THE

ITAM
JAVA LICENSING
PLAYBOOK
How to address Oracle Java pricing
and licensing changes
TABLE OF CONTENTS
INTRODUCTION 3
SECTION 1
2023’S BIG, UNPLEASANT ORACLE
6
JAVA SE LICENSING SURPRISE
SECTION 2
STAY AND PAY OR SWITCH AND SAVE? 10
SECTION 3
CREATE AN ITAM BLUEPRINT FOR SUCCESS 13
SECTION 4
CHOOSING THE RIGHT OPENJDK SOLUTION 21
SECTION 5
BUILD YOUR ROI – ESTIMATE THE COST OF CHANGE 26
SECTION 6
THE ONLY JDK THAT REDUCES ALL
29
ASSET MANAGEMENT RISKS

ADDITIONAL RESOURCES 32

ABOUT AZUL 33
THE
ITAM JAVA LICENSING PLAYBOOK 2
INTRODUCTION
We have written this guide for asset managers, and specifically IT Asset Management
(ITAM) and Software Asset Management (SAM) professionals. It’s a tough job balancing
software licensing costs and compliance with risk management and IT’s need for security
across the entire asset portfolio. This is compounded by the influx of pricing and licensing
changes demanded by software behemoths like Oracle, Broadcom, and IBM. These
continuous changes put substantial pressure on ITAM/SAM professionals to identify
alternatives that mitigate any IT disruptions, maintain high IT SLAs, and save money.

Oracle’s four licensing and pricing changes in four years for Java are a case in point.
Oracle has generated billions of dollars in revenue simply by implementing new licensing
policies for a previously free programming language and toolset, adopted by nearly all
large enterprises as the foundation of most business-critical software applications.

OpenJDK is Java’s open-source project, and anyone is free to download the source code
for a specific version of the Java Development Kit (JDK). OpenJDK is identical to Oracle
Java SE and the two versions are 100% interchangeable. The Java Technology
Compatibility Kit (TCK), licensed by Oracle themselves to OpenJDK solution providers,
contains more than 150,000 individual tests to ensure compatibility between different
implementations of the Java specification. It’s essential for Java’s portability and for
delivering the “write once, run anywhere” promise. Applications built on TCK-tested
OpenJDK distributions will run the same way on another distribution that has also passed
the TCK test suite.

Oracle releases four Java updates each year, in January, April, July, and October. Each
release has a Critical Patch Update (CPU), which includes only security-related updates,
and Patch Set Updates (PSUs), which are complete updates that are much larger and
include additional non-critical fixes such as bug fixes and new features.

THE
ITAM JAVA LICENSING PLAYBOOK 3
WHY COMMERCIAL SUPPORT IS IMPORTANT
If your organization isn’t paying for commercial support, you won’t be able to access
updates to the Java versions you’re using in production unless you are using them in the
Oracle Cloud Infrastructure (OCI) or you are using a relatively new version of Java under
Oracle’s “No Fee Terms and Conditions” license (NFTC). Every quarter, when Oracle
reports new vulnerabilities and releases patches, your organization will remain exposed to
those vulnerabilities. Applying CPUs is much easier and faster than applying PSUs, but
only Oracle and Azul offer CPUs.

ITAM must work with security teams to assess vulnerabilities as they are reported, and
they must work with application development teams to apply fixes. An OpenJDK
distribution provider should make updates available on a strict SLA so organizations can
apply them as quickly as possible to close any exposure to vulnerabilities.

JAVA IS EVERYWHERE
For nearly 30 years, Java has been the default language for enterprise applications. It’s on
desktops, laptops, servers, mobile phones, TVs, and in every kind of cloud. Java is the
foundation of derivative languages like Kotlin and Scala, frameworks like Hibernate and
Spring, and big data platforms like Solr, Apache, Cassandra, Hadoop, and Kafka. 98% of
surveyed companies in Azul’s 2023 State of Java Report say they use it (Figure 1). 57%
say it is the backbone of most of their applications, including third-party packaged
software, and their infrastructure estate.

98%
JAVA
ADOPTION

USE JAVA IN SOFTWARE OR

INFRASTRUCTURE 93%
USE JAVA-BASED FRAMEWORKS,
LIBRARIES, AND TOOLS
Figure 1. Source: Azul State of Java Survey & Report 2024.

THE
ITAM JAVA LICENSING PLAYBOOK 4
Whether you use Oracle Java knowingly or you feel uneasy about hidden application
dependencies on Java licensing, no asset or license manager can ignore the financial risk
of violating Oracle Java licensing terms. With abundant drop-in replacements and
commercially supported Java options, there’s no reason to take chances. In this guide,
you’ll learn:
What’s changed in Oracle Java SE licensing and how it affects IT and software asset
managers.
How to determine whether you should stay with Oracle and pay, or switch to an
alternative Java solution provider (based on OpenJDK) who provides commercial
support.
What you should consider when licensing Java applications in cloud environments
and how ITAM practices are converging with FinOps.
Why Azul is often recommended as the #1 Oracle Java replacement.

THE
ITAM JAVA LICENSING PLAYBOOK 5
SECTION 1
2023’S BIG,
UNPLEASANT
ORACLE JAVA
SE LICENSING
SURPRISE
THE
ITAM JAVA LICENSING PLAYBOOK 6
In January 2023, consistent with an increasing pattern of monetizing Java, Oracle announced its fourth
licensing and pricing change in four years (Figure 2). It moved from a traditional infrastructure pricing
model to an employee-based metric, regardless of how many employees actually use Java
applications. This new model created a predictable stir in the Java community, when members were
just getting used to the prior model which tallied a combination of named user/laptop and desktops,
and licensable service metrics including physical, virtual, container, and cloud. The new pricing for
Oracle Java SE is now completely disconnected from actual Java usage and mainly results in a massive
price increase. The more employees, the larger the price increase.

Oracle Java licensing uses a liberal and hard-to-measure definition of “Employee”

Oracle’s licensing language considers the number of a company’s employees, effective as of

the date on which the Java SE Universal Subscription was purchased by that company from
Oracle, to be:

All full-time, part-time, and temporary employees, plus all full-time employees, part-time
employees and temporary employees of your agents, contractors, outsourcers, and
consultants that support your internal business operations.

Capping out at 50,000 processors, pricing starts at $15 per month up to 999 employees. Prices
then decline on an employee volume basis in increments, until organizations with between
40,000 and 49,999 pay $5.25 per month.

Organizations with more than 50,000 employees and/or 50,000 processors can expect
individual negotiations.

THE
ITAM JAVA LICENSING PLAYBOOK 7
 JAVA SUBSCRIPTION PRICING AND LICENSING UPDATES

June 2018 Sept 2018 April 2019 Jan 2023

Quarterly updates Starting in January Rolled back most Java charged by

Biannual Java 2019, public licensing cost “employee” count
releases updates for Java 8 increases from 2021 “Employee” defined
Updates certified require a paid to 2019 to include part-time
with reference subscription LTS releases are free and temporary
standard Installing updates under NFTC until employees, and
Commercial without a paid one year after the part-time and
support available subscription is a next LTS release temporary
with a paid violation of LTS releases every 2 employees of
subscription licensing terms years agents contractors,
outsourcers, and
Figure 2. Oracle pricing and licensing updates since 2018.
consultants

As existing Oracle Java subscription contracts using older pricing and licensing models expire,
Oracle’s FAQ document suggests limited renewal possibilities under existing terms and metrics,
assuming your Java estate does not change. If you change your Oracle Java usage in any way, the new
licensing model applies even if an existing estate is still otherwise eligible for coverage under the old
models. Likewise, Oracle expects organizations to pay “back usage” licensing fees for the time the
organization was out of compliance.

Then there is the issue of how to ascertain the total number of employees. Simply looking at an
organization’s website to determine employee and contractor count isn’t ideal, but Oracle’s generous
definition of “employees” makes accurate compliance difficult.

NEGOTIATION WITH ORACLE CAN BE FUTILE, AND MOST ORGANIZATIONS WILL

GET HEFTY PRICE INCREASES
Unless you can negotiate with Oracle within the scope of an existing Oracle Java renewal, nearly all
organizations are seeing their Oracle Java costs soar with these licensing changes. According to ITAM
Review’s real-world stories, cost increases span 2x to 10x, making Oracle Java a much larger, multi-
million dollar IT software license item.

The world’s largest companies are rich targets for compliance audits. A June 2024 article in The
Register confirms that Oracle is now approaching Fortune 200 companies, asking for clarity around
their Oracle Java position.

THE
ITAM JAVA LICENSING PLAYBOOK 8
These changes apply to all Java commercial use, so if your organization already licenses Oracle Java
SE today – whether you use Java SE and have been getting away with it, or you have little
understanding of your Java use – your organization will eventually have to pay the new Oracle Java
per-employee pricing. You will also have to pay “back usage” licensing fees for the time you were out
of compliance, though Oracle generously will make all or part of those fees disappear if you sign a 3-
year or 5-year contract under the new licensing and pricing model.

THE
ITAM JAVA LICENSING PLAYBOOK 9
SECTION 2
STAY AND PAY
OR SWITCH
AND SAVE?

THE
ITAM JAVA LICENSING PLAYBOOK 10
PUTTING YOUR HEAD IN THE SAND WON’T HELP. BETTER TO PAY UP OR MAKE A
NEW PLAN.
If you are a license manager who is discontent with your organization’s Java license use, maybe you
think you can ignore this headwind from Oracle. Probably not the best plan as Oracle audit teams are
on the offensive, disguised as friendly sales teams and armed with download logs and ”call home”
data to catch you out of compliance.

Better to be a smart, risk-averse software license manager and assume you will need to pay for
Oracle’s new Java SE subscriptions. After all, Java is everywhere, and while your developers and
application owners may not know exact Java usage, there’s zero chance Oracle doesn’t know your
organization is using Java through their download metrics and/or security updates (which trigger “call
home” messages that can be turned off) for dependent applications.

Now your head is spinning. What are your options?

1. Buy or renew an unearthly expensive license regardless of Java usage and cost.
2. Replace Oracle Java with a money-saving option and prove there’s no Oracle Java in your
infrastructure.

Note: There is a third option - Try to move away from Java completely. However, this is a Herculean
task that many organizations cannot achieve nor would most even want to, given they selected Java
for its durability, speed and scale. Those that decide to get off Java end up spending years and
significant cost refactoring and redeveloping their key business applications.

Deciding on the best option for you requires a couple things:

An understanding of Java use, licensing, and options.
The agreement of traditional stakeholders – management, Java application owners, developers,
engineers, and information security and compliance teams.

Each stakeholder has a different concern, and if IT or security is unwilling to make a compromise,
there’s not much you can do. The rest of this playbook helps you make a business case for change
based on hundreds of organizations and their respective development, IT and security teams who
have migrated to an Oracle Java alternative with little disruption and immense cost savings.

HOW DO YOU DECIDE WHETHER TO PAY OR SWITCH? YOU HAVE SIX OPTIONS:
Ignore – Hope Oracle goes away, ignore all the sales calls and email threats of an audit, and try and
align every part of your organization to not taking calls or giving information to Oracle. As Shawn
Donohue of Miro Consulting said in a 2024 webinar, “If your plan is to sit and wait and do nothing,
please do not do that.”

THE
ITAM JAVA LICENSING PLAYBOOK 11
Negotiate – Generally this strategy is for organizations that have an existing Java SE renewal. Getting
your Java use within the limits of your existing contract is the only way to approach this. You will need
help, and many license managers will engage advisory specialists.

Surrender – Tell Oracle “You got me” and hand over details about your Java use. This isn’t a
negotiation, as Oracle will simply say you owe them “back usage” if you don’t sign up for a multi-year
contract based on the employee model.

IGNORE NEGOTIATE SURRENDER REMOVE UPGRADE SWITCH

Figure 3. Six options consider for your Oracle Java.

Remove – There really isn’t a good Java alternative in the market for critical applications that must
meet business SLAs, although you can certainly try and rebuild all your applications in a new
programming language and infrastructure. Rewriting your code can take years, is a significant
development investment, and carries an inherent risk of buggy and poorly performing applications.

Upgrade – Stay only on Java versions that include the Oracle No Fee Terms and Conditions (NFTC)
license. Your organization will have to be in a continuous upgrade process. As of mid-September
2024, your organization must be on Oracle Java 21. Oracle releases a new long-term support (LTS)
release of Java every other year, and each LTS release is free to use commercially until one year after
the next LTS is released.

Switch – In most cases, this is the wisest choice with a variety of free and commercially supported
alternatives. The costs of free Java solutions are their security risks, the threat of a critical business
application going down without a commercial support vendor to provide a patch, and many other
considerations. Also, many free Java solutions don’t support legacy Java versions e.g. 6, 7, and 8.

Regardless of these choices, there are only two situations where an organization is very likely to stay
and pay.

1. Small companies with a large Java footprint. The new employee metric likely reduces Java-
related costs.
2. Organizations that run Oracle Java in the Oracle Cloud, and/or within commercially supported
Oracle applications. Neither brings any license risk. Provided an organization is 100% certain
there’s no commercially unsupported Oracle Java, the license risk is known and covered by other
contracts, so staying with Oracle is the best course of action.

These situations are rare though. Due to size and/or poor Java estate governance, most organizations
aren’t in either situation, nor can they neatly and quickly determine whether it’s best to pay or switch.

THE
ITAM JAVA LICENSING PLAYBOOK 12
SECTION 3
CREATE
AN ITAM
BLUEPRINT
FOR SUCCESS

THE
ITAM JAVA LICENSING PLAYBOOK 13
Creating the right plan for addressing license risk in Java involves many considerations (Figures 4 and
5), from understanding your license exposure and risk to having the capabilities to transition to a new
OpenJDK solution to reduce license cost. The cost and risk of change is therefore a critical component
of ROI.

High Risk, Low Skill High Risk, High Skill

License Advisory Partner Select Paid JDK Alternative
JDK Migration Partner Self Service JDK Migration
License Risk

OpenJDK
Alternative

Low Risk, Low Skill Low Risk, High Skill

Try and Negotiate Try and Negotiate
JDK Migration Partner Self Service JDK Migration

Java Skills & Availability

Figure 4. Java skills and availability.

DETERMINING YOUR JAVA LICENSE RISK

Let’s unpack the six factors that make up an organization’s Java risk, which is crucial to deciding
whether to stay and pay or switch and save:

SIX FACTORS IN JAVA RISK

1. YOUR ORGANIZATIONS’ SIZE
2. THE AMOUNT OF ORACLE JAVA IN YOUR SOFTWARE ESTATE
3. JAVA LICENSE DATA YOU SHOULD COLLECT
4. RISK OF AN ORACLE JAVA AUDIT
5. ISV APPLICATIONS THAT ORACLE SAYS ONLY THEY SUPPORT
6. THE SKILL AND AVAILABILITY OF YOUR MIGRATION RESOURCES

Figure 5: Six factors in Java risk.

THE
ITAM JAVA LICENSING PLAYBOOK 14
1. Your organization’s size
The employee-based licensing metric fundamentally means that the more headcount you have, the
larger your financial exposure to Oracle Java.

Also, as your organization grows, so does the likelihood that developers and engineers downloaded,
and continue to update, Oracle Java versions that require a license.

Since Oracle monitors business IP addresses for downloads and has “call home” capabilities, it’s more
than likely that Oracle knows you have an instance of Oracle Java in your business regardless of
whether it was downloaded for production purposes or if it’s being used.

Thus, for larger organizations, plotting your Oracle Java future depends on the footprint size.

2. Identifying the amount of Oracle Java in your

software estate
Today your Java estate may be small. Even if your
Pro Tip 💡
organization is a larger enterprise that only uses Java on A Java inventory is the
a handful of production servers, you need a license to cornerstone of good IT asset
comply, regardless of usage. If you already have an management. What you do with
existing Java SE subscription, you can negotiate to keep the data counts. For Oracle Java
existing pricing grandfathered for a time, but history users, the devil is in the details of
suggests that you will continue to pay more. an Oracle relationship. You’re at
risk if you’re:
Conversely, if you are a large organization with a very
small Java footprint and you are out of compliance, your 1. An existing Oracle Java
urgency for finding an Oracle Java SE alternative is customer who is out of
considerably higher. If Oracle is hounding you to compliance
document your Java inventory, or intends to initiate an 2. A customer who is using
audit, it could be very time-consuming and result in an Oracle Java but not paying
expensive outcome. and getting sales calls from
Oracle due to suspected non-
So, what if you have a large Java estate? compliance
3. An organization with no
Even enormous Java footprints at large companies with insight into where Java is
existing Oracle Java SE contracts may be able to used and whether Java
continue with legacy pricing metrics for some time. This, updates are manually
of course, is provided there are no Java usage changes. downloaded or automatically
In Oracle’s eyes, changes above contract limits trigger triggered
the new user pricing model.

THE
ITAM JAVA LICENSING PLAYBOOK 15
3. What type of Java license data should you collect?
Every organization has a unique web of application infrastructure. Java lurks almost everywhere, given
its longstanding performance and stability throughout IT’s hodgepodge of applications, hardware,
deployment types, and cloud vendors. Thus, establishing accurate Java licensing risk requires an in-
depth and up-to-date Java estate inventory. It’s especially crucial to capture details like Java versions
that require paid Oracle Java SE subscriptions.

Each entry in the inventory should include at least the following fields:
Type: A physical desktop, physical server, cloud instance, and/or container.
Access details: The credentials needed to access a physical machine or cloud instance via a
network connection with sufficient privileges to permit the JDK’s installation. For containers, these
details will relate to how the container image is generated. This will probably be via continuous
integration/continuous delivery (CI/CD) tooling and should include information enabling you to
configure a different JDK for inclusion in the image.
Operating system (OS): Which OS is in use, plus additional details about it such as the edition,
version, build number, and whether it’s 32 bit or 64 bit. The OS will typically be Windows, macOS,
or Linux. For Linux, you should also note the distribution because it may make a difference in the
installation format.
Automated or manual install: Whether the installation will take place using an installer. If the JDK
doesn’t use an installer, this field should also note the location in which the JDK should be
manually unpacked.
JDK version: This field should also include the installed update level, the security update number
within a major Java version, such as JDK 8u202.

USE AN ASSET MANAGEMENT TOOL OR LICENSE ADVISORY EXPERT

To identify where your organization is using Java, you can start with an Oracle-approved ITAM or SAM
tool, like SHI, Flexera, or Certero. While these tools help you comply with license terms and
conditions, they can also produce reports showing which machines installed which versions of Java.

However, generic tools only look where you tell them to. If you miss a server or a whole server farm,
your tool won’t know. Oracle's methods of investigating your Java usage will find everything. A
trusted OpenJDK distribution provider like Azul or an experienced Java migration partner like Miro
Consulting will use a Java-specific tool like Oracle’s.

What to Do If You Don’t Have a Tool

Bring in a license advisory partner or manually scan each machine instead. Absent an ITAM or
SAM tool, organizations often bring in a licensing expert or organization to perform the
licensing scans. You can also manually examine each machine in your estate that runs on a Java
Virtual Machine (JVM), the runtime included in a JDK which is the foundation of all Java-based
applications. Often you can work with your OpenJDK distribution provider to use their scripts
or tools together to perform the necessary license scans in your machine environments.

THE
ITAM JAVA LICENSING PLAYBOOK 16
 These tools can scan the filesystem of a machine, looking for a Java executable and recording
the version string when it’s run. They can also scan the process table to determine whether
Java applications are running and which JDK they use. Take care in analyzing these results —
applications may be used only when required. If an application isn’t running at the time the
process table is being scanned, it won’t be included.

WHICH APPLICATIONS NEED COMMERCIAL SUPPORT?

You also need to understand your production environment for where there’s:

A bundled entitlement for Java SE together with a third-party application.

Mission-critical applications with high security or compliance requirements that already have and
need commercial support.
New Java applications currently in development that will need commercial support.
Applications on Java versions, including from third-party software providers, with No Fee Terms
and Conditions (NFTC) licensing that will expire, discontinue free Java updates, and will require an
Oracle Java SE subscription.

A thorough inventory of Java, support needs, and contracts is crucial for every organization that runs
Java applications. A good Java inventory leads to better application prioritization, project
management, and understanding of the speed at which the migration can occur.

Which Oracle Java versions’ NFTC licenses are set to expire and when?
1. Oracle Java 17 NFTC expired in September 2024. All future Java SE 17 updates will no
longer be allowed without paid licensing.
2. Oracle Java 21 NFTC expires in September 2026, ending future Java SE 21 updates
without paying fees.

ARE YOU AT RISK FROM AN ORACLE JAVA AUDIT?

Having an in-depth and up-to-date inventory of your Java estate, and a true understanding of your
licensing risk, will help you decide whether to migrate or prepare you for the inevitable Oracle license
review or audit. Without it, you’re at risk simply because you have no insights.

According to Gartner, by 2026, more than 20% of organizations using Java applications will be
audited by Oracle, leading to unbudgeted noncompliance fees (“3 Steps to Manage Exposure for
Oracle Java SE Licensing,” July 18, 2023). This often takes the form of an Oracle “sales call” vs. a legal
encounter. That risk increases under certain circumstances. Events like a merger or acquisition, major
hardware refresh cycles, and changes in support renewals can all raise the risk of an audit. Risk also
increases with company size, as the larger you are, the juicier the target.

THE
ITAM JAVA LICENSING PLAYBOOK 17
In addition to an accurate inventory, you’ll want to understand current Oracle Java SE contracts for
each of your Java applications. You’re at risk if you’re an existing Oracle Java customer whose Java
application environment requires a license and you're not paying. Either way, an Oracle salesperson
will treat this as non-compliance.

Oracle is notorious for complex contracts, so include your legal, compliance or risk management
teams to understand the fine print.

4. Are there critical or key applications within your organization that specifically require license
and support compliance, or risk-specific management?
Companies often overlook the need for application license, security and support compliance for
specific applications that contain, manage, or process key individual, financial, or other sensitive
information. For example, you might have to comply with either the U.S. Cybersecurity and
Infrastructure Security Agency (CISA) or the Digital Operational Resilience Act (DORA) in the
European Union that focuses on financial sector resilience against cyber-attacks and other ICT-related
disruptions. In both cases you need responsive (paid) support updates from a reputable OpenJDK
vendor.

There are a variety of global regulations and legislation (Figure 6) that, depending on your industry
and each country’s enforcement policies, create similar considerations in respect to security
application support. Many require organizations to conduct regular risk assessments, including
evaluating software vulnerabilities. Consider the support of OpenJDK vendors that provide critical
updates and vulnerability identification services to reduce the risk of non-compliance. Check with legal
and compliance on the needs of your organization before putting the organization at risk.

VERTICAL REGULATORY COMPLIANCE & SECURITY FOCUS

Figure 6. Example security and risk compliance regulations for specific application support.

THE
ITAM JAVA LICENSING PLAYBOOK 18
5. Do you have Independent Software Vendor (ISV) applications that Oracle says only they
support?
Sometimes ISVs are confused about whether their applications support OpenJDK, and as a result
they default to listing only Oracle Java. To clarify, from OpenJDK 11 onward, the Oracle JDK is built
from the same source as any other OpenJDK distribution (so there is no difference). Additionally, for
all versions of Java, there is a formal standard that includes the Technology Compatibility Test (TCK)
suite to verify conformance. This consists of up to 150,000 tests, all of which must be passed to say a
distribution is Java.

What an ISV is actually saying is that they have simply not tested their applications on any distribution
of OpenJDK except Oracle. When choosing the right OpenJDK to move to, it is important to
understand how your OpenJDK distribution provider will keep you in compliance as well as their
migration success rates. DevOps teams need to know the facts and get engaged with the alternative
OpenJDK vendors they are considering so they can work with the respective ISVs to provide them
with the necessary assurances from their alliance programs.

THE
ITAM JAVA LICENSING PLAYBOOK 19
6. Are your resources skilled and available to manage a migration?

When working with your OpenJDK distribution provider, it’s important to craft and communicate a
solid migration plan together with the business application owners that aligns with the Java license
use. According to Azul’s 2024 Oracle Java Usage, Pricing and Migration survey, 75% of organizations
have completed migrations off Oracle Java in less than a year. A further 61% valued the support and
expertise of either the OpenJDK distribution provider or migration consultants in the process of
migrating.

Asset and license managers should work with Java migration

Pro Tip 💡 experts within their own developer teams and their OpenJDK
The fastest way to make an
informed decision on
whether to pay or switch is
to quantify the business
case. It may negate the
need to negotiate with
Oracle.
distribution provider to build a basic migration plan and then
establish a framework for communication to the main
stakeholders. If necessary, they should bring in external
experts. Key essential skills for a quick and successful
migration plan are Java architecture, Java development, and
project management. For example, you need to consider
when and how long a mission-critical application important to
revenue generation can be offline to complete the
replacement and subsequent verification testing.

Migrating JDKs is generally not difficult, costly or time-consuming. However, it’s often important to
stage the effort based on criticality of applications and then work with the business owners of the
applications to manage priorities. You then need to identify if your organization has the skills to do it –
and if not, work with your OpenJDK distribution provider or source a Java migration partner and
create a plan, however minimal.

THE
ITAM JAVA LICENSING PLAYBOOK 20
SECTION 4
CHOOSING
THE RIGHT
OPENJDK
SOLUTION

THE
ITAM JAVA LICENSING PLAYBOOK 21
You’ve decided to eliminate Oracle Java’s boundless risks and switch to another JDK provider.
This brings new decisions to make. Specifically:

Does your organization need commercial support?

Which Java support providers would work best for you?
Are security patching and high levels of Java application compliance important to your business?

The lure of free open-source JDK is compelling but comes with high risk. The savings you may achieve
by not paying for commercial support may come back to haunt you with increased resourcing costs to
address security vulnerabilities and any instability in unsupported Java. Participants in Azul’s 2024
Oracle Usage, Pricing & Migration Survey and Report recognize that saving money isn’t everything.
When asked what they value most in a paid OpenJDK subscription, with the ability to select multiple
responses, the top five answers were:

Technical expertise (61%)

Timely releases and fixes (54%)
Customer support (42%)
Stabilized security-only updates (40%)
Migration expertise (39%)

Reduced licensing costs came in sixth at 38%. To evaluate an OpenJDK distribution provider for your
Java estate, here are eight things you should consider.

1. Security readiness and compliance

The need for commercial support is rooted in application security risk tolerance. If all of your
enterprise applications can withstand high security and stability risk, then a free open-source JDK
might work for you.

However, this isn’t the case for most organizations, especially larger ones.

Applications that are mission-critical, revenue-producing, or customer-facing generally have the

highest security and stability requirements, as do applications that collect and store sensitive data like
Personally Identifiable Information (PII).

If you have any of the above, then your organization most likely needs to maintain a high-security
posture and is inflexible when it comes to the stability of your applications, making timely Java security
patches vital.

Achieving compliance with any regulations or legislation that is applicable to your organization and
specific requirements around security support, patching, and vulnerability assessment requires review
of several key considerations including:

THE
ITAM JAVA LICENSING PLAYBOOK 22
 Ongoing security updates with timely Critical Patch Updates (CPUs): CPUs are critical to
application stability and fast security patching.
Every year, the OpenJDK project releases four quarterly updates which include all the
changes, security patches, bug fixes, performance enhancements, and everything else. These
updates are called PSUs, or patch set updates, and include all critical and non-critical updates
made between quarterly releases in one download.
The availability and type of patch updates will depend on your JDK distribution provider.
Only two providers – Oracle and Azul – offer security-only CPUs. CPUs include changes
related to security patching only and can be easily and incrementally applied. In contrast,
other OpenJDK vendors provide only large, broad updates (PSUs). OpenJDK PSUs are often
delayed since the vendors are not subject to the same Service Level Agreements (SLAs)
required for paid versions of Java. Oracle and Azul provide PSUs as well. If you’re using an
OpenJDK distribution without CPUs for streamlined patching, the sheer volume of non-critical
fixes means you will need to run more extensive regression testing. To put this in context, a
CPU may include only a handful of applicable Common Vulnerabilities and Exposures (CVEs),
while the corresponding PSU may have hundreds of non-security bug fixes and improvements.
Suppose you are a security-conscious organization that wants to minimize your Java exposure
after an OpenJDK release. You need immediate access to security-only CPUs for all actively
supported versions of OpenJDK distributions to ensure your applications stay secure and
compliant.
Make sure your Java commercial support provides CPUs that come with SLAs, as well as
backported and out-of-cycle fixes.
Access to expertise: Check the level of security expertise within your JDK distribution provider.
Azul is the only JDK vendor focused on monitoring and assessing Java vulnerabilities, ensuring
that critical risks are identified before they can be exploited. Many organizations often lack the
expertise to perform in-depth vulnerability assessments.
Critical response times: In the event of a security incident, organizations need to act quickly to
contain and mitigate the breach. JDK distribution providers with 24/7 support provide critical
incident response expertise that can assist developer operations teams in managing security
breaches immediately, limiting the exposure of sensitive data.
Java-specific security expertise: Some JDK distribution providers offer solutions to identify Java
application vulnerability weakness proactively and enable a deeper understanding of an
organization’s Java security CVEs, enabling them to respond more effectively and help
organizations avoid the penalties associated with breaches in compliance.
Post-incident response support: Following a breach, some JDK distribution providers offer
services to assist with root-cause analysis and remediation, ensuring that vulnerabilities are
patched, and future breaches are prevented. This level of ongoing support is essential for
maintaining compliance and avoiding future security incidents.

2. License cost savings

Avoid the messy, complex, and overly burdensome Oracle per-employee metric and find an OpenJDK
distribution provider that offers simple, straightforward usage-based pricing.

THE
ITAM JAVA LICENSING PLAYBOOK 23
While the larger organizations with relatively small Java estates will enjoy the most savings when
switching from Oracle, the vast majority will still save on license fees.

3. No audit risks
Use an OpenJDK distribution provider with easy, no-hassle contracts that won’t ever enforce
compliance with audits. You’ll eliminate the time-consuming, expensive headaches of an Oracle audit,
as well as the stress that comes with the looming possibility of ongoing licensing and pricing changes.

4. Certified drop-in Oracle Java replacements

OpenJDK is the open-source implementation of Oracle Java SE. What is TCK-certified?
To guarantee that a JDK
Every OpenJDK build of Java needs to be TCK-certified. Any can run your Java
alternative JDK solution that is TCK-certified is a drop-in Oracle application, it undergoes
Java SE replacement which means that you can swap out any rigorous testing of about
Oracle JDK anywhere as a one-for-one equivalent with no code 150,000 tests in Oracle's
or configuration changes. Technology Compatibility
Kit. Java distributions that
5. Industry-leading engineering support pass all these tests give
Choose a vendor that can support the full range of Java builds, application owners,
including all of your relevant versions, hardware and platforms. developers, and asset
managers confidence that
Just as important, expert Java support should always be their applications will
available when you need it – vulnerabilities and issues don’t just function identically with
arise during normal business hours. Don’t settle for anything any TCK-certified
less than 24x7, 365 days a year. distribution of OpenJDK.

6. 100% migration success

Your OpenJDK distribution provider should have the technical expertise, tutorials, methods, and
engineering support with 100% migration success rate for getting off Oracle Java SE. Make sure your
OpenJDK distribution provider has a long, spotless track record of completing the most complex
migrations on time.

7. Support for older releases

During application development, a developer downloads the current Java version. Once placed into
production, it’s common for applications to remain on the same version and not undergo time-
consuming updates to newer releases. Likewise, an organization’s application suite likely contains
many Java versions for many architectures, deployment types, and configuration options depending
on when they were implemented and the infrastructure of choice at that time. Figure out which ones
still have a purpose and which ones don’t match up with anything you still run.

THE
ITAM JAVA LICENSING PLAYBOOK 24
It’s crucial to find an OpenJDK distribution provider with license and support experience with all Java
versions, including 6 and 7. No matter what’s in your Java estate – today and in the future – ensure
that your OpenJDK distribution provider can easily meet all your Java needs.

8. Certified JDKs with indemnification against copyleft contamination

If you run proprietary applications on Java, like your SaaS app that you resell, the potential for license
contamination is real. Issues have surfaced in every release of OpenJDK since Java 6 that can force a
software app to open-source an application’s source code or obtain additional and potentially
expensive licenses from third parties. Make sure your JDK distribution provider has a certified JDK to
guarantee that your application’s license remains what you want to be.

THE
ITAM JAVA LICENSING PLAYBOOK 25
SECTION 5
BUILD YOUR
ROI –
ESTIMATE THE
COST OF
CHANGE
THE
ITAM JAVA LICENSING PLAYBOOK 26
Java migration is often easier and faster than you think. According to Azul’s 2024 Oracle Usage,
Pricing Migration survey, 84% of companies said their Java migration was easier than expected or
went as expected, and three-quarters completed their migrations within a year. The key to all
migrations is to create a business case that models the cost and risk of change. The considerations to
work with your JDK distribution provider are as follows (Figure 7):

Pro Tip 💡
What to think about when
making your business case
# EMPLOYEES
for change.
# JVMS (DESKTOP SERVER)
# CRITICAL APPLICATIONS The fastest way to make an
JDK VERSIONS informed decision on
MIGRATION EFFORT (HOURS) -- whether to pay or switch is to
DISCOVERY, EXECUTION, get an indicative view of the
VALIDATION business case from industry
ORACLE JAVA SE $ COST best practices. One way of
ALTERNATE OPENJDK $ COST doing that is to think of T-
MIGRATION TIME/COST shirt sizing and see if your
OpenJDK distribution
ESTIMATE
provider has a T-shirt size you
1,3,5 YEAR TCO, ROI $, ROI %
fit within. It may also
eliminate the need to
negotiate with Oracle.

Figure 7. T-shirt sizing your organization’s needs.

PROS AND CONS: “STAY AND PAY” COMPARED TO “SWITCH AND SAVE”
Once fully informed about your Java estate, costs of change, licensing risk, and audit risk, it’s time to
consider the pros and cons of staying with, or migrating from, Oracle Java (Figure 8).

THE
ITAM JAVA LICENSING PLAYBOOK 27
 Advantages Disadvantages

Everything stays the same High licensing fees

Periodic, difficult contract
negotiations
Persistent, ongoing audit risk
Stay & Pay
Audit risk can extend beyond Java
estate into other Oracle products
Handcuffed to long-term Oracle
contracts

One-to-one replacement Time and operational risk to replace

for Oracle Java SE
Dramatically lower costs
throughout the Java
estate, even for
applications that require
commercial support
Low/no audit risk
Lower support
subscription costs, but
Switch & Save potentially higher costs
for in-house Java
resources, depending on
the distribution provider
Longer support timeline
and security patches for
most widely used JDK
versions available from
some vendors
Oracle Java SE with different builds
of OpenJDK
Free versions don’t have security
guarantees or support
Oracle doesn’t provide commercial
support for Java 6 and 7, but not all
OpenJDK vendors provide it either
Not all OpenJDK vendors support
all operating systems and
configurations
Patch Set Updates (PSUs) delivery
varies by vendor – from near
immediate upon embargo release to
weeks
Only Azul offers Critical Patch
Updates (CPUs) similar to Oracle

Figure 8. Advantages and disadvantages of staying or switching.

To sum it up, small companies with large Java estates and companies who run Oracle Java within the
Oracle Coud Infrastructure (and nowhere else) and/or only run Java in commercially licensed Oracle
applications and infrastructure will find it more advantageous to stay and pay, at least for some
period. Outside these two situations, insightful analysis of the six factors that make up Java risk will
lead most organizations to make a new license management choice. To avoid paying high fees and
dealing with unknown risks of Oracle’s licensing, smart asset management teams switch and save by
moving to supported and certified builds of OpenJDK.

THE
ITAM JAVA LICENSING PLAYBOOK 28
SECTION 6
THE ONLY JDK
THAT REDUCES
ALL ASSET
MANAGEMENT
RISKS
THE
ITAM JAVA LICENSING PLAYBOOK 29
By choosing Azul, you’ll gain access to the world’s best supported and TCK-certified OpenJDK builds,
including options that provide price-reduced alternatives to Oracle Java SE, as well as specific-
purpose built versions of Java that optimize Java application performance and compute costs in the
cloud.

In this section, we’ll cover how Azul is the top Oracle Java replacement; how Azul offers customers the
highest security, compliance, and IP assurance available; and why Azul has been 100% successful in
migrating customers off Oracle Java. You can extend Azul’s Java license use and optimize
performance way beyond typical ITAM practices into FinOps. According to the FinOps Foundation,
“FinOps and ITAM teams should strive to create/share one source of truth for data [license
information] and avoid duplicating the effort and cost of maintaining multiple repositories of the same
data [license information].”

ELIMINATE LICENSE, AUDIT, AND OPERATIONAL RISK WITH AZUL, THE #1

ORACLE JAVA REPLACEMENT
As the #1 Oracle Java replacement, Azul’s fully standards-compliant, 100% open-source Java
development and runtime platform is a one-to-one version equivalent to Oracle Java SE at the update
level across your entire Java estate, not just on a specific cloud platform. It’s also TCK tested
and certified to assure that all replacements will work as intended.

Azul also supports more Java versions, regardless of platform or age, than any other vendor, including
Oracle. Need to support Java 6, 7, 8, 11, 17, 21, and beyond? Azul can do it. Need open-source
support for Oracle JDK legacy functionality like Java Web Start and applets? You’ll get it with Azul in
the form of IcedTea-Web, although it isn’t a drop-in replacement and may require some updates.

In addition, Azul supports most hardware and software platforms that enterprises use today - whether
your Java applications run on a desktop, virtual server, physical server, containers, or in a public,
private, or hybrid cloud. This way, a single vendor can support all your Java needs.

Should you ever need customer support for your Java estate, Azul’s global engineering team of Java
subject matter experts is always standing by to help. You can reach them 24 hours a day, 7 days a
week, including holidays.

Best of all, Azul ensures your Java applications perform optimally with maximum stability and security
without high Oracle licensing fees or audit risk. Thanks to support plans based on the familiar usage-
based licensing model for desktops and servers, your organization will enjoy large license cost savings,
typically 70% less than Oracle.

Most importantly, Azul’s straightforward contracts assure your compliance isn’t through audits. Asset
and license managers will never worry about the prospect of a time and energy-stealing audit, and the
legal and financial risk that comes with them.

THE
ITAM JAVA LICENSING PLAYBOOK 30
TRUST AZUL TO REDUCE YOUR SECURITY, COMPLIANCE AND IP RISKS
Azul has an unbeatable track record of timely releases to keep your applications stable, secure, and in
compliance. Organizations get fast access to quarterly, stabilized CPUs that are immediately
deployable into production, as well as backported security fixes for older versions of Java, and out-of-
cycle releases to fix critical issues. Azul is the only open-source OpenJDK that provides security-only
updates backed by SLAs, where you can get CPUs into production in mere hours, not weeks, with
minimal regression testing. Finally, by using Azul, your IP remains protected and yours. Azul’s certified
indemnification reduces the risk of license contamination, so your organization can effectively manage
IP and patent risks.

WITH 100% SUCCESS MIGRATING OFF ORACLE JAVA, AZUL HELPS REACH ALL
YOUR JAVA ASSET MANAGEMENT GOALS
Azul reduces the risks associated with replacing your Oracle Java. With 100% success migrating
organizations off Oracle, you can take advantage of the Azul Migration Methodology. Perfected from
years of migration experience, trust your Azul migration team to successfully guide you and your IT
operations through the entire Java migration process. OpenJDK Migration for Dummies defines the
Azul Migration Methodology as:
Discovery. Identify which versions of Java are being used by which applications and on which
machines within your organization, including cloud instances. You’ll use this inventory to create a
migration plan.
Execution. For each machine that requires a Java runtime, install the same version (or versions) of
the OpenJDK distribution you choose.
Validation. Test your applications to verify that everything works as expected.
Azul’s discovery and inventory analysis scanning tools are guaranteed to find every Oracle Java
executable and installation throughout your IT infrastructure. If you need extra hands to plan,
mentoring and guidance from our deep bench of Java subject matter experts, or a quick migration off
Oracle Java SE, support is available. Azul and its large partner network of certified service providers
are ready to help.

WHAT HAPPENS WHEN I NEED TO MODERNIZE MY JAVA APPLICATIONS INTO

THE CLOUD OR OPTIMIZE MY ORACLE JAVA LICENSE ALREADY IN CLOUD
SOLUTION PROVIDERS?
Switch and save with Azul today
By using Azul supported and certified builds of OpenJDK, you will enjoy the optimal mix of Java
security, risk management and license cost savings. Azul reduces the risks associated with replacing
your Oracle Java. Take advantage of the Azul OpenJDK Migration Methodology, perfected from
years of migration experience and boasting 100% success migrating organizations like yours. Trust our
team to successfully guide you and your IT operations through the entire Java migration process. Azul
is the only Oracle Java SE replacement that offers support that is identical or superior to Oracle. When
you migrate to Azul, asset and license managers will reduce asset management risks across the board.
Are you ready to switch and save with Azul Platform Core? Contact us now.

THE
ITAM JAVA LICENSING PLAYBOOK 31
ADDITIONAL RESOURCES
Things to Read Next

OpenJDK Migration for How Oracle Separates Java Uncover the Truth about Oracle
Dummies Pricing from Value Java

Transitioning from Oracle JDK DORA Digital Data Sheet Azul Platform Core vs Free
to Azul Zulu Builds of OpenJDK OpenJDK

Things to Watch Next

Oracle Java Myths Uncovered: Oracle's Licensing Change How to Migrate Off Java and
How to Reduce Your Oracle Makes Java More Expensive, Avoid Failing a Java Audit
Java Compliance Risk in 2024 How to Tame this Cost?

How Difficult Is It Really to State of Java 2023 Savings from Migrating from
Move to a Different OpenJDK Oracle Java
Distribution?

THE
ITAM JAVA LICENSING PLAYBOOK 32
ABOUT AZUL
Headquartered in Sunnyvale, California, Azul provides the Java platform for the modern cloud
enterprise. Azul is the only company 100% focused on Java. Millions of Java developers, hundreds of
millions of devices, and the world’s most highly regarded businesses trust Azul to power their
applications with exceptional capabilities, performance, security, value, and success. Azul customers
include 36% of the Fortune 100, 50% of the Forbes Top 10 World’s Most Valuable Brands, all 10 of
the world’s top 10 financial trading companies, and leading brands like Avaya, Bazaarvoice, BMW,
Deutsche Telekom, LG, Mastercard, Mizuho, Priceline, Salesforce, Software AG, and Workday. Learn
more at azul.com and follow us @azulsystems.

Oracle and Java are registered trademarks of Oracle Corporation and/or its affiliates. Other names
may be trademarks of their respective owners.

Contact Azul
385 Moffett Park Drive, Suite 115 Sunnyvale, CA
94089 USA +1.650.230.6500
www.azul.com
Copyright © 2024 Azul Systems, Inc.

THE
ITAM JAVA LICENSING PLAYBOOK 33