Updated: Aug 17, 2020
Recent moves by Oracle surrounding its Java products present many new and vexing challenges to users. These initiatives are now impacting compliance and are putting many organizations at risk.
Last year at this time, the company introduced a subscription-based licensing model for Java offerings and moved to phase out perpetual licenses on all new purchases. This year the company discontinued public updates for Java SE 8, which now requires licensing.
Prior to this year, subscription licenses were already required on Java SE Advanced, Java SE Desktop, Java SE Suite – any of its products that incorporate what Oracle deems “commercial features”, including:
Java Enterprise (MSI) Installer
Java Flight Recorder
Java Mission Control
JRE Usage Tracking
Java Advanced Management Console
JRockit Mission Control, Flight Recorder, or Real Time Deterministic GC
Now that free updates are no longer available, anything newer than Java SE 8u202 (i.e., 211 and 212) requires a license for that user or processor, as does anything newer than Java SE 7u80 and Java SE 6u45. Java SE 11 and 12 also require licenses.
The upshot: it’s imperative to identify where these products are being used in your organization to make sure you have proper licensing before audit time. Accounting for every use of Java presents a rather daunting task: is it in a production environment? Nonproduction? Virtual environment? Nonvirtual? Depending on where it’s deployed, it requires a different licensing scheme. Further complicating your count is determining whether Java is already licensed via other software entitlements that come bundled with it, such as Oracle WebLogic.
Next, you must figure out where commercial features are in use. Since these features come installed in Oracle JDK, anyone in this environment is a potential user of the commercial features and must be counted. (JDK is Oracle’s Java Development Kit, one of two ways users often download Java. The other is with JRE – Java Runtime Environment.)
In addition, Oracle counts licenses in a different way from other software publishers (check out our recap about best practices in an Oracle Java audit). The company issued a Partitioning Policy that regulates usage; it states that certain technologies, including virtual environments, are not approved to run its software without taking an aggressive approach to licensing. For example, if you have Oracle software running in a VMware environment, the company will count each of the underlying processors supporting the virtual environment and require licenses.
To avoid some of these costly licensing requirements, many users are looking for viable alternatives to Java, such as OpenJDK, which allows Java to be used for free under different vendors. They are examining whether the application is mission critical and requires the updates directly from Java, or whether an open-source alternative could get the job done.
We recommend that all Java customers conduct a self-audit to assess compliance and risk before the supplier conducts an audit. This means determining what your Java deployments are, aligning this information with what you’re entitled to, figuring out where you may be exposed, and determining whether you can optimize, reduce or eliminate license requirements. You can do this internally with your own people, or you can bring in a third party such as ClearEdge to save time and resources.
Rob Murphy is a Principal Analyst at ClearEdge Partners, and a member of its Compliance Practice team.
This blog post was inspired by the webinar on Oracle Java Compliance Risk. You can access the full recording of this webinar below. To learn more about the challenges associated with compliance, read our whitepaper or contact a member of the ClearEdge Compliance Practice.