Unravelling the mysteries of Java (and other products) actual versions for licensing

Report Inappropriate Content · ‎May 13, 2021

Author: Nicolas Rousseau
Author Email Address: nrousseau@flexera.com
Solution Type: Custom Report (Application Transparency Report)
Flexera Product & Version: FlexNet Manager 2016-2020R2
Environment: On Premise Only
Development Effort (Days): 0.3
Implementation Effort (Days): 0.1
Disclaimer:
SOLUTIONS ARE PROVIDED ON AN "AS IS" BASIS. NEITHER FLEXERA NOR ITS SUPPLIERS MAKE ANY WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. LICENSEE MAY HAVE OTHER STATUTORY RIGHTS. HOWEVER, TO THE FULL EXTENT PERMITTED BY LAW, THE DURATION OF STATUTORILY REQUIRED WARRANTIES, IF ANY, WILL BE LIMITED TO THE SHORTER OF (I) THE STATUTORILY REQUIRED PERIOD OR (II) THIRTY (30) DAYS FROM LICENSEE’S ACCEPTANCE OF THE AGREEMENT.

Important note (January 5th 2023): a new "Application Transparency" report has been introduced from ITAM / FNMS 2022R1 onwards, please use this one. More information here.

Oracle has kept his customers and SAM consultants busy with Java, that depending on updates or even builds can be public or commercial (restricted).

An example in the Java Standard 8 release notes: https://www.oracle.com/java/technologies/javase/8u-relnotes.html. The list of public and restricted updates and builds are at the bottom of this answer...

To address this need, Flexera ARL had to link evidences based on their build level (available in Windows, the Unix agent will bring this capability in June). This build level management forced Flexera to change from a quite granular “update level recognition” to a “major version level” normalization, to avoid the mess of having tens of recognized builds and versions... The April announcement for the change can be found here: https://community.flexera.com/t5/Technopedia-Blog/Content-Change-Notification-Java-Build-version-changes/ba-p/184442

The downside is a loss of visibility on recognized applications. A report mitigates this issue and allows to understand (for all products) the recognized applications... and the raw versions of the evidences that allowed to recognize the applications. the description is below... the code of the report is attached.

Recognized Applications Transparency Report (NR)

Business need

The Flexera ARL normalizes the raw evidences to make the data manageable and align with the licensing requirements. The applications are often normalized at major version level.

There is however a need (for Java particularly) to understand what is the underlying exact version of the evidences that have been recognized into the application (major version).

NOTE THAT THIS REPORT HAS BEEN RELEASED WITH ITAM 2021 31.4 / FNMS 2022R1.

Description

The report shows all installations for the product named entered in the search filter (exact match on Product Name) and looks up all raw evidences that match this title for recognition (files (mandatory, at least one as a recognition rule, not ignored), installer (not ignored) or WMI (added with v5 of the report).

If several evidences led to the recognition of one installed application, there will be several rows in the report.

The report contains information on computer OS, location, corporate unit etc.

The version 4 of the report also manages the cases of suite recognition. For instance, if you enter "DB2" as an input, the report will return the suite components and the related file and installer evidences used for recognition. Version 4 greatly enhances performance.

Preview
Public and restricted versions of Java

1.Java SE 5:

1.Java 5 Until (& incl.) update 22 => “PUBLIC”

2.Java 5 update 23 & up => “RESTRICTED”

3.Java 5 (all update) where build >30 => “RESTRICTED”

2.Java SE 6:

1.Java 6 Until (& incl.) update 45 => “PUBLIC”

2.Java 6 update 51 & up => “RESTRICTED”

3.Java 6 (all update) where build >30 => “RESTRICTED”

3.Java SE 7:

1.Java 7 Until (& incl.) update 79 => “PUBLIC”

2.Java 7 update 80 & up => “RESTRICTED”

3.Java 7 (all update) where build >30 => “RESTRICTED”

4.Java SE 8:

1.Java 8 Until (& incl.) update 202 => “PUBLIC”

2.Java 8 update 211 & up=> “Restricted” (License change – 16/04/2019)

3.Java 8 (all update) where build >30 => “RESTRICTED”

5.Java SE 9 / 10

1.Java 9 & 10 => Public

2.Java 9 & 10 (all update) where build >30 => “RESTRICTED”

6.Java 11

1.Java 11 Until (&incl.) update 2 => Public

2.Java 11 update 3 => “RESTRICTED”

7.Java 12 and more => “Restricted” (Licensing modification – 16/04/2019)

bfaller · ‎May 18, 2021

Thank you Nicolas !

Of course, you are only talking about Oracle Java (including SUN) and not about OpenJdk, IBM, SAP, Azul and others publishers.

And as you know, restricted Oracle Java is included (Bundled) in some Oracle Products and some non Oracle products like Symantec endpoint Protection. Flexera and/or User can add Oracle Java as supplementary product in the associated licences.

Regards.

[Nicolas Rousseau]: Hello Benoit, this topic is a separated one that is tricky. The report returns any evidence used for recognition by the ARL (eventually extended by the FNMS users). The recognition of Java is trick and the ARL is focused on the "Oracle" publisher evidences that can however be bundled by other products. This "embedded Java exclusion" or "Exclusion by path" will be addressed by a feature Engineering is currently working on. Note that a published solution anticipates (and a rudimentary but efficient way) this feature: https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Automating-the-Management-of-Embedded-Java-instances/ta-p/195162

durgeshsingh · ‎Jun 28, 2021

Team,

I have tried this query on inventory DB & getting below error

Msg 2812, Level 16, State 62, Line 142
Could not find stored procedure 'ComplianceCustomViewRegister'.

Completion time: 2021-06-28T09:01:05.8167136+02:00

Please suggest.

ChrisG · ‎Jun 28, 2021

@durgeshsingh - the script should be run against your compliance database, not your inventory database.

durgeshsingh · ‎Jun 28, 2021

Thanks a lot chris G. It went successful.

durgeshsingh · ‎Jun 28, 2021

Hi Chris,

We are looking header change of [LocationPath] & want to put corporate unit. Please suggest if this can be added.

[Nicolas Rousseau]: hey @durgeshsingh please use v4 just uploaded. Performance has been added, suites are managed and the corporate unit column is added (as well as the matched ARL evidence).

EHacking · ‎Jul 20, 2021

So how does this help those of us in the cloud? Can someone at Flexera run this for us and send it to us?

[Nicolas Rousseau]: hello @EHacking, please contact me at nrousseau@flexera.com and I will send you the output of the report. Please also mention which product... (just a guess... Java Platform??). This report will be embedded in the productized solution we plan for December / January on the cloud.

samirdivan · ‎Aug 25, 2021

Great, it run successfully.

Thank you

gbauer · ‎Sep 21, 2021

Thank you Nicolas,

this helps quite a lot clarifiying the situation.

Nevertheless I have some questions:

In our report Java 8 ist detected:

8.0.910.61

D:\app\oraadm\product\12.2.0\client_1\jdk\bin\

Java Platform 8 Standard

Java Platform

8

Standard

Commercial

From my point of view, this should be 8.091 and therefore not commercial

(as you wrote: 1.Java 8 Until (& incl.) update 202 => “PUBLIC”)

Also as a part of the Oracle Client it should be a component

Do you agree ?

Thank you

An last but not least, will you update the script, when new version will be available ?

thanks

bfaller · ‎Sep 21, 2021

Hello,

Oracle Java is one of mos complex license subject.

8.0.910.61: means version 8, update 91, build 61.

There are several rules :

Updates until 202 are free for Oracle Java 8

Builds more that 30 are restricted

Java may be bundled, like possibly here with oracle client.

But these rules have exceptions, and Flexera is working since two years to improve this.

So I confirm, for Oracle Java 8, all updates 91 are free. When restricted, like update 92 build 31, evidences have to be assigned to commercial application (not component). Last caveat, path information for file evidence is unique, then may be wrong with multiples matches.

Regards.

nrousseau1 · ‎Nov 12, 2021

Hello everyone, just posted version 4 of the report that improve heavily performance and mixes applications recognized as well as suites member details @sohbinong made the request of also covering suites and suites members. Thus: "DB2" will show the recognized DB2 PVU option, OEM etc.

The v4 also added the corporate unit column and a "Matched ARL evidence" column as well. This report will be released on the cloud in December or January a part of the "Automated Management of bundled Java instances" (or... "exclusion by file path") feature.

jq3i4h9u · ‎Nov 16, 2021

Will this be enabled for Cloud customers in December 2021?

nrousseau1 · ‎Nov 16, 2021

This will be actually in January (December release is already code freeze). Please contact me if you need an extract nrousseau@flexera.com

gbauer · ‎Jan 21, 2022

Bonjour Nicolas,

you are writing:

3.Java SE 7:

1.Java 7 Until (& incl.) update 80 => “PUBLIC”

2.Java 7 update 85 & up => “RESTRICTED”

3.Java 7 (all update) where build >30 => “RESTRICTED”

Based on the MOSDocument of Oracle (MOS Document 1439822)

based on my understanding all Version > (including) 7.80 are commercial

Can you please Check ?

Thank you

bfaller · ‎Jan 21, 2022

@gbauer MOS document 1439822 is the reference and 7u80 is restricted (last public is 7.u79). All updates > 79 are restricted for Oracle java 7 (and should be only available on MOS site for custormer with java support contract).

Regards.

nrousseau1 · ‎Jan 21, 2022

Hello @gbauer and @bfaller , that's for spotting that. That's indeed an issue that we are going to fix in the ARL (I checked, this is not just in the post). Thanks.

nrousseau1 · ‎Feb 01, 2022

Hello @gbauer and @bfaller ,

Last Friday's ARL update fixes this issue. 1439822 document also shows "Public" versions that the ARL may treat some Java 8 Updates (when not related to restricted builds) as commercial. 231, 241, 251, 261... We are planning to remove the following patterns from the Java Platform standard recognition: 8.0.231%, 8.0.241% or 8.0.251% , 1.8.0_221-b% (Unix)... and keep the 8.0.%.31, 1.8.0_%-b31...

Checking on real data, the Updates are often linked to restricted builds but the tuning will probably remove false positives.

Feel free to comment if you don't agree with the approach.

Thanks

Version / Update / BPR Commercial or Not

32140627 Oracle JRE 8 Update 281 (public)

32140620 Oracle JDK 8 Update 281 (public)

31856308 Oracle JRE 8 Update 271 (public)

31856303 Oracle JDK 8 Update 271 (public)

31311324 Oracle JRE 8 Update 261 (public)

31311322 Oracle JDK 8 Update 261 (public)

30884163 Oracle JRE 8 Update 251 (public)

30884160 Oracle JDK 8 Update 251 (public)

30425890 Oracle JRE 8 Update 241 (public)

30425889 Oracle JDK 8 Update 241 (public)

30057644 Oracle JRE 8 Update 231 (public)

30057643 Oracle JDK 8 Update 231 (public)

29657248 Oracle JRE 8 Update 221 (public)

29657243 Oracle JDK 8 Update 221 (public)

29206836 Oracle JRE 8 Update 211 (public)

29206832 Oracle JDK 8 Update 211 (public)

bfaller · ‎Feb 04, 2022

Be aware that "public" in Oracle documentation 1439822 does not mean freeware, but "not only available in MOS site". Then java 8u281 for instance are OTN license, needing a java SE subscription for production use. .

Beware also that JAVA SE subscription cover all installed Oracle Java.

nrousseau1 · ‎Feb 04, 2022

Hi Benoit,

Thanks for your input, one more confusing thing from Oracle... I had the same conversation 2 days ago with Oracle on "Public" that does not mean freeware... the big patterns on updates should apply then.

Regarding Java SE subscription that covers all versions... does it mean reversely that when you try to size your licensable estate, you also need to count all free versions? I still have a hard time to understand the process.

Les say I have an estate of 10K installations of Java Platform, 2K commercial versions, 8K free versions (legacy). I decide to start paring subscriptions for the 2K licensable installations... does your statement mean

That if I go for subscriptions, I will need to cover the 2K and by paying the subscriptions for 2K installations, I have the right to upgrade the other 8K?
Does it mean then I need then to pay subscriptions for the users of the 8K?

I know we discussed it already but see a logical disconnect here...

Thanks,

Nicolas

bfaller · ‎Feb 04, 2022

The JAVA SE text says that you have to take into account installed oracle software. Then, without specific sentence in your contract, all have to be paid (and of course all take benefit from support). Do not forget that for decade, Oracle client could buy support for Java, including freeware.

gbauer · ‎Mar 15, 2022

Bonjour Nicolas,

I am playing around with your differnent Reports (Transparency Report & Embedded Java):

Are the settings needed for the reports conflicting each other ?

Can you please provide a Step-by-Step description on how to implement the settings for this (like there is for the Embedded) ?

And last but not least: I have learned that Flexera is "Verified for Oracle Database, Database Options & Oracle Fusion Middleware" as Tool Vendor: Are there discussions ongoing to be verified for Oracle Java as well ? I'd like that and this also would put Flexera in a first Row -position.

Thank you for your support

KR

Gabriel