Oracle Java Inquiries – Audit or Fishing Expedition?

Multiple Oracle customers have been contacted by an Oracle Java account representative with calls that appear to be directed at IT managers inquiring about their Java licenses.  At the outset, it appears to be more of an introductory call followed by some questions regarding the customer’s Java usage, Java versions, and number of individuals and machines with Java installed.  Other than catching customers a bit off-guard with the fact that they now have a separate Oracle Java account representative, the call is a friendly one and puts people at ease, willing to share their Java usage information.

Java Deep Dive Information Request

Where things get tricky is with the follow up communication.  Once a customer shares their Java versions and number of users and machines where Java is installed, the account representative replies back a few days later stating that they have shared this information with their architecture team and require additional information.  This additional material includes:

  • How Java is being updated
  • The number of applications Java users might be accessing
  • Datacenters and servers where Java is being updated
  • A holistic view of a customer’s infrastructure across data centers, cloud providers, etc., and
  • The customer’s virtualization strategy.

The above list is not exhaustive, but essentially, Oracle is asking customers for a detailed view of their entire IT infrastructure. So, what initially started out as a friendly introduction has now turned into what customers feel is an audit.

The Oracle Java representatives start out presumptive in their requests, expecting customers to readily provide all of this additional information under the guise that Oracle’s architecture team is making the request. However, we have also learned of situations where Oracle has become rather aggressive in demanding this information to ensure the customer is properly licensed. Customers have contacted us at this stage in the process seeking advice.

Your Oracle Java Obligations and Options

First, customers are under no obligation to provide this information.  The highly sensitive information requested goes well beyond what can be reasonably requested and what customers should even share from a confidentiality perspective.  Second, directly ask Oracle if you are being audited, and if so, request Oracle submit everything in writing per the audit clause in your agreement.  From what we have heard, Oracle is quick to say that you are not being audited but that they require this information to ensure you are properly licensed to receive updates to your various Java versions.

Receiving Java updates is the key point.  If you do not require or desire Java updates, then you do not need to purchase a license.  Oracle is inquiring about infrastructure and applications to build a compelling business case to present to you on why you need Java updates to support your business operations.  Oracle will claim that Java updates are highly recommended for certain mission critical applications and that you are running the risk of compromising your infrastructure and applications without these updates.

Remember that you have the option of telling Oracle that you are not interested in receiving Java updates.  This should be the end of the inquiry.  If Oracle is intending to conduct a full audit, then you will receive formal written notice from Oracle’s LMS group.  As of the date of this writing, we have not heard of a situation where Oracle has followed up with a formal audit.  It just appears to be a scare tactic to get customers to share information in the hopes of creating a sales opportunity.  So don’t be fooled!  This appears to be nothing more than a fishing expedition.

When Java Licenses are Required

Java licenses are required in one of two situations:

  • If your Java usage exceeds the scope of your Java license. To determine if your usage falls within your license scope, I recommend requesting our complementary Java Self-Assessment Guide, which provides a process for making this determination.  This Excel guide puts Oracle’s click-through Java licensing agreements in one place, highlights the different license scope clauses, and enables you to work with your legal team to determine your Java usage and potential compliance exposure.

You will need to follow these steps:

1. Identify the different versions of Java you are using.

2. Review the license scope provided with each version.

3. Evaluate how you are using each version of Java to determine if your usage falls within the prescribed license scope.

This can be a rather subjective exercise and should include analysis from your legal counsel.  Due to the subjective nature of making this determination, we would not expect Oracle to audit customer’s license scope usage unless Oracle has learned of a specific situation where a customer is clearly exceeding their license scope.

  • If you wish to receive Java updates. The challenge for Oracle appears to be that customers are not readily signing up to purchase Java updates and are instead content with what they have or are looking at other options, such as OpenJDK.  My recommendation is for customers to make an independent determination regarding your need or desire for Java updates.  If the answer is no, then kindly tell your Oracle Java account representative that you are not interested in Java updates and that you are properly licensed.

If Oracle wants to challenge your Java license compliance, then ask them to send you a formal audit letter.  This should end the inquiry and you can avoid providing all of the information Oracle is requesting.

Post a comment below, follow me on Twitter @jeffrey_lazarto, find my other UpperEdge blogs, and follow UpperEdge on Twitter and LinkedIn.  Contact me at [email protected] or learn more about our Oracle Commercial Advisory Services.

What to Read Next: