Java licensing – What’s the story?
In today’s fast paced and demanding IT production environments, unpatched and outdated software raises concerns about stability, performance and compliancy. Various regulatory provisions such as GDPR have been put in place to address this. Vendors are also taking steps to evolve their software more quickly to take advantage of new technology and stay ahead of the game as far as security is concerned. ‘Licence with support’ subscription models are increasingly being adopted to cater for more frequent software releases and patches. Oracle has adopted this approach for Java which is now being sold as an annual licence and support subscription rather than as a perpetual licence with support. This has important implications for the almost countless number of developers and businesses that have installed Java as part of their desktop and backend systems. Developers have been a major and valued part of Grey Matter’s customer base since 1983 and we will be using Code Matters to help guide you through the complexities of these changes. Let’s start with what we know so far.
Java Standard Edition (SE) Subscription
In June this year Oracle announced Java SE Subscription to support businesses running Java in production. It also re-enforced previously released information in terms of the release cycles of both Java and the OpenJDK, firming up on its commitment of a much quicker 6 month update cycle for the latest release. Free patches will only be available for 6 months on OpenJDK after each new release. The commercial version of Java will no longer get publicly available updates. For many years prior to this, businesses have used Java as a development language, using publicly available patches for the latest release without the need to purchase a license or support even though older versions have always required a license.
To remain current without a support contract, commercial organisations will need to adopt the latest free release of OpenJDK every 6 months. They won’t be entitled to the Long Term Support (LTS) releases provided by the commercial edition. This will involve a lot of testing and re-testing which will be impractical and uneconomic in most cases! The first release of this new cycle was Java 11, released on 25th September, 2018. Alternatively, you can buy a licence with support for an older release and Oracle will continue to provide patches for 8 years from the point of first release.
Java 8 is the most commonly deployed release and Oracle has been providing free access to patches for this. From January 1st, 2019 this will cease and organisations continuing to use Java 8 for business, commercial or production purposes (that’s most companies) will need to purchase a licence with support to obtain patches.
Is your use of Java non-compliant?
Licensing rules can be confusing and are often violated, especially in the world of Open Source Software (OSS). Oracle relies on trust for the use of its software products but isn’t slow to deal harshly with businesses identified as being non-compliant in this regard. Older versions such as Java 6 and 7 will be non-compliant if they’ve been patched without a license. The situation is particularly hazardous with Java. Prior to v11 when the software was owned by Sun Microsystems, many organisations will have installed some of the commercial features which under the terms of the Binary Code Licence Agreement were not free. Many users may have got into a non-compliant situation over time without being full aware of the potential consequences. I will explain more about this in a follow-up blog.
Then there’s the issue of regulatory compliance such as GDPR and other measures put in place to protect customers and personal data. The last public update for Java 7 (update 80) was April 2017 and there have been numerous security fixes since, some serious. Java 6 without a license won’t have been patched legally since update 45 in 2013! The broader topic of safety regulations shouldn’t be overlooked either given Java’s use within many devices and appliances. Unpatched and insecure instances of Java could have serious consequences.
The bottom line
From January 1st, the only release that can be patched without a license will be the latest OpenJDK v11 and then only until February 2019, ie 6 months after its release in September. To remain current from February onwards without a subscription, all instances will have to be upgraded to the next release.
The choices look like this:
- Continue to update illegally. Oracle relies on trust so this is an option. However, they’ve just appointed a team of auditors and these are never friendly in Oracle’s case! They will backdate at 150% cost!
- Stop updating. Ignore GDPR and other regulatory requirements that require you to protect customers from security breaches. You risk having insecure systems shut down by regulators which can be more damaging to your business than a fine!
- Use free OpenJDK and adopt the latest release every 6 months. This will keep systems up to date but frequent migrations will be costly in terms of dev and test overheads. You will also miss out on the management tools required to assist with security and performance. These are provided by the SE subscription only.
- Take out a licence subscription. This will provide patches on an on-going basis.
And the benefits of a Java subscription are?
- Ensure licence compliancy.
- Ensure regulatory compliancy.
- Access tools to overcome operational complexities and maximise performance.
- Remove uncertainty and ambiguity around licensing.
- Remove the need for frequent migrations.
- An annual subscription allows you to adjust quantities per requirements every year.
What do I need to do?
To ensure your systems are secure and reliable, you will need to keep your Java installations up to date and patched. This will involve auditing the use of Java within your business. A number of tools are available to assist with this discovery phase, including the Java Usage Tracker which requires a commercial license for use in production. These are some of the tools that come with Java SE.
- Java Usage Tracker. Provides visibility of Java deployment within the organisation. This might allow you to scale back your licence requirements.
- Java Mission Control and Java Flight Recorder. Tools for debugging and fine tuning.
- Java Advanced Management Console. A single ‘pane of glass’ that allows you to update, monitor and ensure each application is serviced by the appropriate version of Java. This is an essential feature.
I will say more about these and other third-party tools that can be used to manage Java and open source software in a follow-up blog.
Grey Matter is running two webinars to explain the Java Licensing changes:
Tuesday, 29 January, 2:30 PM – 3:30 PM GMT
Wednesday, 30 January, 10:00AM – 11:00AM GMT
How Grey Matter can help
Grey Matter can provide advice and assistance to help you determine the Java licences your business requires. We can also supply third-party tools to help with software audits and Grey Matter’s Managed Services team can assist with the audits themselves. They can be reached on +44 (0)1364 654 200.
Having built a picture of Java dependency within your organisation, the next step is to determine the most efficient and economic way of dealing with licensing and support arrangements going forward. Most commercial organisations use Java in some form or another, either to support applications that have a Java client running on the desktop, or to support heavier weight server applications. It’s highly likely both apply. The need for licensing could be created by an internal bespoke application or maybe a third-party solution provided by an ISV. The picture could be complex and potentially costly unless the licensing options have been fully evaluated.
Please call us on +44 (0)1364 654 100 for further information and to discuss requirements as a result of changes to Java licensing.