It’s a way for us to secure our externally-sourced API calls that come into the organization. The two things are 1) protocol translation where we can let a REST call come in and get converted to some legacy protocol, and 2) security token translation support because we need to convert a standard industry token to something an internal system will understand.
It provides a simple endpoint for applications to call and for customers to call, so it reduces a lot of the complications of API services. Most of these APIs the user never sees, like a mobile app that does something below the water line, or another partner is calling our application – such as an order purchasing system at another customer, whose app calls our app. It eliminates the need to deal with users in a lot of cases, so if users don’t have to deal with the system it’s convenient for them. It helps us automate as well.
One item that we’ve had discussions – and they’ve fixed some of it – you had to buy extra products, specifically the CA Mobile API Gateway, to get certain types of token support even though you didn’t need that product for anything else.
So, foundational token support should be part of the base product and you shouldn’t have to buy the mobile feature to get those features. For example, in order to get OAUTH we had to buy the MAG product, but I think they’ve fixed that now. But we’re not sure they’ve fixed everything.
I think it’s a solid product. We’ve had some issues with the proprietary hardware that we’re running it on, but we’re getting rid of that and going to VMs, so the issue will probably go away. At one point in order to do certain types of upgrades to not only do it through a web interface, but we had to get deep into the system – multiple things we had to do in order to upgrade so it wasn’t as seamless as we had hoped.
It's not been an issue.
I think they’ve got really sharp people. When there’s a serious problem, they’re quick to triage and get an authoritative person to respond quickly.
Pretty straightforward; the biggest issue was the initial hardware that we purchased. CA sold the product on a certain kind of UNIX box, but those boxes weren’t appropriate for the solution – it was well before CA took over.
We knew we needed some kind of API security gateway to basically sit on the edge of our network and police what could get in, and do other things like translate API calls. We wanted a simple API call to be translatable to multiple backend system. Before we were just using traditional web proxy servers, not really API focused.
We knew we needed some kind of API security gateway to basically sit on the edge of our network and police what could get in, and do other things like translate API calls. We wanted a simple API call to be translatable to multiple backend system. Before we were just using traditional web proxy servers, not really API focused.
We used IBM DataPower at the time. Both HP and Oracle were OEMing the Layer7 product at the time, and the fact that HP was OEMing it was certainly a factor. We were looking for someone that’s innovative; someone we can trust to be a long-term partner.
It fits in well with our other security middleware. We’re also a SiteMinder customer so there are some synergies there. When CA bought Layer 7, that was a good thing for us, and we sort of fell into those kinds of synergies.
They should make sure they find a product that supports industry security standards, and has good management capabilities, good manageability.
