Layer7 API Management Reviews

Our primary use case is for API management. We use it as a security gateway in our DMZ and ESB and our trusted zone.

It works great. We haven't had any problems, it just runs.

Day to day functionality. It just works and it's easy to use, that's the best part of it.

Most valuable features are 

• the ease of use
• a very nice UI
• you can navigate through the screens
• a very good search feature.

I would like to see it work better with one of our back-end databases, DB2 UDB. Other than that, I really don't have any complaints so far. It's doing everything we need it do.

Stability is great. We run a high resilient load balance configuration. We haven't had any problems with it.

It scales.

We have not used technical support yet. We have not run into any problems yet.

We had API gateways before, we just divested from IBM and went with CA.

We bought 16 gateways earlier this year and we're setting them up right now. It's good. Straightforward.

When choosing a company to work with and buy from, they need to be industry-rated, they need to be one of the upper-right companies for strength, vision, and performance.

If I were advising a colleague at another company who's searching for a similar product I would tell them to talk to CA.

To protect the web services, security, authentication; protect against any kind of attacks from external sites.

We have been using API Gateway for four years and we have huge class actions, like 600 parts per second, and we have not seen any issues as of now. It's stable.

Security.

We get a lot of class actions, payloads, which have real security requirements, like personal identification information. So we need to protect all of this information, make sure it is secure. 

Also, we can handle the huge class actions we get from different clients.

It really benefits us a lot because, since we are maintaining financial information, personal identification information, we need to protect the customers' data as well as the clients' information. We can encrypt the payloads and decrypt the payloads and do SSL authentication. We can also store the files in the Amazon bucket with the encryption file.

We're integrating the cloud. I would like some more integration of cloud capabilities.

Regarding stability, we have not seen any issues as of now. It's a more stable product.

Scalability is very good.

We haven't had any issues. It's more stable. We didn't even have to touch anything.

It's a more stable product and we have very good support from technical point of view, but not from a professional point of view. We have some issues with Profession Services. But technical are always good, they support us as quickly as they. They give us solutions for customers, which is really helpful.

We were using an IBM product. We switched because we had some constraints, technical issues, support issues, and some other issues like use cases.

I developed the PoC and then moved it to production.

The setup is not complex, and we got very good support from CA technical support and Professional Services. I felt the technical support was really good compared to the Professional Services.

We did evaluate other vendors but we finally chose API Gateway.

In general when we are picking vendors, the most important criterion is support. When they can really help us we feel more confident.

I give it a 10 out of 10 compared to other products. I would definitely recommend CA API Gateway.

We use the API Gateway as a front door to access our APIs that we host internally, to enable us to get involved in the digitalization.

It has performed very well, actually. It's given us new capabilities that we never had before and gives us more confidence in increasing the number of APIs that we actually have.

I think the flexibility. It's very configurable. Each policy is very customizable, where we can accommodate different capabilities that our trading partners actually have. Even though from a textbook standpoint, there's always a certain ideal pattern that you want to apply, that's rarely the case with our trading partners. That flexibility is very important.

And the main point of the Gateway is the security aspect of it. It's very good from that standpoint. It has met all of our expectations. We're very happy with that.

It gave us new capabilities that we really didn't have before. We didn't have a good way of exposing APIs to the internet in a reliable, secure way. It gave us that ability. 

It also gives us a focal point where it's allowing us to consolidate our portfolio. Where before - Cargill is a very large company - from one business unit to the next, they didn't necessarily know what we actually have. This product enables us to consolidate that, so there's one place to look.

The tool itself, I think, could be better. Along with the flexibility it does have, I wish it had a little more modern user interface. For troubleshooting, debugging, that kind of thing, it could definitely be better. I would like to see improvements in the user interface, for sure for Policy Manager. That's the developer's tool. 

Debugging seems a little bit archaic by modern standards. I would like to see that improved. 

I would like to see better documentation for the development language itself. I think they took a step backwards, actually, when they published all their documentation online. Accessibility is better because it's on the web. But the content seems to me to have taken a step backwards. Not enough details, more difficult to find specifics. And you would almost think that would be the opposite, but the feedback I've gotten from our developers, and my own experience, is that it's not the case.

But in terms of the structure of how the language works, it's pretty good. It gives you a lot of flexibility and allows you to accomplish a lot quickly.

So, in general, improvements in the UI, usability. Like I said, it seems dated in terms of how it works, by modern standards. I think they could go a long way to refurbishing the whole UI.

It's been very good. 

We have had some issues. Technically it's like a database replication issue, where our operations people tell me that the audit logs have been quite large, and that has caused some replication issues between the two nodes in our cluster. 

But outside of that, it's been very good.

We're relatively new to this so I don't think we're taxing the capacity of our gateway at all. In the business that we're in, I don't think that we're going to get to huge volumes anyways. Our goal is to leverage it more. So far, that hasn't been an issue at all.

The biggest thing for us would be that currently it is deployed in one region. We're a global company, so that technically is a little bit of a constraint for us. We haven't been able to deploy more gateways in other regions mainly due to cost of licensing.

Overall it's been very good. 

There are two perspectives. We've used our technical sales contacts. They have been very responsive and very good. We're lucky that we have a couple of them local in our city. They've actually come on-premise to help us. That's been very helpful, very good. Professional services has been really good too. I've spent a lot of time with them. Again, their expertise has been very valuable. 

From a ticket support point of view, where we submit a ticket, I would say that's been a little bit less helpful, in terms of responsiveness, and conveying the actual issue to the person. Once you get them on the phone, and have a one on one working session - which they have been willing to do - that's been very good. But through the ticketing system and the support website, it could be better.

It was a gap in our company. We knew we had APIs that we wanted to leverage and work with our trading partners, for them to access it. But working with our security team, we knew that we didn't have a good way of exposing them securely. That was a roadblock for our business. We couldn't make them accessible because of polices. API Gateway filled that gap and enabled us to use best practices to expose our APIs.

I have been involved more from the development standpoint. We're set up in two groups, an operational side which sets up the infrastructure, does actual server software; I haven't been involved too much from that standpoint. It's more in the development side, to get initial templates together and patterns that we're going to apply. And just coming up with some standards for our developers to use.

I would say it's complex. But I think part of it is just the nature of what this stuff is, when you're dealing with security and the variety of approaches that there can be. That makes it complex. For us, it was relatively new, so there were a lot of challenges there to just learn all the different aspects of it. 

We did consider other vendors. I wasn't part of the original selection, but it came down to two different vendors, CA being one of them - at the time it was Layer 7. Then we did a proof of concept, so I was involved in that. 

In the end, it was really no contest. I tell our other people about this: That it was a week long proof of concept and the other vendor, it couldn't complete one use case. In one week, they had three people that they brought on-premise to work on our use cases for the proof of concept, and they couldn't complete any of them. Layer 7, they completed all of the use cases in one afternoon. It was pretty convincing.

What's important to us when selecting a vendor, besides the product, the vendor needs to be of significant size to be able to continue to evolve the product. It needs to be able to provide enterprise-level support. We're a large company, so we expect the vendor to provide that backing of their product and SLAs. When we choose a product we don't want it to be a product that comes and goes. We want there to be a clear vision of where it's going, that's important to us. CA was able to demonstrate that to us.

It's very good in terms of what we wanted out of the product, initially. But now that we've explored and had the product for a while, we expect more. I think it definitely has room for improvement. Some of those things we're seeing here today, or in this week, at the CA World conference, give me some hope that that improvement is going to happen.

I would advise taking a look at what's available. Clearly, we've had good success with CA API Gateway, but this is a very quickly evolving space. I would encourage them to look at what's out there, what's available. They should prioritize what's important to them, what they're looking for out of the product. Then do a proof of concept to make sure that they feel comfortable, that the product is what they need. Also work with the technical support staff, to make sure that they're comfortable working with them too.

The primary use case would be services for APIs that we are going to expose either internally, within the enterprise, or at the outside edge of the enterprise.

Most valuable might be the security assertions, the policy assertions that are able to be bound somehow to the APIs.

We are a company with a rather complex process when it comes to integration of applications. Our expectation - we are only about to get this product into  a productive state so we are not using it productively at the moment - so the expectation is that it will simplify the on-boarding of either internal or external developers when they are using our APIs.

The solution is divided into their Gateway and to their Developer Portal components. For the Gateway component, our expectation was that it is provided as a Docker image, but it turned out that it was not supported in production up to the version that we are currently using. But the next version is obviously provided as a complete containerized version for production, which is quite good.

On the other hand, the Portal provides some questions so to speak, at the moment, because as we decided on the product last year, at the end of 2016, and it turned out that CA completely rewrote the Portal solution and the current version of it is not at the level of the functionality of the previous 3.5 version. That's quite a problem for us because we expected some functions in the Portal which are currently not available. Unfortunately, the new version is also not being introduced here at CA World, so I'm somewhat doubtful as to whether it will be provided this year. So it will probably be available only next year.

We are not in the production state at the moment so I cannot say anything about its stability.

We have quite good support by the guys from sales support so far but, as I said, as we are not in production yet, we cannot evaluate the normal support services.

It's a completely new solution for us as we were not dealing with REST-based APIs up to that point, and internally we are used to using SOAP Vitsa-based web services instead, as the major application technology. Now it's more and more moving to the REST-based approach with some kind of mircrosource architecture concepts that are being introduced, so we need to look for another solution or some kind of add-on to a existing integration infrastructure.

I was not directly involved but I was on the side getting feedback from the guys who were doing the real set up. It was a mixture out of straightforward implementation or installation and rather complex stuff. We're dealing with a specific installation image that was due to the fact that we were using specific combination of hardware, software and operating system.

Without naming them, they are the top contenders in the well-known ratings, so the ones that you find there were used as a basis for evaluation and, from then on, we did some deep-dives into the functional capabilities of these products and then decided on a shortlist. Those vendors were then were evaluated by our procurement concerning the financial aspect of the old stuff.

When considering the most important criteria when selecting a vendor, of course there are all kinds of functional criteria according to the product that we are evaluating. On the other hand, it's important, of course, that the vendor is stable. And because we are a large company, it is for us important that the vendor also provide some kind of stability due to its size and its footprint internationally.

Brand name isn't a big consideration for us. On the other hand, you have different analysts' reports that are quite important for us, as we don't have time and budget, from an architecture point of view, to evaluate all existing solutions in detail. So we have to have a starting point, which of course is the analysts' ratings and then, with some products, we usually do some kind of PoC and workshops to find out if they match our requirements.

I would actually divide my rating into two parts. The CA Gateway solution I would rate at nine out of 10, based on its mature capabilities in all the areas that are relevant for us. On the Portal, I would give only four out of 10 because I actually I don't quite understand the CA market strategy in that area, and the fact that the current version doesn't provide the same capabilities that they used to have with 3.5. There are some major capabilities that we miss there and which have not been introduced in the current 4.x version schemes; we're waiting for that to happen.

I would advise you plan a thorough PoC with the top two or three contenders on the list to find out about not only the functional criteria on the paper, but also how the product works and looks and feels in real life.

Primary user case is producing APIs as products, essentially, and creating the environment for developers to sign up to use APIs. 

It has performed well so far. We just got a test instance installed, and did a PoC earlier in the year. We are more or less just getting started with it. 

• For developers to be able to come, sign up, or find APIs. 
• Sign up for the API and start using it in their applications without a Gateway developer having to get involved. 

The benefit of it is being able to create a sense of the API marketplace. It has improved the way our company functions by streamlining the effort and getting people out of the process.

I would like to be able to see the publisher role be able to be organized within organizations, so somebody within that role can only manipulate their particular policies.

We had some problems getting it installed, but it has been running fine ever since.

It is all docker containers. So, it seems to be pretty good.

The technical support is good, knowledgeable, and responsive.

They are all friendly to work with and really seem to care about us being successful.

We were using the API Gateway before. 

The industry is moving is to be more API-oriented and more self-service oriented, which is why we invested in a new solution.

The initial setup was complex. It ran into a lot of problems. It was a new release. It was a 4.1 release. We spent the first day or so, probably almost two days, getting it to accept the proper IP from the DNS name. We ran into certificate problems. Mainly, just the installation script in our particular environment did not work very well. So, instead of what should have taken us a couple hours, or what we planned for a few hours, it ended up taking about three and a half days.

I did a PoC in the earlier part of the year. We built out some APIs on that, then we just installed the test instance a couple weeks ago. 

Purchase 4.0 now and wait until they flush out the 4.1 problems.

We evaluated CA and Google. We chose CA because we already had an embedded solution with them and a good relationship. Pricing was also a factor.

Most important criteria when selecting a vendor:

• Reliability
• Support
• Pricing.

CA is a large company. It is not like they are going to go upside down tomorrow. You want to make sure that the company is going to be around for awhile if you are investing in them. 

We have many use cases. We are doing an enterprise install for all CA API management tool searches which are covered under the ELA, Enterprise License Agreement. We have close to a 100 plus use cases that we want to deploy, the next is over a six months to one year timeline.

There are many things, which are really good, like the Gateway. That's really great and pretty useful. The Mobile API Gateway is also great.

We have not tested it to the extent that we should. Maybe six months down the line we will have a better picture.

At a high level, I would say the portal is a pain. CA double up portal is a pain. It is something that we are struggling with right now. That is just one of the products which is probably not sufficiently satisfactory. We are struggling to get it installed to be used now.

It is not a fully-baked product as a whole. So, individual solutions may be good, but they are evolving in their silos. There needs to be wholistic thinking about how each one of these products functions. Each one of these CA products under API management needs to work in synergy, and evolve in a more cohesive, coherent way so we as enterprise we can take it seamlessly without much pain. 

We have not used technical support yet.

We have ELA with other product vendors, like IBM and Oracle. However, we thought CA might be a good option based on their support within the account. The CA folks who are working, partnering with us within the account and our organization, they have been very reachable and very cooperative.

So even though we have licenses with IBM and Oracle for the same kind of products, API management, we are going ahead with CA just because of the trust that they were able to build. 

It was probably not that straightforward, because the vendor team (CA Services) struggled a bit. 

We implemented using CA Services to come and install the software.

I felt there was a lack of expertise on CA's part, because there are many things within the API management. Maybe the consultant from CA services who came to our organization did not have the experience on all the tools that CA was releasing, which was why the initial setup may not have been straightforward for him. He was good with Gateway, but with the other pieces, he was struggling a bit. It took sometime for him.

We already have ELA with multiple product vendors. It is a matter of using which one we want and moving forward. 

CA is worth trying. It is definitely a key contender in the API management space.

Most important criteria when selecting a vendor: size and brand value.

Web services authentication. 

So far so good, in terms of performance.

Quick response to the setup authentication for web services. That's important to us because we generally don't have a lot of time.

It's separating web services versus web applications, single sign-on. I would say that is the main benefit.

• More throughput
• More scalability
• Better built-in monitoring

So far stability is pretty good. We haven't experienced lag time or crashes.

Scalability is very good.

I think we have used tech support but the response has been so-so. They need more knowledgeable people.

We didn't have a previous solution.

When selecting a vendor the most important factors for us are 

• cost
• validity of the product
• stable product

It's a very good product to use to initially set up single sign-on for web services authentication.

Our primary use case is to enable our customers who are on the Internet. We want them to access our protective web series behind a corporate firewall. To do that, we like to use the OAuth ToolKit within the CA API. It can minimize the password exposure by generating a token using the ToolKit, then use the token to make the web services calls to our protected back-end services.

• The ToolKit with OAuth Manager
• The Policy Manager
• The Gateway Migration Utility (GMU) is a pretty good tool to use.

We are still evaluating it, so I cannot comment much on this. 

I would like to see more documentation. The current documentation is there, but we do not find it very useful. For example, we wanted to integrate with PingFederate TV provider and there was not enough information to customize the way we wanted. It took a lot of effort and we had to reach out to the Gateway folks to help us out on how to do that customization. Thus, it is not easy to integrate with other solutions.

It is pretty stable. We have not seen any issues, anywhere, where we need to restart.

We are still doing a PSA, so we will have to see how it scales once we ramp up volume and we roll out to the production with real life traffic.

We engaged an architect from CA. They were pretty good.

We use it for security.

So far so good. We have our own challenges - some monitoring and some performance related things - but at the same time, I think it's pretty good.

The security that it provides, actually. Being in the financial services industry, obviously security is very important for us.

I'm part of an engineering team so this product coming with out-of-the-box security, that is valuable to our organization.

We are evaluating the next release, actually. We would like to see more stability.

It needs to be a bit more stable. I think they see that, as Support is working on that. We have our own challenges related to the stability. For example, the log space filling up the entire disk because of gateway went down. CA is aware of this issue.

But otherwise, as I said, we have had a pretty good experience with the product.

We do not use it on a massive scale at this point, so it's pretty good.

It's pretty good. It's been a fruitful experience so far.

We were transitioning from another product, DataPower. We switched because of the native support for APIs in API Management.

We didn't consider any other vendors.

What's important to us when selecting a vendor, support is the most important factor.

I would tell anyone who is researching this type of solution to go for API Management.

Our primary use case is to host a handful of different API services for the consumers of our customer. We build and maintain several of those APIs right on the Gateway using their policies. We use it to kind of proxy request through to Java services and other things that we have created.

The extensibility of it. It can do a lot of things. You can create little, custom Java assertions that you can insert to do your business logic, which might not be covered by the commercial product out-of-the-box. 

I like the extensibility of it. It can do a lot of things. You can create little, custom Java assertions which you can insert into your business logic. This might not be covered by the commercial product out-of-the-box. 

More developer focused tools. They have a nice debugger inside of the program, but when you are developing code with their policies, it is tough to visualize that sometimes as a developer. So, tools that are a little more focused on rapidly creating those policies would be beneficial.  

We actually started with this product a few years back. It is definitely improved significantly since then. I think the amount of releases and bug fixes that they have pushed out have really helped.

The scalability has been great for us. We have consumers that range from 10 to 20 users upwards to 1000s of users. Thus, it scales really well. It does a lot of load balancing and other nice, little technical tricks that help smooth out requests which come in.

They have come in sometimes to do onsite training when we requested it. For the most part, when we have technical problems, they are very responsive. They get it down to the developers quickly, who understand the problems and they work with us to get those fixes in their next release if it is something that is a bug or help us work around it. 

When we first started on the Gateway, it was a different company, then CA bought it. The difference from that other company, which might have been a smaller company, from there to CA has just been the responsiveness and that extra level of training and other support that we are getting from CA. 

I have been involved in deploying this product in several of our different environments from the ground up as well as in the upgrade process. From the CA part of it, everything has gone smooth. The problems are always on our side with our environments. I think the Gateway itself is a very simple product to get up and running and their upgrade process is good as well. There are a few little tricky things here and there like with everything, but for the most part, they continue to work to adjust it. 

It is better than similar Gateway products that I have used in the past. Again, that flexibility really lends itself to us, and our program, a lot. However, there are certainly some areas for continued improvement and it seems like they are going in the right direction, so hopefully that continues.