Oracle verifies Java licensing tools from Flexera and Lime Software
While one vendor says they help prepare for audit, expert warns they don't defend compliance
Oracle has begun to verify software tools from third-party vendors designed to monitor the licensing of Java products in enterprise environments, prompting a warning from one expert.
In March, the omnipresent software giant began to include Java tools in its software licensing audits, often feared by users who can get caught out by the small print if not the spirit of the contract.
Big Red first introduced two new licensing models for its commercial Java platform, Standard Edition (Java SE), in April 2019 when it began charging license fees for previously free Java. This requires users to purchase an annual subscription for commercial Java SE products in order to receive patches and updates.
By September 2021, when Oracle released Java 17, it began to offer a no-fee license with free quarterly updates for three years – but only for that iteration, not earlier releases such as Java 7, 8 and 11.
Oracle has now verified vendors who offer product tools to help monitor licensing and usage data of Oracle database, Fusion middleware, and Java. The two approved vendors are Flexera and Lime Software.
Oracle has an approved set of licensing tools for its broader set of application and infrastructure software, and experts have warned that, while they can be useful, they do not secure the user organization a cast-iron license position in defense of an aggressive audit. In fact, Oracle is free to use the data from the tools to inform its case in the audit.
In March, Garrick Brivkalns, program manager for Oracle Global Licensing and Advisory Services, told a webinar that Oracle only verified raw usage data on these tools. It was "not working to verify any other aspects that the tool might possess such as entitlements tracking, matching entitlements, the usage, and compliance position determinations," he said.
Craig Guarente, founder and CEO of Oracle licensing advisory firm Palisade Compliance, told The Register this week that the new Java audit tools should come with a similar health warning.
"None of these tools can give you a compliance position," he said. "These verified tools, whether they are for Java or other products, just mean that Oracle verifies that the tools bring in all the information Oracle would need to conduct an audit. For example, if the tools say you are using 100 licenses, that does not mean that Oracle will agree you are using 100 licenses. It just means that Oracle will be able to take the raw data and do their own analysis and come up with their number."
Although the tools could make it easier for Oracle to audit a user, they were useful at least in the sense they provided a data point. "That's better than nothing," Guarente said.
Palisade has a Java licensing tool which would never be verified by Oracle because "that is not in the best interests of our clients," Guarente said.
However, Lime Software argued that since 2010, Oracle had accepted the data collected by various tool vendors.
"Tool [verified] vendors should bring back the same data Oracle would," director Alex Andrew told The Register. "When we build our products, we break down each licensed component, build test scenarios for usage of each product, and demonstrate that across all platforms and versions we were collecting the right data."
He said the tools were safer to use than Oracle's own scripts because those scripts are not supported by Oracle for production environments. "I'm not saying that I have ever seen a case where the scripts failed or caused production issues. It's just one of those things that makes the management team nervous," he said.
Use of verified licensing tools was "a great way to defend against an Oracle audit," Andrew said.
"Forewarned is forearmed, especially in the case of Oracle Java. There has been a lot of misleading advice about Java licensing given it is a fairly new and extensively wide-scale problem hitting C Level procurement and software asset management teams."
But there are exceptions where versions and environments do not need licensing, Andrew said. The Lime Software was designed to reveal that information, but it should be used in isolation, he said.
A more complete approach to compliance involves tools, people, and processes to get the most out of their agreements without becoming non-compliant. "The tools should be identifying the risks, the consultants should be managing those risks, the processes should mean that the risks don't recur," he said. ®