Layer7 API Management Reviews

The primary use case is we are using the API Management Suite. It has the Gateway and Portal, and we are using the Gateway to front all the APIs in FedEx.

The Gateway is performing very well. The Portal is not.

We can get more visibility into our data.

The benefit of the Gateway is that it provides security, authorization authentication, and analytics. These are the main benefits which we are using it for. 

The most valuable, for the Gateway, is it can front our APIs very easily, and it can integrate with FedEx easily, so those are good. 

For the Portal, we are able to manage with APIs and documentation. However, there are a lot of improvements, which could be done on the Portal side.

For additional features, I would like to see how it can be deployed into the cloud platform out-of-the-box and not having to do a lot of the initial setup. If it can be done out-of-the-box, that will make customer's life very easy.

Their upgrade solutions are not straightforward. Therefore, we are running the older version. We wanted to go to the latest and greatest. However, it is really complex going from where we are to the next one. 

It is fairly stable for the Gateway side. However, not for the Portal side.

We have seen that it can scale both vertically and horizontally. 

We have used technical support quite often, and they are really good. We have opened multiple tickets, and they are very responsive, especially for the Severity 1 tickets. 

The initial setup was very complex.

CA Service was helping me with the implementation. 

Initially we were looking into different options. We looked into Apigee, Axway, and CA. We did the whole evaluation, and CA come out to be the winner, because CA is the market industry leader.

From CA's new technologies, it looks like CA is moving in the right direction.

Look to your performance matrix and your benchmarks. What are you interested in? If you are looking for support, this is definitely the best solution. 

Most important criteria when selecting a vendor: Performance is one of the major ones. Security is another. 

Our primary use case is for API management. We use it as a security gateway in our DMZ and ESB and our trusted zone.

It works great. We haven't had any problems, it just runs.

Day to day functionality. It just works and it's easy to use, that's the best part of it.

Most valuable features are 

• the ease of use
• a very nice UI
• you can navigate through the screens
• a very good search feature.

I would like to see it work better with one of our back-end databases, DB2 UDB. Other than that, I really don't have any complaints so far. It's doing everything we need it do.

Stability is great. We run a high resilient load balance configuration. We haven't had any problems with it.

It scales.

We have not used technical support yet. We have not run into any problems yet.

We had API gateways before, we just divested from IBM and went with CA.

We bought 16 gateways earlier this year and we're setting them up right now. It's good. Straightforward.

When choosing a company to work with and buy from, they need to be industry-rated, they need to be one of the upper-right companies for strength, vision, and performance.

If I were advising a colleague at another company who's searching for a similar product I would tell them to talk to CA.

We use the API Gateway as a front door to access our APIs that we host internally, to enable us to get involved in the digitalization.

It has performed very well, actually. It's given us new capabilities that we never had before and gives us more confidence in increasing the number of APIs that we actually have.

I think the flexibility. It's very configurable. Each policy is very customizable, where we can accommodate different capabilities that our trading partners actually have. Even though from a textbook standpoint, there's always a certain ideal pattern that you want to apply, that's rarely the case with our trading partners. That flexibility is very important.

And the main point of the Gateway is the security aspect of it. It's very good from that standpoint. It has met all of our expectations. We're very happy with that.

It gave us new capabilities that we really didn't have before. We didn't have a good way of exposing APIs to the internet in a reliable, secure way. It gave us that ability. 

It also gives us a focal point where it's allowing us to consolidate our portfolio. Where before - Cargill is a very large company - from one business unit to the next, they didn't necessarily know what we actually have. This product enables us to consolidate that, so there's one place to look.

The tool itself, I think, could be better. Along with the flexibility it does have, I wish it had a little more modern user interface. For troubleshooting, debugging, that kind of thing, it could definitely be better. I would like to see improvements in the user interface, for sure for Policy Manager. That's the developer's tool. 

Debugging seems a little bit archaic by modern standards. I would like to see that improved. 

I would like to see better documentation for the development language itself. I think they took a step backwards, actually, when they published all their documentation online. Accessibility is better because it's on the web. But the content seems to me to have taken a step backwards. Not enough details, more difficult to find specifics. And you would almost think that would be the opposite, but the feedback I've gotten from our developers, and my own experience, is that it's not the case.

But in terms of the structure of how the language works, it's pretty good. It gives you a lot of flexibility and allows you to accomplish a lot quickly.

So, in general, improvements in the UI, usability. Like I said, it seems dated in terms of how it works, by modern standards. I think they could go a long way to refurbishing the whole UI.

It's been very good. 

We have had some issues. Technically it's like a database replication issue, where our operations people tell me that the audit logs have been quite large, and that has caused some replication issues between the two nodes in our cluster. 

But outside of that, it's been very good.

We're relatively new to this so I don't think we're taxing the capacity of our gateway at all. In the business that we're in, I don't think that we're going to get to huge volumes anyways. Our goal is to leverage it more. So far, that hasn't been an issue at all.

The biggest thing for us would be that currently it is deployed in one region. We're a global company, so that technically is a little bit of a constraint for us. We haven't been able to deploy more gateways in other regions mainly due to cost of licensing.

Overall it's been very good. 

There are two perspectives. We've used our technical sales contacts. They have been very responsive and very good. We're lucky that we have a couple of them local in our city. They've actually come on-premise to help us. That's been very helpful, very good. Professional services has been really good too. I've spent a lot of time with them. Again, their expertise has been very valuable. 

From a ticket support point of view, where we submit a ticket, I would say that's been a little bit less helpful, in terms of responsiveness, and conveying the actual issue to the person. Once you get them on the phone, and have a one on one working session - which they have been willing to do - that's been very good. But through the ticketing system and the support website, it could be better.

It was a gap in our company. We knew we had APIs that we wanted to leverage and work with our trading partners, for them to access it. But working with our security team, we knew that we didn't have a good way of exposing them securely. That was a roadblock for our business. We couldn't make them accessible because of polices. API Gateway filled that gap and enabled us to use best practices to expose our APIs.

I have been involved more from the development standpoint. We're set up in two groups, an operational side which sets up the infrastructure, does actual server software; I haven't been involved too much from that standpoint. It's more in the development side, to get initial templates together and patterns that we're going to apply. And just coming up with some standards for our developers to use.

I would say it's complex. But I think part of it is just the nature of what this stuff is, when you're dealing with security and the variety of approaches that there can be. That makes it complex. For us, it was relatively new, so there were a lot of challenges there to just learn all the different aspects of it. 

We did consider other vendors. I wasn't part of the original selection, but it came down to two different vendors, CA being one of them - at the time it was Layer 7. Then we did a proof of concept, so I was involved in that. 

In the end, it was really no contest. I tell our other people about this: That it was a week long proof of concept and the other vendor, it couldn't complete one use case. In one week, they had three people that they brought on-premise to work on our use cases for the proof of concept, and they couldn't complete any of them. Layer 7, they completed all of the use cases in one afternoon. It was pretty convincing.

What's important to us when selecting a vendor, besides the product, the vendor needs to be of significant size to be able to continue to evolve the product. It needs to be able to provide enterprise-level support. We're a large company, so we expect the vendor to provide that backing of their product and SLAs. When we choose a product we don't want it to be a product that comes and goes. We want there to be a clear vision of where it's going, that's important to us. CA was able to demonstrate that to us.

It's very good in terms of what we wanted out of the product, initially. But now that we've explored and had the product for a while, we expect more. I think it definitely has room for improvement. Some of those things we're seeing here today, or in this week, at the CA World conference, give me some hope that that improvement is going to happen.

I would advise taking a look at what's available. Clearly, we've had good success with CA API Gateway, but this is a very quickly evolving space. I would encourage them to look at what's out there, what's available. They should prioritize what's important to them, what they're looking for out of the product. Then do a proof of concept to make sure that they feel comfortable, that the product is what they need. Also work with the technical support staff, to make sure that they're comfortable working with them too.

In our context, we have a number of REST APIs that we had to expose, a number of partners, internal users, as well as external partners who wanted to basically integrate cleanly and quickly, but didn't want to do five independent integrations into each API, so the CA tool allows us to effectively wrap those APIs into a common interface, so you can make one call and then the gateway will go away and make the other calls for you. That is the primary goal was that and the tool does that for us.

What it allows us to do is it's more time to market than the value, actually, so a lot of our affiliate marketing teams, they go and engage with the vendor's affiliates, effectively, and they want a very quick, clean solution to get a lot of customers in, place a bet, see their bet history and then log out and tap on and move on to do something else. What this allows us to do is that, whereas previously, I would have had to a specific project team, they would take two or three months to do an integration, now you can do that in a matter of weeks. You can realize the value of a commercial relationship very quickly.

Once it goes live, it's very stable, clearly, it's as stable as your infrastructure or authority or testing is, but once it goes live, as long as you sort of adhere to all the policy management, and make sure you're progressing code, you're testing it correctly, once it goes live it's pretty stable. We've not had any failures with it in the year and a half that it's been live, and it's very stable. From a performance perspective, it's great. You can throttle, you can do rate limiting, so it's very flexible for us.

It's been very good as we need them, thankfully we haven't had much call to call them up, because it's been stable, but we call them up for platform upgrades, when we went from version 7 to 8 and 8 now through to 9. As we need assistance, we raise a ticket. They're very responsive, they're very thorough in what they come back to us with, so they've been a really good partner for us.

The trigger, effectively, was that we had a partner, we'd done a commercial deal. The partner wanted to integrate, we wanted to integrate with the partner, but the partner had a legacy sort of application that they weren't able to do this integrating to five APIs. They wanted one interface, and they didn't want to on-board any of the logic, they wanted that to be done somewhere else, hence the CA API Management tool that does that for us. They make one call, it goes away, does all the connections, all the session affinity, with all the underlying APIs, and that partner can just make the calls as they want. They deployed it on desktop, on tablet, mobile's coming as well now, and we use it for other partners as well.

We had a very short time for it to get it done, so I dealt with CA, we managed to do the deal for the software. They put us in touch with a partner called Smart, Smart421 in the UK. We had a very high-level discussion about what my requirement was, the platform that we have, what I needed to wrap, which calls, so we did a lot of preparation in advance, and then they came on-site, and within two weeks we had a working API. We'd wired together the underlying platforms to build this API that was then sent to the first vendor. Very clean, very slick. As with any IT project, as long as you are prepared, you've done your homework, you know exactly how to lead the implementation, what to take the vendor through, then it works very well.

Partly it's obviously the reputation of the vendor, it's the support structures, it's the partners that they deal with. If they put you in touch with a partner to install the software, what is the calibre of the partner that they're dealing, and that reflects on them as an organization. Their licensing structures, how flexible they are to deal with you, these sorts of things. We also looked at Mashery and Apigee.

We chose CA API Management as it was better licensing model, it was better cost model for us. I wanted that product. I'd previously worked in an organization with they'd bought what was in the Layer 7 product, and so I had an understanding of the product, I had an understanding that it had been used in my industry. I knew that it would work, because I'd seen it done before, so those things were quite key for us.

Break it into small chunks, so what we did was we had a very defined use case, and we could have gone to a much larger project, but the ideas was to focus on the component that we were after, what we had to go and deliver, break that down, get it working, and then that gives the business more confidence to then invest in it further, future phases, and we just broke it down to that. We were able to very quickly deliver something of value, and that then allows you to move on from there, as opposed to doing the full solution first up, and then we could have failed on the way through, the requirements could have changed, but it was better for us, and it's something I recommend that you just break it down.

I give it a nine. It's a great tool, it's a great product. It's good for us because it does specifically what I need it to do. The only area I'd say there could be some improvement is some of the documentation perhaps, some of the release notes are not the best. I think they're trying to brush things up and make it better, so it's improving all the time, but initially when we first started seeing some of the interface and some of the documentation it was quite confusing, but then we have a partner that takes the pain, I suppose, for that. Buy the tool. It's fantastic.

What are the key digital priorities and initiatives in your company?
The key things for us is on-boarding affiliates, partners, as quickly as possible, for their customers, or our customers who bet through them, to leverage those relationships, leverage those customers to allow them to bet with us. API Management for us at the minute has been around in having a clean interface for these guys to be able to quickly integrate with us, and then we can very quickly get them up and running, and it's a commercially beneficial arrange for us.

Are you considering upgrading in the future?
We're investigating options as with most industries, omni channel is the big thing now, so we're investigating how we could use this in an omni channel perspective to wire up our other parts of the business, so that's something we may consider. Part of the show, there are developer portals to making it easier for developers, third parties, to actually interact with us. The current product, the gateway product, doesn't have a portal, so effectively I have to document how to integrate, and then every time I make a change, I have to then email the document out to all of my development partners, whereas if I had the developer portal, they can then just go log in themselves, register themselves, they get their own API keys, all that stuff's taken care of, so those things are quite interesting for me and for our partners.

We modified our architecture to focus on microservices. This allows us to have a front door where we can separate and abstract services from APIs. We can use the API Gateway as the entry point to our enterprise. We can actually monetize our services, our APIs, and build a generic integration architecture using RESTful APIs.

It allows us to centralize the triple A functions: authentication, authorization, and audit. It gives us scalability. We can focus on delivery in a hybrid cloud model without exposing any of our back-end services to the market. It's very secure, very powerful, and has a great deal of complex functions that are native in the solution so that we don’t need to write code to do it.

They are getting there. Docker-based containers are there now, but it is not completed, I think. There are still some gaps between what we currently have and what the Docker model is. We are going for a pure cloud solution, so I want more emphasis on the hybrid model; deployment strategies that allow me to have on-prem and in-the-cloud interactions using the API Gateway, possibly even defining extended VIPs that we can load balance across the two platforms.

They are moving forward, of course, as they go away from the virtual clients and get to Hazelcast. The roadmap could be a little clear for us because I'm making decisions now for the next generation of architecture. It's a little hard to discern where they're headed.

The stability is excellent. The product is very good.

Their capacity is a lot bigger than we are. We haven't reached a limit or even challenged it yet.

The support has been excellent for us. We had quite a bit of hand holding to get started as you’d expect with any new technology, especially in an organization like ours, which isn't on the leading edge. We have moved from behind center to the leading edge of technology, as we are using this tool set in the cloud. We are using it with open-source software. We are using virtual machines. There are lots of opportunity here to learn things, and they helped us every step of the way.

We were using a Delphi application.

I wasn't involved. I worked with the technician who adopted the technology. I conducted our schedule and attended all the sessions. I selected the technology for the enterprise. It is complex. It's a complex scenario but it's not cumbersome or overbearing. Anytime you adopt a new architectural model, you are going to have challenges. It's as good as things get when you start dealing with something this complex.

I was actually brought into my company to define an architecture that takes them forward because they had a very large ball of mud application that was a compiled executable, and they dumped it on file servers all around the country.

We’re the largest company in our market and the application we have been using is old. I came in and defined a forward-looking architecture. An API Gateway is the centerpiece of any microservices solution.

We looked at Axway, Forum Systems, and CA API Management. We also looked at IBM DataPower, which really wasn't for us. We had ruled out CA because it was too expensive. Then they came to the table and said, "Why not us?" Then we had that whole conversation. I asked if they could make it affordable, and they did.

Our most important criteria when choosing a vendor is their ability to carry the feature set, to support its implementation. Clearly price made a difference. They reached out to us with a number we couldn't refuse; so they made it attractive. We were about to pull the trigger on another API solution, and CA met us more than halfway.

We knew that this technology, which I've used before, was the best in the world. We just didn't think we could afford it. They made it affordable. How could we pass that up? It's absolutely the best technology in this space. There is no doubt about that. That's why we really wanted it, but we didn't think we could afford it. It has been the market dominator forever, and the API Gateway has the most features. It’s the most stable. CA has taken that to the next step. They know how to use the product. Every time we call, somebody's got an answer for us.

Clearly this is the solution to have, but you need to have an internal appetite for the upcoming technology. It's not a keep-the-lights-on kind of tool set that would enable you to just turn it on and let it do its own thing. You need to have an administrator who understands it. There are so many opportunities to let it help you that don't come right out-of-the-box and grab you. You need to learn how it enables some of the tips, tricks and traps. Put a good engineer on it and give them the education they need. The device does so much.

We use the API Management tool mostly for the portal application and managing the APIs.

CA has a portal where we can expose the public and private APIs across the globe. We use it as a gateway for security and exposing the internal applications through that layer.

For us, it acts like a proxy as it passes through the API layer. We use it to transmit data from one format to another format, especially to route the data based on the content. This is a seamless process. There are little challenges in regards to the AWS integration but we were able to get through that and CA helped us move towards AWS.

The problem was that it was slow. This product was initially built as an in-house product, but later on they converted it to a pilot product. It was not ready at that time but now it is. We are fine-tuning it to make it available on AWS; so, it's good.

We're moving towards microservices. We do have around 358 to 400 APIs, i.e., monolithic APIs, and we want to convert them into lightweight microservices. We want to deploy them in a container, use the gateway and then expose those microservices to the external world. That’s our main goal and we are using CA API Gateway for this purpose.

I want a more loosely coupled migration utility.

Now they provide a DMU for migration of the code or APIs for continuous delivery. But it's not robust, so I want to see what CA is going to come up with regards to that.

In terms of using the tool itself, it is not user-friendly. You can use the product with ease, but once it starts developing the code, there are a lot of APIs and functions that are not readily available for you. You need to refer to a document to learn about that. They should provide some APIs which will drop down the list of all the functions and that are available and ready to use. The world is changing now; we don't want to be stuck in the 80s or 70s, where we need to search for everything and then try to write a code for it one-by-one. It needs be a good tool; easy for the customers to use it.

The main missing aspect from this tool is that although continuous delivery is available, it is not that straightforward and we have to work on that.

The stability is good except when we went live with AWS; that's when we had initial hiccups but slowly it improved. We are good at this point.

The good thing about McCloud being on AWS is scalability which you get by default. Hence, you don't have to worry about how you want to manage your infrastructure. By default, it will look at your load and there are some alarms set on that and then it will act. When you see the peak, it automatically scales to a new instance and when the load is too low, it will kill that new instance that it has created. AWS will help us with that.

We have used technical support. We had a few bugs in the code, i.e., bugs in the product code for which we had to talk to CA central customer service; they were good and responsive.

Previously, we were using OAG - Oracle Application Gateway. The CDCI was not that good with that. The continuous delivery and continuous integration are not readily available and there are a lot of bugs in the code, in the product. In comparison to that, the CA tool is less buggy.

There were a few reasons for choosing this vendor. The first being the continuous delivery and continuous integration, which was one of the major things we were looking for. Next, we wanted to look at the portal and the API itself; how do you manage the APIs, giving access, access control and all those aspects. The third thing we were looking at was security. So, these are 3 different things that we were considering whilst selecting a vendor.

I was part of the initial setup but CA was there with us to help through the implementation process. It's not complex.

We did do some research and tried to explore some of the API products available in the market. We did speak to all the different product owners, assessed it and then finally we came up with this solution.

Some of the vendors we looked at were Apigee and Amazon API Gateway.

Overall, this is a good product. Those who are interested in a similar product should try to do a PoC first and then see what you want from it.

The most valuable feature is that the API gateway is very strong in security. Most of the enterprises have exposed their back-end services as APIs and everything is okay if the APIs are accessed internally within the enterprise. However, now with all kinds of mobile channels and omnichannel customer experience, the APIs get exposed to the outer world; at such a time, you need something so that you can secure your data. You don't want to be in the news that something bad has happened. Thus, API gateway acts like a security gateway.

It has the ability to enforce security policies on APIs so that the user transaction is secured. Thus making sure that the transaction is a real one and not an unauthorized/hacked transaction.

Whenever there is a new API development our organization does not need to worry about the security aspects in regards to the API because it's already in place.

In my opinion, the policies need to be simplified so that developers are able to understand and taking that into consideration they can build their APIs. The support and maintenance needs to be simpler.

They need to provide more knowledge and it should not be that only CA is able to provide that service. There is need to pass on the knowledge to the enterprise users.

At our organization, we're still not into production but we have some references from other industries like the telecom industry. What we have seen is that there are some initial hiccups, as you encounter with any new technology.

However, once you have proper organizational structure in place to support and manage API gateway appliance, things become smoother.

We have used the technical support and it is excellent. CA is accessible since they have dedicated resources. They provide access to the engineering team and their service is good.

I was involved in the decision-making process to adopt the solution. Initially, we had a normal NetScaler load balancer. However, the challenge with that tool was once your APIs get exposed to the internet/the mobile phone, how to pass the username and password from your mobile phone to your back-ends.

The mobile experience demands that you don't want users to authenticate every time they want to use the application. For example, the Facebook user experience is such that once you enter your username and password you are logged in and whenever you come next time, the token gets refreshed. A similar kind of experience is what we were looking for and that demands API management.

I was not involved in the setup of this product. Since I was an architect, I brought the product in our organization, made people aware of it, socialized it within the enterprise with different stakeholders and now they're leveraging it.

We considered other vendors like IBM DataPower and also looked into Apigee, which is now taken over by Google.

We came up with a reference architecture, so there's got to be some standardization in regards to how you want to build APIs, expose the APIs, naming conventions and so on.

The way to manage the policies needs to be simplified and developers need to be trained. In my opinion, CA API Gateway in that security space is very ideal and it's one of the best out there.

We acquired this platform to give more agility to inter-development. We are using this platform, for example, to deliver a fast integration between our back-end platform and our front end. CA API Management enables us to very quickly create and manage the business rules, and do the integration. After this implementation, we reduced our lead-time in integration and development by approximately 50%.

It standardized all processes during development with the integration between platforms.

CA can provide more features to help with performing tests, for example, to create a month of simulated data to perform stress tests using the CA. In the past, we had to pay our client to create a database for us to perform tests using credit card information with simulated customers. We want the CA API management platform to include a specific module for creating this test database.

I started my challenge there in March 2016, but the platform was implemented 2015. I received all the benefits of this platform.

It is extremely stable.

It is perfect on scalability. Today, I can say we are performing at a rate of five million requests, or five million transactions, per day using this platform.

We are using local support in Brazil to help us during some specific integration between platforms; but it's very, very specific cases.

This API management software platform is great for us. We are extremely satisfied with the platform.