This article is more than 1 year old
Oracle's compliance cops now include Java in license audits
Paid-for subs introduced three years ago now getting attention from Big Red's management services team
Oracle has begun to include Java in its software licensing audits as part of a classic move set to catch customers on the fringes of non-compliance and beyond.
Big Red first introduced two new licensing models for its commercial Java platform, Standard Edition (Java SE), in April 2019 when it began charging license fees for previously free Java. This requires users to purchase an annual subscription for commercial Java SE products in order to receive patches and updates.
By September 2021, when Oracle released Java 17, it began to offer a no-fee license with free quarterly updates for three years — but only for that iteration; not earlier releases such as Java 7, 8 and 11.
So far, Oracle has taken a soft approach to audit Java, via its sales teams. But the omnipresent software development kit has been making its way into official Oracle audits — which many users view with some trepidation — since the beginning of this year, say our sources.
Craig Guarente, Palisade Compliance founder and CEO said his team had started seeing letters from Oracle licence management services (LMS) specifically asking for information about Java, with some customers unprepared to understand the compliance of their licensing estate.
“There's plenty of confusion out there in the market. One misconception people have is that using an older version of Java doesn’t require a license. In fact, even if you're using the older versions, if you're downloading patches and updates from Oracle's website, then you need a support license for that. Customers are getting worried enough that they're just writing big checks,” he said.
Oracle is also using auditing in other areas, such as databases, to access information about Java usage. “Companies declaring 5,000 database licenses might get a knock on the door from a Java sales rep, saying, ‘We heard your environment is 5,000 CPUs: we don't see Java licenses for that' You can be giving Oracle information one week in one area that's being used in a completely different area,” he said.
There are two crucial differences with managing licensing of Java compared with Oracle’s other products. While databases and other on-prem software may come with a perpetual licence, Java requires a subscription. At the same time, defending audits for databases, middleware or applications requires customers to start from their contracts, whereas Java can be so widespread, it might require a technical analysis of the IT estates, Guarente said.
Earlier this year, software asset management company Anglepoint said it had spotted official Java audits coming from Oracle. Scott Jensen, Oracle practice lead, told The Register there was a group of organizations that had “wholly ignored the topic altogether” of Java licensing, creating risks for their employers.
“You are susceptible and vulnerable to any number of risks, whether it be the financial risks due to license shortfalls, but even security risks for that matter,” he said.
Among organizations better prepared for the Oracle auditing process, some were seeking open-source alternatives, Jensen said. “I've seen Fortune 500 organizations who basically uninstall Java overnight and then said, ‘Well, we'll see what breaks and, and if it breaks, then we'll put Java back’. But many organizations have sort of done a rip and replace taking out Oracle Java and replacing it with Open JDK or other equivalents."
A Gartner research note says users require a commercial subscription to obtain critical updates for Oracle Java SE 7, Java SE 8 and Java SE 11. It recommends organisations evaluate their options by assessing the appetite to migrate to Java 17 or to switch to a third-party Java product.
Anne Thomas, Gartner veep and distinguished analyst, said that Oracle’s view on virtualization was also inflating Java subscriptions. As with databases, organisations have to license for every processor without partitioning the virtual environment and only to licensing in one cluster, for example.
“That's why these big companies are dealing with an annual price point of more than $10m,” she said.
Another source of confusion was that Java subscriptions are required for the runtime environment, not the software development kit, she said.
“There were people who didn't really understand it. Part of it might have been the difference between the Java Development Kit in the Java Runtime Environment: Oracle's product is called Oracle JDK, even though it is a runtime. Therefore a lot of people didn't realize that the licensing actually applied to the runtime,” she told The Register.