Layer7 API Management Reviews

API Enhanced Portal 4.1 looks very promising. API Gateway policy manager for writing policies is excellent. It is the best in the industry for policy writing.

CA is the first in the market from the time they acquired Layer 7. They deliver the best API Management solutions.

From 2012, our clients evolved a lot from API Management perspective after using CA.

We are able to expose mission critical APIs to the external world, monetize them, and generate revenue from them in the most secure manner.

CA also drastically improved the capabilities from Gateway, Portal, and OAuth perspective in the last couple of years. This adds more value to our API Management wing.

CA API Portal 3.5 does not support Swagger documentation. If they were to support that, it would be great. However, their focus is on a newer, enhanced version of their API Portal 4.1 Release. However, it is not very mature and there is no direct migration available in the near future. It is not possible for clients to migrate to a newer version.

CA might lose clients mainly for this reason (Swagger Support on API Portal 3.5), unless they develop seamless migration utilities from API portal 3.5 to 4.1.

I have used CA API Management from 2011, when Layer 7 had not yet been acquired by CA.

From an API Portal 4.1 perspective, I did encounter multiple issues.

From an API Portal 4.1 perspective, I encountered scalability issues. They confirmed that they are working on it and in the very near future, it will be available.

CA has very good API Management support. They are very helpful.

We didn’t use a solution before this one. CA is the best in the market in terms of stability, scalability, and policy development. They are the best at achieving custom scenarios related to clients (customization) in all perspectives, besides the current API Portal 4.1, as it is not yet matured enough. There is nothing to worry about in the 4.1 portal.

The initial setup was straightforward. CA documentation is pretty clear for anything to do with CA products. They are masters in this industry.

If the CA pricing for API management would be a little lower, they would be able to cover a broader market.

I don’t remember the story from 2011, but very recently I did an analysis of MuleSoft, Google, AWS, Apigee, and WSO2. WSO2 came in first, and CA standards came in second.

Follow CA documentation thoroughly.

Live API Creator.

The simple REST based APIs can now be delivered in hours which took days previously.

The product shouldn’t require to be connected to a server for doing development.

Six months.

No.

No.

Good.

No.

Very easy.

Not sure on that front.

Mashery and IBM.

Go ahead. A very good product and a market leader in its segment.

It's a purveyor of tools for managing and securing APIs. It is flexible in how it creates custom policies and uses builds with impressive methods.

We implemented few Layer7 project to various organizations. Most of them just use it as a 'proxy' for policy checking. For example, limit the number of access attempts on specific page from the same IP for a specific duration.

Other clients use it for logic flow, to create a workflow integrated with the Australian government's MyGov framework, which is beyond just security checks.

Some of the common useful functions/assertions (e.g., JWT encoding/decoding) are only available in other CA products. The client needs to purchase and install those products in order to make it available for Layer 7. I don't think it is justified to maintain another product that is not really needed, in order to have just one function. If those common, useful functions could be part of the core Layer7 product, that would be great.

Provide complete documentation with examples of usage on its build in assertion/function.

Easier to find documents (e.g., cluster setup).

We have been using this solution for two years.

• When more than one developer is working on separate policies, it is hard to export, import, and merge the policies to other parties
• When migrating to different environments
• When integrating with SVN/Git: This is not well documented

There were no stability issues. It is a very stable and mature product. So far, there have not been many complaints from clients regarding the stability.

Scalability performance has always been an issue. It behaves slowly when communicating with Windows-based servers (e.g., F5 load balancer or DB server, as compared to when communicating with a UNIX server.)

Customer service provides good and fast responses. They help a lot when problems occur. They always respond in a timely fashion.

Technical support provides good and fast responses. They help a lot when problems occur. By the way, the forum is also helpful for self-service.

We didn't use other solutions before this one.

The setup was simple, as it comes with the OVA file. It reduced a lot of time and problems in the deployment. The main focus is on integration with client's exiting infrastructure, instead of setting up Layer 7.

We are the vendor. I have worked on this product for more than two years and implemented it in at least three organizations.

We are the vendor and we implemented it for clients. We do not use it for ourselves. We are not aware of the ROI.

The pricing and licensing issues are done by other staff members. I have no idea on how much it costs or what the pricing structures look like.

I believe the company already did a lot evaluations with other similar products.

In our context, we have a number of REST APIs that we had to expose, a number of partners, internal users, as well as external partners who wanted to basically integrate cleanly and quickly, but didn't want to do five independent integrations into each API, so the CA tool allows us to effectively wrap those APIs into a common interface, so you can make one call and then the gateway will go away and make the other calls for you. That is the primary goal was that and the tool does that for us.

What it allows us to do is it's more time to market than the value, actually, so a lot of our affiliate marketing teams, they go and engage with the vendor's affiliates, effectively, and they want a very quick, clean solution to get a lot of customers in, place a bet, see their bet history and then log out and tap on and move on to do something else. What this allows us to do is that, whereas previously, I would have had to a specific project team, they would take two or three months to do an integration, now you can do that in a matter of weeks. You can realize the value of a commercial relationship very quickly.

Once it goes live, it's very stable, clearly, it's as stable as your infrastructure or authority or testing is, but once it goes live, as long as you sort of adhere to all the policy management, and make sure you're progressing code, you're testing it correctly, once it goes live it's pretty stable. We've not had any failures with it in the year and a half that it's been live, and it's very stable. From a performance perspective, it's great. You can throttle, you can do rate limiting, so it's very flexible for us.

It's been very good as we need them, thankfully we haven't had much call to call them up, because it's been stable, but we call them up for platform upgrades, when we went from version 7 to 8 and 8 now through to 9. As we need assistance, we raise a ticket. They're very responsive, they're very thorough in what they come back to us with, so they've been a really good partner for us.

The trigger, effectively, was that we had a partner, we'd done a commercial deal. The partner wanted to integrate, we wanted to integrate with the partner, but the partner had a legacy sort of application that they weren't able to do this integrating to five APIs. They wanted one interface, and they didn't want to on-board any of the logic, they wanted that to be done somewhere else, hence the CA API Management tool that does that for us. They make one call, it goes away, does all the connections, all the session affinity, with all the underlying APIs, and that partner can just make the calls as they want. They deployed it on desktop, on tablet, mobile's coming as well now, and we use it for other partners as well.

We had a very short time for it to get it done, so I dealt with CA, we managed to do the deal for the software. They put us in touch with a partner called Smart, Smart421 in the UK. We had a very high-level discussion about what my requirement was, the platform that we have, what I needed to wrap, which calls, so we did a lot of preparation in advance, and then they came on-site, and within two weeks we had a working API. We'd wired together the underlying platforms to build this API that was then sent to the first vendor. Very clean, very slick. As with any IT project, as long as you are prepared, you've done your homework, you know exactly how to lead the implementation, what to take the vendor through, then it works very well.

Partly it's obviously the reputation of the vendor, it's the support structures, it's the partners that they deal with. If they put you in touch with a partner to install the software, what is the calibre of the partner that they're dealing, and that reflects on them as an organization. Their licensing structures, how flexible they are to deal with you, these sorts of things. We also looked at Mashery and Apigee.

We chose CA API Management as it was better licensing model, it was better cost model for us. I wanted that product. I'd previously worked in an organization with they'd bought what was in the Layer 7 product, and so I had an understanding of the product, I had an understanding that it had been used in my industry. I knew that it would work, because I'd seen it done before, so those things were quite key for us.

Break it into small chunks, so what we did was we had a very defined use case, and we could have gone to a much larger project, but the ideas was to focus on the component that we were after, what we had to go and deliver, break that down, get it working, and then that gives the business more confidence to then invest in it further, future phases, and we just broke it down to that. We were able to very quickly deliver something of value, and that then allows you to move on from there, as opposed to doing the full solution first up, and then we could have failed on the way through, the requirements could have changed, but it was better for us, and it's something I recommend that you just break it down.

I give it a nine. It's a great tool, it's a great product. It's good for us because it does specifically what I need it to do. The only area I'd say there could be some improvement is some of the documentation perhaps, some of the release notes are not the best. I think they're trying to brush things up and make it better, so it's improving all the time, but initially when we first started seeing some of the interface and some of the documentation it was quite confusing, but then we have a partner that takes the pain, I suppose, for that. Buy the tool. It's fantastic.

What are the key digital priorities and initiatives in your company?
The key things for us is on-boarding affiliates, partners, as quickly as possible, for their customers, or our customers who bet through them, to leverage those relationships, leverage those customers to allow them to bet with us. API Management for us at the minute has been around in having a clean interface for these guys to be able to quickly integrate with us, and then we can very quickly get them up and running, and it's a commercially beneficial arrange for us.

Are you considering upgrading in the future?
We're investigating options as with most industries, omni channel is the big thing now, so we're investigating how we could use this in an omni channel perspective to wire up our other parts of the business, so that's something we may consider. Part of the show, there are developer portals to making it easier for developers, third parties, to actually interact with us. The current product, the gateway product, doesn't have a portal, so effectively I have to document how to integrate, and then every time I make a change, I have to then email the document out to all of my development partners, whereas if I had the developer portal, they can then just go log in themselves, register themselves, they get their own API keys, all that stuff's taken care of, so those things are quite interesting for me and for our partners.

Although a lot of features come handy, the most usable feature is that solution kits are customizable. We were able to cater to a large variety of implementation and customizations with ease.

We have developed frameworks around this product set. It provides the ability to customize and has tremendous depth.

The frameworks are configuration driven, which gives the ability to implement micro-services architecture with ease and provides DevOps agility in terms of continuous deployment, etc.

The feature set is quite diverse and community driven, which is a good avenue to promote future features into this product.

The policy manager UI shows signs of aging, but it is not a must.

Policy manager is probably built using Java SWING, it has all the features, but loses some points on the look and feel, compared to some new generation IDEs.

It would be nice to see the PM revamped and some additional features added, such as step debugging for encapsulated assertions etc.

I have been using CA API Management for five years.

We have not had any issues with stability.

We have not had any issues with scalability.

I would give technical support a rating of 10/10.

We did have a previous solution, but the lack of a feature set, only cloud-based implementations, and lack of customizations drove us towards CA.

The setup was very simple and straightforward.

It is definitely competitively priced. Working with your local AM can help you achieve a pricing level that’s suitable to your needs.

It comes with many options, so do discuss your future roadmap with a CA Solution Strategist to advise you on the proper model.

We looked at Apigee, Mashery, IBM, MuleSoft, WSO2, and others.

• The product is feature rich and can solve a myriad of use cases.
• We have noticed that building frameworks on the product set, with the help of a senior architect who drives the adoption early on, is a key. They can help create reference architecture for your organization that pays dividends in the end.
• Aim for CA certified resources or partners for a good quality solution.

• Availability of Security Assertions: Addresses all the industry security standards
• High Flexibility: Allows policy-driven orchestration and security mediation, in a drag-and-drop manner

Thanks to this product, we have successfully secured SOAP and REST APIs and exposed them to international/domestic partners using the standard industry protocols.

The Policy Manager UI is very busy. It lacks a graphical representation for the flow of the assertions that can significantly improve the clarity of the policy. Thus the Policy Manager UI can be improved in terms of usability. For example, instead of policy assertions in the policy being in a line by line form, it could be represented as graphical flow, similar to how Vordel Gateway does it.

I have used this solution for six years.

We have not experienced any stability issues. The product has been very stable.

The CA API Gateway solution is highly scalable. It is very easy to add more nodes to the cluster, which increases the processing power.

The technical support is excellent and very timely. The engineers are extremely knowledgeable, not only in regards to the product, but also in terms of the protocols and standards that are used by the product.

We were using Vordel Gateway, but it lacked the flexibility and integration capabilities that CA API Gateway provided at the time.

The initial setup was very straightforward. CA has clear and concise documentation to walk you through the initial setup process for both simple and complex deployments.

Vordel Gateway and IBM DataPower. Both these solutions were evaluated from our end, before CA API Gateway was selected.

You should read the documentation.

The Gateway is most important because it is our strategic front door into the company for all APIs.

The API Gateway for us is now, or is about to be, our central one way in. We have many, many partners who resell our communications services. They provision those services through our systems.

Previously, we would just host it on a number of different application servers, uncontrolled if you like, not as secure as they should have been.

You probably don't know, 18 months ago we had a large security breach, which turned into a large issue with the national press. We now use the Gateway for that single point of entry for all of our API traffic.

As well as the SOA Gateway - that is, the API Gateway; we call it the SOA Gateway - we also are now deploying the developer portal component of the SOA Gateway. That has limitations.

There are two main ways to offer web services to the outside world at the moment. One is RESTful services and one is SOAP-based services. We are predominantly a SOAP service company and the support for SOAP-based services are very limited, almost poor, in the developer portal. All CA's investment is around RESTful services, which is a problem for us.

I would also simplify threat protection, I would improve SOAP support, and I would reduce Professional Services rates. Apart from that, everything's pretty good.

We've been using the solution for two and a half years.

It is very good in terms of stability and functionality, it just lacks a little bit in terms of SOAP services.

We're only receiving 200,000 calls a day at the moment, and we're increasing that to about 1,000,000 calls a day, which is a lot of traffic compared to some customers but I'm sure it's not much compared to others. The performance is fine.

We raised a couple of tickets which just went through the standard process and we got a really poor response. But then I contacted the account manager and we got an excellent response and service.

In terms of the ultimate outcome and the service we receive now, I'd rate it really high, you know, 8 or 9 out of 10. But there's been one incident in particular which I would rate down at 2 or 3 out of 10. The way I feel now, I would rate it at an eight or a nine, mostly a nine. There was one incident which did not go through the account management team, which was not optimal.

The one incident which I would rate very low was just a really unprofessional, incorrect response. As soon as the account manager saw it, he was very apologetic. He got it all sorted out, no problem. They know about it and our account guys know about it. I think the support team know about it. I don't really think it's worth bringing it up again.

We introduced the API Gateway. I wasn't here at the time, by the way, but we didn't use anything in terms of that. We bought it really for our protection and security capabilities. So the main thing is the API, the whole API management piece. We did go out to tender; we invited about six, or evaluated about six, different solutions and selected CA.

I wasn't here for the setup.

I would say CA are a good company to work for. I would say that the Professional Services people are fairly expensive but pretty good. I would say that the Gateway is a good tool but you need to be careful of the limitations for SOAP services. Also try and get over to CA World because that's good fun.

It provides a simple way to create REST APIs. It provides easy integration with REST and SOAP services. It has its own language, which make it possible to design and implement the complete flow using existing services and databases, and to create and aggregate fine-and coarse-grained APIs.

We have used it as the top layer in physical infrastructure architecture and made that available to mobile, iPad and desktop applications. Basically, it worked as a single point of contact for all applications via HTTP protocol as a communication channel. Underneath, it is aggregating a plethora of REST and SOAP services and connections to LDAP, AuthMinder, RiskMinder and SiteMinder for authorisation and authentication.

With it, we provided an enterprise solution for authentication and authorisation for all internal and external application in a quick and efficient manner using existing SOAP and REST services.

I feel there is a lot to improve in terms of providing plug-and-play functionalities, as at the moment it requires a lot of coding in their specific language for implementing a medium-complexity use case. It needs to improve the user interface for logging and monitoring. There is no test framework for the APIs, which is a setback. And with respect to providing an end-to-end API management solution, where the API will be charged per usage from the client, configuration is not that easy and straightforward.

I have used it for more than a year.

We had a lot of deployment issues, as it does not provide seamless, continuous integration and deployment to different environments.

Not really, Performance wise it is quite competitive .

Satisfactory

I would rate technical support as satisfactory.

Previously, we chose to use CA-provided solutions (AuthMinder and RiskMinder), which includes (JSP-based) user interfaces. Also, because we have to make our own designs (RIA-JavaScript-based), that’s how it came into the picture.

Initial setup wasn’t straightforward.

We implemented it along with a vendor team. I would advise preparing an in-house team by providing it with a week or two of training, and then get an expert from CA for several months to provide the consultancy and solutions to the team and to resolve their issues.

One of the reasons for choosing it was that we were already using CA products, such as SiteMinder. It provides easy integration with SiteMinder, and because both are CA products, we therefore expected better support.

Not really , as we were already using CA products like Siteminder , since layer 7 is also a CA product and provide seamless integration with the product thus we chose Layer 7 in first place .

I would advise also evaluating Apigee API management if you are looking for an end-to-end API management solution. Otherwise, CA API Management is not a bad choice.