A definitive guide for IT, procurement, and legal leaders navigating Oracle's employee-based Java licensing, OpenJDK distribution selection, migration execution, and audit defence. Oracle JDK and OpenJDK are built from the same source code. The only difference is cost. This guide shows you how to eliminate that cost.
This guide is part of our Java licensing advisory coverage. See also: Decoding Oracle Java Licensing | Java SE Universal Subscription Pricing | Embedded Java & OEM Agreements | Java Advisory Services
Three years after Oracle's seismic shift to employee-based Java licensing in January 2023, the financial and operational impact on enterprises has become undeniable. What was once a routine infrastructure component has become a seven-figure compliance liability for any organisation with more than a few thousand employees.
Oracle's Java SE Universal Subscription, priced at $15.00 per employee per month, means that a 5,000-employee organisation faces approximately $630,000 in annual Java licensing costs. A 20,000-employee enterprise faces over $1.6 million. Regardless of how few employees actually use Java.
The response from the enterprise market has been decisive: migration to OpenJDK. By early 2026, the majority of Fortune 500 organisations have either completed or are actively executing Java migration programmes. The technical case is straightforward. Oracle JDK and OpenJDK are built from the same source code and deliver identical functionality. The financial case is overwhelming. OpenJDK is free. The operational case is compelling. A mature ecosystem of OpenJDK distributions provides enterprise-grade support, long-term security updates, and professional services.
Yet many enterprises remain partially or fully exposed. Some have not completed their migration due to application compatibility concerns. Others are locked into Oracle contracts that include Java as a bundled component. Oracle's audit activity targeting Java compliance has intensified significantly through 2025 and into 2026, with Java now one of Oracle's primary audit focus areas.
A single Oracle JDK installation on a single server can trigger the employee-based licensing obligation for your entire organisation. If you have not already migrated to OpenJDK, every day you wait increases your retroactive liability. The migration is a planning exercise, not a coding project. Start now.
The employee-based model explained. Under the Java SE Universal Subscription, any organisation using Oracle JDK in production, development, or testing must licence every employee. Not just the individuals who use Java, and not just the servers running Java. The metric is total employee count (including full-time, part-time, and temporary workers), and it covers all uses of Oracle Java SE, including the JDK, JRE, Java Web Start, JavaFX, and associated tools. If a single developer downloads Oracle JDK to compile code, or a single production server runs Oracle JRE, the entire organisation's headcount is in scope.
Pricing and cost escalation. The base price is $15.00 per employee per month ($180 per employee per year). Oracle offers volume discounts at very large scale, but the effective discount for most enterprises is modest. The pricing includes all Oracle Java SE products, all versions, and all environments. The cost relative to what enterprises paid previously (often nothing, or a small Named User Plus licence fee) represents a 5 to 50x increase in Java-related costs.
The compliance trap: retroactive exposure. Oracle's licence terms include provisions for retroactive compliance. If an organisation used Oracle JDK without a valid subscription during the period since January 2023, Oracle can assert a claim for the full subscription cost for the entire back period. For an organisation that has been using Oracle JDK without a subscription since 2023, the retroactive liability by early 2026 could be three full years of employee-based licensing. Potentially millions of dollars.
| Organisation Size | Annual Oracle JDK Cost | 3-Year Retroactive Exposure | OpenJDK Cost |
|---|---|---|---|
| 100 employees | $18,000/year | $54,000 | $0 |
| 500 employees | $90,000/year | $270,000 | $0 |
| 2,000 employees | $324,000/year | $972,000 | $0 |
| 5,000 employees | $630,000/year | $1,890,000 | $0 |
| 10,000 employees | $1,080,000/year | $3,240,000 | $0 |
| 20,000 employees | $1,620,000/year | $4,860,000 | $0 |
A persistent misconception continues to delay enterprise migration decisions: the belief that Oracle JDK is somehow superior to OpenJDK. This is false.
Same source code, same functionality. Oracle JDK and OpenJDK are built from the same source code base. Since Java 11 (released in 2018), Oracle has contributed virtually all of its previously proprietary Java features to the OpenJDK project. The commercial Oracle JDK and the open-source OpenJDK reference implementation pass the same Technology Compatibility Kit (TCK) tests and are functionally equivalent. Any Java application that runs on Oracle JDK will run identically on OpenJDK of the same major version.
What Oracle JDK includes beyond OpenJDK. The differences in 2026 are cosmetic and commercial, not technical. Oracle JDK includes Oracle's commercial licence terms (which create the cost obligation), Oracle's branded installer and packaging, access to Oracle's My Oracle Support portal, and Oracle Flight Recorder and Mission Control (which are also available as open-source components in OpenJDK builds from other vendors). There is no proprietary runtime feature, performance optimisation, or security capability in Oracle JDK that is unavailable in OpenJDK distributions.
Performance comparison. Independent benchmarks consistently show no meaningful performance difference between Oracle JDK and major OpenJDK distributions on the same Java version. Organisations migrating from Oracle JDK 17 to Eclipse Temurin 17, Amazon Corretto 17, or Azul Zulu 17 should expect identical application performance.
| Characteristic | Oracle JDK | OpenJDK (Any Major Distribution) | Difference? |
|---|---|---|---|
| Source code base | OpenJDK (same) | OpenJDK | None. Identical source. |
| Java SE APIs | Full Java SE specification | Full Java SE specification | None |
| TCK certification | Certified | Certified (Temurin, Corretto, Zulu, etc.) | None. Both pass same tests. |
| Runtime performance | Equivalent | Equivalent | None (within benchmark variance) |
| Security updates | Quarterly (Critical Patch Updates) | Quarterly (aligned with Oracle's schedule) | Same patches, same cadence |
| Flight Recorder / Mission Control | Included | Included (open-source since Java 11) | None |
| Licence | Commercial: $15/employee/month | GPL v2 + Classpath Exception: free | Oracle JDK costs $180 to $1.6M+/year |
| Audit exposure | Subject to Oracle licence audits | No licence. No audit exposure. | Oracle JDK creates compliance risk |
While OpenJDK is a single open-source project, multiple vendors produce enterprise-ready distributions with different support models, LTS policies, and value-added features.
Eclipse Temurin (Adoptium). The community-driven, vendor-neutral OpenJDK distribution produced by the Eclipse Adoptium project. Temurin is the default recommendation for organisations seeking a completely vendor-independent OpenJDK. It provides TCK-certified binaries for all LTS versions (8, 11, 17, 21) with community-driven security updates aligned with Oracle's quarterly patch schedule. Best suited for organisations with strong internal Java expertise.
Amazon Corretto. Amazon's free OpenJDK distribution with long-term support. Corretto is Amazon's production JDK, used internally across AWS services, which provides a high degree of confidence in reliability and performance. Amazon commits to supporting LTS versions for at least four years beyond upstream end-of-life. Best suited for organisations with significant AWS investment.
Azul Zulu. Azul Systems' TCK-certified OpenJDK distribution, available in both free (Community) and commercial (Enterprise) tiers. Azul's differentiator is its breadth of Java version support, including extended support for legacy versions (Java 6, 7, 8) well beyond other vendors' timelines. Azul's commercial support is competitively priced (per-system or per-core, not per-employee). Best suited for organisations needing commercial support with SLAs or legacy Java 6/7 applications.
IBM Semeru. IBM's OpenJDK distribution, built on the Eclipse OpenJ9 JVM (rather than HotSpot). OpenJ9 offers faster startup times and lower memory footprint. Best suited for organisations with existing IBM middleware estates (WebSphere, Liberty) or containerised microservices where memory efficiency matters.
Red Hat OpenJDK. Red Hat's build of OpenJDK, included with Red Hat Enterprise Linux (RHEL) subscriptions at no additional cost. Red Hat actively leads maintenance of OpenJDK 8 and 11 LTS streams upstream. Best suited for organisations already running RHEL. Java support is effectively bundled into your existing Red Hat subscription.
| Distribution | Free? | Commercial Support? | LTS Versions | Best For |
|---|---|---|---|---|
| Eclipse Temurin | Yes | Via partners (Azul, etc.) | 8, 11, 17, 21 | Vendor-neutral default choice |
| Amazon Corretto | Yes | Via AWS support | 8, 11, 17, 21 | AWS-heavy environments |
| Azul Zulu | Community: Yes | Enterprise: Yes (per-system) | 6, 7, 8, 11, 17, 21 | Commercial support; legacy Java |
| IBM Semeru | Yes | Via IBM support | 8, 11, 17, 21 | IBM middleware; containers |
| Red Hat OpenJDK | Yes (with RHEL) | Included in RHEL subscription | 8, 11, 17, 21 | RHEL environments |
| Oracle JDK | No: $15/emp/mo | Yes (included in subscription) | 8, 11, 17, 21 | Only if contractually required |
Default to Eclipse Temurin unless you have a specific reason to choose another distribution. It is the most widely adopted, vendor-neutral, and TCK-certified option. Use Amazon Corretto for AWS workloads. Evaluate Azul Zulu Enterprise if you need commercial support with SLAs. If you run RHEL, Java is already covered under your existing subscription.
Migration from Oracle JDK to OpenJDK is not a coding project. It is a planning, coordination, and governance project. The Java runtime is a drop-in replacement. The work is in finding every Oracle JDK instance, validating application compatibility, executing the swap, and ensuring no Oracle JDK remains.
Phase 1: Discovery and inventory (Weeks 1 to 3). Conduct a comprehensive scan of all environments: production servers, development workstations, CI/CD pipelines, container images, virtual machines, and cloud instances. Identify every Oracle JDK and JRE installation. Document each installation: server name, Java version, installation path, and the applications that depend on it.
Phase 2: Exposure assessment (Weeks 3 to 4). Calculate the financial exposure: total employee count x $15/month x number of months since January 2023. Present this to finance and legal leadership to secure executive sponsorship and budget.
Phase 3: Application compatibility analysis (Weeks 3 to 6). For each application running on Oracle JDK, determine whether the application vendor certifies or supports OpenJDK. Most enterprise software vendors officially support OpenJDK. For applications where vendor documentation specifies "Oracle Java SE only," contact the vendor directly. The majority have tested on OpenJDK and will confirm compatibility.
Phase 4: Distribution selection and standardisation (Weeks 4 to 5). Select one or two OpenJDK distributions as your enterprise standard. Create internal documentation specifying the approved distributions, approved versions (align with LTS releases: 17 and 21 for new deployments), approved download sources, and patch management procedures.
Phase 5: Pilot migration (Weeks 5 to 8). Select 3 to 5 representative applications spanning different Java versions, deployment types, and criticality levels. Replace Oracle JDK with the chosen OpenJDK distribution. Run full regression testing. Monitor for any behavioural differences (there will be very few, if any).
Phase 6: Phased production rollout (Weeks 8 to 16). Migrate remaining applications in waves, prioritised by risk (low-risk first). Each wave: swap the JDK, run smoke tests, monitor for 48 to 72 hours, then move to the next wave. Update CI/CD pipelines, container base images, and VM templates to use OpenJDK.
Phase 7: Remediation of remaining Oracle JDK (Weeks 14 to 18). Address the hardest cases: applications that genuinely require Oracle JDK (rare), applications where the vendor refuses to support OpenJDK (escalate or consider alternatives), and Oracle JDK installations bundled with other Oracle products. For genuinely unavoidable Oracle JDK usage, isolate it on specific systems.
Phase 8: Verification and ongoing governance (Weeks 16 to 20+). Conduct a final comprehensive scan to verify that no Oracle JDK remains. Implement ongoing monitoring (automated scans monthly) to catch any reintroduction. Update IT policies to prohibit Oracle JDK downloads without explicit approval. Block Oracle JDK download URLs at the network level.
Application compatibility is the single most cited reason for delaying migration. In the vast majority of cases, the concern is unfounded.
The 99% reality. Across our advisory engagements involving hundreds of enterprise Java environments, we consistently find that 95 to 99% of applications migrate from Oracle JDK to OpenJDK with zero code changes and zero behavioural differences. The Java specification ensures that any conformant JDK implementation will run the same bytecode identically.
Vendor documentation says "Oracle Java SE required." Contact the vendor. In most cases, the documentation is outdated and the vendor supports OpenJDK. Get written confirmation.
Application uses Java Web Start (JNLP). Java Web Start was removed from Oracle JDK in Java 11 and is not part of OpenJDK. Open-source alternatives (IcedTea-Web, OpenWebStart) provide equivalent functionality.
Application uses JavaFX. JavaFX was separated from the JDK in Java 11 and is now available as an independent open-source project (OpenJFX). Add it as a dependency to your application.
Application uses internal Sun/Oracle APIs. Some legacy applications use internal APIs (com.sun.*, sun.misc.Unsafe) that are not part of the public Java SE specification. These APIs exist in OpenJDK as well (they are part of the shared source code), so migration does not break them. But they may be removed in future Java versions.
| Compatibility Concern | Frequency | Actual Risk | Resolution |
|---|---|---|---|
| Application runs identically on OpenJDK | 95 to 99% of cases | None | Swap JDK, run regression tests, deploy |
| Vendor docs say "Oracle JDK only" | Common (but misleading) | Low | Contact vendor; get written OpenJDK confirmation |
| Java Web Start dependency | Legacy only | Medium | Deploy OpenWebStart or IcedTea-Web |
| JavaFX dependency | Moderate | Low | Add OpenJFX as application dependency |
| Internal Sun/Oracle API usage | Legacy only | Low for migration | APIs exist in OpenJDK; plan refactoring for future versions |
For many enterprises, the migration is complicated not by technical barriers but by commercial and contractual constraints.
Java bundled in Oracle Enterprise Agreements. Some enterprises have Oracle Java SE included in their ULA, EA, or Oracle cloud contract. In these cases, the Java licence may be "free" during the agreement term. But it is not free at renewal. When the agreement expires, Java becomes a separate cost item at the employee-based subscription rate unless the enterprise has eliminated Oracle JDK usage. Begin the OpenJDK migration well before the renewal date so that Java is not a leverage point for Oracle during renegotiation.
Oracle audit dynamics. Oracle's licence audit activity targeting Java has increased substantially since 2023. If your organisation receives an audit notification, the Java estate is almost certainly in scope. Oracle's approach is to quantify the retroactive exposure and use this as the opening position in settlement negotiation. Organisations that have already migrated to OpenJDK and can demonstrate a clean environment are in a fundamentally stronger position.
Third-party software requiring Oracle JDK. A small number of third-party products include Oracle JDK as a bundled or required component. The Oracle JDK licence may be covered under the vendor's OEM agreement with Oracle. This OEM coverage applies only to that specific product's use of Java, not to any other Java usage. Verify the OEM licence scope carefully.
Review all Oracle contracts for Java clauses. Complete OpenJDK migration before Oracle contract renewal. If audited, do not concede retroactive liability prematurely. Oracle's opening position is always the maximum theoretical exposure. The actual settlement is typically 30 to 60% of that figure with proper negotiation, and zero if you can demonstrate a clean environment. Engage independent advisory before responding to any Oracle audit.
Oracle's Java-focused audit activity has intensified through 2025 and into 2026.
Oracle's typical audit approach for Java. Oracle initiates contact through either a formal audit letter or an informal "licence review" invitation from your account manager. They request deployment data: number of systems running Oracle JDK, Java versions, employee count. They calculate theoretical maximum exposure (all employees x $15/month x all months since January 2023) and present this as the compliance gap. The resolution proposal is typically a multi-year Java SE Universal Subscription commitment.
Defence strategy. The most effective defence is a clean environment: complete removal of Oracle JDK with documented evidence (scan results, migration records, policy changes). If you have already migrated to OpenJDK and can demonstrate that no Oracle JDK is present, Oracle's Java claim collapses. If you have partially migrated, the defence involves minimising the scope of remaining Oracle JDK usage, challenging Oracle's retroactive pricing methodology, negotiating a settlement based on actual usage rather than theoretical employee-based exposure, and accelerating the remaining migration.
Common Oracle audit tactics. Oracle may argue that Java downloaded for "testing" or "development" triggers the full employee-based subscription. Oracle may claim that Java bundled within other Oracle products (Database, WebLogic) counts as separate Java usage. Oracle may pressure for rapid settlement before you complete your migration. All of these tactics are negotiable.
| Audit Scenario | Oracle's Position | Typical Defence | Likely Outcome |
|---|---|---|---|
| Complete Oracle JDK removal (verified) | Claims retroactive exposure for prior usage | Demonstrate clean environment; dispute retroactive scope | No ongoing obligation; limited or no back payment |
| Partial migration (some Oracle JDK remains) | Full employee-based exposure for all months | Minimise scope; negotiate based on actual installations | Reduced settlement + accelerated migration |
| No migration (full Oracle JDK environment) | Maximum retroactive + multi-year forward commitment | Challenge methodology; negotiate settlement; begin emergency migration | Settlement required; typically 40 to 60% of theoretical maximum |
| Oracle JDK bundled in third-party software | Claims separate Java licence required | Verify OEM licence from third-party vendor | Excluded from claim if OEM licence confirmed |
Completing the migration is only half the battle. The most common cause of renewed Oracle Java exposure is re-contamination: Oracle JDK being reintroduced into the environment after migration is complete. This occurs through developers downloading Oracle JDK for convenience, new applications deployed with Oracle JDK bundled in container images, third-party vendors deploying Oracle JDK as part of their installation, and IT automation scripts referencing Oracle JDK repositories.
Policy. Publish an enterprise-wide policy designating OpenJDK as the approved Java standard. Explicitly prohibit Oracle JDK downloads and installations without written approval from IT governance.
Technical controls. Block access to Oracle JDK download URLs at the corporate firewall or proxy level. Remove Oracle JDK from approved software catalogues, container registries, and VM templates. Configure CI/CD pipelines to fail builds that reference Oracle JDK.
Monitoring. Schedule automated scans (monthly at minimum) across all environments: servers, desktops, VMs, containers. Alert immediately if Oracle JDK is detected and trigger a remediation workflow.
Vendor management. Include OpenJDK requirements in vendor onboarding and software procurement processes. When evaluating new third-party software, verify that it does not require or bundle Oracle JDK.
Continuous: Oracle JDK URL blocking at firewall/proxy. CI/CD pipeline enforcement rejecting Oracle JDK references.
Monthly: Automated environment scanning across all servers, desktops, VMs, and containers. Container image audit for Oracle JDK base images.
Every purchase: Java requirement check in software procurement workflow for all new vendor software.
Annual: Enterprise Java standard policy review.
| # | Action | Owner | Timeline |
|---|---|---|---|
| 1 | Discovery scan. Comprehensive scan across all environments for Oracle JDK/JRE installations. | IT / Infrastructure | Weeks 1 to 3 |
| 2 | Exposure calculation. Employee count x $15/mo x months since Jan 2023. Executive briefing. | Finance / Legal | Weeks 3 to 4 |
| 3 | Distribution selection. Standardise on OpenJDK distribution(s). Temurin default; Corretto for AWS; Zulu for commercial support. | IT Architecture | Weeks 4 to 5 |
| 4 | Compatibility analysis. Contact vendors, build application compatibility matrix. | IT / App Teams | Weeks 3 to 6 |
| 5 | Pilot migration. 3 to 5 representative applications with full regression testing. | IT / QA | Weeks 5 to 8 |
| 6 | Production rollout. Migrate in waves. Low-risk first, then mission-critical. | IT / App Teams | Weeks 8 to 16 |
| 7 | Remediation. Resolve exception cases: legacy apps, vendor dependencies, Oracle-bundled installations. | IT / Procurement | Weeks 14 to 18 |
| 8 | Verification scan. Confirm zero Oracle JDK in all environments. | IT Security | Weeks 16 to 18 |
| 9 | Governance controls. Policy, URL blocking, automated scanning, CI/CD enforcement. | IT Governance | Weeks 18 to 20 |
| 10 | Contract alignment. Remove Java from Oracle renewal; prepare audit defence position. | Procurement / Legal | Before next renewal |
Enterprises that follow this structured approach typically complete the full migration within 16 to 20 weeks. The migration effort, typically 200 to 500 person-hours for a mid-size enterprise, pays for itself within the first month of eliminated licensing costs. Annual savings range from $100K to $1.6M+ depending on organisation size.
Yes, completely. OpenJDK is licenced under the GNU General Public Licence v2 with the Classpath Exception, which permits unrestricted use, including commercial production, with no licensing fees, no per-employee charges, and no usage restrictions. All major distributions (Eclipse Temurin, Amazon Corretto, Azul Zulu Community, IBM Semeru, Red Hat OpenJDK) are free for production use.
No. Oracle JDK and OpenJDK of the same major version are built from the same source code and pass the same TCK certification tests. In our experience migrating hundreds of enterprise Java environments, 95 to 99% of applications require zero code changes. The rare exceptions involve Oracle-proprietary tools (Java Web Start, JavaFX) that have open-source replacements, not the Java runtime itself.
All major OpenJDK distributions receive quarterly security updates aligned with Oracle's Critical Patch Update schedule. The patches are contributed to the OpenJDK project by Oracle, Red Hat, and other vendors. You receive the same security fixes, on the same cadence, at no cost. Distributions like Azul Zulu Enterprise also offer commercial support contracts with guaranteed SLAs for patch delivery if your organisation requires that level of assurance.
If you have completely removed Oracle JDK from all environments and can demonstrate this with documented scan results, Oracle has no basis for a Java compliance claim going forward. Oracle may still assert a retroactive claim for the period when Oracle JDK was in use. The strength of that claim depends on your contract terms, whether you had a valid licence during that period, and the documentation you can produce. Engage independent advisory before responding to any Oracle audit request.
It is a planning and coordination effort, not a coding project. The Java runtime is a drop-in replacement. You are not rewriting applications, you are swapping the JDK installation. A typical enterprise with 200 to 500 applications completes the migration in 16 to 20 weeks. The effort is 200 to 500 person-hours, concentrated in discovery, compatibility verification, and phased rollout coordination.
Oracle products like Oracle Database, WebLogic Server, and Oracle Middleware include a bundled JRE/JDK that is licenced under the host product's licence terms, not the Java SE Universal Subscription. This means using Java within Oracle Database does not trigger the employee-based Java subscription. However, any Oracle JDK usage outside those specific products does trigger the subscription. Verify the scope carefully and document which Java installations are covered under product licences versus which are standalone.
Eclipse Temurin is the recommended default for most organisations. It is vendor-neutral, TCK-certified, and the most widely adopted. Use Amazon Corretto for AWS-heavy environments. Consider Azul Zulu Enterprise if you need commercial support with SLAs, particularly for legacy Java versions (6/7/8). If you run RHEL, Red Hat OpenJDK is included in your subscription at no additional cost.
Yes, Oracle can and does assert retroactive claims for the period since January 2023 when the employee-based subscription model took effect. The theoretical maximum exposure is total employees x $15/month x number of months. In practice, these claims are negotiable. With strong documentation and independent advisory support, settlements typically range from 30 to 60% of the theoretical maximum, and organisations that migrated promptly and can document the timeline often negotiate significantly better outcomes.
Implement a four-layer governance framework: policy (enterprise standard designating OpenJDK; prohibiting Oracle JDK without approval), technical controls (block Oracle JDK download URLs, remove from software catalogues), monitoring (monthly automated scans across all environments), and vendor management (require OpenJDK compatibility in procurement processes). The most common re-contamination source is developers downloading Oracle JDK for convenience.
In nearly all cases, migration to OpenJDK is the superior option. The annual cost of Oracle's Java subscription ($180/employee/year) continues indefinitely and escalates at renewal, while OpenJDK is free forever. The one-time migration cost (200 to 500 person-hours) is a fraction of a single year's subscription. The only scenario where an Oracle subscription might be justified is if your environment has a genuinely unavoidable Oracle JDK dependency that cannot be resolved. Even then, negotiate aggressively on scope and pricing.
Our Java advisory team has helped enterprises across financial services, healthcare, manufacturing, and technology eliminate millions in Oracle Java exposure while maintaining full operational capability on OpenJDK. Independent. Fixed-fee. No Oracle bias.
Java Compliance AssessmentIndependent Java licensing advisory. Compliance assessment, migration strategy, audit defence. Fixed-fee. Vendor-independent.