Java Management Service (JMS) – Beware of Oracle’s Trojan Horse


Without much fanfare, Oracle released a new offering called Java Management Service (JMS) on June 9, 2021.  Since Oracle is offering this service at no charge, this naturally raised some red flags.  Let’s first take a look at the facts about JMS and then discuss potential implications for customers.

What is Java Management Service?

Java Management Service is a reporting and management infrastructure integrated with Oracle Cloud Infrastructure (OCI) Platform services to observe and manage your use of Java SE (on-premise or in the cloud).  JMS is included as a feature that comes at no additional cost for Oracle Java SE (Standard Edition) customers, but users will be billed for any usage that goes beyond the OCI free monitoring tier.

JMS enables customers to:

  • Use insights from JMS to optimize workloads across the enterprise (desktop, server, cloud); and
  • Protect Java SE investments by identifying outdated Java installations and unauthorized applications.

More specifically, JMS allows Java users to track:

  • All the versions of Java that are running in development or production environments
  • Third party vendors that are providing Java installations
  • Applications that are using Java
  • Unauthorized Java programs
  • Outdated Java installations

According to Oracle, Java Management Service uses data provided by Java Usage Tracker.  Java Usage Tracker is available for all releases of Java 7 and later, and also for the following older Java releases:

  • 6u25 and later updates
  • 5.0u33 and later updates
  • 1.4.2_35 and later updates

Oracle also states that as the stewards of Java, Oracle uniquely leverages its expertise to gain critical insights into Java application behavior, compliance, and performance.

How Does JMS Work?

Without going into all the set-up details, customers essentially sign up for a no-charge OCI account and then install an Oracle Management Agent in their host environment.  The Management Agent can then monitor and collect data from the sources that reside on hosts or virtual hosts.  The installation requires an Agent Install Key, a token that authorizes the Management Agent to communicate with OCI.

Here is a diagram from Oracle’s website to further illustrate:

Oracle Management Agent interaction with OCI diagram

Source: Oracle.com

Potential Risks of using Oracle’s Java Management Service

On the surface, JMS may sound like a simple way to track and manage your Java usage in a single location, but companies should exercise caution.  Not only will this make it easier for you to understand your Java environment, but it will also provide Oracle with direct visibility into your Java usage, which includes information related to your system architecture and application environments.

Using JMS will provide Oracle with critical insights into your Java usage and alert them to any unauthorized Java applications in use.  It also gives them visibility into your third-party applications that require a Java license.  While those applications may be properly licensed by the third party, Oracle can use this information to understand which applications could potentially be replaced by Oracle solutions and give their sales team direction as to which solutions to upsell.

So how is this free service, or gift from Oracle, a Trojan Horse?  Since customers are proactively installing the Management Agent in their environment, the Agent Install Key authorizes the Management Agent to collect data from the sources that reside on hosts or virtual hosts and communicate this information back to OCI.  It’s the equivalent of setting up a spy cam and expressly giving permission and access to a third party to use the cam to spy on you.

We must give credit to the brilliance of Oracle’s approach here.  Below is a high-level list of how we got here:

  • Java is developed by Sun Microsystems, freely downloadable, and widely used by almost every company.
  • Oracle acquires Sun Microsystems, and with it, the rights to Java.
  • Oracle announces they are changing the Java licensing rules and will charge a fee for customers who want support on older versions, as well as licensing fees for new Java versions going forward and for customers who are using the free Java versions outside of the license scope.
  • News of the Java licensing changes creates concern among customers due to the notoriety of Oracle audits.
  • Oracle sets up a Java sales team, with representatives calling customers and introducing themselves as their Java account executive – sounding separate from the rest of Oracle.
  • Customers fear a Java audit and face challenges determining where they have Java installed and how they are using Java.
  • Oracle introduces a free service, JMS, that will enable customers to monitor their Java usage, but which also enables Oracle to collect information regarding a customer’s entire system architecture and application environment.

What is the Real Reason Oracle is Providing JMS at No Charge?

Larry Ellison has repeatedly said for years that Oracle’s go-forward success is predicated on Autonomous Database and Fusion ERP.  The challenge Oracle faces is getting their installed base to migrate to these cloud solutions – IaaS, PaaS, and SaaS – which requires generating a sales cycle.  When customers are not interested in engaging in a sales cycle, Oracle has historically threatened an audit.  However, once Oracle officially commences an audit, customers are on high alert and won’t run scripts, meaning Oracle has to trust customers’ certifications as to the Oracle products and systems they are running.

The brilliance of JMS is that it is being offered as a customer benefit in an area of customer concern, but Java is not very expensive relative to other Oracle products.  Customers who want this benefit and install JMS are ultimately authorizing and providing direct access for Oracle to gather information which can then be used to generate sales cycles resulting in cloud subscriptions.

The Best Way to Manage Your Java Risk

We recommend against using JMS as the perceived risks outweigh the potential benefits.  To ensure your Java use is properly licensed, we recommend conducting a manual, baseline assessment of your Java usage.  While this will take time, it allows you to maintain control and act proactively prior to being audited.  The threat of Java audits is not going away, so companies will benefit from establishing a process for tracking and managing their Java usage.
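As an added example of what a manual baseline assessment can look like in practice (this is not code from the original post or from UpperEdge’s guide), the script below inventories Java installations on a Unix host without installing any vendor agent and without sending anything off the machine.  It assumes a Linux or BSD filesystem layout, a `ps` that supports `-eo`, and a policy threshold `MIN_MAJOR` (an assumption, set to 11 here) below which an installation is reported as outdated.  The vendor classification relies on the runtime banner that `java -version` prints: Oracle’s commercial builds announce themselves as "Java(TM) SE Runtime Environment", while OpenJDK-based builds (including Oracle’s own OpenJDK builds, Temurin, Corretto, and distribution packages) say "OpenJDK Runtime Environment".  The two sample `-version` outputs embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): agent-free baseline inventory of
# Java installations on a Unix host. Output stays local, nothing is sent anywhere.
# Assumptions: Linux/BSD layout, `ps -eo` and `find -perm` support, and that any
# major release below MIN_MAJOR counts as "outdated" under your own policy.
MIN_MAJOR=${MIN_MAJOR:-11}   # assumption: policy threshold, adjust as needed

# Constructed sample `java -version` outputs (Oracle JDK 8 and OpenJDK 17 style).
SAMPLE_ORACLE='java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)'
SAMPLE_OPENJDK='openjdk version "17.0.1" 2021-10-19
OpenJDK Runtime Environment (build 17.0.1+12-39)
OpenJDK 64-Bit Server VM (build 17.0.1+12-39, mixed mode, sharing)'

# Extract the quoted version string from -version output, e.g. 1.8.0_291 or 17.0.1.
jvm_version() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify the build by its runtime banner (see lead-in); unknown if neither matches.
jvm_vendor() {
    case "$1" in
        *"Java(TM) SE Runtime Environment"*) echo oracle ;;
        *"OpenJDK Runtime Environment"*)     echo openjdk ;;
        *)                                   echo unknown ;;
    esac
}

# Major release number: "1.8.0_291" -> 8 (pre-9 numbering), "11.0.11" -> 11, "17" -> 17.
jvm_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# One tab-separated report line: path, version, major, vendor, flags.
# Flags: oracle-licensed (needs a license review) and/or outdated (below MIN_MAJOR).
report_line() {
    ver=$(jvm_version "$2")
    vendor=$(jvm_vendor "$2")
    major=$(jvm_major "$ver")
    flags=""
    if [ "$vendor" = oracle ]; then
        flags="oracle-licensed"
    fi
    if [ -n "$major" ] && [ "$major" -lt "$MIN_MAJOR" ] 2>/dev/null; then
        flags="${flags:+$flags,}outdated"
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$ver" "$major" "$vendor" "${flags:-none}"
}

# Candidate JVM binaries: executable files named "java" under the usual install roots.
find_java_binaries() {
    find /usr /opt /home /srv /var/lib -type f -name java -perm -u+x 2>/dev/null
}

# Full host report: every installed JVM, then every running JVM process.
run_inventory() {
    printf 'path\tversion\tmajor\tvendor\tflags\n'
    find_java_binaries | while IFS= read -r bin; do
        out=$("$bin" -version 2>&1 </dev/null) || out=""
        report_line "$bin" "$out"
    done
    printf '\n# running JVM processes (pid, command line)\n'
    ps -eo pid,args 2>/dev/null | grep '[j]ava' || true
}

# Scan the real host only when asked; otherwise demonstrate on the two samples.
if [ "${1:-}" = --run ]; then
    run_inventory
else
    report_line /opt/oracle-jdk8/bin/java "$SAMPLE_ORACLE"
    report_line /usr/lib/jvm/openjdk-17/bin/java "$SAMPLE_OPENJDK"
fi
```

Run it as `sh java-inventory.sh --run > "$(hostname).tsv"` on each host and collect the files centrally; the resulting spreadsheet is the same kind of inventory JMS would build, but it never leaves your control.  Entries flagged oracle-licensed are the ones to check against your Oracle Java SE entitlements; the running-process section catches JVMs launched from application bundles that `find` may not see under the listed roots, so extend the root list for your own layout.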

If you would like some direction for conducting a manual assessment, our free Java Compliance Self-Assessment Guide can help you determine your Java usage and better understand your potential compliance exposure.  You can request the guide here.

This blog was co-authored by Erwann Couesbot. Post a comment below, follow me on Twitter @jeffrey_lazarto, find my other UpperEdge blogs, and follow UpperEdge on Twitter and LinkedIn.  Learn more about our Oracle Audit Advisory Services.


About the Author

Jeff Lazarto
