
Strategies for Oracle Java Licensing and Support Post 2019

Copyright 2018 Version 1 – All Rights Reserved

Upcoming changes to the way Oracle Java is licensed and supported will begin to have an impact with the release of Java 11 in September 2018, and will affect Java 8 from January 2019.


INTRODUCTION

Java underpins a wide variety of enterprise software, particularly on the server side, and has historically been considered ‘free’ by businesses.

Upcoming changes to the way Oracle Java is licensed and supported will begin to have an impact with the release of Java 11 in September 2018, and will affect Java 8 from January 2019. This will affect any organisation that currently relies on an up-to-date Oracle Java Virtual Machine in any production capacity.

This, in turn, will affect how organisations choose to architect and deploy technologies based on the Java language, both packaged and bespoke solutions. If you have considered previously that Java was free to use and free to deploy, the following whitepaper aims to help you to understand how things are changing.

The following guide explores the key considerations and options for the future licensing and support of Java, covering four crucial areas for enterprise organisations to be aware of:

1. Changes to how Oracle are supporting Java

2. Java Licensing – Why a license may now be required when it has not been to date.

3. Oracle Options – Description of the commercial offering, and that which will remain free.

4. Other Options – Non-Oracle Java support and patching.

Version 1 has many years of specialist expertise and experience managing Java installations for our customers. As an independent advisor, we recommend that all organisations using Java should carry out an urgent survey of their Java usage, cataloguing the version number in use, its purpose, and the infrastructure upon which it runs.

The output from this exercise will enable the correct action to be taken in a considered manner based on the information presented below.

• The critical change is that there will be no new free Oracle Java releases after January 2019 – all new versions, or updates, will require a commercial agreement for production use.

• The new Oracle Java licensing and support model will be by subscription only for commercial use.

• Oracle has moved to a new 6-monthly cadence for Java releases.

• Oracle will designate a Java release from the OpenJDK source as a Long-Term Support (LTS) release every 3 years, for which support and patches will remain available on a commercial basis only for 8 years, starting with Java 11.

• The OpenJDK should be binary identical to the Oracle Supported Java by September 2018.

• The OpenJDK is patched by Oracle for a maximum of 6 months from release – Oracle’s OpenJDK has no LTS version.

• Other vendors and projects are becoming available which will provide production grade Java Virtual Machines based on the OpenJDK for a range of operating systems, which will be patched with security fixes on a long-term basis, following a similar pattern to the Oracle Java LTS releases.

• It will be necessary for existing systems to be migrated to one of the available support options, Oracle or third party, to remain patched and secure after January 2019.

• Like many other pieces of commercial software, there are hundreds of patched vulnerabilities listed for Java in the CVE database, with newly-discovered vulnerabilities having been corrected in a timely fashion to date. These patches will have availability restricted in future to Oracle customers, the 6-monthly window of updates to Oracle OpenJDK, or users of a third-party patch service for LTS versions.

version1.com/sam


ORACLE JAVA LICENSING, PATCHES, AND SUPPORT

The fine details of licensing are complex. This section therefore describes the licensing situation at a high level only, but Version 1 recommends, at a minimum, that a survey of your Oracle Java installations be conducted to give confidence in future licensing compliance.

Java Licensing Terms to Date

Sun Microsystems made Java available as a write-once, run-anywhere language. When Oracle acquired Sun Microsystems, it defined acceptable free usage in a Binary Code License Agreement which permitted free use for what it designated ‘General Purpose Computing’. In simple terms, this means use on a server or desktop computer, for running applications either directly or within an application server of some sort. Embedded use in devices was proscribed. Patches to the ‘current’ Java Virtual Machine have been freely downloadable for the lifespan of a Java version, which has typically run to several years.

Exceptions to ‘Free Use’

To date, when use of Java fell under Oracle’s definition of ‘General Purpose Computing’, a commercial agreement was only required for access to Oracle Java support.

Oracle made some Java add-ons available for separate commercial download but, confusingly, they also included some commercial components in the standard Java SE download, which were switched on with a command-line argument. The commercial components included Java Mission Control (JMC), Java Flight Recorder (JFR), Java Advanced Management Console (AMC), the Microsoft Windows Installer (MSI) Enterprise JRE Installer and the Java Usage Tracker (JUT). The latter, ironically, is a tool requiring a commercial license to determine Java usage for License Management purposes.

The Impending Changes

No version or update of Oracle Java released after January 2019 will be available for any production purpose without a commercial agreement being in place. This includes the next Long Term Support (LTS) Java 11 from its release date, and any future patches for the previous LTS Java, Version 8.

To soften the blow, Oracle has committed to ensuring that the free OpenJDK version of Java will be binary identical to the commercial Oracle Java that requires a license. Unfortunately, Oracle’s releases of OpenJDK will receive patches for a maximum of 6 months – there are no LTS versions of Oracle’s OpenJDK. The only means of receiving patches from Oracle OpenJDK is to migrate repeatedly to the next version of Java, which is released on a 6-monthly cycle.

Future Commercial Use of Oracle Java

Commercial use of Oracle Java 11 LTS onwards, or Java 8 updates after January 2019, will require a subscription. There are two types of license available: Java SE and Java SE Desktop, which more or less follow the Processor Core and Named User rules Oracle use for their other products. There are some exceptions if the Java subscription is required to run another licensed Oracle product, but further complications ensue if Java is deployed into any kind of virtualised environment.


OTHER OPTIONS

There are several responses to Oracle’s commercialisation plans for Java which could make sense, entirely dependent on how Java is used currently within the organisation. If used for more than one purpose, it might be advantageous to consider the most appropriate approach for each installation.

For these reasons, Version 1 recommends that all organisations using Java should carry out an urgent survey of their Java usage, cataloguing the version number in use, its purpose, and the infrastructure upon which it runs. Based on this, some high level approaches are outlined below.

Do Nothing

In general, this option is difficult to recommend, given the large number of security flaws of varying severity which are patched regularly. However, it could be an option if Java is being used in a controlled, isolated environment, where the risk of exploitation of unpatched flaws is acceptably low. This could include non-networked computers, or networks which are well isolated from external influences.

This might also be an option if Java is being supplied as part of a product, where the responsibility for maintenance of the Java VM falls to the vendor/supplier of the product.

If an unmaintained Java 7 or earlier version is currently in use, the associated risks should already have been accepted or mitigated, and in this case no further changes may be needed.

License Oracle Java

This could be a sensible option if the cost of migration to OpenJDK is far greater than the annual cost of an Oracle Java license for the Java estate in question. Examples of this situation could include a simple small-scale deployment, or where any modifications to the application code are deemed difficult or impossible.

Another key reason for licensing Oracle’s Java is if your organisation still has a heavy reliance on Applets and Java WebStart technologies in a Windows environment. Although this is a deprecated technology, alternatives to Oracle’s browser plugin for Windows environments are not well developed.

However, Oracle licensing and support can be a complex topic. Support arrangements are often tailored to each organisation and relevant Terms & Conditions may vary from customer to customer or agreement to agreement. Understanding these Terms & Conditions in conjunction with various Oracle policies is crucial to purchasing the right number of the correct type of license.

Migrate to OpenJDK

OpenJDK incurs no license cost. However, use of the OpenJDK direct from Oracle incurs the prospect of a full migration/test cycle every 6 months to remain patched, which would be unattractive in most cases.

Fortunately, because OpenJDK is Open Source, anyone can build it, and there are several organisations offering to make patched versions of Java available for years hence. Some of these are commercial offerings complete with support, while the global Java User Group (JUG) community is making builds available at no cost via their AdoptOpenJDK initiative, which has attracted the sponsorship of IBM.


About Version 1

• 82% financial risk reduction: Our optimisation expertise helps to deliver financial risk reduction of over 82% on average during audit scenarios.

• £17m reduced to £100k: When engaged our customer was facing a bill of £17m, but through our help this amount became £100k.

• £5.8m non-compliance risks identified: During a typical review, Version 1 discovers non-compliance risks of over £5.8m.

Helping Enterprise Organisations Take Control of Their Software Assets.

Talk to our Software Asset Management and Independent Oracle Licensing Experts to Take Control, Quantify Risk, Identify and Optimise Opportunities.

Supporting Enterprise Customers With Oracle Java Licensing Post 2019

• Version 1 has teams of Java Specialists who maintain suites of applications and manage migrations to newer Java versions on a regular basis. Sometimes even a maintenance upgrade within a Java version can yield unwelcome surprises, so it can be worthwhile engaging with experts who have dealt with many of the issues previously.

• Version 1’s Independent Oracle Licensing Experts can provide you with the independent expertise to navigate your agreements, applicable Terms & Conditions and Oracle policy. Where surplus or shortfall of licenses exist, Version 1 guides customers through the options and strategies as part of a Licensed Managed Service (if required).

We will always put the customer first. We are technology agnostic, providing a modular plug & play approach to each set of unique customer requirements.

We enable clients to make better, more informed decisions on their software estate; understand the options and make the right decision for you. Our priority is to give the best advice, not just to secure licensing revenue.
