Locations

Resources

Careers

Contact

Contact us

CIO Playbook / Java licensing

Top 15 Things IT Leaders Must Know About Oracle Java SE Licensing and Audits

Top 15 Things IT Leaders Must Know About Oracle Java SE Licensing

Top 15 Things IT Leaders Must Know About Oracle Java SE Licensing and Audits

  1. Java SE Licensing Changes Since 2019 โ€“ Oracleโ€™s Java licensing landscape has dramatically shifted over the past few years. In 2019, Oracle ended the free commercial Java updates era, replacing the old Binary Code License (BCL) with a new Oracle Technology Network (OTN) License for Java SE. This meant businesses had to purchase subscriptions to get updates for Java 8 and newer. The year 2021 saw the introduction of the No-Fee Terms and Conditions (NFTC) license for the latest Java versions (like Java 17), allowing free use in production but only until the next long-term release comes out. Then, inย 2023, Oracle unveiled aย drastic new model: anย employee-based Java SE Universal Subscription, requiring companies to license Java per the total number of employees. These changes aimed to boost Oracleโ€™s Java revenue but have added complexity for customers.
    • Key Evolution: Until 2019, Java SE was freely usable for commercial purposes (with free public updates). After 2019, paid subscriptions became mandatory for business use for Oracle JDK 8 and above. NFTC (2021) temporarily allowed free use of the newest Java (e.g., Java 17), but only during its active period. In 2023, the Universal Subscription (per-employee) model entirely replaced older per-user or per-processor licenses. To avoid compliance surprises, IT leaders must review which license model their Java deployments fall under.
  2. The 2023 Employee-Based Universal Subscription Model โ€“ Oracleโ€™s new Java SE Universal Subscription model (launched Jan 2023) charges a fee for every employee in your organization, a significant shift from licensing just the machines or users running Java. This all-inclusive metric means that if your company uses Oracle Java anywhere, you must count all full-time employees, part-time staff, and even contractors and consultants with access. Older metrics like Processor or Named User Plus (NUP) are no longer sold for Java, forcing renewals into this new scheme.
    • Pricing and Coverage: The Universal Subscription is priced per employee per month. For example, it starts around $15 per employee/month for smaller organizations, with volume discounts (e.g., ~$12 at 1,000+ employees, lower for tens of thousands). In practice, a company of 3,000 might pay over $10.50*3,000 per month for Java SE. The subscription covers Java use across desktops, servers, and cloud โ€“ essentially โ€œuniversalโ€ usage rights. This simplification can help with tracking (there is no need to count individual installs). Still, it often raises costs significantly, especially for firms with many employees but only a fraction actively using Java. IT leaders must budget for these recurring Java fees and explore alternatives if the cost is prohibitive.
  3. What Requires a License (and What Doesnโ€™t) โ€“ Not every use of Java triggers a paid Oracle license, but the rules are specific. Oracleโ€™s licensing distinguishes free use cases versus commercial us,e requiring a subscription. For instance, under the OTN or NFTC license terms, you can freely use Oracle Java for personal use, development, testing, prototyping, or demonstrations. Running Java on Oracle-approved products (like the JDK embedded in Oracle WebLogic or Oracle databases) is also free. Even using Java on Oracle Cloud Infrastructure is included with the cloud service. However, using Oracle Java SE in production for internal business applications typically requires a paid license. You must have an active Java SE subscription if you deploy Oracleโ€™s JDK or JRE on your servers or employee desktops for day-to-day operations (outside of the limited no-fee versions).
    • Free vs. Licensed Use: Oracle Java does not require a license when used for:
      • Personal, hobby, or educational projects on individual machines.
      • Development, testing, or POC (Proof of Concept) within your company โ€“ these non-production uses are permitted under Oracleโ€™s free OTN license.
      • Running Oracle software: No separate Java SE license is needed if Java is only usedย withinย another Oracle product youโ€™ve licensed (e.g., Oracle WebLogicโ€™s internal Java runtime).
      • Oracle Cloud deployments โ€“ Oracle includes Java usage rights if you run your workloads on their cloud.
    • Requires a Paid License:
      • Production use for businessโ€”Any Oracle Java runtime powering business applications or websites in production (outside of the special no-fee period for the latest Java versions) needs a subscription.
      • Older Java versions in use โ€“ if you still run Java SE 8, 11, etc., with updates beyond 2019, you should pay for those (Oracle stopped free public updates, so using updated Oracle JDK 8/11 in production now requires a license).
      • Redistributing Java โ€“ embedding Oracleโ€™s Java in a software product or device you provide to customers (or using it in SaaS offerings) isnโ€™t covered by free use; it requires a commercial agreement.
      • Staying on an old LTS โ€“ Oracleโ€™s no-fee license (NFTC) allows free use of the newest Java (e.g., Java 17, 21) only while itโ€™s the current release. Once Oracleโ€™s free support period ends, continuing to run that version with updates means upgrading to a newer Java or paying for a subscription.
    • Takeaway: Always double-check if a Java installation is under a free-use scenario or if it crosses into โ€œproduction/business useโ€. Many organizations err by assuming an old Java install is free when itโ€™s not or by unknowingly using an Oracle JDK when an OpenJDK (free) could suffice. When in doubt, assume a subscription is required for any commercial deployment of Oracle Java.
  4. Common Java Licensing Compliance Mistakes โ€“ Oracleโ€™s Java licensing can be tricky, and many organizations make similar mistakes that put them out of compliance. One common pitfall is assuming โ€œno one is using Javaโ€ and overlooking installations. Java often creeps into environments via third-party apps or legacy processes, and if those Oracle JREs remain installed without licenses, youโ€™re at risk. Another mistake is misinterpreting Oracleโ€™s license terms โ€“ for example, using Oracle JDK in production thinking itโ€™s free because it was a public download or not realizing that applying a Java security patch from Oracleโ€™s site can carry licensing obligations if youโ€™re beyond the free usage scope.
    • Typical Compliance Errors:
      • Upgrading without a License: Companies update Java (e.g., apply a Java 8 update or install a new JDK) without realizing that moving beyond certain versions (post-2019 updates) means entering a commercial realm.
      • Using Commercial Features inadvertently: Older Java versions had extra features (Java Flight Recorder, Mission Control, etc.) that required separate licensing. Enabling or using these without the proper license is a compliance violation often overlooked.
      • Counting Licenses Incorrectly: Under the older models, a frequent mistake was miscounting Named User Plus licenses (e.g., not meeting Oracleโ€™s minimums per processor or not tracking actual named users) or improperly licensing Java on VMs (Oracleโ€™s partitioning rules can be complex, and using Java on a VMware cluster could be interpreted as requiring licensing of the whole cluster if not careful). Under the new model, the mistake is underestimating the employee count. Some companies licensed Java for, say, 500 employees when they were supposed to count all 600, including part-time and contractors, leading to under-licensing.
      • Assuming Dev/Test = Prod: Companies sometimes use Oracle Java in a โ€œtestโ€ environment that is actually connected to production or used indirectly by end-users. If an environment contributes to production (e.g., a QA server that end-users access or a build server distributing Java apps), Oracle might not consider it exempt under free use. Misunderstanding what qualifies as non-production can lead to unintentional compliance gaps.
      • Ignoring Legacy Installs: Old Java versions (Java 6/7/8) might still lurk on servers or user machines. Their presence can be flagged in an audit even if not actively used. A common scenario is an app that was decommissioned but the Java runtime wasnโ€™t removed, leaving an unlicensed Oracle JRE installed.
    • Note: These mistakes can be avoided with proper software asset management. Regularly audit your Java installations and usage policies. Train developers and IT staff on what they can or cannot do (for example, donโ€™t download Oracle JDK for a quick test on a production server out of habit โ€“ use OpenJDK for that scenario). Small oversights can snowball into big compliance issues during an audit.
  5. What Triggers an Oracle Java Audit โ€“ Oracleโ€™s auditing arm (GLAS โ€“ Global License Advisory Services) has become very proactive with Java. A few red flags almost guarantee attention. The first is Java download activity: Oracle closely monitors those downloading Java installers and updates from its website. If they see your companyโ€™s domain or IP pulling down Oracle JDK updates and you donโ€™t have a matching subscription, expect Oracle to notice. Legacy Java licenses that lapsed are another trigger. For example, if you bought Java SE subscriptions in 2020 but decided not to renew in 2023 under the new model, Oracle assumes you might still be running Java unlicensed. Those customers are prime candidates for an audit outreach shortly after expiration.
    • Top Audit Triggers:
      • Excessive Java Downloads: If your IT team downloaded Java updates or installers (especially for Java 8/11) from Oracleโ€™s site without an active support contract, Oracleโ€™s logs (which go back up to 7 years) will flag your organization. Even downloading critical patch updates can signal unlicensed use.
      • Expired or Pre-2023 Licenses: Organizations with Java licenses under the older models and didnโ€™t renew into the Universal Subscription are closely watched. Oracle knows those Java installations didnโ€™t just vanish. A lapsed subscription is seen as likely continued use without pay.
      • Ignoring Oracleโ€™s Inquiries: If Oracle reaches out with a โ€œJava usage reviewโ€ (soft audit) and you brush it off or refuse to engage, this non-cooperation can escalate to a formal audit trigger. Oracle interprets silence or pushback as a sign of potential non-compliance.
      • Minimal Oracle Footprint: Ironically, companies with little to no Oracle software besides Java are often targeted. Oracle knows an audit wonโ€™t jeopardize a large account (since youโ€™re not a big Oracle database or applications customer), so they have less to lose by enforcing compliance aggressively. They suspect such companies might not be well-versed in Oracleโ€™s licensing and thus have unintentional violations.
      • No Oracle Cloud Adoption: Oracle has been known to use audits as a lever to push its cloud services. If your organization isnโ€™t using Oracle Cloud, Oracle might see an opportunity. In some cases, the lack of an Oracle Cloud strategy is listed among audit triggers. Oracleโ€™s logic is that it can โ€œremedyโ€ compliance issues by upselling you a cloud subscription as part of the settlement.
      • Whistleblowers or Public Info: Though less common, insider tips or even public case studies can sometimes trigger audits. For example, suppose a disgruntled employee hints that your company didnโ€™t buy Java licenses, or you present at a conference about using Java at scale (and Oracle knows youโ€™re not a customer). In that case, it might invite an audit letter.
  6. How Oracle Conducts Java Audits โ€“ Oracleโ€™s audit process follows a two-phase approach: It may start informally (a โ€œsoft auditโ€) and, if unresolved, progress to a formal audit. In a soft audit, Oracleโ€™s reps (often from sales or License Management) send an email requesting a discussion or data about your Java usage. They may reference Oracleโ€™s records (like download logs or the new licensing changes) and ask you to share how many installations you have. This phase feels like a friendly check-in but is an audit-lite. If you cooperate, you might exchange installation spreadsheets and compare them against your entitlements. They can escalate if Oracle finds gaps or if you donโ€™t cooperate.
    • Formal Audit Process: A formal audit is an official, contractual audit triggered by an audit clause (if you have one in a contract with Oracle). Youโ€™ll receive a written notice that Oracle is exercising its audit rights, often giving ~45 days’ notice and citing the contract termsโ€‹. Oracleโ€™s Global Licensing and Advisory Services (GLAS) team or an authorized auditor will then typically:
      • Kick-off Meeting: Initiate an audit kick-off call to explain the scope and timeline. Then, they clarify what they will review (which systems, which Java versions, etc.) and what data they need.
      • Data Collection: Oracle will request detailed data on all your Java deployments. Commonly, they provide an Oracle Server Worksheet (OSW) โ€“ a questionnaire asking about each server, instance, version, etc. โ€“ and may supply scripts or tools to runโ€‹. For Java, they have scripts that scan for installed Java binaries (e.g., java.exe, libjvm.so) on your machines to inventory where Oracle Java is installed. If youโ€™re in a virtualized environment, they might ask you to run a PowerCLI script (for VMware) to identify all VMs with Javaโ€‹. Essentially, they try to build a complete picture of your Java usage.
      • Analysis & Findings: Oracle analyzes data and compiles an audit report after data submission. Theyโ€™ll highlight any unlicensed usage โ€“ for example, Java installations beyond what youโ€™ve paid for. Often, Oracle will assume worst-case scenarios. (One real-world example: Oracle found 800 installs where only 500 were licensed and concluded the company needed to license the entire company retroactively under the new model.) The audit report typically outlines compliance gaps and the licenses/subscriptions Oracle thinks you owe.
      • Resolution: Oracle presents the findings and usually proposes to resolve the issue, such as purchasing a certain number of Java SE subscriptions (sometimes with back support fees for past use) or, in some cases, an alternative such as migrating some workload to Oracle Cloud. There will be negotiation, but Oracle uses the leverage of the audit findings to push for a purchase.
    • Soft vs Formal Audits: Many audits start soft and only become formal if you donโ€™t resolve. Soft audits are not contractual โ€“ you technically donโ€™t have to comply, but ignoring them is risky. Formal audits carry more weight โ€“ if youโ€™ve ever signed any Oracle agreement with an audit clause (even for a different product), Oracle might use that to audit Java. In both cases, Oracleโ€™s goal is the same: find unlicensed Java use and make you pay for it. They will use any data you give (even in a soft audit) as evidence if things turn contentious. Knowing this, managing how you engage when Oracle comes knocking is important.
  7. How to Prepare for an Audit โ€“ The best time to prepare for an Oracle Java audit is before it happens. Proactive preparation can turn an audit from a panicky fire drill into a more manageable project. Start by conducting an internal Java audit of your own. Inventory every instance of Java across your company โ€“ on servers, VMs, desktops, applications, etc. (This can be done via scripts or software inventory tools โ€“ see point #8.) Match each discovered Java instance to a known license or entitlement: is it an Oracle Java installed under a subscription? Was it an old download under OTN terms? Or is it an OpenJDK installation (which would be outside Oracleโ€™s scope)? Having a clear record is invaluable.
    • Audit Readiness Checklist:
      • Maintain a Software Inventory: Keep an up-to-date inventory of all Java installations (including version and vendor). Know where Oracle Java is used versus other distributions. This could involve using configuration management databases (CMDB) or endpoint management tools to track installations.
      • Gather Your Documentation: Compile all Oracle Java licensing documents, contracts, purchase orders, and support renewals. You should be able to prove what licenses (subscriptions) you have and their terms. Also note which Java versions those cover (e.g., if you have an Oracle Java SE Subscription from 2020, it might entitle you to Java 8 and 11 updates through a certain date).
      • Map Usage to Entitlements: Ensure you have a corresponding license for each Oracle Java system. If you find instances that arenโ€™t covered, you can rectify that before Oracle notices โ€“ either by removing Java from that system or by procuring a subscription. Doing this internally is far cheaper and cleaner than doing it under audit pressure.
      • Educate and Alert Teams: Inform your IT staff and developers that Oracle Java is licensed. Teams often install software without considering licenses. A brief policy like โ€œDo not install Oracle Java without approval; use approved OpenJDK builds for general useโ€ can prevent surprises. Ensure everyone knows that an Oracle audit could happen and immediately surface any Oracle communications about Java to management.
      • Establish an Audit Response Plan: Identify who in your organization will handle an Oracle audit if the notice comes. Typically, this combines IT Asset Management, IT operations, and Legal. Assign roles: e.g., the SAM manager will gather data, and legal/procurement will handle communications with Oracle. Having a plan means you wonโ€™t scramble to decide โ€œwho deals with this?โ€ when Oracle sends an email.
      • Dry Run (Self-Audit): Consider performing a mock audit internally. Pretend you have to report to Oracle: run the discovery scripts (or your tools) to simulate what data Oracle would seeโ€‹. This helps identify any weak spots. If, for instance, your internal scan finds Java on 50 servers but you only thought it was on 30, you know you have an exposure to address. Regular self-audits (perhaps annually) are a great practiceโ€‹ and demonstrate due diligence if you ever need to show it.
      • Stay Current on Licensing News: Oracle sometimes changes terms or offers new free options (or rescinds them). Keep an eye on Java licensing announcements or expert blogs. For example, knowing that Java 17โ€™s free period ends in September 2024 lets you plan an upgrade to Java 21 or budget a subscription rather than being caught using Java 17 unlicensed in 2025.
      • Engage Advisors if Needed: If your Java usage is large and complex, or if you lack internal licensing expertise, consider consulting firms specializing in Oracle licensing. They can perform a baseline audit and help you patch compliance gaps confidentially. Itโ€™s much better to have a third party find a problem and fix it than for Oracle to find it and penalize you.
  8. Java Discovery Tools and Internal Self-Auditing โ€“ Discovering where Java is installed in your IT estate is crucial to managing licensing. Java can be present on various systems (from backend Linux servers to Windows laptops). Automated discovery tools can help you identify every instance. Many IT asset management or software inventory tools (e.g., Microsoft SCCM, Flexera, Snow, and OpenAuditor) can scan for installed software and ensure they are configured to detect Java runtime installations. You can also use simpler approaches: script a scan across all servers to run java -version or search for the presence of java.exe/java binary in typical install locations. Oracleโ€™s audit scripts essentially do this kind of search for known file names and registry entries.
    • Implement Internal Discovery: Use your configuration or endpoint management systems to flag any Oracle Java installs. Maintain a registry of systems with Java, including the version and the distribution (Oracle vs. OpenJDK vs. others). This way, at any point, you can say, โ€œWe have Oracle Java on X number of servers and Y desktops,โ€ which should match what youโ€™ve licensed.
    • Leverage SAM Tools: Many Software Asset Management (SAM) tools have specific modules or patterns for Oracle Java. They might detect the Java installation path and even read the release file or registry to determine if itโ€™s an Oracle build. Take advantage of these features to get an accurate count.
    • DIY Scripting: A sysadmin can script a network-wide check if you donโ€™t have a fancy tool. For example, use PowerShell or bash scripts to query machines for installed programs named โ€œJavaโ€ or environment variables, etc. Collate this data in a spreadsheet.
    • Java Usage Tracker: Oracle Java 8 introduced a feature called Java Usage Tracker that logs the usage of the JVM. However, note that the Usage Tracker itself was considered a commercial feature (part of Java SE Advanced), and using it required a license. So, while it can be useful for granular internal monitoring, ensure youโ€™re properly licensed if you enable it. Alternatively, rely on external monitoring (like process monitoring) to see where java processes run.
    • Keep Results Centralized: Whatever method you use, store the inventory results in a central repository and review them periodically. Integrate it with your CMDB. When servers are decommissioned or new ones are built, update this register. This ongoing asset management practice will make any future audit much smoother.
    • Verify and Clean Up: Once youโ€™ve discovered all Java instances, verify if each is truly needed. Uninstall Java from machines that donโ€™t need it to reduce risk. For the remaining ones, ensure you have licenses or a plan to replace them with non-Oracle Java if possible.
  9. The Risks of Assuming โ€œJava Is Freeโ€ โ€“ Many IT leaders make a dangerous assumption that Java (as a programming language and platform) is free across the board. While OpenJDK (the open-source reference implementation of Java) is free and many Java distributions have no cost, Oracleโ€™s Java SEย for commercial use is not free beyond specific conditions. Relying on old knowledge (โ€œJava has always been free, right?โ€) can lead to compliance nightmares. Since 2019, Oracle has required a paid subscription for businesses to use Oracle Java in production. If a company continues to use Oracleโ€™s Java 8 or 11 without realizing this change, it could accumulate years of unlicensed use. The financial risk is significant: Oracleโ€™s audit penalties could include back-dated subscriptions and support fees for each processor or employee, potentially amounting to millions for a large environment.
    • Sticker Shock Examples: Many organizations were caught off guard in 2019 when Java 8 updates suddenly required a support contract. Some ignored the change and kept downloading updates โ€“ essentially โ€œrunning up a tabโ€ with Oracle. Oracle has data on all those downloads and, during audits, can present a bill for all the past usage. One in five companies using Java SE can expect an Oracle audit in the next few years, and non-compliance fines or true-up costs can reach 4- 5x what you might have budgeted. The assumption of โ€œfree Javaโ€ thus creates a large, hidden liability.
    • Clarify OpenJDK vs Oracle JDK: Itโ€™s important to differentiate Java the platform from Oracleโ€™s specific binaries. The open-source OpenJDK is free (under GPL license), and there are other free builds (Adoptium, Corretto, etc.). However, Oracleโ€™s official JDK/JRE downloads from their site often come under licenses that restrict free use to certain purposes. For example, Oracle JDK 17 was free under NFTC for a time, but Oracle JDK 8 updates are not free for commercial use at all post-2019. Simply put: Java is free, but Oracle Java SE is not (for enterprises). Failing to make this distinction is risky.
    • Avoiding the Trap: To avoid trouble, companies should either ensure theyโ€™re using truly free Java distributions wherever possible, or if they need Oracleโ€™s Java, be fully aware of the licensing needs. If you inherited an IT environment, perform a Java license audit (see #8) rather than assuming everything is fine. The cost of a Java SE subscription is far lower than potential audit penalties, so if Oracle Java is needed, itโ€™s better to budget for it upfront than to be hit with an unexpected compliance bill.
  10. How to Reduce Your Java Licensing Scope โ€“ One strategy to manage costs is to minimize the footprint of Oracle Java in your organization. The less Oracle Java you use, the fewer licenses (or smaller subscription tier) you need. Start by analyzing where Java is actually required. Many times Java is installed โ€œjust in caseโ€ or as part of a standard image even if not actively used. By removing Oracle Java from unnecessary places, you can contain your licensing obligations. Another approach is to swap in alternatives for Oracle Java wherever feasible. Because OpenJDK is functionally equivalent to Oracle JDK (they share the same code base for a given version), most applications will run just fine on OpenJDK or another vendorโ€™s build.
  • Prune Unneeded Installations: Do an environment sweep and uninstall Java from machines that donโ€™t need it. Especially on employee PCs โ€“ if only a handful of users or apps actually need Java, donโ€™t have it sitting on every desktop. Fewer installations reduce both security risk and licensing scope.
  • Consolidate Java Workloads: If possible, concentrate Oracle Java usage on specific servers or clusters. For example, instead of running a Java app on 10 different servers, can it be run on 2 larger servers? This might reduce the count of licensed machines (relevant under older metrics, or at least reduce your perceived usage under an employee count model if you can definitively limit where Java is used).
  • Use OpenJDK or Other Distributions: Identify systems where you can replace Oracle JDK with OpenJDK. Many vendors offer free Java builds: Eclipse Adoptium (formerly AdoptOpenJDK), Amazonโ€™s Corretto, Azul Zulu, Red Hat OpenJDK, etc. These are TCK-certified Java SE implementations with no cost. By migrating an application from Oracle JDK to, say, Amazon Corretto 11, you eliminate the need for an Oracle license on that system. Over time, these swaps can dramatically shrink how much Oracle-licensed Java you have.
  • Segment by Criticality: Perhaps you keep Oracle Java for your most critical production systems where you value Oracleโ€™s support, but use OpenJDK for less critical or development systems. This โ€œhybridโ€ usage can reduce your overall license count. Just be careful to segregate them (donโ€™t mix Oracle and non-Oracle JDK on the same system).
  • Stay on Allowed Versions: Another tactic is to leverage Oracleโ€™s free allowances smartly. For instance, Oracle JDK 17 was free (NFTC) for production until late 2024. Some organizations standardized on JDK 17 and planned to upgrade to JDK 21 (also free until 2026) to avoid needing a subscription. This requires discipline in promptly upgrading to each new LTS but can keep you within Oracleโ€™s free-use window. However, this is only viable if you regularly upgrade your applications to the latest JDK.
  • Monitor and Adjust: After reducing scope, continually monitor that Java usage isnโ€™t creeping back. People might reinstall Java, or new projects might bring it in. Maintain governance so that any introduction of Oracle Java triggers a review (โ€œDo we have a license? Can we use OpenJDK instead?โ€).
  1. How to Defend Against Audit Overreach โ€“ During an audit, Oracle might interpret data to maximize compliance issues (and their revenue). โ€œAudit overreachโ€ refers to Oracle pushing claims beyond what you think is fair or accurate โ€“ for example, asserting you need to license every employee because one team used Java or trying to count every virtual machine in a cluster as needing a license even if Java was on just one VM. IT leaders should be prepared to push back and enforce the proper bounds of the audit.
  • Know Your Contractual Rights: Check if and how you agreed to audits. Oracle’s audit rights may be limited if you never signed a Java contract (e.g., you only downloaded under OTN terms and never clicked an audit clause). You are not necessarily obligated to run Oracleโ€™s audit scripts on your network if no contract is requiredโ€‹. In a โ€œsoft auditโ€ scenario, you have more flexibility โ€“ you can provide data in your format rather than running Oracleโ€™s tools.
  • Insist on Scope Clarity: At the outset of an audit, get a clear scope in writing. What exactly is Oracle auditing? Limit it to Java SE usage, specific versions, and a certain time range. Oracle auditors sometimes fish for unrelated issues; donโ€™t let the scope casually expand. If the audit notice was for Java, keep the conversation on Java (not other Oracle products). If Oracle asks for information beyond Java, question its relevance to the agreed scope.
  • Use NDAs and Written Communication: Ensure an NDA (Non-Disclosure Agreement) is signed so any data you provide isnโ€™t shared inappropriately. Try to handle communications via email or written form so you have a record. Verbal discussions should be followed up with an email summary to avoid misunderstandings. When you provide data, label it clearly and, if possible, mark it as โ€œconfidentialโ€. This creates a trail of exactly what you provided and can prevent Oracle from later claiming you admitted to something you didnโ€™t.
  • Validate Oracleโ€™s Findings: If Oracle returns with a compliance claim, scrutinize it. Do their numbers add up? For example, if they say, โ€œWe found Java on 100 servers,โ€ cross-check with your inventory. Itโ€™s possible their scripts misidentified something (e.g., found an OpenJDK instance but assumed it was Oracle or counted an old installation directory thatโ€™s not in use). You have the right to question and require proof of any asserted violation.
  • Challenge Broad Interpretations: Oracleโ€™s stance with the new employee metric is a known point of contention โ€“ they might argue that if you used Oracle Java on a handful of machines, you now need to license the entire company (since thatโ€™s how the subscription works). However, if the usage was all in the past and has stopped or was under a different agreement, you can negotiate so youโ€™re not buying licenses for everyone unnecessarily. Donโ€™t accept an overreach claim at face value; often, Oracleโ€™s initial compliance report is a โ€œworst caseโ€ ask. There may be room to settle for a smaller scope (for example, license only the subset running Java, going forward).
  • Bring in Expert Help: Defending against Oracle in an audit can be daunting. Consider involving a third-party Oracle licensing expert or legal counsel experienced in software audits. They can identify when Oracle is overstepping (e.g., asking for data theyโ€™re not entitled to or misapplying license rules) and help craft a response. These experts might also negotiate directly with Oracle on your behalf to reduce any fees. Remember, Oracle audits are a negotiation โ€“ you can push back and counter-offer. The better your factual data and understanding of your rights, the better your outcome.
  1. Employee-Based Pricing vs Older Licensing Models (NUP, Processor) โ€“ Oracleโ€™s shift to employee-based licensing fundamentally changed how you calculate Java licensing, and itโ€™s important to understand how it compares to the previous models:
    • Named User Plus (NUP) Model: Under NUP (used 2018โ€“2022 for Java SE), you purchased licenses per named user (or per device) that runs Java. Oracle often requires a minimum number of NUPs per processor for server environments. For example, you might buy 50 NUPs to use Java to cover 50 specific developers or PCs. This model allowed targeting only those who needed Java.
    • Processor-Based Model: This model counted CPUs. You bought a license per processor (with multi-core CPUs adjusted by a โ€œcore factorโ€). Each Processor license allowed unlimited Java instances on that processorโ€™s machine. This was suitable for serversโ€”e.g., if you had Java on an 8-core server, you might need 4 processor licenses (with a 0.5 core factor). Again, this targeted the hardware running Java.
    • Employee-Based Model:ย As of 2023, neither NUP nor Processor is sold for Java. Itโ€™s all about the total headcount. If your company uses any Oracle Java, you count all employees (and eligible contractors) and pay a monthly fee per employee. This can be simpler (just one number to base licensing on) but can also mean paying for people who never directly use Java. Oracle eliminated the granular models, claiming simplification, but raising the floor for what many customers must pay.
    • Cost and Flexibility Comparison: Under old models, you could adjust your spend by controlling where Java was installed โ€“ if you reduced Java usage, you could buy fewer licenses at renewal. The new model is less flexible; even if only 10% of employees use Java, 100% are counted. The costs might be similar for a small company, but for a large enterprise with limited Java usage, the new model is often more expensive. For example, consider 5,000 employees, but only 200 use Java actively. Under NUP, you might have bought ~200-300 NUP licenses. Under employee licensing, you pay for all 5,000 employees, which is a huge jump in cost.
    • Renewals and Legacy Contracts: Oracle has allowed some customers to renew existing Java SE subscriptions (NUP/Processor) if their usage hasnโ€™t changed, but they subject these to a compliance check. In practice, many are pushed to transition to the new model. IT leaders should be prepared for the next renewal; Oracle will likely quote the employee-based subscription and discontinue the old agreement. It may be worth modeling the cost difference and exploring alternatives rather than blindly renewing the employee metric.
    • Strategic Note: Some organizations locked in multi-year Java SE subscription deals before 2023 using NUP/Processor. Those deals might temporarily shield them from the impact of the employee metric on their costs. However, budgeting for the employee-based model (or migrating off Oracle Java) becomes critical once those expire. Understanding these models helps explain to executives why Java costs might balloon and why proactive measures (like reducing scope or switching, as noted above) are so important.
  2. When to Stay with Oracle Java vs. Switch to Alternativesโ€”Java is available from many sources besides Oracle, so a key decision for IT leaders is whether to continue with Oracleโ€™s Java SE (with paid support) or migrate to an alternative distribution. The right choice depends on your organizationโ€™s priorities, risk tolerance, and usage patterns.
    • Staying with Oracle Java SE: You might choose to stay on Oracleโ€™s Java if you heavily rely on Oracleโ€™s support and the guaranteed updates. For mission-critical systems where any security patch delay is unacceptable, Oracleโ€™s official patches (which you get with a subscription) might be worth the cost. Also, if you use Oracle enterprise products officially supported on Oracle JDK (for instance, some Oracle Fusion Middleware), you may feel more comfortable staying aligned with Oracle. Another reason to stay is if the effort to switch is too high โ€“ perhaps you have hundreds of applications and no time to test them on a new Java distribution. If the Java subscription cost is relatively small in your IT budget (say youโ€™re a small company), the convenience of one vendor might outweigh the savings from switching.
    • Switching to OpenJDK or Third-Party JDKs: Many companies are reevaluating Oracle now that viable, well-supported alternatives exist. OpenJDK, the foundation of Oracleโ€™s JDK, can be obtained from other providers for free or at a much lower cost. Vendors like Azul, IBM, Red Hat, Amazon (Corretto), Microsoft (OpenJDK), and others provide builds that are essentially Java SE without the Oracle stamp. They often offer paid support too, usually cheaper than Oracleโ€™s, if you need SLAs for updates. Switching makes sense if cost savings are a top priority or if you want to eliminate the risk of Oracle audits. Regarding performance and functionality, thereโ€™s usually no difference for most applications โ€“ code that runs on Oracle JDK runs on OpenJDK.
    • Considerations for Switching: Ensure that any alternative you choose has a robust update policy. For example, AdoptOpenJDK (now Eclipse Adoptium) and Amazon Corretto provide timely updates for Java 8, 11, 17, etc. Red Hat supports OpenJDK in RHEL with long-term updates. Also, verify compatibility โ€“ while standard Java applications should work out of the box, if you have applications that use Oracle-specific features or rely on the Oracle JVMโ€™s behavior, test them on the new JDK. Most organizations find the switch straightforward, but due diligence is needed.
    • Hybrid Strategy: Some organizations adopt a hybrid approach. For instance, continue using Oracle Java for a specific high-value application that might need Oracleโ€™s direct support or where the vendor explicitly requires Oracle JDK, but migrate everything else to OpenJDK. This way, you might reduce the Oracle subscription to a smaller scope (maybe even drop to a lower employee tier or specific server licenses via an Oracle Java SE โ€œAdvancedโ€ agreement if applicable) and handle the rest with free Java. This can be an intermediate step if youโ€™re not ready to drop Oracle fully.
    • Stay-or-Switch Decision Drivers: Ultimately, risk vs cost is the trade-off. Staying with Oracle means guaranteed compliance (no audit fears) but higher ongoing costs. Switching saves cost and avoids dealing with Oracle but puts the onus on you to manage updates (with or without a new support vendor). Also, consider the future roadmap: Oracleโ€™s licensing has been unpredictable (as seen in recent years), and some CIOs prefer not to depend on such vendor behavior for a commodity like Java. Others value having the vendor of the Java technology itself backing their usage. Evaluate your specific context โ€“ e.g., if an audit would be ruinous, you might hasten to switch; if you have a long relationship with Oracle and sizable support contracts, maybe negotiating a Java deal within that relationship works in your favor.
  3. Using Java Within Other Oracle Products (Embedded Rights) โ€“ Many Oracle products include an embedded Java runtime. Oracleโ€™s policy generally allows you to use Java as part of another Oracle-licensed product without a separate Java SE license. This is known as โ€œOracle Approved Product Use.โ€ For example, Oracle WebLogic Server, Oracle Database, Oracle E-Business Suite, and others all run on Java internally. When you have a license for WebLogic or EBS, it comes with the right to use the necessary Java platform for that application. Similarly, Java is often included under the hood if you are running Oracle software on Oracle Cloud.
    • Embedded Use is Restricted: The key is that the Java usage is restricted to the Oracle productโ€™s functionality. If WebLogic installs an Oracle JDK on the server, you can use that JDK only for running WebLogic and applications deployed in WebLogic. You cannot take the same JDK and run some other custom application or script on that server outside of WebLogicโ€™s context, which would require a separate Java license. In practice, keep the โ€œbundledโ€ Java solely dedicated to the product.
    • No Extra Charge for Embedded Java: Oracle explicitly notes that using Java for products like Oracle DB or Oracle apps is covered. For instance, running Java inside Oracleโ€™s forms or reports or using the Java runtime that comes with Oracle Fusion Middleware does not require an additional Java SE subscription. Oracle even provides that running Java on Oracle Cloud Infrastructure (OCI) or within Oracle SaaS is considered part of that serviceโ€™s license.
    • Auditing Embedded Use: Oracle often asks if youโ€™re using Java beyond just the Oracle products during audits. If you only have Java installed as part of Oracle Database and nowhere else, you would typically respond that itโ€™s โ€œJava embedded in Oracle product Xโ€ which is allowed. Itโ€™s good to document that. For example, note the path of the Java installation and which Oracle product was installed. If an auditor accidentally flags it, you can point to the product and the license agreement that covers it.
    • Third-Party Products Bundling Java: The embedded rights apply to Oracle products. If a non-Oracle vendor includes Oracleโ€™s JRE in their application installer, that can be a gray area. Oracleโ€™s Java licensing doesnโ€™t permit ISVs to give their customers Oracleโ€™s JRE for production use without the customers having a license. Many third-party software makers switched to bundling OpenJDK to avoid this issue. But if you discover a third-party app has an Oracle JRE packaged, you should verify if that vendor has a deal with Oracle or if you need to license Java for that usage. When in doubt, contact the vendor or assume you need a license.
    • Bottom Line: If Java is only used as an โ€œengineโ€ inside a properly licensed Oracle product, youโ€™re safe and do not need an additional Java SE license. Ensure that Java isnโ€™t being used beyond that scope on the same systems.
  4. Strategic Exit Plan or Hybrid Model for Javaโ€”Given Oracleโ€™s licensing changes, many organizations are formulating anย exit strategyย from Oracle Java or a hybrid approach to reduce reliance. A strategic exit plan means systematically migrating off Oracleโ€™s Java to alternatives over a defined timeline, minimizing business disruption. A hybrid model means continuing to use Oracle Java in some capacity while supplementing or gradually replacing it elsewhere.
    • Assessment Phase: Start by categorizing all Java-dependent applications in your environment. Identify which ones are tightly coupled to Oracleโ€™s Java (perhaps due to vendor support requirements or specific Java versions) versus those more agnostic. Also note the criticality of each application. This will inform the transition order โ€“ typically, non-critical, internal apps can move first as a pilot for using OpenJDK. In contrast, critical revenue-generating systems might be later after thorough testing.
    • Evaluate Alternatives: Decide on which Java distribution(s) will be your Oracle replacements. Options include Azul Zulu, Eclipse Temurin (Adoptium), Amazon Corretto, IBM Semeru (OpenJ9), Red Hat OpenJDK, etc. Each has different support models:
      • Some are community-driven with free updates (Adoptium).
      • Some are backed by large companies offering support contracts (Azul, Red Hat, IBM, etc.).
      • Ensure the versions you need are supported for the long term (for example, Amazon Corretto and Azul provide long-term support for Java 8 and 11 well into the future).
    • Pilot and Migrate: Begin migrating a few applications to the chosen JDK and run them at their own pace. You likely wonโ€™t need any code change (Java is Java), but you might find minor configuration differences or tuning needed. Gain confidence here. Then, create a schedule to move the remaining applications in waves. It could align with your normal software update cycles or DevOps pipelines. For each migration, have a rollback plan in case of unforeseen issues.
    • Licensing Transition: As you migrate off Oracle, track when you can reduce your Oracle Java license counts. If youโ€™re on the employee metric, you might need to stop using Oracle Java before dropping the subscription (since itโ€™s all or nothing). If you still have an older contract with the processor/NUP, you might be able to reduce the number of licenses at renewal as usage drops. Plan the timing โ€“ e.g., if your Oracle Java subscription renews in December 2025, aim to have migrations done by then so you can either not renew or renew a much smaller quantity.
    • Hybrid Operations: Sometimes, a full exit isnโ€™t immediately possible. Maybe a vendor application only supports Oracle JDK and wonโ€™t certify OpenJDK โ€“ you might keep that one on Oracle Java with a small subscription and everything else on OpenJDK. This is a hybrid model. If going hybrid, segregate environments clearly to avoid license contamination.โ€ For instance, dedicate certain servers or containers to run the Oracle-required app, use Oracle Java there (and count just those in scope), and ensure all other apps are on a different JDK. This makes it easier to demonstrate compliance (only those specific systems need Oracle licenses).
    • Monitor and Refine: After most transitions, monitor the performance and support experiences with the new JDKs. You might find, for example, that an open-source JDK works fine but you want a third-party support contract for peace of mind โ€“ those can usually be added after the fact. Also, keep an eye on Oracleโ€™s moves; if Oracle were to improve their licensing or offer a more compelling deal, you can reevaluate the decision. But generally, once off Oracle, organizations rarely return due to the cost savings and reduced compliance risk.
    • Communication: If you plan to let an Oracle Java subscription lapse, it can be wise to inform Oracle (through your account rep) that you are transitioning off if you have a good relationship. In some cases, Oracle might return with a discounted offer to entice you to stay. Even if not, it sets the expectation. However, you are not obligated to tell them your plans. Simply not renewing is a clear message on its own. Just be prepared that Oracle may follow up when a subscription ends to โ€œcheckโ€ if you are still using Java. Your exit plan should have removed Oracle Java from production by then. Logs or documentation showing youโ€™ve uninstalled or replaced it can definitively close the chapter and avoid any post-termination audit friction.

IT leaders can navigate Oracle Java SE licensing with far greater confidence by understanding these 15 key points โ€“ from licensing nuances and compliance pitfalls to audit tactics and exit strategies. Oracleโ€™s Java licensing can no longer be treated with a laissez-faire approach; it requires active management and strategic decision-making.

With the right knowledge and preparation, you can avoid compliance headaches, control costs, and make the best choice for your Java platforms in the future.

Do you want to know more about our Oracle Java Advisory Services?

Please enable JavaScript in your browser to complete this form.
Author

  • Fredrik Filipsson has 20 years of experience in Oracle license management, including nine years working at Oracle and 11 years as a consultant, assisting major global clients with complex Oracle licensing issues. Before his work in Oracle licensing, he gained valuable expertise in IBM, SAP, and Salesforce licensing through his time at IBM. In addition, Fredrik has played a leading role in AI initiatives and is a successful entrepreneur, co-founding Redress Compliance and several other companies.

    View all posts