Oracle Is Replacing Free Java SE Public Support With Paid Subscription Support Offering
Core Changes to Oracle’s Java SE Public Support Model
Effective January 2019, Oracle will cease to provide public updates for Java SE 8 for Business, Commercial, or Production Use, requiring the purchase of a commercial license or subscription support stream. The key point for IT practitioners to understand is that current versions of Java SE (e.g. versions 8, 9, 10, 11) are still free and available for general purpose computing under the Oracle Binary Code License (BCL).
While the underlying Java SE license is still available at no charge, the public updates for legacy versions will require a commercial paid license from Oracle moving forward. Coupled with an accelerated release schedule for new Java versions, IT shops will find it challenging to keep up with the release cadence from a preparation and testing standpoint. IT leaders are forced to choose between the unappealing options of using Java SE in an unsupported environment, migrating away from the Oracle JDK to the OpenJDK, moving away from Java-developed applications, or paying Oracle Java license/subscription fees.
Consider the changes to Oracle’s planned Java release cadence illustrated below. Historically IT shops had 2-3 years at a minimum to plan for major version releases to Java.
The practice of deprecating Java SE support for legacy Java versions is nothing new from Oracle and is well known in the Java community. The shift in release cadence, however, completely changes the game in terms of the decisions to purchase the Java commercial license or to continue running on an unsupported version of Java, as the new releases of Java will speed up the end of support dates for legacy versions, starting with Java SE 8 in January 2019.
Under Oracle’s new release cadence, major Java versions are expected to be updated every 6 months!
Exceptions to this continued availability of the most current versions of Java SE primarily include use of the Java Runtime Environment (JRE) used in embedded applications and/or where commercial features require a commercial license from Oracle.
Currently, Java SE, Oracle Java SE Advanced, and Oracle Java Standard Suite are deployed from Oracle via the Java Development Kit (JDK) and Java Runtime Environment (JRE). It is important to understand that Oracle provides the same install package for all three editions of Java!
Why is this important? Under the Oracle BCL license agreement, Oracle clearly points out that included commercial features require a separate license from Oracle, and this is currently a commercial license!
“A. COMMERCIAL FEATURES. You may not use the Commercial Features for running Programs, Java applets or applications in your internal business operations or for any commercial or production purpose, or for any purpose other than as set forth in Sections B, C, D, and E of these Supplemental Terms. If You want to use the Commercial Features for any purpose other than as permitted in this Agreement, You must obtain a separate license from Oracle.”
Oracle is frequently criticized for not providing proactive warnings to end users when activating commercial features in Java SE. Starting with Oracle JDK 11, a warning will be presented when using the -XX:+UnlockCommercialFeatures option. This warning is not present in earlier versions of Java.
Further complicating the changes in Oracle’s Java licensing schema, “Starting with Java 11, Oracle will provide JDK releases under the open source GNU General Public License v2, with the Classpath Exception (GPLv2+CPE), and under a commercial license for those using the Oracle JDK as part of an Oracle product or service, or who do not wish to use open source software. This combination of using an open source license and a commercial license replaces the historical 'BCL' license, which had a combination of free and paid commercial terms.”
The gist of this change is that Oracle will actually start to provide features that were commercial under the Oracle JDK, such as Java Flight Recorder, Java Mission Control, Application Class-Data Sharing, and ZGC, to the completely free builds of the OpenJDK. Note that this liberation of functionality being added to the OpenJDK does not really help organizations that have built and deployed applications under the more user-friendly Oracle JDK build. In order to receive the benefit of these “free” features, organizations would need to migrate from Oracle JDK to OpenJDK, which can present technical challenges, especially for those applications that rely on Java Web Start, which is not supported in the OpenJDK.
For a complete list of the Oracle commercial features included in Java SE Advanced please reference the Oracle white paper Java Usage Tracking and Visualization with Oracle Fusion Middleware. In summary, the matrix below provides a high-level overview of the key differences in the free Java SE editions vs. the commercial Java license packages:
NOTE: The use of the Java Usage Tracker to gather data on the install, deployment, and usage of Java within an organization is in itself a commercial feature requiring a paid license to Oracle for Java SE Advanced.
IT organizations should become familiar with Oracle’s Java product roadmap, which provides key dates for Java edition releases and end of public support for legacy versions.
How Is a Java Commercial License Acquired?
Historically, Java licenses have been purchased under the standard Oracle licensing model of either a Named User Plus (NUP) or Processor license model, with support comprising 22% of the net license price. NUP licenses have contained a (10) NUP license minimum per Core Factor Oracle Processor if electing to go the Named User route. Under most scenarios, purchases under the perpetual license plus support model would be more cost efficient than purchasing the newly released Oracle Java Subscription price schema.
NOTE: The price list is “list” price only and is subject to negotiated discounts.
Unfortunately, recent client reports as well as reports from the industry media indicate that Oracle is no longer offering the perpetual license plus support model and is instead forcing customers to resolve audit non-compliance events and/or net-new Java license needs with its Java SE subscription price model. The Java SE subscription includes all commercial features for the product purchased as well as Oracle Premier Support for both current and previous Java releases. This shift represents another leg in Oracle’s plodding journey towards a recurring revenue model, as subscription offerings are up to three times more profitable over the long term than the legacy license/support model.
Here at Info-Tech Research Group, we strongly recommend that clients push back on Oracle to allow any Java SE commercial license purchases under the legacy NUP/Processor + Support license model as Oracle still provides pricing for the options within the Oracle Technology Price List. While Oracle may “dig in” and require the subscription model purchase, the presence of both pricing models will provide customer advantage when negotiating discounted pricing with Oracle.
The Oracle Java SE Subscription price list is divided between Desktop subscriptions and the Processor model:
NOTE: The price list is “list” price only and is subject to negotiated discounts.
- Conduct an audit of Oracle JDK Java usage. Use a trusted SAM tool or a third-party consultant to capture all desktop and server instances where the Oracle JDK/JRE is installed and/or running.
- Check for use of Java Commercial Features. The Java Oracle JDK build is the same install package for the free Java SE version as well as the commercial Java SE Advanced product. It is a common error for commercial features such as JRockit (Mission Control) and other paid features to be inadvertently activated, triggering a compliance issue.
- Consider alternative options to Java and/or to the Oracle JDK build. Options such as the OpenJDK and other Java builds will allow a de-coupling from Oracle’s license requirements, but will also require application re-development or other migration paths.
- Conduct a cost analysis if contemplating the paid Java license. Oracle will push hard for organizations to purchase the Java SE Subscription model. Oracle perpetual license and support options are still listed on the Oracle Technology Price List, so push for the perpetual model and/or leverage this model to negotiate discounts on the tiered subscription offering.
- Beware of Oracle’s Java Usage Tracker Tool. Java Usage Tracker is a commercial feature of the Oracle JDK and simply using the tool triggers the need to license the Java environment via a commercial license.
- If you already have Java SE Advanced (or Advanced Desktop) or Java SE Suite licenses: nothing changes and you will continue to have access to patches, bugs, security fixes, and support services for all versions of your Java SE product and any included features.
- If you are using a JDK release 8 without commercial features (meaning that you are using the free release, Java SE) and you want to be able to access any Oracle updates and/or support services: a purchase of the Oracle Java SE Subscription or Oracle Java SE Desktop Subscription is required.
- If you plan to upgrade your JDK every 6 months to keep up to date: you will not need to purchase any additional licenses to have access to Oracle updates only.
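For the "Check for use of Java Commercial Features" recommendation above, one way to triage an inventory of running JVMs is to inspect each launch command for the -XX:+UnlockCommercialFeatures option. This is an added example, not Oracle or Info-Tech tooling; the hosts, paths, JDK build and command lines are constructed, and the Flight Recorder option list is an illustrative assumption for Oracle JDK 8.

```python
import shlex

UNLOCK_ON = "-XX:+UnlockCommercialFeatures"
UNLOCK_OFF = "-XX:-UnlockCommercialFeatures"
# Flight Recorder options as used on Oracle JDK 8; illustrative, not a full list.
JFR_PREFIXES = ("-XX:+FlightRecorder", "-XX:StartFlightRecording",
                "-XX:FlightRecorderOptions")
TAKES_VALUE = {"-cp", "-classpath"}  # options whose value is the next token


def jvm_options(cmdline):
    """Return only the JVM options, dropping the launcher and application args."""
    tokens = shlex.split(cmdline)[1:]          # tokens[0] is the java launcher
    opts, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-jar" or not tok.startswith("-"):
            break                              # jar or main class: app args follow
        opts.append(tok)
        i += 2 if tok in TAKES_VALUE else 1    # skip the classpath value
    return opts


def audit(cmdline):
    """Classify one java command line for commercial-feature use."""
    unlocked, jfr = False, []
    for opt in jvm_options(cmdline):
        if opt == UNLOCK_ON:
            unlocked = True
        elif opt == UNLOCK_OFF:
            unlocked = False                   # a later occurrence overrides an earlier one
        elif opt.startswith(JFR_PREFIXES):
            jfr.append(opt)
    return {"unlocked": unlocked, "jfr_options": jfr}


# Constructed sample inventory: (host, command line) pairs, e.g. gathered from `ps`.
SAMPLE = [
    ("app01", "/usr/java/jdk1.8.0_181/bin/java -Xmx2g -XX:+UnlockCommercialFeatures "
              "-XX:+FlightRecorder -jar /opt/billing/billing.jar"),
    ("app02", "/usr/java/jdk1.8.0_181/bin/java -cp /opt/etl/lib/* etl.Main "
              "--note=-XX:+UnlockCommercialFeatures"),   # flag is an app argument only
    ("app03", "java -XX:+UnlockCommercialFeatures -XX:-UnlockCommercialFeatures -jar a.jar"),
]


def flagged_hosts(inventory):
    """Hosts whose JVM was started with commercial features unlocked."""
    return [host for host, cmd in inventory if audit(cmd)["unlocked"]]
```

Command-line inspection does not see features unlocked after startup (for example through jcmd) or options supplied through environment variables, so a clean result covers only part of the audit.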