How To Approach an Oracle Java Audit

Paul Bullen, Version 1

Apr 4, 2023 · 15 min read

TL;DR

Oracle cannot audit “all Oracle Java” in your estate — the scope of any audit is very likely to be a subset of your estate. We have never seen a well-scoped Java-only audit for a typical enterprise. Ensure you understand your audit obligations and Oracle’s rights under the mutual agreements you have in place. You should consider your obligations (and therefore your Oracle Java SE estate) by agreement type: this is not easy but understanding the subtlety is important and advantageous to your organisation. As ever, we recommend that you contact our independent experts here at Version 1 to discuss your situation.

Oracle Java Audits… what’s really happening and what’s the threat?

With the shock of the Java SE Universal subscription (video blog here, FAQ here) subsiding, but with continued worry from customers, inevitably we are being asked a lot of questions about Oracle Java audits; how often are we seeing them, how likely is it that a customer would receive a notification of audit, what’s the risk, surely we are next!?

It is fair to say there’s been some ‘noise’ and alarm-bell ringing in the press, but the reality is that Oracle Java audits are still exceptionally rare, and standalone audits for a ‘normal’ business (ISVs and distributors don’t fall into this category) are effectively unheard of, though we expect that to change in 2024 and beyond. What we have seen are audits with Java added into the scope of a wider audit, plenty of questions from Oracle prior to transactions, and requests/demands for ‘assistance sessions’ or declarations with Oracle LMS/GLAS to pose questions about how customers have counted their legacy metric (Processor and Named User Plus) requirements. However, these latter items are not formal audits and represent no obligation to you. There is a balance to be struck in these situations: if you ‘cooperate’, Oracle are more likely to approve sales under the older metrics.

This blog considers standard agreements most customers have with Oracle — it does not include more ‘niche’ agreements such as embedded (in a device) or distributors’ agreements — however, the principles still apply.

*Real* Oracle Audits for Java Are Exceptionally Rare

So, should you expect that with the change to the Employee metric introduced as part of the Java SE Universal subscription, Oracle will ramp up audits and you may find yourself suddenly exposed to significant non-compliance bills? Remember that under the Employee metric used for Oracle Java SE Universal subscriptions, Oracle doesn’t need to wait for you to measure/return script output in order for them to tell you what your bill may be — they can just look at your annual report and send you an invoice.

The good news is that it’s not quite as bleak as you may expect. Typically, auditors (for many software vendors) may run the audit process according to their perceived requirements — rather than based on your actual contractual rights. There are a number of aspects to consider here (these apply to non-Java audits as well):

· Contracts or agreements under which Oracle are invoking an audit

· Which entity is being audited?

· Your obligations to meet the contractually agreed audit rights — i.e. the data you may need to provide

· Timescales

· Product audit scope — which specific products are included (Oracle Java SE, for example)

The most important element of all from the above is the contracts or agreements under which Oracle has the right to audit. Let’s be absolutely clear here — if you have no agreement with Oracle, they have no right to audit you.

“Of course I read the terms and conditions and didn’t just click “I agree””

It is worth exploring an often-overlooked agreement type, given how critical it is: click-wrap agreements such as the OTN License Agreement for Oracle Java SE (which many people don’t bother to read but really should) govern downloads of certain releases of Oracle Java SE (those with security patches and updates beyond April 2019, such as Java 8u211 and Java 11–16) and include audit rights.

It is worth noting that this agreement, which requires Oracle.com credentials (and therefore the details of individuals who download it are logged), has the following text:

“By selecting the “Accept License Agreement” button or box (or the equivalent) or installing or using the Programs, You indicate Your acceptance of this Agreement and Your agreement, as an authorized representative of Your company or organization.”

It is worth considering what this means — anyone downloading Oracle Java SE under this agreement is accepting terms and obligations on behalf of your organisation: is this something you want!? It also means that if that individual shares that download with colleagues, even the act of installing the software implies acceptance of the terms (from agreement of the original download).

This also shows why you, as someone interested in SAM/license management, should have an internal policy on downloads and the ability for individuals (typically developers/admins) to accept the terms of an agreement on behalf of your organisation. We have seen many customers disable such download pages.

Interestingly, later versions of Oracle Java SE, such as Java 17, which are licensed under the No Fees Terms and Conditions (see below) require no explicit agreement of terms — you can even invoke a download straight to a server without any acceptance of terms.

One Download = One Agreement = One Audit Clause?

What happens if you have 10 users who separately download the same version/update (e.g. Java 8u291) of Oracle Java SE governed by the OTN License Agreement for Oracle Java SE — i.e. they each ‘read’ and accept the OTN agreement?

If you read the agreement, the key term is “Program(s)” (i.e. Oracle Java SE), which is defined as “Oracle software provided by Oracle pursuant to this Agreement…”. It is arguable (and you should check this with your legal counsel) that each acceptance of the agreement covers ONLY the software (the archive / zip) downloaded / used after accepting the agreement. So, 10 ‘acceptances’ of the agreement and 10 downloads (of the same zip file, plus any copies of it) would result in 10 distinct agreements, each a separate agreement between the ‘agreer’ and Oracle on behalf of your organisation, but each relating only to the specific download made available upon that particular acceptance.

To potentially support this ‘one download = one agreement = one audit clause’ consideration, the “Entire Agreement” clause in the OTN agreement should be considered; in particular “…this Agreement supersedes all prior or contemporaneous agreements or representations…or license agreements for prior versions of the Programs.” It can’t reasonably be the case that downloading Oracle Java SE once via OTN supersedes all other license agreements including commercial agreements and older versions of Oracle Java SE which are covered by other agreements (such as the BCL). Also, if it was the case that ‘one acceptance covers all’, it wouldn’t be necessary to accept the agreement before each and every download.

Of course, it may be that some of the agreements are immediately superseded by a commercial agreement (i.e. not covered by the rights of the OTN License Agreement for Oracle Java SE) or by a ‘parent’ product, e.g. Oracle Forms — in which case the terms of the previous agreement would no longer apply.

Taking this to an extreme viewpoint, this could mean that each downloaded archive (e.g. zip file) has its own agreement, each with its own audit clause which means only that individual archive can be audited at once. You could even say that Oracle would need to initiate an audit by referencing every single audit clause specifically. In effect, you would treat each individual’s agreement as a separate ‘ordering document’, each of which covers a single download/archive. Therefore, you could have hundreds of such agreements, each with their own audit clause.

The above all gets messy; we have our viewpoint and guidance on this but you should seek legal input for consideration on how you want to approach this.

So, what rights do Oracle have?

There’s a key message I want to get across in this blog:

There are various rights to audit dependent on the agreement under which Java was obtained

This means Oracle cannot ‘audit Java’ (i.e. all your Oracle Java in your estate) in one fell swoop. Instead, any invocation of audit MUST be under a related agreement which permits Oracle to audit.

The table below shows Oracle’s rights by agreement; this is not exhaustive (e.g. agreements with distribution rights are not considered here):

Table showing common agreement types and audit rights

Correctly Approaching an Oracle Audit

So, let’s take an example mixed estate of 500 deployments across a few agreement types; we’ll keep it simple!

This can be shown simply as follows, categorised by version — which is what most people would consider these days when thinking about Java subscriptions.

OK, that’s fine but we all know it’s not that simple, considering what I’ve described above.

Below is an improved version, by version and agreement — i.e. considering the agreement which covers part of each subset of the estate: e.g. some Java 8u211 is covered here by the OTN Java agreement and separate commercial agreement(s) (with Oracle Master Agreement(s) (OMA) and ordering document(s)) exist.

This is an improvement, and it is interesting to note that sometimes the same version/update may be licensed via different agreements (e.g. OTN Java SE for a developer deployment but a commercial agreement for a server). However, we need to move away from being ‘version-obsessed’: really, we have to focus on deployments covered by particular agreements. Recalling the table above, we know that each of these distinct agreement types has different audit rights.

In the re-categorised view below, Oracle has only agreed audit rights for the deployments covered by the agreements circled in red. These audit rights are different and should be invoked and approached separately.

The following graph shows how you really should consider and ‘categorise’ your estate:

As a result of this ‘refocussing by agreement’, out of 500 deployments, only 225 (45%) have any audit obligations for licensees and these are split as follows:

· 70 (14%) of the deployments under the OTN Java agreement audit rights.

· 155 (31%) of the deployments under the commercial agreement (ordering document and related OMA). In fact this may be multiple orders under one OMA, which are then likely all ‘auditable’ at the same time under the same invocation of the audit clause from that OMA, or multiple orders under different OMAs, each of which will have a separate audit clause and could arguably be run in series rather than ‘all at once’.

· To be clear — the BCL and NFTC-covered deployments do not have any audit obligations (for you) or rights (for Oracle). If you ONLY have Oracle Java under these agreements, you cannot be audited by Oracle for Java.

It is therefore critical for a licensee to ensure that only ‘auditable’ Java is included in scope and also to require that an audit is undertaken by agreement type in series — i.e. not concurrently, and in the event of multiple agreements of the same type, that these are again separated.

Which agreement applies?

You can probably see that for any given installation, it is possible for there to be an ‘evolution’ of agreements. So, you may download Oracle Java 11 under the OTN agreement but at a later point move to a commercial agreement — in effect the commercial agreement supersedes the original ‘download agreement’ and any audit rights (or any other terms and conditions) are replaced by the later agreement.

Also bear in mind any situation where the OTN agreement is simply not sufficient from the moment it is downloaded — i.e. the agreement does not provide rights to use the software: hopefully this is obvious but you must have a commercial (or alternative) license agreement to immediately ‘take over’ (supersede) from the OTN agreement.

Though it is a very challenging approach, the theoretically correct way to classify Oracle Java licenses is by installation and by associated license agreement. This is very hard to track when someone may have downloaded the software and accepted an agreement in a non-centralised / unmanaged way.

How can I tell which agreement applies to each installation?

Unfortunately there is no simple answer to this. There are potential agreements which could cover almost all variants of Oracle Java SE, and a subset of agreements that apply to each version/update of Java, but there is nothing to definitively state / determine / measure which agreement DOES apply. This comes down to effort from you: in effect taking your multiple agreements (of each different type) and seeing which ‘fit’ according to usage. This is a MAJOR task. Only once it is completed can you assess which installations are ‘auditable’.

The example below shows how a simple estate of 8 machines containing 10 Oracle Java SE installations needs a ‘line-by-line’ appraisal of each installation. From this, it can then be determined which of your Oracle Java SE estate can be audited.

Audit Rights

As stated above, audit rights for Oracle only exist in a couple of ‘mainstream’ agreement types. To recap, these are as follows and have the following audit clauses — you will notice they are different in their wording and obligations for you: they should be treated differently and in isolation.

· OTN Java SE agreement; the full extent of the audit obligations is “Oracle may audit an Entity’s use of the Programs”, which is very ‘light’ on clarity or obligations for you — there’s no expectation of timescales, of what level of assistance (or disclosure of data) you need to provide, or of resolution steps, besides the ominous “… automatically terminate without notice if You fail to comply…”. Therefore, the terms of any audit are up for negotiation upon initiation by Oracle.

It is worth bearing in mind that an audit under these terms may (subject to the above) only consider the ‘auditability’ of the terms of the agreement and that agreement’s applicability to your usage — which means under no such audit terms do Oracle have the right to audit your typical elements or metrics about your estate, e.g. servers, processors or even Named Users.

You can consider this another way; the OTN Java SE license agreement is like an ordering document with no metric and no quantities — therefore Oracle doesn’t have the right to ask questions about such elements: they can only audit items of relevance to the agreement.

· Commercial agreement (and Standard Terms and Restrictions, per eDelivery downloads); typically an ordering document for a Java SE license and support (pre-2019) or subscription (2019 onwards) plus an associated master agreement (likely an Oracle Master Agreement (OMA)). Standard wording contained in the OMA is along the following lines:

“Upon 45 days written notice, Oracle may audit Your use of the Programs. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information. Any such audit shall not unreasonably interfere with Your normal business operations. You agree to pay within 30 days of written notification any fees applicable to Your use of the Programs in excess of Your license rights.”

Note how much more ‘descriptive’ these terms are compared to the OTN Java SE agreement — there’s a notice period, clarification of your obligations and the impact of the audit. Once again, it is critical that (in any audit) you bear in mind the terms and rights of an audit; what is the scope, which entities and ultimately what can Oracle reasonably ask for (given the context of your license agreement and the obligations you have signed up to).

Note that Oracle should only invoke an audit by referencing a specific audit clause in an agreement between you and Oracle — i.e. you must insist on knowing under which agreement they are invoking the audit, AND you must be careful only to undertake one audit at a time, which will only include in its scope the installations covered by that agreement. It is unreasonable to be audited under multiple audit clauses (under multiple agreements) at once.

You should only participate in an audit once you are told which specific agreement (and its audit clause) is being referenced. Do not accept an audit including multiple agreements and limit the scope only to the installations under the specified audit clause.

If you still have old metrics (Processor/Named User Plus) then you really need to be clear on the VMware policy and understand what rights, if any, Oracle has regarding your estate — see this blog post.

Other considerations

You now understand that Oracle cannot simply audit all Java in your environment; a subset is perhaps more likely but you still need to be careful on setting the scope of an audit.

Once you have understood all of this and properly scoped an audit, you then need to understand how Oracle typically run audits. They certainly do not execute scripts or network scanning software on your estate; there are rumours of an Oracle Java SE script, but you typically have no obligation to execute it (it’s hard to imagine how it would even work reliably for license reasons).

Contrary to some rumours, it is certainly not the case that installations of Oracle Java in your estate ‘dial home’ with information about your wider estate; see this as an overview of what Oracle Java can send to Oracle, and bear in mind that this is covered under the ‘Information Collection’ clause in the OTN Java SE agreement (typically, other agreements such as a commercial Java subscription do not include this clause). We do know that Oracle monitors downloads of Java, which require a login to oracle.com, and that they use this information to demonstrate to enterprises that potentially ‘subscriptionable’ Java has been downloaded. This is another reason for you to lock down the download pages for Oracle Java.

What to do if you receive an audit letter from Oracle for Java

Hopefully you will already have Version 1’s independent experts helping you understand your estate and the nuances of everything in this document! If not, of course we would recommend you contact us ASAP. Beyond that, you should validate the audit letter: does it specify the agreement under which Oracle is invoking the audit; as discussed above, this needs to be one of the following:

· The OTN Java SE License Agreement agreed by an employee of yours: you should ask Oracle to specify each and every user and the date the agreement was accepted. This may be the impetus for you to lock down Oracle’s Java SE download pages; albeit too late at this time!

· A specific OMA associated with particular ordering documents.

· Any other agreement type which has explicit audit rights.

In all cases: you (and Oracle) should be able to explicitly reference the audit clause being invoked and the limitations / coverage of that clause. Do not blindly enter into an audit of all Oracle Java SE! You also should be fully aware of Oracle’s approach to licensing in VMware — see this blog for more information.

Conclusion

This is clearly a complex subject with multiple considerations; hopefully this blog has made you think about approaching an Oracle Java SE audit differently — but we realise it’s still not easy. The goal of this blog is not to complicate something that is already challenging for many organisations but instead to offer a different perspective on how audits should be approached rather than ‘blindly’ following a ‘one (agreement with audit rights) fits all installations, therefore you must be audited on everything’ approach.

If you have concerns about your choices around Oracle Java SE, what your audit risk is or what your next steps should be, please feel free to contact us.

About the Author

Paul Bullen is a Principal License Consultant at Version 1.

About Version 1

Our independent and experienced SAM and licensing consultants provide expertise to customers globally, ensuring customers get the best value from their assets.

The scale of Version 1 means we can help you with all aspects of your software strategy. Moving from on-premise to XaaS? Do it with experienced cloud architects and economists at your side: we can provide a one-stop shop for moving to the cloud.

Version 1 proves that IT can make a real difference to our customers’ businesses. Established in 1996 and headquartered in Dublin, Ireland, Version 1 is trusted by customers to deliver IT services and solutions which drive customer success. Our 3,000 strong team works closely with our technology partners to provide independent advice that helps our customers navigate the rapidly changing world of IT. Our customers include top global banks, many FTSE listed companies in the Financial Services, Utilities (incl. Oil & Gas, pan-European energy companies and major domestic water companies) and Commercial sectors as well as Public Sector organisations across local and central government. Our greatest strength is balance in our efforts to achieve Customer Success, Empowered People and a Strong Organisation, underpinned by a commitment to our values. We believe this is what makes Version 1 different and more importantly, our customers agree.
