Java License Compliance Checklist
Don’t wait for Oracle to tell you that you’re non-compliant.
Find out for yourself first. This checklist walks you through each step to confirm your organization’s Java compliance status and fix any gaps. The goal is to make Java licensing easy, repeatable, and audit-proof before Oracle ever comes knocking.
Pro Tip: “The best way to pass an audit is to run one yourself first.”
Read our ultimate guide to Oracle Java Compliance Management Best Practices.
Step 1 – Discover Every Java Installation
Start with full visibility into where Java is running. Use network scanning tools, endpoint management software, or custom scripts to detect every Java runtime in your environment. Scan everything: employee laptops, developer workstations, servers, test machines, and even containerized applications.
Maintain an inventory of each Java installation, noting the device or server name, its location, and its use. If you don’t know an instance exists, you can’t manage or license it – but Oracle’s auditors surely will find it.
Pro Tip: “If you can’t see it, Oracle will.”
Step 2 – Identify the Java Vendor and Build
Not all Java installations carry the same risk. For each discovered Java, identify whether it’s an Oracle JDK or an OpenJDK distribution. Oracle’s official builds are the ones that require a paid license for commercial use.
Most other OpenJDK-based distributions – such as Azul Zulu, Amazon Corretto, or Red Hat OpenJDK – are free to use and offer their own support options. In your inventory, create columns for “Vendor” and “License Type.”
Clearly label which instances are Oracle JDK (commercial) and which are open-source Java (non-commercial).
This separation lets you focus compliance efforts on Oracle. In short: if it’s Oracle’s Java, assume it needs a license (or careful review); if it’s not Oracle’s, it’s likely free, but double-check the vendor’s terms to be safe.
Step 3 – Record Java Version Numbers
Version details matter for compliance. Older Oracle JDK versions (for example, Java 8 updates from 2019 or earlier) might still be covered under Oracle’s old Binary Code License (BCL), which allowed free use in production.
But anything from Java 11 onward falls under Oracle’s newer licensing rules, which typically require a subscription for commercial use. Even Java 8 updates released after a certain date started requiring a subscription. So, document the exact version number and update level for each installation.
This helps you identify which instances might be “grandfathered in” under a free license and which are subject to Oracle’s subscription model.
Essentially, the version will define your risk: an outdated Java 8 may be free to use (though unsupported), whereas Java 11, 17, or newer from Oracle almost certainly requires a paid license for production use.
Step 4 – Map Employee Coverage
Oracle’s current Java licensing model is employee-based. That means every employee in your organization counts toward licensing requirements—not just developers or IT staff. Confirm your total employee headcount (include full-time, part-time, and the relevant contractors as defined by Oracle).
Compare this number to the number of employees your current Oracle Java subscription covers, if you have one. If you have 10,000 employees but only purchased a 5,000-employee Java subscription, then 5,000 employees are essentially unlicensed in Oracle’s eyes. That discrepancy is a compliance exposure.
In Oracle’s model, you don’t get to pick and choose who is licensed; the expectation is that your subscription matches your total headcount. Identify any gap between the total number of employees and the number of licensed employees. This might involve coordinating with HR to get an accurate count. The key is to ensure your Java license scope (number of employees paid for) is equal to or greater than your actual workforce size.
Pro Tip: “If they get a paycheck, Oracle counts them.”
Read what tools you can use, Tools for Java License Management.
Step 5 – Remove Unnecessary Oracle Java Installations
One of the easiest ways to reduce compliance risk is to simply eliminate Oracle JDK where it isn’t truly needed. Review your inventory from Step 1 and find systems that don’t explicitly require Oracle’s Java.
Common candidates are test or QA servers, developers’ laptops, older applications, or tooling that could run on OpenJDK instead. If an application or process can tolerate using an open-source Java (which is highly likely in most cases), uninstall the Oracle JDK from that system and replace it with a free OpenJDK distribution.
Each Oracle JDK you remove is one less potential liability. Focus on non-critical or low-risk systems first—for example, internal tools or batch processes that aren’t tied to Oracle-specific features.
By purging unneeded Oracle Java installations, you shrink the surface area of a potential audit. Even a single stray Oracle JDK on a forgotten server could put you in violation, so aim for zero Oracle JDKs outside of what you absolutely need for business.
Step 6 – Verify Entitlements from Oracle Products
Sometimes you might be entitled to use Java without a separate license because it’s bundled with another Oracle product you own. Check if any Oracle software your company has purchased includes Java usage rights.
Common cases include Oracle middleware and enterprise apps: for example, certain editions of WebLogic Server, Oracle Database, PeopleSoft, or Oracle’s ERP systems come with a restricted-use license for Java.
This typically means you can use Oracle’s Java only for running that specific product (such as the Java runtime embedded in WebLogic or the one required by Oracle Database’s internal processes) without needing a separate Java SE subscription.
If you have such products, document the details: which product, what version, and what Java usage is covered. Be very clear on the limits – if the Java is only licensed for the product’s internal use, you cannot use that same installation to run other applications. Any Java usage outside the product’s scope would still require a license. Make sure to keep proof of these entitlements (like the licensing documents or Oracle’s official policy text) in your records. They could be your get-out-of-jail card in an audit if Oracle questions those particular Java installations.
Step 7 – Review Download Access and Installation Controls
Lock down how Oracle Java can enter your environment. Ideally, no one should be downloading Oracle JDK from the internet or installing it themselves. Implement controls to prevent unapproved installations.
This can include firewall rules or web filters to block Oracle’s Java download page, or at least an internal policy that all Oracle Java downloads must go through IT procurement or a centralized repository. You want a single, managed pathway for any Oracle Java deployment.
Also, maintain a clear approval process: for someone to install Oracle JDK, they must justify it and obtain explicit permission. Track who has access to Oracle Java installation files and where they deploy them.
By doing this, you not only prevent surprise installs, but you also create an audit trail of every Oracle Java in use.
Remember, Oracle can track downloads from their site too—if they see your company has pulled down installers multiple times, that could raise flags. So, cut off the direct download route. In short: no approval, no installation.
Pro Tip: “No approval, no install — that’s your first compliance rule.”
Step 8 – Confirm Subscription Renewal or Support Status
If your organization has an Oracle Java SE subscription, make sure it’s active and up to date. Check the subscription renewal dates, the number of employees (or processors, in older agreements) it covers, and when your next payment or true-up is due.
It’s crucial not to let a Java subscription lapse if you plan to keep using Oracle’s Java. The moment a subscription expires, continuing to use Oracle JDK (especially for updates or new deployments) could put you out of compliance.
Verify that all invoices have been paid and that you have documentation of your current entitlement (for example, a license certificate or Oracle contract that shows you’re licensed through a certain date for a certain scope).
Keep an eye on renewal communications from Oracle—they often remind you or renegotiate terms at renewal. Be well prepared in advance of the renewal deadline to avoid any gaps.
If your subscription expired and you forgot to renew, you should treat any Oracle Java in use as unlicensed until coverage is reinstated. The safest play is to align your Java subscription dates with your fiscal or planning cycle, and set reminders so it never slips through the cracks.
Step 9 – Run an Internal Compliance Simulation
Now it’s time to play “Oracle auditor” for a day. Conduct an internal mock audit to test your compliance status. Take all the data you gathered (installations, versions, vendor info, employee counts, entitlements, etc.) and assess it against Oracle’s license terms. Ask the hard questions an auditor would: How many Oracle JDK installations do we have, and where are they?
Are all of those covered by a current subscription or an entitlement? How many employees do we have versus how many are licensed? Can we show proof for each licensed instance (either a subscription we removed or that it’s OpenJDK)? Compile your findings into a mock compliance report. This report should detail any shortfalls, like “X number of installs not covered” or “Y employees over the license count.” The exercise will likely expose a few gaps or uncertainties – that’s a good thing, because you’re catching them internally.
Once you have the results, take action to close any gaps: perhaps buy additional licenses if truly needed, remove or replace more Oracle JDK installations, or update your records and processes.
By running this simulation, you can fix problems on your own timeline, rather than scrambling during an official audit. It’s wise to perform such self-audits periodically (for example, every quarter or at least annually) since environments change over time.
Step 10 – Document and Store Everything
Finally, organize your defense dossier before you ever need to use it. Documentation is your best shield in an audit.
Keep a central repository or folder (digital is fine, with backups) that contains all relevant compliance materials. This should include:
- Java Inventory Reports: The full list of Java installations you discovered, with details (from Step 1–3).
- Proof of Entitlements: Any documents showing your rights to use Java via other Oracle products (from Step 6), such as excerpts from contracts or official Oracle statements.
- Subscription Agreements: Copies of your Oracle Java subscription contracts, confirmation of purchased licenses, and records of renewal and payment.
- Renewal and Audit Communications: Store any emails or letters from Oracle about Java licensing or audits, as well as your own internal renewal planning documents.
- Internal Audit Results: The reports and notes from your internal compliance simulations (Step 9), including any action plans you executed to remediate issues.
- Audit Response Templates: It can help to have a predrafted template for how you would respond to an Oracle audit inquiry, listing the data you would provide. While every audit is different, a ready template ensures you won’t scramble to craft a response under pressure.
By keeping all of this organized, you can quickly answer any auditor questions with factual evidence.
If Oracle’s auditors come calling, you’ll already have a complete paper trail to demonstrate that you’ve managed your Java deployments within the license terms.
Good record-keeping turns a potential audit nightmare into a more routine review. In short, save everything and make sure it’s accessible to the right people on your team.
Table – Quick Java Compliance Checklist
| Step | Task | Objective |
|---|---|---|
| 1 | Discover all Java installs | Full visibility of where Java is running |
| 2 | Identify vendor | Separate Oracle JDK vs. OpenJDK (license impact) |
| 3 | Record version | Flag old free versions vs. new subscription versions |
| 4 | Count employees | Match subscription to total workforce (avoid gaps) |
| 5 | Remove unused Oracle builds | Reduce exposure by uninstalling or swapping out Oracle JDK |
| 6 | Check entitlements | Use Java rights bundled with other Oracle products (where applicable) |
| 7 | Control downloads | Prevent unapproved Oracle Java from being installed anew |
| 8 | Review renewal status | Keep subscriptions active; no lapse in coverage |
| 9 | Run mock audit | Verify data accuracy and compliance internally |
| 10 | Store records | Be ready with documentation when Oracle calls |
Sample Internal Audit Template
When conducting your self-audit, it helps to tabulate the findings. Here’s a sample template for tracking each Java installation or usage instance and its compliance status:
1️⃣ Department / System Owner – (Who is responsible for the system where Java is installed)
2️⃣ Installed Java Versions – (Which versions and update levels of Java are present)
3️⃣ Vendor Build (Oracle / OpenJDK) – (Is it Oracle’s JDK or an OpenJDK distribution, and which vendor)
4️⃣ Covered by Subscription? – (Yes/No – Is this instance covered under our Oracle Java subscription, if one exists)
5️⃣ Used with Oracle Product? – (Yes/No – Is this Java only being used within an Oracle product that provides a license entitlement)
6️⃣ Non-Compliant Risk Level – (High/Medium/Low – For example, high if Oracle JDK with no license, low if OpenJDK or covered)
7️⃣ Remediation Plan – (What action will we take if it’s non-compliant? E.g., uninstall, replace with OpenJDK, or purchase a license)
8️⃣ Completion Status – (Track the progress: Not started, In Progress, Completed – to remediate this item)
This template ensures you gather all the necessary info for each Java installation and know exactly what to do about it. It’s basically your to-do list for achieving full compliance.
Final Take
Java license compliance isn’t a one-time scramble – it’s a continuous, manageable process. The steps above are not complex individually; the challenge is being thorough and consistent.
Keep your Java inventory up to date, validate your license coverage regularly, and proactively swap out Oracle JDK where it’s not essential.
Revisit this self-audit checklist quarterly (or at least a couple of times a year) so that any new development – like a new server coming online or an increase in headcount – is caught and addressed early.
Over time, these practices turn compliance into just another routine part of IT governance, rather than a fire drill when an audit notice arrives. If you prepare diligently on paper, an Oracle audit will feel more like a formality than a threat.
Pro Tip: “Compliance isn’t luck — it’s preparation on paper.”
Read about our Java License Compliance Services.
