running through it. We're in the area of about 2 and 1/2 million OAuth tokens issued per hour, and it's performing fine with that.

It seems to work pretty well. Sometimes it takes a little longer to get answers than we would like, especially to some low-level ticket where we just had some questions about why this thing is working that way or that way, not high priority stuff. It would be great if we could get those answered in a day or three, instead of two weeks.

I was not involved in the initial setup but I am involved in the OTK upgrades.

Well when we went from 9.1 to 9.2 it was pretty straightforward. The OTK, however, is a complex upgrade. They tend to change the schemas on the database behind it, between the versions, which can be a pain to have to migrate all of our existing clients from one database schema to the other. It also means working with the DBAs to set up side by side schemas so we can get them moved and switched over in a fully available.

I don't really select the vendors, but my most important criteria would be

• available support
• industry use of the tool
• that it can solve all the problems I need it to solve, as many out-of-the-box without customizing it as possible.

CA is great. It depends on your use case of course, how much you want to go with that, because it can get pricey and depends on the size of your company. I've got a bunch of friends with little start-ups, so it's nothing they would be able to onboard, but I would definitely tell them to check it out.

The most valuable features are definitely the security it provides and the ability to code to the roles, so that way, when the people come in, they actually have their roles identified and then, we're able to actually distribute the data through the message, to them. Role usage has really been important for us.

I think the device itself has helped us quite a bit. We're able to do things a lot faster, because of the device. Because we identify the policies, we're able to layer the policies that are already written. People don't have to rewrite code multiple times. We write a policy one time, and then we're just able to just drag it over and reuse it for other things.

I've used the device since it was the Layer 7 device, and it's come a long way. I think from a mobility standpoint, there's a lot of things that we do, and we have to create our own policies.

I think the product's getting better every iteration, and they're adding more and more functionality to it, that allows us more reuse.

I would just like to see where it's going to go through the roadmap, and I think it's got great, great potential.

We have been using it 8-10 months.

It's been very stable for us. We're using it as an appliance, so whenever we need to put new ones in, we just download it, implement it, and then just pull over the configuration files for it. It's been very, very stable for us, and the patching's been fantastic.

It's definitely a scalable solution, so you can create clusters in production. What we've done is, we got a cluster on our main data center, and then we've got one in our backup data center. Then we can add on to that as we need to, and use the load balancing functionality to scale it indefinitely, as much as we need for our load.

The support that we've received has been fantastic. We've been able to talk to people everywhere from pre-sales, actual technical people, whenever we need it. Literally, the support team has been 100% behind us. We get stuck on something for a very, very short period of time before they're there to help us.

They've been easy to contact, not only via the normal contact through the phone number, but even through emails, they're very, very responsive to us.

I'd used it before, so when we created our mobility team, with me as the manager, I knew that this is the device I was going to have to put in front of all my services in order to make them reusable.

It was once we'd actually standardized and built everything out, then we made room for the device, so it was just no more than procuring the device, and putting it in place at that point.

When I’m selecting a vendor, I want to look for somebody who cares about me as a customer. I want to find somebody who actually wants our solution to work. I think the team has been fantastic at that. I look at what other customers think about the support and, have they gotten anything good from their support teams? I look at that.

I think the last thing that I would look at would be price, to be honest, because I care more about the solution. Is it going to work for us? It's a partnership. When I meet a vendor, and we're actually going to put in one of their tools, or we're going to use a tool, or an appliance or whatever, to help us, then that to me is a partnership, and we're in this solution together. That's what I really, really got from CA.

The setup was very easy. We just downloaded the actual VM appliance; implemented that. There are six or seven steps that you do to configure it for the environment. Once we set up our load balancer and stuff, it was up and running and ready for us to use. It's very, very simple.

The patch process is the same way. All you do is you download the newest version, put it out there, and then just do those six or seven steps, and we're up and running. We can replace it very quickly.

I did some due diligence. I think you always have to do some due diligence, and I looked at some other products. I don't think any of them met my needs, not as good as this product did.

I think it can get better, and it has over the different versions. 9.1 came out, and it offered some more functionality. They've added more products around the solution to make it better, so I think there's always room for improvement. I think it's been very, very stable for us. It's worked every time we've needed it, and it's allowed us to do a lot better for as a company.

The most valuable features of the solution is the gateway and the power of the gateway. The CA solution, as far as how it rates with other products in the marketplace, gives you one of the most robust sets of gateway functionality and security capabilities out of the box in a configurable fashion. Instead of having to actually write code to achieve those things, the CA Layer 7 product gives you the ability to actually configure a very broad range of capabilities and policies directly out of the box.

If it's implemented correctly and you take advantage of some of the capabilities, like the ability to use APIM on the side and integrate that in with policies, it removes a lot of the weight of building all of those rules into the underlying services. It allows you to escalate that up and put that into policy management that can be managed in real time, which creates a faster move to market with capabilities.

Based on a lot of the other tools in the marketplace, the user interface itself is more linear and programmatic based. For a developer it seems to be a very natural interface, but for someone that you'd like to get in there, just doing more configuration, I think there's an opportunity there.

It's enterprise class software. It gives you the ability to scale and load balance, and based on how the technology is being managed today using a database as an underlying component that allows you to synchronize multiple gateways to the database. And then the ability to cluster the data technology. It can scale as much as you need to scale.

The initial setup and the configuration is relatively straightforward. I think the more challenging aspect of it is, like any solution that's an enterprise scale solution, is just getting the base infrastructure agreed upon, configured and implemented. Once that's accomplished it's very easy to configure and set up.

Looking at broad capabilities, looking at stability of the company, today you need to look at vendors that are staying up with the demands of the market and where the market is heading, and making sure that the improvements being made to the software are in line with that. I think it's important to look at vendors that are releasing more than twice a year so that you can see rapid deployment of technology.

It depends on the customer and the industry. Typically, the customers are choosing CA because of the broad capabilities of the gateway, the performance of the gateway; the gateway is one of the top performing gateways in the market, and security. It's absolutely the best security product in the market from a gateway perspective.

I give it a 9, because everybody's got room for improvement. I would definitely recommend the product. As you start looking at releasing APIs, some of the biggest concerns that we have are performance, because consumption is based on how usable the API is. When you start looking at the architecture that CA has put together in giving you the ability to cache information from the front side request, cache information from the back side request, and then create your own caching capabilities to improve that performance, that is a huge benefit and a huge consideration in making a product determination.

We have many use cases. We are doing an enterprise install for all CA API management tool searches which are covered under the ELA, Enterprise License Agreement. We have close to a 100 plus use cases that we want to deploy, the next is over a six months to one year timeline.

There are many things, which are really good, like the Gateway. That's really great and pretty useful. The Mobile API Gateway is also great.

We have not tested it to the extent that we should. Maybe six months down the line we will have a better picture.

At a high level, I would say the portal is a pain. CA double up portal is a pain. It is something that we are struggling with right now. That is just one of the products which is probably not sufficiently satisfactory. We are struggling to get it installed to be used now.

It is not a fully-baked product as a whole. So, individual solutions may be good, but they are evolving in their silos. There needs to be wholistic thinking about how each one of these products functions. Each one of these CA products under API management needs to work in synergy, and evolve in a more cohesive, coherent way so we as enterprise we can take it seamlessly without much pain. 

We have not used technical support yet.

We have ELA with other product vendors, like IBM and Oracle. However, we thought CA might be a good option based on their support within the account. The CA folks who are working, partnering with us within the account and our organization, they have been very reachable and very cooperative.

So even though we have licenses with IBM and Oracle for the same kind of products, API management, we are going ahead with CA just because of the trust that they were able to build. 

It was probably not that straightforward, because the vendor team (CA Services) struggled a bit. 

We implemented using CA Services to come and install the software.

I felt there was a lack of expertise on CA's part, because there are many things within the API management. Maybe the consultant from CA services who came to our organization did not have the experience on all the tools that CA was releasing, which was why the initial setup may not have been straightforward for him. He was good with Gateway, but with the other pieces, he was struggling a bit. It took sometime for him.

We already have ELA with multiple product vendors. It is a matter of using which one we want and moving forward. 

CA is worth trying. It is definitely a key contender in the API management space.

Most important criteria when selecting a vendor: size and brand value.

• Time to market
• Ease of use
• Strong support

We were able to market our mobile app products with their strong security features.

There is a need for the migration of policies, better reporting, and monitoring integration.

I have used this solution for two years.

There were no stability issues so far.

I did encounter scalability issues. I wish they could extend the MySQL replication to multiple nodes.

The technical support provided is the best.

Initially we were using MuleSoft Enterprise Service Bus (ESB) before we switched to CA API Management.

The setup was straightforward.

CA has great pricing for gateways, so negotiate with your sales team.

Make sure you involve networking, security, and other infrastructure teams for the implementation.

It’s central to our mobile-first strategy. The API layer is becoming the interface to all of our legacy back-end and all of our new app development is being built on top of our API layer.

Key features – integration with SiteMinder and its ability provide security in general, content-based routing, and ability to turn our existing SOAP service back-ends into new REST-JSON APIs.

As the APIs are built and published and made available to developers, we can build applications on top of those APIs in days and weeks as opposed to months.

In a traditional web application you’re building your UI, your integration layer, your back end, all at the same time, and there are dependencies – you can’t built the UI until you have database access, etc.

With the API model, all that access to the backend is already available so all you have to concentrate on is building a good user experience.

They have really stabilized the API gateway in the last couple of releases. There’s a developer portal that is used to document your APIs that is woefully behind the times, in terms of being able to provide a really good robust experience for the developers consuming your APIs. You can’t document all of the details you need in the current developer portal and really need a separate web site just to document your API.

You need to understand what you want from an enterprise API, what your vision, what your plans are for rolling out an enterprise API, before you just go out and buy a product.

It’s been rock-solid. When we’ve had problems with a gateway – we have a whole group of them – we typically get very good support from CA and production downtime has not happened.

Because it’s a clustered environment, we can scale horizontally as many as we need to go. So far two production gateways that are in a cluster and they’re processing transactions for one of our APIs at 30 calls a second and there’s barely a blip on CPU.

In general, I’d give them about a 7/10 or 8/10. They’re good – sometimes it can take a little while to get to the right person. They tend to come back to us with obvious suggestions, which we try before we call tech support. When we get to the right person we get an answer immediately.

It was an architecture decision to move towards a mobile-first API strategy. We realized that in order to meet the requirements of an API of a really good, strong enterprise API we needed to centralize that. That started us looking at APIM technologies. We scored a number of different vendors and brought in some to do POCs.

Nothing in IS is ever simple. However, the install went very smoothly. The OVA files that you install into your VMware infrastructure -- configuration and getting them set up in the clusters went smoothly (respecting internal processes). The setup and config wasn’t that difficult. There was much more of a learning curve on our end to leverage and learn how to use the API gateway. It’s sort of like a Swiss army knife in that you have to learn how to use which tools and when.

I look for stability in the vendor. I look for their ability to understand our needs. We get a lot of vendors who are not used to working with a Fortune 500 company and the size and complexity of our operation is big and complex. We need vendors that are flexible and who understand that their solution might solve a problem, but that might not solve it the way we need it solve. The flexible vendor that is able to provide multiple solutions typically ends up winning.

The most valuable feature is security, which is the most important to our company. Then comes performance, scalability, and I see tremendous performance value without compromising the security. It gives us peace of mind, for example there are so many penetration attacks happening, DDoS kind of attacks happen in our API infrastructure if you don't have the security. With the out of the box security features from CA API Management, I can focus on the business logic to deliver the real value to the consumers, without worrying about the security. It's very stable, we've been in production for the last year and we didn't have a single production incident because of the API Management solution. I'm really happy with that actually. It's very stable and very reliable.

I see a lot in the developer portal. It's not that flexible the way we want it to be, so it's kind of out of the box and we can only do the standard features that they have. If you want to customize, it's a little bit hard for us, so I really want to see some flexibility in the developer portal. For the monitoring module, I also want to see some stability in the ESM module.

Scalability is really good and they could do an average transaction size of probably 50-100KB with around 20,000 transactions per second, which is really impressive. Initially we thought we needed many licenses, but we ended up using only one part of the licenses.

Technical support is really good. Their level 1 and level 2 support is really good. Sometimes when we try to add new features, when the team really gets stuck and we open the ticket, we usually get a response within a few hours.

We were using the ESB solution, we were using SOAP services and then we wanted to move to REST based services so that we could open up our internal assets to our customers directly.

Initial setup is good. It's straightforward. It's not that tough and it's an appliance, so that kind of took away wireless installation and base installation time, so our IT infrastructure team really loved it.

We looked at Apigee, Axway, Intel Mashery and a few more vendors.

The main thing is whether the product is really good. Look at the Forester and Gartner reports and how the support is, because a lot of good products are out there but we have seen in the past that we don't get good support. These are the major criteria I look at.

Rating: for CA API Management I would give it a 9 out of 10, but for the developer portal I would give it a 6 out of 7. ESM I would give a 5 out of 6.

It's definitely a great product, I would ask to have an open mind and check out the features. I haven't seen any problems, and I have seen so many problems in my previous product, with ESB, so it's definitely a top notch product.

I have used this tool for my customers, as I am a service provider, not an end user. I have dealt with implementations and configurations for CA API Management.

We implemented the API versioning for software services and REST services.

Mostly, it can identify client IT and user accounts to give them a lot of business logic. It can also provide API versioning. It can provide different versions to different customers, but the original API are the same.

Controlling microservices for my customers.

It provides a good user interface and is easy to use.

It is not user-friendly because you have to know so many programming languages.

It is a stable product. I have had no issue with it.

The scalability is good.

When it comes to supporting a large number of APIs or transactions, the performance is not bad, because it is in staging. We have not moved it to production.

Our client's environment has four CA API Gateways.

The technical support responds very quickly by email. The last time that I communicated with the technical support, I asked them, "If MariaDB, instead of SQL, is compatible with CA API Gateway?"

However, now CA's entire product service is poor in Taiwan, as there is no local support.

The implementation of CA API Management was complex. It took us (my colleague and me) six months to implement with two people. My colleague was responsible for implementing the API Gateway. 

My colleague is a system engineer. Because I am a programmer, I am in charge of the design and customizability. It is a complicated solution. You have to know so much IT knowledge to do the implementation.

The solution helped us to quickly publish and monetize APIs. I have used versioning responses to publish or send APIs to different customers with different versions.

It has a reasonable pricing model by instance.

I would not recommend the product based on how it has performed to implement it. I did not like working with the product.

We have not used it to modernize legacy systems via microservices, APIs, or developing a new platform for mobile. We also did not use it for connecting data to apps via APIs.

I am not familiar with the security aspects of the solution.

We stopped offering the product as a service a month ago since the product no longer belongs to CA. In Taiwan, I believe no one will buy CA products anymore because it is no longer trustworthy as a company, since the products are no longer supported.