Oracle now requires a subscription for Java SE
Oracle Update 2020: Java SE is only available directly through Oracle. This blog post was created before this update, and the information contained within it is purely informative. SHI is still an Oracle Platinum Partner and can assist with other inquiries.
If you use the Java SE (Standard Edition) platform, please be advised:
As of April 15, 2019, access to updates and security patches for all versions of Java SE requires a support subscription.
This change affects most, if not all, commercial users of the platform. Non-commercial users will have to start paying in January 2020.
This is a major adjustment and we’re sure you have some questions. Here are the most important ones to keep in mind and what you should be doing right now.
What has changed with Java SE?
Oracle now requires that all commercial users of Java SE purchase an annual Java SE subscription to obtain any future patches and updates, or other support services, for Java SE release 8 or higher.
Update 202 (8u202) is the last free public update for Java SE Version 8. Update 211 (8u211) is the first version 8 update to require subscription support. All other versions of Java SE – 6, 7, 9, 10, 11, and 12 – and any patches or updates that are released on or after April 15 will also require a support subscription.
The new annual support subscription also includes the rights to use the Java SE enterprise deployment tools that were previously available under the Java SE Advanced product offerings as well as all of the other components that make up the platform, including the Java Development Kit (JDK) and Java Runtime Environment (JRE).
The Java SE Advanced perpetual license offerings are no longer sold or available from Oracle except by special approval.
What do these changes mean for current commercial users of Java SE?
The most significant change is that the new support subscription is not free. For larger customers, the support will be costly, so the necessary budgetary planning and approval process should start as early as possible. An enterprise with 20,000 seats, for example, might have to pay several hundred thousand dollars per year to maintain support.
In addition, organizations will have to accurately count and identify all of the Java SE instances that are present in their data centers and in use. That's necessary to calculate the quantities of either physical desktop computers or physical servers where the software resides.
The Java SE Subscription will be licensed either by the number of physical desktops where Java SE is deployed or by the Oracle processor metric for physical servers where it is deployed.
How is this different from before?
The JDK and JRE had been free to download and install since the release of Java SE version 1.0 in 1996. All updates and patches were readily available through the Java.com website. This strategy led to widespread adoption and use of Java as an application development platform and made it one of the most popular programming languages in history.
It’s been business as usual for Java SE users ever since, even after Oracle’s 2010 purchase of Sun Microsystems, which included the Java language and development platform. After that, users could also download and install the JDK, JRE, and several other Java enterprise deployment tools from the Oracle Technology Network (OTN) website in addition to Java.com.
Up to now, there has been no requirement to purchase support or maintenance from Oracle to access updates or patches for the current releases of Java SE.
Customers did have to purchase continued support for older releases once they reached end of life, and for Java SE Enterprise deployment tools such as the Advanced Management Console, which are licensable under the Java SE Advanced support product name. That support contract, however, wasn’t necessary to receive updates and patches.
Can I just continue using an older version of Java SE without support?
It’s technically possible, but definitely not recommended.
While the Java SE platform will technically run without patches and updates, that’s a security risk you don’t want to take. In the lifetime of version 7, over 300 security patches, including some very serious ones, were issued.
If you decide you don’t need to update beyond the 8u202 level, you don’t need to purchase a support subscription. However, you will no longer have access to any future updates or patches.
If you need further convincing, just look at Equifax, which had a patch for a vulnerability in Apache Struts, a Java web application framework, sitting in a queue to be applied when criminals exploited that vulnerability. The result was one of the biggest data breaches in history.
In more regulated industries like financial services or health care, laws may require that you maintain support.
What should Java SE users do now?
Current commercial users should prioritize getting a handle on their actual Java SE install base. The asset management tools large organizations have around Cisco and other manufacturers aren’t designed to find Java. The best bet is to have a third-party ITAM provider audit your systems for all instances.
Once that information is available, consider reducing your Java footprint by deleting any unnecessary or unused instances of Java SE in the desktop environment, or by resizing physical servers to lower the CPU/core counts and reduce the potential support subscription costs.
While options like OpenJDK exist as alternatives to Java, and some organizations already use OpenJDK, switching requires reprogramming in a lot of situations. Because it's open source, the lack of 24/7 support also eliminates this option for many organizations.
The next step
Since Java is considered a no-cost IT expenditure by most commercial users, some of them haven’t kept track of the actual Java deployment across their data center or enterprise and may need assistance from a third-party ITAM services provider to understand the potential exposure that may exist.
The two ways to purchase the support subscription are the Java SE Support Desktop metric for individual users or the Java SE Support Processor metric for servers. The support is currently being sold as a one-year subscription starting when the order is placed with Oracle. At the end of the one-year term, you can choose to renew, cancel, add, or subtract subscriptions.