Layer7 API Management Reviews

We have more than 50 applications in the backend. We monitor the infrastructure through a database monitoring tool. Our daily tasks involve working on P1 incidents, managing change requests, conducting patching updates, working on P2 tickets, backend server certificate renewals, etc. 

Layer7 API Management should improve the quota policy for the number of API calls. 

I have been working with the solution for six years. 

Layer7 API Management is stable. 

The solution provides good support, but sometimes, time is taken to solve issues. 

Positive

Layer7 API Management is easy to maintain. 

The product is moderately priced. 

We have large enterprise customers for Layer7 API Management, and I rate it a nine out of ten. 

Our primary use case is basic encryption/decryption using symmetric assertions and then, gradually, SOAP signatures, SOAP encryption, non-SOAP XML encryption, and signing that. In the last six months or so, I have been working on JWT (JSON Web Tokens).

Using this solution, the deployment and development processes become easier when compared to before, when complete Java development was necessary. Now, the encryption part is very easy and our clients don't have to continuously depend on logic. On this platform, it's very easy for them to understand and to do testing. It saves them time.

I haven't found that there are any most-valuable features. I'm not using any feature most often in any of my use cases. The use cases depend upon the customers' requirements.

In terms of protecting APIs against threats and vulnerabilities, there are a few assertions which are built-in for threat protection. I have used them for vulnerabilities, like for DDoS attacks, XML schema validation, IP restriction, and for cross-domain.

There are old algorithms that the tool does not support - and it shouldn't, in my opinion. But sometimes customers need old algorithms, from old use cases and old applications, migrated to the platform. At those times, there are hiccups that happen. It's a bit of a challenge to make the customer understand that we should not be going with these old applications.

We have not faced many issues with its stability.

Scalability is a bit tough if it is a production environment. If you are planning to scale it and increase the number of servers within one to two years, that can be challenging. Up until now, if I have installed four servers, I haven't been given requirements to add more than that.

We have contacted support. There were two cases where there wasn't support for old algorithms, the assertions weren't supporting them, and we reached out to the support team. They were very helpful. It depends on the problem you are asking them about. If it's easy, they give you solutions quickly. If there is a requirement for the engineering team to be involved, then it takes time. But they're very helpful.

The setup is straightforward. If I'm doing it on a local machine, it takes 20 to 30 minutes for a single client. I don't have any implementation strategies. It's a straightforward process where you just need to select the options, click enter, enter, enter, and provide whatever input is required.

Before starting the implementation with a customer, we give them the prerequisites that are required. If those prerequisites are met, it doesn't take much time to do the deployment. They have to provide the IP, the hostnames, and the port openings.

In our last deployment, it took me two days to install all the port services. There was one replication and there were two persisting nodes. I did the complete installation and was initially involved in the API development. After that, my colleagues were involved in the development of APIs.

It requires a minimum of two people for maintenance, once it's up and running.

The tool is very powerful so if you are looking to go with an API platform I would recommend CA.

The number of users among our clients is growing, although I don't have an actual number I can give you. Initially, it takes time to get people to understand the platform, but once they understand it, everyone wants to use the platform and have their application exposed to this platform only.

Overall, I would rate the solution at nine out of ten. 

We use this as a Cyber security appliance and also as a centralised API management platform for partners.

We've got all sorts of threat protection in the API Gateway, from DDoS through to SQL injection and things like that. These are standard features that we use within policies that we drive out the Gateway.

We've got a security policy fragment that we know is consistent across all the APIs we expose via the gateway. Also, as it's a fragment, we can add to it at any point, as new vulnerabilities are discovered, which will then secure all the services/apis that use it. This gives us greater agility and confidence that our APIs are secure.

Security is the fundamental use of the gateway so the security assertions are heavily used and are consistent. We also use it to broker asynchronous messaging across DCs transforming between messaging technologies to provide real time updates for customers in a really secure way.

Also, the actual management of APIs is fundamental to us, as we're a heavy API user/provider. So, obviously, a centralised management platform is important.

We have cases open around the SQL injection capabilities that need improvement. Cross-origin resource sharing policies need to be made a common assertion in the Gateway, that's not there at the moment out of the box (although it is available as a policy fragment). 

The developer portal needs to fully supported SOAP services (including WSDL publication with security), it would certainly push adoption for us.

Verbose logging in production has caused us a couple of issues, never enable this in production! In addition pay attention to name servers for DNS.

Scalabillity, like most things, is in the hands of your own business to implement. The gateway is flexible and can be scaled to the level you see fit. Be aware though, verbos logging will bring your platform down in seconds, so only use in non-production environments.

We have a few cases open. I'd say I'd give an average rating of around 7/10 for technical support. Some people have been very helpful and others not quite so.

We use Microsoft IIS in other areas to expose services against a load-balanced cluster. So we have these bulk security components within it. They've never been compromised but we thought we'd would add an off-the-shelf security appliance to add an additional layer that also comes with API management capabilities.

The setup was complex, definitely complex. As above, don't underestimate the effort required to build a HA/FT instance of this for both the Gateway and the Developer Portal. Be aware of additional licenses for your warm standby. Ensure you get plenty of non-production licenses.

Both. The vendor team seemed technical enough. Note: Ensure that your in-house teams and the vendor supplied staff are fully aligned to make deployment efficient. Deploying the gateway platform is a full project and would need managing as such.

There has a been a lot of confusion with pricing and licenses, especially around the number of cores. In addition, don't underestimate the effort required to build a HA/FT/DR instance of this for both the Gateway and the Developer Portal. Be aware of additional licenses for your warm standby. Ensure you get plenty of non-production licenses.

I don't remember all the evaluated options. We reviewed, it must have been six or seven, maybe more, API management vendors.

I would say that, although the Gateway is geared up for managing SOAP services, the developer portal isn't. It's a gap for us, which means the developer portal isn't quite as good as we thought it was going to be for managing SOAP services ( which we have quite a lot of). They're not discoverable in the portal, as are RESTful services.

Our primary use case is for API management. We use it as a security gateway in our DMZ and ESB and our trusted zone.

It works great. We haven't had any problems, it just runs.

Day to day functionality. It just works and it's easy to use, that's the best part of it.

Most valuable features are 

• the ease of use
• a very nice UI
• you can navigate through the screens
• a very good search feature.

I would like to see it work better with one of our back-end databases, DB2 UDB. Other than that, I really don't have any complaints so far. It's doing everything we need it do.

Stability is great. We run a high resilient load balance configuration. We haven't had any problems with it.

It scales.

We have not used technical support yet. We have not run into any problems yet.

We had API gateways before, we just divested from IBM and went with CA.

We bought 16 gateways earlier this year and we're setting them up right now. It's good. Straightforward.

When choosing a company to work with and buy from, they need to be industry-rated, they need to be one of the upper-right companies for strength, vision, and performance.

If I were advising a colleague at another company who's searching for a similar product I would tell them to talk to CA.

The Gateway is most important because it is our strategic front door into the company for all APIs.

The API Gateway for us is now, or is about to be, our central one way in. We have many, many partners who resell our communications services. They provision those services through our systems.

Previously, we would just host it on a number of different application servers, uncontrolled if you like, not as secure as they should have been.

You probably don't know, 18 months ago we had a large security breach, which turned into a large issue with the national press. We now use the Gateway for that single point of entry for all of our API traffic.

As well as the SOA Gateway - that is, the API Gateway; we call it the SOA Gateway - we also are now deploying the developer portal component of the SOA Gateway. That has limitations.

There are two main ways to offer web services to the outside world at the moment. One is RESTful services and one is SOAP-based services. We are predominantly a SOAP service company and the support for SOAP-based services are very limited, almost poor, in the developer portal. All CA's investment is around RESTful services, which is a problem for us.

I would also simplify threat protection, I would improve SOAP support, and I would reduce Professional Services rates. Apart from that, everything's pretty good.

We've been using the solution for two and a half years.

It is very good in terms of stability and functionality, it just lacks a little bit in terms of SOAP services.

We're only receiving 200,000 calls a day at the moment, and we're increasing that to about 1,000,000 calls a day, which is a lot of traffic compared to some customers but I'm sure it's not much compared to others. The performance is fine.

We raised a couple of tickets which just went through the standard process and we got a really poor response. But then I contacted the account manager and we got an excellent response and service.

In terms of the ultimate outcome and the service we receive now, I'd rate it really high, you know, 8 or 9 out of 10. But there's been one incident in particular which I would rate down at 2 or 3 out of 10. The way I feel now, I would rate it at an eight or a nine, mostly a nine. There was one incident which did not go through the account management team, which was not optimal.

The one incident which I would rate very low was just a really unprofessional, incorrect response. As soon as the account manager saw it, he was very apologetic. He got it all sorted out, no problem. They know about it and our account guys know about it. I think the support team know about it. I don't really think it's worth bringing it up again.

We introduced the API Gateway. I wasn't here at the time, by the way, but we didn't use anything in terms of that. We bought it really for our protection and security capabilities. So the main thing is the API, the whole API management piece. We did go out to tender; we invited about six, or evaluated about six, different solutions and selected CA.

I wasn't here for the setup.

I would say CA are a good company to work for. I would say that the Professional Services people are fairly expensive but pretty good. I would say that the Gateway is a good tool but you need to be careful of the limitations for SOAP services. Also try and get over to CA World because that's good fun.

• Time to market
• Ease of use
• Strong support

We were able to market our mobile app products with their strong security features.

There is a need for the migration of policies, better reporting, and monitoring integration.

I have used this solution for two years.

There were no stability issues so far.

I did encounter scalability issues. I wish they could extend the MySQL replication to multiple nodes.

The technical support provided is the best.

Initially we were using MuleSoft Enterprise Service Bus (ESB) before we switched to CA API Management.

The setup was straightforward.

CA has great pricing for gateways, so negotiate with your sales team.

Make sure you involve networking, security, and other infrastructure teams for the implementation.

The product has a user-friendly interface. There are customization options, unlike the previous version, where we had to do manual coding. We use the configuration wizard to set it up. It saves us a lot of time.

There could be more integration options included in the product. It needs active connections added in the present version.

We have been using Layer7 API Management for three months. At present, we are using the latest version.

It is a stable product.

We have 12 Layer7 API Management users in our organization.

The initial setup process is easy. The deployment time depends on the custom applications. It takes time to integrate configuration to explain the process to small business vendors.

There are various licensing models for Layer7 API Management. We have to buy additional licenses to get new versions.

I rate Layer7 API Management an eight out of ten. It takes time to learn and understand the product.

The most valuable features of Layer7 API Management are integration, ease of use, building APIs easily, and portal straightforward.

The overall cost of Layer7 API Management is high, they can improve it by making it less expensive. It is a stable platform, but Layer7 API vision and future are not clear

We have been using and implementing Layer7 API Management for approximately 10 years.

Layer7 API Management is a highly stable solution.

The support from Layer7 API Management could improve. We do not have a strong Latin American support. The support over the last two years has been poor. The vendor of Layer7 API Management, Broadcom, used to have approximately 500 employees here in Latin America but now they only have approximately 20.

You as customer has to find someone with a lot of experience in API Management so the users can take advantage of all the value the solution has.

The price of Layer7 API Management is too high and should be reduced. However, it is a good solution in the market.

I rate Layer7 API Management an eight out of ten.