Layer7 API Management Reviews

Previously, we don't have a security for our web or mobile applications. In a scenario where I have an application that gives APIs to everyone in the world, they can directly access that particular application. However, this allows for different types of attacks on that particular application too. This becomes a problem if a number of users access it, whether they are valid or invalid users, they will see performance issues. If a number of attacks are happening on a particular application, it goes down. So, from a security perspective, CA API Management acts like a reserve proxy.

It makes the end user feel like it is a real system. It does not show the back-end and what the API tool does. CA API management will not let people know that there is an original server running behind the tool. That is the security point of it. 

For use cases, there are databases that some people have to query on. With the help of CA API Management tool, we can give APIs to the end user, and with the help of those APIs, they can access the data instead of the database.

APIs can be developed to provide security. We can show them in one single pane of glass, such as the CA API Management API Developer Portal. It is there that we can provide the monetization for their APIs and what is happening on third-party applications, like Paytm or BookMyShow. 

Customers go to the portal and register there. It is there that they chose their APIs from a list. Based on the registration of the APIs, the customer will be charged.

Our customers will purchase these APIs and give to their application users. The functionality provided by the CA API Management tool is about the work framework, and the API Gateway also provides work functionalities. In the API Gateway, there are features called Solution Kits. These provides work protocol functionalities and the framework. 

In order to develop an API, we'll face so many problems: 

• What method we should use?
• What is the data it should return?
• If I give this API data to the browser, how will it be processed? 

There are so many problems from the perspective of designing an API. However, the CA API Management tool, along with the CA API Gateway, eliminate all our issues.

As an organization grow, you can use CA API Management for authentication purposes through the CA API Gateway. It allows for multiple identity providers with different Active Directories.

It takes an existing service, like JSON or SOAP, and converts it for use on the application (e.g., REST services).

From a security point of view, there are different types of attacks: cross-origin resource sharing, SQL injection, shell scripting, and code injection. These type of attacks can be eliminated with the help of this tool because they are built-in with rules. If I drag and drop one rule called cross-origin resource sharing to the website I want to allow it on, only that website can contact CA API Management regarding this assertion. 

For an OAuth perspective, the application needs to be registered at my API Gateway. Once the application is registered, every time a user requests access to my API Gateway, I have to capture whether it is a valid application or not. Once it is getting validated, only then will it show them the access page for the login page to the application.

Based on the method an API, we need to be able to access that particular API.

They need a workflow for the API Developer Portal, where the process only allows requests to go to the correct person.

The CA Mobile API Gateway (MAG) for mobiles has too much latency.

If an entire cluster fails, we have disaster recovery with this solution. It provides an exact replica.

Because it contains Java, the heap memory needs to be cleaned constantly or problems will occur.

For day-to-day maintenance, two people are enough staff, e.g., checking the logs.

CA API Management is okay when it comes to supporting a large number of APIs or large number of transactions. It has high availability. With the help of a load balancer, we distribute the load among all the API Gateways. In this way, we provide high-availability for all the API Gateways.

We have scaled the product out to different countries, like China and Australia.

Previously, there was only SOAP services. When you are making an API call with SOAP services, It has a lot of impact on the application by taking too much of the bandwidth. 

Now, all the users are filling our their forms in the back-end with form data into JSON, and sending the information to the REST services.

People want the REST services. There are already existing applications which are running on the SOAP services. Rather than losing their businesses, with the help of CA API management,  they can have both their REST and SOAP services in the back-end.

The initial setup is straightforward, like creating and deploying an API. Everything happens in one single loop.

If you install the CA API gateway, it takes about 15 minutes, as it is available in OVA format. If you go with the OVA format, you don't need to do much configuration. Then, it comes up in an internal MySQL database.

The API Developer Portal takes easily an hour to set up.

When we introduce the solution to a new organization, it's not a complicated process. If we describe to them how an API can reduce work in their regular life, then they can easily understand that. When we give this to the customers, they become happy.

We use two people for deployments.

CA API Management has a licensing path. If you want more features, it requires more licenses and more installation time.

Compared to other tools, like Apigee, this is the best tool that I have used.

This product is available on-premise, in the cloud, and Docker.

I have used this tool for my customers, as I am a service provider, not an end user. I have dealt with implementations and configurations for CA API Management.

We implemented the API versioning for software services and REST services.

Mostly, it can identify client IT and user accounts to give them a lot of business logic. It can also provide API versioning. It can provide different versions to different customers, but the original API are the same.

Controlling microservices for my customers.

It provides a good user interface and is easy to use.

It is not user-friendly because you have to know so many programming languages.

It is a stable product. I have had no issue with it.

The scalability is good.

When it comes to supporting a large number of APIs or transactions, the performance is not bad, because it is in staging. We have not moved it to production.

Our client's environment has four CA API Gateways.

The technical support responds very quickly by email. The last time that I communicated with the technical support, I asked them, "If MariaDB, instead of SQL, is compatible with CA API Gateway?"

However, now CA's entire product service is poor in Taiwan, as there is no local support.

The implementation of CA API Management was complex. It took us (my colleague and me) six months to implement with two people. My colleague was responsible for implementing the API Gateway. 

My colleague is a system engineer. Because I am a programmer, I am in charge of the design and customizability. It is a complicated solution. You have to know so much IT knowledge to do the implementation.

The solution helped us to quickly publish and monetize APIs. I have used versioning responses to publish or send APIs to different customers with different versions.

It has a reasonable pricing model by instance.

I would not recommend the product based on how it has performed to implement it. I did not like working with the product.

We have not used it to modernize legacy systems via microservices, APIs, or developing a new platform for mobile. We also did not use it for connecting data to apps via APIs.

I am not familiar with the security aspects of the solution.

We stopped offering the product as a service a month ago since the product no longer belongs to CA. In Taiwan, I believe no one will buy CA products anymore because it is no longer trustworthy as a company, since the products are no longer supported.

We use it as a gateway for protecting some of our critical infrastructure out on the grid. We have six data centers and it is implemented in each one of them, protecting our grid.

We have several applications that talk to the grid, and they pass through that gateway to get out there, ensuring that we terminate connections from the lower security environment and reestablish credentials for the higher security environment.

Being able to protect our communications protocols, from the back office out to the substations that control the device, is helpful.

We use a pretty simplistic approach and it does what we need it to do for terminating connections and then reestablishing what we needed to do in a DMZ. All of those features are pretty good. We don't really use the full-blown API management solution which they offer, more just the gateway components.

From a security standpoint, it works great. It is the right solution for us. It's lightweight, a software-appliance configuration which was easy to deploy and configure. It is what we need. It does well protecting APIs against vulnerabilities.

It is okay for incorporating identity access control with OAuth.

The entire lifecycle management approach needs improvement: from the API management, development, deployment, some of the settings around the quotas, and some security policy applications, etc. for the APIs. We found the Apigee platform a lot more robust in that area.

The solution is very stable. There have been no issues.

Scalability is fine for what we are doing.

Tech support is pretty good. They're pretty responsive. When we have an issue we give them a call. They jump on, help us find the root cause and provide a solution, or they talk us through configuration items.

We're big CA users, so we have all sorts of their products within our environment. It benefits them to be responsive.

The deployment for CA's API Management, the way we're using it, took a couple of months and then we were operational. Our planning was typical Waterfall-type planning, at the time. We had a problem and targeted the problem with that solution. Our problem concerned security, protecting our grid-control area.

It took three FTEs for what we are doing. We also have a support structure around that. There's a whole team that manages the infrastructure and configurations of the policies. Since it has been up and running, it has required about one FTE to maintain it.

We just worked with CA and our own resources. 

We haven't seen ROI from their gateway solution, other than protecting us from vulnerabilities. In that regard, it's kind of hard to monetize things. We have definitely benefited with cost savings from some of CA's other products.

For what we are after, the pricing is okay. It is competitive.

For an API management solution, we chose the Google Apigee Edge platform. We went a different direction because CA was somewhat limited on some of the lifecycle management things that we were looking for. We use Apigee for modernizing legacy systems and for monetizing APIs, among other things.

We were one of the earlier adopters of the gateway technologies. I don't remember what we compared CA to back then. Lately, it has been between Apigee and MuleSoft and CA. We did that comparison.

We evaluate every five years. We see if we need to stay where we are or go in a different direction. Technology changes quite quickly.

CA API Management is a pretty solid product for what we are using it for. It's been good. It has served our purpose and kept us out of trouble.

Evaluate what's out there in the industry. Make sure that you chose the right product for your use cases.

I would rate this solution at about six out of ten, overall. At the time when we were evaluating it, it was about the complete lifecycle management. We were looking to build APIs to legacy systems, using IDE deployment strategies - all of those things were lacking. Products like MuleSoft and Apigee had better, more robust software development approaches for both mobile as well as web-based or batch processing.

Our primary use case is basic encryption/decryption using symmetric assertions and then, gradually, SOAP signatures, SOAP encryption, non-SOAP XML encryption, and signing that. In the last six months or so, I have been working on JWT (JSON Web Tokens).

Using this solution, the deployment and development processes become easier when compared to before, when complete Java development was necessary. Now, the encryption part is very easy and our clients don't have to continuously depend on logic. On this platform, it's very easy for them to understand and to do testing. It saves them time.

I haven't found that there are any most-valuable features. I'm not using any feature most often in any of my use cases. The use cases depend upon the customers' requirements.

In terms of protecting APIs against threats and vulnerabilities, there are a few assertions which are built-in for threat protection. I have used them for vulnerabilities, like for DDoS attacks, XML schema validation, IP restriction, and for cross-domain.

There are old algorithms that the tool does not support - and it shouldn't, in my opinion. But sometimes customers need old algorithms, from old use cases and old applications, migrated to the platform. At those times, there are hiccups that happen. It's a bit of a challenge to make the customer understand that we should not be going with these old applications.

We have not faced many issues with its stability.

Scalability is a bit tough if it is a production environment. If you are planning to scale it and increase the number of servers within one to two years, that can be challenging. Up until now, if I have installed four servers, I haven't been given requirements to add more than that.

We have contacted support. There were two cases where there wasn't support for old algorithms, the assertions weren't supporting them, and we reached out to the support team. They were very helpful. It depends on the problem you are asking them about. If it's easy, they give you solutions quickly. If there is a requirement for the engineering team to be involved, then it takes time. But they're very helpful.

The setup is straightforward. If I'm doing it on a local machine, it takes 20 to 30 minutes for a single client. I don't have any implementation strategies. It's a straightforward process where you just need to select the options, click enter, enter, enter, and provide whatever input is required.

Before starting the implementation with a customer, we give them the prerequisites that are required. If those prerequisites are met, it doesn't take much time to do the deployment. They have to provide the IP, the hostnames, and the port openings.

In our last deployment, it took me two days to install all the port services. There was one replication and there were two persisting nodes. I did the complete installation and was initially involved in the API development. After that, my colleagues were involved in the development of APIs.

It requires a minimum of two people for maintenance, once it's up and running.

The tool is very powerful so if you are looking to go with an API platform I would recommend CA.

The number of users among our clients is growing, although I don't have an actual number I can give you. Initially, it takes time to get people to understand the platform, but once they understand it, everyone wants to use the platform and have their application exposed to this platform only.

Overall, I would rate the solution at nine out of ten. 

Our primary use case for this solution is opening up our APIs to the development community so they can help us innovate some of our banking products. We've demoed CA API Management and we've done one proof of concept with it, but we are not using it on an ongoing basis.

We are a bank, and any API management tool helps us find the right partners to build new products in new markets. Given that we are going down the path of open banking, this type of tool is, perhaps, going to be one of the integral components of our tech deployment.

• Containerization
• The monetization module 

They're quite unique for an API tool. 

Although we didn't test the monetization, the flexibility of the tool could be quite useful. Right now, we're not looking to monetize any of our open APIs for the next few months, but it will be a focus for banks in a year or so. The nimbleness of the monetization tool is very good, where you can just drag and drop elements that would make up the monetization.

In addition, the development time and rollout time are pretty quick.

This is not specific to CA's tool, but API tools in general. There are two schools of thought: There is the "Apigee" school of thought that says that we don't need hardware to implement security, and there's the "API Connect" school of thought which says some sort of an enterprise service bus would be critical to the success of the API management tool. 

I find this hardware reliance is a bit archaic. The biggest reason I would want to get an API management tool is to get rid of the hardware. If I have to have the hardware and put the tool on top of it, that makes it a bit cumbersome for us because the maintenance of the hardware, for any enterprise service bus, is in hundreds of thousands of dollars per year.

It needs to go into virtualization.

One of the reasons that we chose to go with another tool was because we found that CA API Management was crashing quite often. We called technical support about this, but since the deployment time was so short, we only called them a couple of times before we made a decision.

We didn't take it to scale, but from what I've read and from the literature that was provided to me, it seems that it's built for large transactional orders.

Our interactions with technical support were okay; nothing to write home about.

In terms of using this solution to modernize legacy systems via microservices/APIs or developing a new platform for mobile/IoT, we haven't used CA's API tool, but the API tool we are using right now is helping us replace some of the old, monolithic systems. It's helping bring a more agile approach to our API development, our exposure of microservices to the world.

The setup was a bit complex in the beginning, but I think that's for true for any technology that you want to implement for the first time.

The deployment took six to eight weeks. We had a roadmap that we were following, as an implementation strategy. I can't go into what that process was. For the deployment, we had five FTEs on our side and the implementation team had another two or three, and there was also a manager.

Once it was deployed it took four people to maintain it and for API development. And then we had a team of 40 Intel developers who were using it off and on.

We used a local implementation partner to help set it up.

For the business case that we have, we would have made no money on this within the first 36 months. We would probably have started seeing return on investment when there was traction in the developer community for our APIs. Once we would have a couple of good implementations with the e-commerce companies, then we'd see a return on investment.

I also feel that from a resource-reduction and right-sizing perspective, eventually we would be able to bring that down a little bit because we would need internal product teams to be that active in the long-term.

We weren't comfortable with the pricing of licensing. It was slightly more expensive than its competitors.

We found that API Connect had superior features. The security protocols in CA's product, for financial services, weren't as good as those in API Connect.

With respect to supporting a large number of APIs and/or a large number of transactions, we didn't use it for a large number of transactions. It was a PoC so we only used it for limited connectivity. But from what I've read and from what I've heard from other users, the volume management and traffic flow management is actually pretty good for CA's tool.

I would rate the solution at six out of ten, overall. It didn't meet all of our needs.

The security checking authentication is our primary use case for this solution.

The API gateway is good. 

We have experienced technical difficulties with the product in the past. 

Tech support is helpful. I would give it an 8 out of 10 rating. 

I do not have any experience with the pricing or licensing of the product.

• Digitalization
• API Life Cycle Management

CA API Management powers the next generation of mobile and Internet of Things (IoT) applications by providing reliable connectivity between data, people, apps and devices. You can aggregate and orchestrate data from multiple data sources into modern REST APIs almost instantly. Whether your data is in legacy systems, disparate databases, or the cloud, you will be able to bring it all together to power new digital initiatives at scale in modern apps or SaaS applications.

It improved how we function in the following areas:

• Protecting all enterprise application data from direct access by virtualization.
• Transforming SOAP services to REST services easily on the gateway without impacting existing systems.
• Providing security for all API's exposed through API Gateway at one common location.
• Migration of APIs from one environment to other.
• Providing high availability with horizontal scaling and multi cluster.
• Managing the API lifecycle.
• Exposing enterprise data to the external world.
• Securing Mobile App communication using MAG.
• Integrating easily with other systems.

The most valuable features to me are:

• Different Form Factors: Available as Software, Virtual Appliance, Amazon Machine Image and Hardware.
• API Virtualization: Creating virtual APIs by shielding the actual enterprise resources on API Gateway.
• Security: Enterprise data security and central management in API Gateway.
• API Lifecycle Management: Enable, Disable, Assigning, Deprecating and Deleting APIs on API Portal
• Scalability: API Gateway is easily scalable horizontally and managed easily.
• Mobile SSO is another feature/capability which available.

• The API Development tool can be made more user-friendly by providing folder properties.
• Assertions for common functionalities (like mathematical operations, string manipulations, connecting to non-SQL).
• Masking the user credentials entered in Identity Provider, JDBC based on user role
• Analytics and reporting need to be made better and more user-friendly; add some custom reports both on the Developer Portal and API Gateway; exporting of analytics and an email facility.
• Logging and tracking of changes done by users in the Developer Portal.

CA API Management solution is very stable also scalable.

I did not have any issues with scalability.

Customer Service:

Customer service is good

Technical Support:

The level of technical support is good.

I did not try any other solutions previously.

Initial setup is straightforward. It is simple,easy to do and quick to go to market

Overall cost saving, growth in business

I feel that it is costly for small/medium-sized companies.

I did not evaluate other products, but have read about them and the features they provide.

Check what is required and whether it can be achieved easily without any compromise, see how flexible its to use and maintain.

RESTful API implementation and exposure.

Being a key partner of CA, the strong product has helped us make joint pitches to multiple enterprises and to implement an efficient API gateway for enterprises, enabling them to manage the end-to-end lifecycle of APIs.

API discovery using CA Live API Creator is helpful for integrating with multiple backends, for discovering and kickstarting the API creation process. It is a very good feature.

Mobile app capabilities are good for building mobile apps to consume developed APIs.

API Portal capabilities are very nice, up to and including the ability to do monetization. Security features are exhaustive, with several adapters to all leading identity suites.

The development toolkit used for creating APIs should be more online and user-friendly. 

Deployment and tracking could also be improved. Tools like Apigee provide a complete online experience along with RESTful APIs, to manage all activities. It is a very nice and user-friendly solution compared to CA.

No issues with stability.

No issues with scalability.

Technical support is very good. Response times are very good. As a partner, technical support is available via phone and email as well as in several countries.

As a systems integrator, we use several API management products, with CA being one of our key tools.

Setup was ok. CA was always available for any support issues.

Pricing is competitive. CA is ready to offer attractive discounts.

Apigee, IBM API Connect, and MuleSoft are some of the other key products we have evaluated and used.

CA API suite is a strong solution with very good security capabilities and end-to-end lifecycle management of APIs. It has been proven over the years and is a very good option for implementing the API gateway for an enterprise.