How Oracle Adapted Its Audit Playbook to Java

… and what to do about it

Case study

Oracle has perfected the practice of using license audits for applications and databases to its advantage. But when it comes to the world of the Java programming language, the game is different. This case study explains how Oracle has adapted its auditing methods to create opportunities for new subscription license revenue for Java and what customers should do to protect themselves.

Oracle’s new approach to Java auditing and licensing

Oracle acquired the original creator of Java, Sun Microsystems, in 2009. After a long period of tranquil stewardship, starting in 2019, Oracle began to pursue an increasingly aggressive sales and compliance effort with Java customers.

Many businesses that are long-time Java users have had eye-opening experiences over the past two years. They have received seemingly innocuous calls from Oracle regarding their Java licenses during which they unwittingly and unnecessarily disclosed information that Oracle used as leverage in subsequent licensing negotiations. This is part of a deliberate, new strategy from Oracle to push customers into paying for Java licenses.

Most companies have never considered the need to pay for Java licenses because until recently, they haven’t had to. The Java language and runtime environment were free, and as a result they were widely embedded. Initially, after the Sun Microsystems acquisition, Oracle did not seem to want to rock the boat with Java customers and did not focus on audits. But that has changed. Oracle now wants to push Java customers into recurring subscription agreements, thereby complicating their later consideration of other options in the marketplace.

At the outset of its campaign, Oracle first sought to have Java customers adopt perpetual licenses. Oracle has since moved to a subscription model. Additionally, for companies using older, pre-2019 versions of Java, Oracle has begun to limit the availability of patches and fixes, making the software less useful and potentially less secure. The only way to get the patches for these older versions of Oracle Java is to purchase a subscription license.

It can be intimidating for any company to be contacted by Oracle about its Java use, as businesses often feel Oracle has informational leverage over them. Generally, if a company has Oracle Java but isn’t using it, Oracle will leave them alone. But for companies with older, deeply embedded versions that need updates, Oracle is pushing paid Java subscriptions. Many Oracle and non-Oracle applications utilize Java, so many businesses may be using Java without even knowing it.

Typically, Oracle licenses instances of Java by user name, but for servers and virtual machines licenses are per-processor and are considerably more expensive. Organizations can face hefty bills to buy the licenses Oracle claims they need.

Palisade Compliance offers businesses the ability to gain transparency into their Java usage.

The Oracle Java playbook revealed

– a manufacturing company’s experience

A manufacturing company located in the Pacific Northwest recently went through an encounter that shows how the Oracle Java playbook for auditing and licensing works and what to do about it.

The company was contacted by Oracle and offered assistance in navigating their Java usage. Oracle led with a series of seemingly innocuous questions such as: whether the organization wanted or needed security updates for Java, was the company using commercial features, and if its versions of Java had been in use longer than six months.

The company generally had had a positive relationship with Oracle until that point and therefore answered all of the questions in the affirmative. Using these responses, Oracle then notified the company’s leadership that they needed to immediately buy authorized versions of Java from Oracle. Under pressure, the company was unable to readily determine the extent of its Java usage, which prompted Oracle to state that they needed to sign an expensive unlimited license agreement (ULA) to ensure both past and future compliance.

This aggressive push by Oracle caught the company completely off-guard. The company was used to paying nothing for Java. It was jarring suddenly to be asked to pay for licenses.

Faced with so much uncertainty, the manufacturing company sought outside help before proceeding any further in their communications with Oracle. Research led the company to hire us to be its partner in navigating its use of Oracle Java going forward and to level the playing field with Oracle.

The company began by undertaking our thorough discovery and analysis process to determine the extent of its Java footprint. During the discovery process, our data collection scripts were run, scanning the company’s entire network, and found every instance of Java – whether that was Oracle Java or from another provider.

Based on the discovery phase, we generated a report for the business with the name and location of every installation of Java. The company was thus able to know exactly which machines were running Java, as well as the third-party applications that relied on it. We also quantified the potential financial risk of the company’s current Java deployment.

Through our analysis process, the company determined:

  • Where Java was needed and where it was not
  • Where Java should not be installed because of licensing issues
  • Where there were multiple versions or duplicate installations of Java
  • Where Oracle Java was licensed as part of third party software
  • Where a less-costly non-Oracle Java solution could be used in place of Oracle

With this information and full transparency of its Oracle Java usage, the manufacturing company had the ability to face Oracle on equal footing and negotiate equitable terms for the Oracle Java licenses it actually wanted and needed.

Positive outcome – big savings and reduced risk

By partnering with us, the manufacturing company successfully handled Oracle Java licensing negotiations and dramatically reduced its cost of coming into compliance. The analysis revealed that its initial risk exposure exceeded $2 million per year. We offered the company a mitigation plan that helped to streamline Java usage and reduced that risk by $1.8 million per year. Oracle had been pushing the business to sign an annual ULA, but the business determined it wasn’t obligated and didn’t need to pay for that scale of usage. The company ultimately paid Oracle only $200,000 for the Java it actually required. Knowing that Oracle had yet to actually audit any customers for their Java usage further empowered the company to better respond to Oracle’s aggressive tactics. (This situation has subsequently changed and Oracle is now auditing Java.)

The company was only able to achieve these cost benefits because of its relationship with us and the expertise gained from the partnership. We educated the company on many Oracle practices such as dramatically escalating costs faced by businesses with more than 20,000 Oracle Java installs. Oracle pushes expensive ULAs on such customers, which are incredibly lucrative for Oracle. The company learned that, unlike with a traditional Oracle ULA for applications that can last for several years, at the end of the year-long Java agreement, all licenses covered by an Oracle Java ULA expire. Therefore, the ULA wasn’t a solution for the business. Without us, the company would have signed the ULA and been forced to re-sign each year after that, which would have been a major expense. The company also opted to get some of its Java licenses from other vendors to further reduce costs and its reliance on Oracle in general.

As with any response to Oracle, information is power and we gave the company the necessary knowledge to only pay for what it needed and to better manage what would be revealed to Oracle in future interactions.