Layer7 API Management Reviews

It's a purveyor of tools for managing and securing APIs. It is flexible in how it creates custom policies and uses builds with impressive methods.

We implemented few Layer7 project to various organizations. Most of them just use it as a 'proxy' for policy checking. For example, limit the number of access attempts on specific page from the same IP for a specific duration.

Other clients use it for logic flow, to create a workflow integrated with the Australian government's MyGov framework, which is beyond just security checks.

Some of the common useful functions/assertions (e.g., JWT encoding/decoding) are only available in other CA products. The client needs to purchase and install those products in order to make it available for Layer 7. I don't think it is justified to maintain another product that is not really needed, in order to have just one function. If those common, useful functions could be part of the core Layer7 product, that would be great.

Provide complete documentation with examples of usage on its build in assertion/function.

Easier to find documents (e.g., cluster setup).

We have been using this solution for two years.

• When more than one developer is working on separate policies, it is hard to export, import, and merge the policies to other parties
• When migrating to different environments
• When integrating with SVN/Git: This is not well documented

There were no stability issues. It is a very stable and mature product. So far, there have not been many complaints from clients regarding the stability.

Scalability performance has always been an issue. It behaves slowly when communicating with Windows-based servers (e.g., F5 load balancer or DB server, as compared to when communicating with a UNIX server.)

Customer service provides good and fast responses. They help a lot when problems occur. They always respond in a timely fashion.

Technical support provides good and fast responses. They help a lot when problems occur. By the way, the forum is also helpful for self-service.

We didn't use other solutions before this one.

The setup was simple, as it comes with the OVA file. It reduced a lot of time and problems in the deployment. The main focus is on integration with client's exiting infrastructure, instead of setting up Layer 7.

We are the vendor. I have worked on this product for more than two years and implemented it in at least three organizations.

We are the vendor and we implemented it for clients. We do not use it for ourselves. We are not aware of the ROI.

The pricing and licensing issues are done by other staff members. I have no idea on how much it costs or what the pricing structures look like.

I believe the company already did a lot evaluations with other similar products.

The Mobile SSO and Developer functions are the most valuable features. The Mobile SSO functionality is not available with most similar products in the market, which makes this a unique product. The Developer function helped the developers to be self-sufficient meaning they did not need a lot of training and they could do things on their own.

API security was another important feature in terms of how you are able to control usage of digital assets and access your systems from the outside world. Thus, security was a good feature.

Lastly, the monetization part was also important. We have not started off yet but monetization was one more thing that we were very happy and keen about when we saw this product.

We have recently implemented it so it is too early for us to say how this product has improved the working of our organization. We wanted it as a feature and capability for the organization so we have invested in it. In the future, it shall proceed in the direction of how we would like to shape-up our organization.

We would want to see the monetization feature to be a standard function. At the moment, it is a third-party solution. This feature helps you to carry out API billings, so as the APIs are consumed from the outside world, you can charge your users for using them. Currently, it is not a standard feature and is more like an add-on where they have worked out ISV pricing with others. So, if it is made as a standard feature of the product it will be really good because it will take the promise of app economy to a true level; thus, it will be truly monetized.

Another improvement we would like to see is that the product should be more relevant with the public cloud infrastructure that is pervasive nowadays. So, the ability to host and run these solutions on Amazon, Azure or Google Cloud should be a standard feature for this product. From what we have been told it is going to be a part of the product’s roadmap.

This product is stable.

We did our own test to verify scalability and found it was quite scalable. We had no issues.

We had done a load test on the application on our own and it was able to scale to a significant number of transactions per second. Based on our architecture and solution that we have, we are comfortable with the level of volume that it can handle.

We have not used any technical support.

We were not using a different solution before. We were looking in the markets for solutions which would help us give this level of scalability, based on the nature of business that we have.

We never had a product like this because API management was always a discussion and we never knew how to implement it. When we saw this product and figured out that they had the features we wanted, then we took our time to perform due diligence and figured out this was the right product for us.

We were involved in the initial setup and found it to be a little difficult. The reason being, we implemented this product on Microsoft Azure and the product features on Microsoft Azure were not updated at that time. So, there were some initial hiccups. However, CA professional services and my team were involved extensively to get it rectified. CA services did play their part in making sure that whatever the shortcomings, if any, were addressed. It was a good involvement from their end.

We did shortlist other usual vendors namely Apigee, Axway, Mashery that are the other competing products in the market. The number one criteria for selecting this product was CA’s pricing policy as well as its presence in that part of the world from where we come from; it is significantly big compared to all the other companies. In Asia where we come from, not all the companies are present to that extent and you need a level of comfort when you're investing in such a magnitude. You would want the organization to be very strongly present there.

Just do your own homework and make sure your own metrics are ready, specific to your organization. Every organization is different and make sure that you maximize the value of the investment that you are putting in.

The roadmap of the product is the most important criteria while selecting a vendor. In addition, another important factor is the ability to invest in continuous releases/new releases that are coming up in the product. In short, how much the vendor is willing to invest in the product to keep it updated.

We had a little bit of mishaps for the installation. Overall, regarding the product features all what we wanted was in there. It's just that we had our share of a little difficulty in implementation, otherwise it is a good product.

We use it for public API security.

The governance of the new business models generated by the APIs has been simplified and is improving the daily control over them.

• Current security models which are the focus of the industry. 
• The product documentation helps the client and/or user to evolve quickly while using the tool.
• Support has efficiently combined with the forum.

The portal is an important point in the lifecycle of the APIs. Right now, the portal lacks many features. We hope that the new version will have them and that there will be a quality jump, which is needed.

None.

There is no real problem. However, as the number of instances increases, its complexity of installation increases if you do not use the OVA.

Support through the forum is very good and efficient for partners.

I work in a consultancy, so we do projects with other products. However, our partner product is with CA Technologies.

They have different installation models. Therefore, there are always small drawbacks. Fortunately, if you use the OVA, your installation is direct.

We are a partner with our own prices.

We evaluated the following solutions: IBM, WSO2, and Oracle.

Begin by using the installation offered on an OVA, then in production environments make use of your own installation, e.g., in CentOS.

CA has incredible reach in the market across industries. To have the opportunity to partner with CA has been great for us, a great exposure. They have got a very compelling platform that enables organizations to easily develop and roll out mobile applications. 

A lot of their customers have come and said, "We'd like to be able to enable these mobile applications with biometric authentication capabilities." It is really a nice blend. We are able to provide that capability to enable that platform to deliver that to their client base.

Our solution has been around for several years now. It is FIDO certified. It has got compliance certification from the government, so it is very stable. The underpinnings of Samsung Pay deployed in South Korea. There are five and a half million consumers using that platform. That is one of the largest biometric deployments probably out there today. Then, we are a global organization, so we have deployments throughout the world and across different industries. 

The solution is already supporting about five and a half million consumers in South Korea, so it is scalable. Today, there is a server element to that solution. From the client's side, it is SDK-based, but there is a server element. We can support about two million users on each server, then you can nest servers together. 

We have no concerns about scalability at this point.

We have not gone into production yet. We have not had direct experience with CA's tech support. I can tell you that our development and our technical folks have been working very closely with their development teams. They have teams in India that we work with and teams in Vancouver that we work with. It has been a really good experience for us. Because it is global, you have got to be around the clock to some degree. So far, there have not been any issues. We have a US-based tech support team that as this thing goes into production with clients, we will be leveraging that team as well as the CA team.

There is a server element and a client-side element. The server side installation is fairly straightforward. We don't provide hardware for the server installation, but we provide specifications, then we will help an organization work through it. In pretty much a day or two, you can get a server stood up and working. 

On the client side, it is integrating. You're taking this SDK, and you're integrating into native mobile apps. The complexity of that depends upon what you are trying to accomplish. Certainly, with simple use cases, we have had people spin this up in days. As you get more complex in the use cases, you might be looking at weeks. However, this is not a three to six month type of implementation timeframe. It is more of a three to six-week type of implementation timeframe.

I do not have a lot of competitive information on other mobile access or mobile API gateways. So, it is hard for me to say how it ranks against other competitors. I will say that it seems like it is deployed in dozens, if not, over a hundred different companies. That says for itself that it is a very strong product. 

I would put it up in the eight to nine category out of a 10, if I had pinpoint a number.

Most important criteria when selecting a vendor: CA is extremely appealing because of the reach that they have across industries, and they are pretty deep in many industries. They bring some brand recognition to the table, and obviously Samsung has a very strong brand as well. You combine those two brands, and that just creates a compelling offering which will get the attention of companies out there. 

Obviously, the support piece is important, the product stability, and how robust that product are very important to us. We look at that on a number of different dimensions.

The primary use case would be services for APIs that we are going to expose either internally, within the enterprise, or at the outside edge of the enterprise.

Most valuable might be the security assertions, the policy assertions that are able to be bound somehow to the APIs.

We are a company with a rather complex process when it comes to integration of applications. Our expectation - we are only about to get this product into  a productive state so we are not using it productively at the moment - so the expectation is that it will simplify the on-boarding of either internal or external developers when they are using our APIs.

The solution is divided into their Gateway and to their Developer Portal components. For the Gateway component, our expectation was that it is provided as a Docker image, but it turned out that it was not supported in production up to the version that we are currently using. But the next version is obviously provided as a complete containerized version for production, which is quite good.

On the other hand, the Portal provides some questions so to speak, at the moment, because as we decided on the product last year, at the end of 2016, and it turned out that CA completely rewrote the Portal solution and the current version of it is not at the level of the functionality of the previous 3.5 version. That's quite a problem for us because we expected some functions in the Portal which are currently not available. Unfortunately, the new version is also not being introduced here at CA World, so I'm somewhat doubtful as to whether it will be provided this year. So it will probably be available only next year.

We are not in the production state at the moment so I cannot say anything about its stability.

We have quite good support by the guys from sales support so far but, as I said, as we are not in production yet, we cannot evaluate the normal support services.

It's a completely new solution for us as we were not dealing with REST-based APIs up to that point, and internally we are used to using SOAP Vitsa-based web services instead, as the major application technology. Now it's more and more moving to the REST-based approach with some kind of mircrosource architecture concepts that are being introduced, so we need to look for another solution or some kind of add-on to a existing integration infrastructure.

I was not directly involved but I was on the side getting feedback from the guys who were doing the real set up. It was a mixture out of straightforward implementation or installation and rather complex stuff. We're dealing with a specific installation image that was due to the fact that we were using specific combination of hardware, software and operating system.

Without naming them, they are the top contenders in the well-known ratings, so the ones that you find there were used as a basis for evaluation and, from then on, we did some deep-dives into the functional capabilities of these products and then decided on a shortlist. Those vendors were then were evaluated by our procurement concerning the financial aspect of the old stuff.

When considering the most important criteria when selecting a vendor, of course there are all kinds of functional criteria according to the product that we are evaluating. On the other hand, it's important, of course, that the vendor is stable. And because we are a large company, it is for us important that the vendor also provide some kind of stability due to its size and its footprint internationally.

Brand name isn't a big consideration for us. On the other hand, you have different analysts' reports that are quite important for us, as we don't have time and budget, from an architecture point of view, to evaluate all existing solutions in detail. So we have to have a starting point, which of course is the analysts' ratings and then, with some products, we usually do some kind of PoC and workshops to find out if they match our requirements.

I would actually divide my rating into two parts. The CA Gateway solution I would rate at nine out of 10, based on its mature capabilities in all the areas that are relevant for us. On the Portal, I would give only four out of 10 because I actually I don't quite understand the CA market strategy in that area, and the fact that the current version doesn't provide the same capabilities that they used to have with 3.5. There are some major capabilities that we miss there and which have not been introduced in the current 4.x version schemes; we're waiting for that to happen.

I would advise you plan a thorough PoC with the top two or three contenders on the list to find out about not only the functional criteria on the paper, but also how the product works and looks and feels in real life.

We use it for security.

So far so good. We have our own challenges - some monitoring and some performance related things - but at the same time, I think it's pretty good.

The security that it provides, actually. Being in the financial services industry, obviously security is very important for us.

I'm part of an engineering team so this product coming with out-of-the-box security, that is valuable to our organization.

We are evaluating the next release, actually. We would like to see more stability.

It needs to be a bit more stable. I think they see that, as Support is working on that. We have our own challenges related to the stability. For example, the log space filling up the entire disk because of gateway went down. CA is aware of this issue.

But otherwise, as I said, we have had a pretty good experience with the product.

We do not use it on a massive scale at this point, so it's pretty good.

It's pretty good. It's been a fruitful experience so far.

We were transitioning from another product, DataPower. We switched because of the native support for APIs in API Management.

We didn't consider any other vendors.

What's important to us when selecting a vendor, support is the most important factor.

I would tell anyone who is researching this type of solution to go for API Management.

We had a test version, which was more of an on-prem version, and we also had some on the Docker for a live API creator. 

We are a security service company, and we provide a lot of solutions in that space. We were just trying to have a frictionless authentication product, so we were working on that. We were looking for a Gateway that can serve in an API, and we've already got an open-source solution.

We loved the portal part the most, which had monetization and showed how people were using the stuff. It is a good product as a whole and has a lot of microservices and granular features.

The delivery is bulky in terms of implementation. Its price could also be better. It is a very good product as compared to CA API, Google API, and WSO2 API, but its price is high.

From the cloud-native perspective, some new features need to be added. It could also be made simpler to implement.

We have been using this solution for four to five years.

Technical support was okay. We were getting good support. We had access to the portal, and the support was good enough.

It was a little complex initially. We struggled a bit initially to understand this solution, but later on, it was okay. I do not exactly remember the issues, but initially, our team was facing a lot of problems in terms of virtualization.

It was very high at that time. We are a Broadcom CA partner, and we got it only for testing purposes. We didn't pay anything for it.

I would recommend this solution to others. This is one of the good solutions for microservices and APIs and for people who need to go the digital way. There are a lot of other solutions that are coming into the market, and the infrastructure landscape is changing.

I would rate Layer7 API Management a six out of ten.

This product is used to expose some internal APIs to help us automate different activities.

It is helpful to have a central API that is hosted and managed.  It reduces costs and customers, suppliers, and vendors receive a uniform interface.

The license model and the cost of licensing can be improved. Especially given that we are in a stable operational mode.

We have been using Layer7 API Management for five or six years, and we have been actively using it this year.

It has been working quite well for a long time.

It's been working for us, from a scalability perspective. It's implemented within a central group, so there are just a couple of roles that run it. The APIs we host are stable.

We are in a stable maintenance mode, so we haven't had to engage customer service/technical support for some time.

We did not use another similar solution prior to this one.

It's a complex product, but I would say that the initial setup is straightforward.

Our in-house team handled the deployment.

We have a handful of IT admins and app admins who specialize in maintaining Layer 7 

It is a pricey product, although priced to the market. 

Overall, this is a good product. It's been stable and working for us, and our main difficultly is people calling out the price point on it.