Why Your Oracle Java Compliance Depends on Your Version of Java


Earlier this year, Oracle changed the licensing model of Java Standard Edition (SE) to a subscription-based pricing model for commercial Java users.  This change has created confusion and concerns about the compliance risks associated with Java.  You can still deploy Java for free for certain types of use without a commercial license, but it’s critical not to assume your use of Java SE falls into this category.  To avoid owing Oracle significant fees in the event of an audit, you need to ensure that your Java usage remains within your license scope.

This is easier said than done, since anyone can download any version of Java SE from Oracle’s website, and each download automatically includes a mix of free and commercial features.  When downloading, it’s incredibly easy to unintentionally accept the click-through agreement and assume you have full use, which is one reason most Java SE users do not pay close attention to the license scope for Java.

Unfortunately, organizations struggle to understand when a commercial Java license is required and how to quantify the potential financial exposure associated with their Java usage.  To add to that confusion, Oracle’s Java licensing requirements differ depending on the version of Java you are using – and those differences are substantial.  In this post, we will highlight the key differences in the license scope of the different Java SE versions, so you are better equipped to assess your potential Java audit exposure.

The Applicable Metrics (NUP or Processor) Are the Same for All Java Versions 

Before considering whether your usage of Java requires a commercial license based on the deployed version, keep in mind that Java usage metrics are based on the number of “desktop computers” or “servers” running an instance of Java SE.  The graphic below provides a visual representation of how to count the number of Java SE licenses you may require.   

[Figure: Oracle Processor and NUP-based Metrics]

If you deployed Java on desktop computers and require a commercial license, then the number of required licenses will be based on Oracle’s “Named User Plus” metric and will represent the number of users and devices directly or indirectly accessing desktop computers running any version of Java.  On the other hand, if you deployed Java in a server environment, you would need to count the number of required “Processor” licenses according to Oracle’s standard processor licensing policy.   

Now that you know how to quantify your Java usage, let’s take a look at the differences in licensing restrictions between versions of Java SE. 

Java SE Version 10 and Earlier

If you are using Java SE 10 or an earlier version of Java, your usage is governed by the Oracle Binary Code License (BCL) agreement.  In particular, you should pay close attention to the “SUPPLEMENTAL LICENSE TERMS” section of this agreement, which defines your license scope and identifies key licensing restrictions that require a paid commercial license.

License scope and restrictions that most often apply to Java SE 10 or earlier include:

  1. COMMERCIAL FEATURES – you also need to be fully aware of which commercial features apply
  2. SOFTWARE INTERNAL USE FOR DEVELOPMENT LICENSE GRANT
  3. LICENSE TO DISTRIBUTE SOFTWARE
  4. LICENSE TO DISTRIBUTE REDISTRIBUTABLES
  5. DISTRIBUTION BY PUBLISHERS

If your organization leverages Java outside of this license scope, you are required to pay for a commercial license either based on the number of desktops or the number of processors on servers running Java.

Java SE Version 11 and Later

Starting with Java SE 11, the Oracle Technology Network License Agreement for Oracle Java SE applies. According to this agreement, organizations are allowed to deploy and use Java without a paid commercial license only in the following instances:

  • Personal Use
  • Development Use
  • Oracle Approved Product Use
  • Oracle Cloud Infrastructure Use

We recommend that you review the agreement to understand the complete definition of each of these use types.

The agreement also states that you may not:

  • Remove or modify any Program markings or any notice of Oracle’s or a licensor’s proprietary rights;
  • Make the Programs available in any manner to any third party (other than Contractors acting on Your behalf as set forth in this Agreement);
  • Assign this Agreement or distribute, give, or transfer the Programs or an interest in them to any third party, except as expressly permitted in this Agreement for Contractors (the foregoing shall not be construed to limit the rights You may otherwise have with respect to Separately Licensed Third Party Technology);
  • Cause or permit reverse engineering (unless required by law for interoperability), disassembly or decompilation of the Programs; and
  • Create, modify, or change the behavior of, classes, interfaces, or subpackages that are in any way identified as “java”, “javax”, “sun”, “oracle” or similar convention as specified by Oracle in any naming convention designation.

To summarize, the agreement that applies to the Java SE version you are using is listed in the table below along with the key terms you should pay special attention to.

| Java SE Version | Applicable Agreement | Key Terms |
|---|---|---|
| Java SE Version 10 and Earlier | Oracle Binary Code License (BCL) Agreement | Supplemental License Terms |
| Java SE Version 11 and Later | Oracle Technology Network License Agreement | License Rights and Restrictions |

Being out of compliance not only introduces potential audit risks around your Java use, but it could also trigger a larger Oracle audit, which could uncover even greater financial exposure.  We recommend engaging your IT and legal teams to conduct an internal assessment of your Java usage and license rights to confirm that your use of Java SE falls within the license scope stated in the agreement applicable to the Java version you use.

This post was updated on October 4th, 2019 to clarify Oracle’s NUP licensing requirements.   

Follow me on Twitter @ErwannCouesbot, find my other UpperEdge blogs, and follow UpperEdge on Twitter and LinkedIn