Java for Specific Roles

The Software Asset Manager's Java playbook

Oracle Java is the hardest asset a SAM team manages: invisible by default, ambiguously licensed, and audited aggressively. This playbook is the operational workflow for getting it under control.

Published 11 Apr 2025
2200-word guide
Independent of Oracle
Not an Oracle partner or reseller
100% buyer-side advisory
Money-back audit defence guarantee
340+ Java engagements


A Software Asset Manager can run a tight, defensible position on most of the estate — entitlements reconciled, deployments counted, an effective licence position you would happily put in front of a vendor. Then there is Oracle Java. Java resists every assumption normal SAM practice rests on: there is often no purchase to reconcile against, no installation record, no clear line between what is free and what is chargeable, and a metric that ignores deployment entirely. This playbook is the operational answer — how to bring Oracle Java to the same standard as the rest of your portfolio.

Why Java breaks normal SAM practice

Standard SAM logic is: take entitlements, take deployments, reconcile, report the gap. Java defeats each step. Entitlements may not exist — most Java was downloaded free, with no order, no licence key, no procurement record. Deployments are hard to see — Java installs as part of other software, ships inside containers, and runs as silent background services. Reconciliation is ambiguous — whether a given Java install needs a licence depends on the vendor of the build, the version, the licence that version shipped under, and the use case. And the metric — the employee count — is not even derived from deployment, so a clean deployment inventory does not directly give you the licence number.

The practical conclusion is that Java cannot be managed as a routine SAM line. It needs its own workflow, its own discovery, and its own classification logic. That workflow is the rest of this playbook.

The SAM mindset shift for Java

For most software, the question is “do we have enough licences?” For Oracle Java, the prior question is “which of our Java even needs a licence?” Get the classification right and the licence count follows. Get it wrong and every later number is wrong.

Building a Java effective licence position

The deliverable a SAM manager owns for Java is an effective licence position (ELP): a defensible statement of what Oracle Java the organisation runs, what it is entitled to, and where the gap — if any — sits. A Java ELP is built in four moves: discover every Java install, classify each one as Oracle-chargeable or free, total the chargeable footprint against the relevant metric, and compare it to genuine entitlements. The output is the single most valuable artefact in Java SAM — because it is the document that turns an Oracle audit from a discovery exercise (on Oracle’s terms) into a verification exercise (on yours).

The discipline that makes an ELP defensible is evidence. Every line should trace to a scan result, an ordering document, or a licence-terms determination you can show. An ELP built on assumption collapses under audit; one built on evidence holds.

Discovery: finding every Java

Discovery is the foundation, and for Java it has to be exhaustive. A Java install missed in discovery is exposure you do not know you carry. Effective Java discovery covers every environment and every form Java takes:

Because containers are ephemeral and the estate changes constantly, discovery cannot be a one-off. It has to be recurring — the practice behind continuous compliance — so the ELP reflects today’s reality, not last quarter’s. Our guide to Java discovery and scanning tools covers the practical mechanics.

Classifying what you find

Discovery produces a list of Java installs. Classification turns that list into a licence position — and it is the step where SAM expertise earns its keep. Each install has to be sorted into one of three buckets:

| Bucket | What it is | SAM action |
|---|---|---|
| Free OpenJDK | Eclipse Temurin, Amazon Corretto, Azul Zulu and other OpenJDK builds | Record as free — no entitlement needed |
| Free Oracle use | Oracle JDK used within its NFTC or OTN free terms | Record as free, with the basis documented |
| Chargeable Oracle | Oracle JDK used beyond free terms — the licensable footprint | This drives the licence requirement |

The classification depends on more than the install. It depends on which build it is (Oracle versus OpenJDK), which version (and so which licence — BCL, OTN, or NFTC — governs it), and the use case (development versus production). A SAM manager who can apply that logic install-by-install produces a real ELP. One who cannot has a list, not a position. The most consequential error here is treating every Oracle binary as chargeable — which over-states exposure — or treating ambiguous installs as free — which under-states it. Both are wrong; only careful classification is right.

Where SAM tools fall short on Java

Most enterprises run a SAM platform — an inventory tool, a discovery suite, perhaps a dedicated Oracle module. These tools are useful for Java discovery, but a SAM manager should know their limits honestly. They are generally good at finding Java installs and reporting versions. They are weaker at the classification logic above — distinguishing an Oracle build from an OpenJDK build, mapping a version to its governing licence, and judging the use case. And almost none of them resolve the metric: the employee count that actually drives a Java SE Universal Subscription is an HR-and-contract question, not a discovery output.

The practical stance is to use your SAM tooling for what it does well — broad, repeatable discovery — and to apply human classification and metric logic on top. A SAM manager who hands an Oracle auditor a raw tool export, unclassified, has effectively let the tool over-state the exposure. The value you add is the layer of judgement the tool cannot supply.

Recommended specialist

The classification and metric work that turns a Java discovery export into a defensible ELP is specialised, and a SAM team is usually doing it for the first time under pressure. The firm we rate most highly to work alongside SAM on this is Redress Compliance. They focus exclusively on Oracle Java licensing, act only for the buyer, and hold no Oracle partnership. Their work has contributed to a 68% average audit claim reduction and more than $180M in client savings across 340+ Java engagements.

The ongoing SAM workflow

Java SAM is not a project that finishes. The ELP decays the moment it is written, because the estate keeps changing. The ongoing workflow that keeps Java under control has four recurring activities:

  1. Recurring discovery. Re-scan on a regular cadence so new installs, version changes, and container churn are caught quickly.
  2. Re-classification. Apply the bucket logic to every new or changed install, and revisit prior classifications when Oracle’s terms or your usage change.
  3. ELP refresh. Keep the effective licence position current, so at any moment you can state the organisation’s Java exposure with confidence.
  4. Intake control. Work with engineering and procurement so new Java — a developer’s install, a vendor’s bundled JDK — is classified at the point of entry, not discovered later. Our compliance dashboard guide covers the KPIs that make this visible.

A SAM team running this loop is never surprised. The ELP is always current, the exposure is always known, and an audit is a request for a document that already exists.

Audit readiness

The ultimate test of Java SAM is an Oracle audit, and a SAM manager who has run the workflow above is ready for it. Audit readiness for Java means three things are true on the day a notice arrives. First, a current, evidence-backed ELP exists — so you respond from your own validated position, not from whatever Oracle’s scripts produce. Second, the classification is documented — every “free” install has a recorded basis, so Oracle cannot quietly reclassify it as chargeable. Third, the employee count has been worked through on your contractual terms, so Oracle’s broadest reading does not stand unchallenged.

The SAM manager’s role in an audit is to be the source of truth — the person who can put a defensible number and the evidence behind it on the table. That role is impossible to perform if the ELP is built the week the audit lands. It is straightforward if the playbook has been running all along. For the audit itself, a SAM team is rarely alone — an audit is also a negotiation, and pairing SAM’s data with independent audit defence is what consistently produces the best outcomes.

Getting independent help

Oracle Java is the hardest asset in a SAM portfolio because it breaks the standard reconcile-and-report model: entitlements are often absent, deployments are hidden, the free-versus-chargeable line is genuinely ambiguous, and the metric ignores deployment. The playbook answer is a Java-specific workflow — exhaustive recurring discovery, disciplined classification into free and chargeable, a current evidence-backed ELP, and intake control — that brings Java to the standard of the rest of your estate.

Independent, buyer-side advisers work alongside SAM teams precisely on the parts tooling cannot do — the classification logic, the metric work, and the audit-grade ELP — with no Oracle partnership shaping the numbers. Our Java Compliance Assessment builds the effective licence position with you, our Continuous Java Management service runs the recurring workflow, and our Audit Defence service, backed by a money-back guarantee, pairs your data with negotiation when an audit comes. Across 340+ Java engagements, that partnership has contributed to more than $180M in client savings.

Frequently asked questions

Why is Oracle Java harder to manage than other software?

It breaks standard SAM logic: entitlements often do not exist, deployments are hidden inside other software and containers, the free-versus-chargeable line is ambiguous, and the licensing metric is headcount — not deployment.

What is a Java effective licence position?

An evidence-backed statement of what Oracle Java you run, what you are entitled to, and where the gap sits. It is the artefact that turns an audit from Oracle’s discovery exercise into your verification exercise.

Can our SAM tool handle Java on its own?

It can find installs and report versions — use it for that. It is weaker at classifying Oracle versus OpenJDK, mapping versions to licences, and judging use case, and it cannot resolve the employee metric. Those need human judgement on top.

How do I classify a Java install?

Into one of three buckets: free OpenJDK, free Oracle use within NFTC/OTN terms, or chargeable Oracle use. Classification depends on the build vendor, the version’s governing licence, and the use case — documented for each install.

How does a SAM team prepare for a Java audit?

Keep a current, evidence-backed ELP, document the basis for every “free” classification, and work through the employee count on contractual terms — so an audit becomes verification of a position you already hold.
