Oracle Java Audit Script
When Oracle initiates a Java audit, it will often request that you run a discovery or LMS script. This tool is designed to inventory Java deployments across your servers, desktops, and virtual machines.
The script combs through systems to find Oracle Java installations and related details. Even if the script isn’t officially branded as a “Java LMS” tool, the data Oracle seeks follows a familiar pattern of software inventory and usage metrics.
It’s important to understand what this script does and how to handle it, so you stay in control of the information being shared.
Pro Tip: Never assume Oracle’s audit script is harmless — it’s designed to gather evidence and build a commercial case in Oracle’s favor.
Read our tactical guide to Oracle Java Audits & Enforcement — What to Expect.
Is There an Official Java Audit Script?
Oracle has not publicly released a Java-specific LMS script.
Instead, during audits, they often use the same License Management Services (LMS) or Global License Advisory Services (GLAS) discovery framework used for databases and middleware, customized to capture Java data.
In practice, Oracle’s Java audit data collection can take a few forms:
- LMS/GLAS Discovery Scripts – pre-built Oracle collection tools that scan systems for installed software (including Java). Oracle may provide a bundle of scripts to run, which then output an inventory of Java versions and usage.
- Excel-Based Surveys – sometimes Oracle provides spreadsheets or “Oracle Server Worksheets” for manual data entry. You might be asked to fill in each system’s Java version, installation path, etc., without running a script.
- Hybrid Requests – a combination of methods, such as Oracle asking for specific log files, screenshots of Java version info, or outputs of certain commands, alongside or instead of an automated script. This often happens if you push back on running Oracle’s scripts; Oracle may then request evidence in pieces.
Regardless of the form, the objective remains the same: identify all Oracle JDK usage in your environment and tie it to your licensing metrics (either the Java SE Universal Subscription (employee count) model or legacy per-processor counts). In other words, Oracle wants a complete picture of where its Java is installed and how it might translate into a license requirement.
Pro Tip: The absence of an official Java-specific tool doesn’t mean Oracle’s data request is optional. One way or another, Oracle will expect a comprehensive accounting of your Java usage – whether via their script or through detailed spreadsheets or other means.
What Oracle’s Script Looks For
Oracle’s audit scripts and survey templates focus on several key data categories. Understanding these categories will demystify what Oracle is really looking for when you run their tool or fill out their questionnaire.
Below is an overview of what data Oracle collects and why it matters:
| Data Category | What Oracle Collects | Why It Matters |
|---|---|---|
| Java Version Inventory | All installed Java versions on each system (Oracle JDK, OpenJDK, Amazon Corretto, etc.) | Determines whether you’re using Oracle’s paid builds or free/community builds. The specific version and update level tell Oracle if a given Java installation requires a commercial license (e.g. Oracle JDK 8 Update 211+ requires a subscription) or if it might be a legacy free version. |
| Installation Path & Source | File system locations of Java installations and their source/origin | Identifies where the Java software came from. For example, an install path or registry entry may indicate if the JDK was downloaded from Oracle’s website. If the origin is oracle.com or an Oracle installer, it flags that as an Oracle distribution (likely licensable) versus one obtained via a third party or open-source channel. |
| Runtime Activity | Information on Java Virtual Machines (JVMs) currently running or recently executed on the system | Confirms actual use of Java, not just installation. Oracle wants to know if those Java installations have been actively used (e.g. checking running processes or timestamps). This helps distinguish between a dormant installation versus one that’s regularly used in production – active use strengthens Oracle’s case that it should be licensed. |
| System Type & Host Info | Hostname, OS type, hardware details (CPU model, core count, etc.) for each system with Java | Provides context for potential licensing metrics. In legacy Java licensing, CPU counts could determine cost if licensing per processor. Even under the employee-based model, Oracle collects this to understand your environment size and possibly to check if any servers are in environments like clusters or certain OSes that might affect support terms. It also simply identifies each machine uniquely (so Oracle can say “Server X has Oracle Java installed”). |
| User Access Data | Number of users or employees that have access to Java or Java-based applications on the system | Cross-checks against the Employee metric licensing model. Oracle may ask how many users or employees use the applications running on Java. Essentially, if Oracle finds Java on a system, they might infer that all your employees are potential Java users (under the Java SE Universal Subscription rules). They may directly request your total employee count as part of the audit data, since the current Java licensing model (as of 2023) is often based on total employees in the organization. |
| Virtualization Context | Virtual machine details, such as whether the Java installation is on VMware, Hyper-V, cloud instances, and how many VMs per host | Identifies the environments so Oracle can apply their rules on virtualization. Oracle is known for a strict stance on virtualization. If Java is running on a VMware VM, Oracle might insist on licensing all VMs or hosts in that cluster (depending on contractual terms) unless properly segregated. They may collect VM host names or cloud instance IDs to see if an instance is in a public cloud or part of a larger virtual host pool, which could expand the scope of what they consider “installed” or “in use.” |
| Historical Data | Installation dates, last update or patch applied to each Java instance | Indicates if you’ve been using Java past certain free periods or using versions under “No-Fee Terms and Conditions (NFTC).” For example, if a Java 8 installation shows it was updated in 2020 (after public free updates ended in Jan 2019), that suggests unlicensed usage during that time. Or if Java 17 installations show updates beyond the free support period, Oracle knows you likely need a subscription. Historical timestamps help Oracle flag backdated compliance issues and calculate how long you’ve been out of compliance. |
Pro Tip: Every data point Oracle’s script collects is designed to connect a Java deployment to a licensing obligation. Nothing is random—if they ask for it, it’s because it can expand the scope or increase the cost of your compliance exposure.
Read how Oracle detects non-compliance, How Oracle Detects Java Usage (Downloads & Data).
Example – Typical LMS JavaScript Output
To illustrate, here’s a simplified example of what an Oracle Java audit script output might look like for a single server:
Hostname: SRV-FIN-001
Java Version: 1.8.0_241
Vendor: Oracle Corporation
Install Path: C:\Program Files\Java\jdk1.8.0_241
Running JVMs: 3
CPU Cores: 8
In this example, the script found that on host SRV-FIN-001, an Oracle Java 1.8.0_241 installation (an Oracle JDK 8 update) is present.
It notes the path on disk, identifies the vendor as Oracle, and even saw that 3 Java processes were running at the time of the scan. It also showed that the server has 8 CPU cores and is presumably a Windows server (from the path).
Multiply this kind of output across dozens or hundreds of servers in your environment, and Oracle suddenly has a very comprehensive view. They can aggregate these findings to model your license exposure under the Java SE subscription metrics.
For instance, Oracle may conclude: “We found Oracle Java on 120 servers across your enterprise.” From there, they might translate that into an employee-count requirement (e.g., if Java is widely used, Oracle will argue you need to license all employees) or into a processor count if you were on older metrics.
Pro Tip: One exported CSV report can cost millions if sent to Oracle without careful review. Always double-check and understand every line of such an output before Oracle sees it.
How Oracle Uses Collected Data
Once the script or survey is completed and you have provided the data, Oracle’s audit team will aggressively analyze it.
Here’s what Oracle typically does with the information:
- Correlate with Oracle’s Records: Oracle compares the discovered installations against their own records (download logs, support contracts, etc.). For example, if the script shows Java 11 installed on a server, Oracle may check if anyone at your company ever downloaded Java 11 from Oracle’s website or if you had a support contract. They want to match your data to evidence that you obtained Oracle’s software, strengthening their position.
- Identify Unlicensed Usage & Scope: They extrapolate the data to determine your licensing exposure. If you’re under the newer subscription model, the key question for Oracle is: Do these installations mean your whole employee population needs to be licensed? They might take the stance that any presence of Oracle Java = you owe subscriptions for every employee (this is Oracle’s interpretation under the Java SE Universal Subscription model). If using legacy licensing, they will count the processors or devices running Java.
- Estimate Backdated Costs: Oracle will estimate how long those Java installations have been in use without a license and calculate backdated subscription or penalty costs. For instance, if a particular Oracle JDK version was released 2 years ago and you’ve been using it without support, Oracle might propose that you owe 2 years of subscription fees or back support for that. They use things like installation dates or release dates for versions as hints about how far back the unlicensed use might go.
- Prepare a Compliance Report: All the findings are compiled into a formal compliance report. This report itemizes the installations and the supposed license shortfall. It often comes with a spreadsheet or table listing each system and what Oracle believes is missing (e.g., “X Oracle Java installations unlicensed”). This report becomes the basis for Oracle’s settlement proposal or sales pitch – essentially, it’s the evidence backing the big number they will ask you to pay. Oracle will typically accompany the report with a required purchase recommendation (for example, a quote for enough Java SE Universal Subscription licenses to cover all your employees, plus perhaps a hefty support renewal).
It’s worth noting that Oracle interprets all data in the most license-heavy way possible. Even minor discrepancies can inflate their cost calculations.
For example, if an OpenJDK instance is mistakenly reported as “Oracle JDK” in your data, Oracle will treat it as licensable until you prove otherwise. A small classification error or an outdated entry can lead Oracle to add tens or hundreds of licenses to its claim.
Pro Tip: Oracle assumes every “Oracle JDK” entry in the data is a licensable deployment — it’s your job to prove if something should be exempt.
Always double-check Oracle’s findings for misidentified Java installs or versions, and be ready to correct them with evidence.
Read how to deal with the audit reports, Dealing with Oracle’s Audit Findings – Interpreting the Report.
What You Should Never Send Unreviewed
A cardinal rule in any audit: Never submit raw, unverified data to Oracle. Oracle will use whatever you hand over against you, so you must control the quality and scope of that information.
Before you send Oracle anything from a Java discovery:
✅ Verify Java Identifications: Make sure the vendor and edition correctly identify all Java versions in the data. For instance, clearly distinguish Oracle JDK, OpenJDK, and other distributions. You don’t want Oracle misreading an OpenJDK as an Oracle product. If the data isn’t explicit, consider annotating it or explaining it when you send it over.
✅ Label Non-Production Systems: If some Java installations are on development, test, or other non-production servers, label them as such in your documentation. While Oracle’s Java licensing doesn’t officially distinguish non-prod vs. prod (all usage counts), highlighting non-production usage can be useful context in negotiations (e.g., you might argue that some installations have less licensing impact or could be removed). At the very least, Oracle should not assume every install is a critical production instance if that’s not the case.
✅ Document Employee and Usage Counts Internally: Know your own numbers before Oracle does. Determine how many total employees your company has (a figure Oracle will likely ask for) and how many are actually using Java-dependent applications. Also, document any specific user counts for relevant Java-based applications. You want to be ready when Oracle inevitably says, “You need to license all 5,000 employees,” to respond with data or a rationale if that’s not accurate.
✅ Exclude Decommissioned or Irrelevant Systems: Ensure the data you provide does not include old, decommissioned servers or irrelevant devices. If a system is no longer in use or Java has been uninstalled, the data should be cleaned up before the report is sent to Oracle. Including ghost entries of retired servers or stale installations will only give Oracle more targets to count against you. Provide data that is up-to-date and in scope of the audit – nothing more.
In short, filter and verify the output thoroughly. It’s often wise to run the discovery script internally, compile results, then pause. Review everything with your team (and ideally a licensing expert) before deciding what to hand over.
Pro Tip: If Oracle defines your data for you, you’ve already lost the negotiation. Always take the time to curate and double-check the information – it’s your environment, so tell the data’s story, not Oracle’s.
Checklist – Best Practices Before Running Any Script
If Oracle provides you with an audit script (or any data collection tool), treat it with healthy caution. Follow this checklist of best practices before running any Oracle-provided script in your environment:
✅ Confirm Scope and Purpose in Writing: Don’t run anything until Oracle confirms exactly what the script is supposed to do. Get an email or document from Oracle specifying which systems the script should be run on and what data it will collect. If possible, also confirm the script version. This ensures you’re using an approved, up-to-date tool and sets a boundary on scope (e.g., only Java-related data, only certain servers). Having this in writing can protect you if a dispute arises about “what was agreed” for data collection.
✅ Test in a Controlled Environment First: Never execute the script blindly on all production systems. First, run it in a lab, on a test machine, or on a small subset of servers. Observe its behavior (CPU/memory usage, any changes it makes) and review the output it generates. This minimizes the risk of the script disrupting operations and gives you an early look at findings. If anything looks off or too intrusive, you can go back to Oracle with questions or adjustments before a wide rollout.
✅ Review the Output Internally: After running the script (especially in test), analyze the results yourself or with the help of a software asset management (SAM) or licensing expert. Look for any red flags or unexpected detections. This internal review lets you catch misclassified items (e.g., it labels something “Oracle” that isn’t) and assess your exposure privately. It’s much better to discover a problem yourself than to have Oracle tell you about it later.
✅ Redact Sensitive Details if Possible: Consider removing or anonymizing unnecessary sensitive details like exact hostnames or IP addresses in the data before sending it to Oracle. Oracle generally doesn’t need to know your internal naming conventions or network specifics to conduct a license assessment. For example, you might replace hostnames with generic labels (Server1, Server2, etc.) as long as you keep them consistent for reference. Be cautious here – you must still provide accurate data, but you can often strike a balance by sanitizing irrelevant information.
✅ Limit Data to Agreed Scope: Provide Oracle only the data that falls within the agreed audit scope and nothing more. If the audit is for Java, the output should ideally be limited to Java installations. You don’t need (and shouldn’t) send a full software inventory of your entire environment if it wasn’t asked for. Run the script in targeted mode if possible (for example, some Oracle scripts allow flags to only gather Java info). The goal is to avoid oversharing: the more data Oracle has, the more angles it can find compliance issues. Stick to the script’s purpose and the defined audit scope.
Pro Tip: Treat every Oracle audit script like a small explosive device—a discovery grenade. Pull the pin carefully and on your terms. Once it “goes off” (i.e., collects data), you can’t undo it, so make sure you control when, where, and how it happens.
Internal Alternatives to Oracle’s Tools
One way to stay on the front foot during an audit (and even prevent one) is to maintain your own Java usage inventory. You don’t have to rely on Oracle’s scripts to know where Java is running.
In fact, many organizations choose to gather this data internally to preempt any surprises.
Here are some alternatives and proactive measures:
- Leverage Internal Discovery Tools: Use your existing IT asset management tools (such as Microsoft SCCM, FlexNet Manager, Lansweeper, JAMF for Macs, or similar) to scan your environment for Java installations. These tools can often report all software installed on each machine, including Java versions. By doing this regularly, you can produce the data Oracle wants without actually using Oracle’s script. In an audit, you might even negotiate with Oracle to accept reports from your tools instead of running theirs.
- Build Custom Scripts: If you have the expertise, create your own script to gather Java info. A simple script could check known install directories and registry keys, then output a list of Java versions and locations on each system. Because you wrote the script, you know exactly what it collects and can ensure it doesn’t grab more data than necessary. You can run your script company-wide and use that as the basis for audit data. (Some companies do this as an internal audit exercise before Oracle ever comes knocking.)
- Maintain an Updated Java Inventory: Treat Java like any other critical software asset. Keep a spreadsheet or database that’s updated quarterly (or continuously) with every Java installation, including version, host, department, and whether it’s Oracle or not. Track when each installation was last patched or if it’s been removed. This way, when Oracle asks for data, you aren’t scrambling – you already have a well-curated list to work from. An accurate internal inventory can also help you quickly remove or update unauthorized Java installations before they become an audit problem.
By using these internal methods, you can proactively verify your Java exposure and correct issues on your own timeline. More importantly, you’re not giving Oracle free rein to discover and interpret your data first. You’ll know your compliance position and can approach any Oracle audit discussion from a place of knowledge.
Pro Tip: Audit readiness is about owning your data before Oracle does. The more you know (and the less Oracle has to “find out”), the more control you have over the narrative and outcome of an audit.
The Technical Reality – Java Footprint Discovery Is Easy
It’s important to realize that, from a technical standpoint, discovering Java installations is relatively easy for Oracle or anyone with basic admin tools. Java isn’t stealth software; it leaves obvious footprints.
Here’s why Oracle (or you) can detect Java with minimal effort:
- Predictable Install Locations: Java typically installs in standard directories. On Windows, for example, default paths are under
C:\Program Files\Java\...orC:\Program Files (x86)\Java\...for JREs and JDKs. On Linux/Unix, Java often resides in/usr/java,/usr/lib/jvm,/opt/java, or similar locations. These well-known paths make it straightforward to scan file systems for Java. - Visible Version Metadata: Every Java installation comes with identifiable version metadata. On Windows, the presence of Java is recorded in the Registry (under HKLM\Software\JavaSoft, where version info is listed). On any system, simply running
java -versionin the command line will display the Java version and vendor. Environment variables (likeJAVA_HOME) can also reveal if Java is installed and where. In short, the system itself openly advertises Java’s presence and version, which scripts can easily capture. - Cross-Platform Scripts: Oracle’s audit scripts are designed to run on all major operating systems (Windows, Linux, macOS) with appropriate adaptations (batch files, shell scripts, etc.). They don’t require special privileges beyond what’s needed to read files and run basic commands. This means Oracle can instruct you to run essentially the same script everywhere. Because Java is platform-independent, the detection logic is very similar across OSes – just the file path conventions differ.
- Basic Commands Suffice: Even without Oracle’s official script, an auditor (or an internal admin) could run a few simple commands to find Java. For example: searching for “java.exe” or “java” binaries on a system, or using package managers (
rpm -qa | grep -i javaon Linux, orbrew list --cask javaon Mac, etc.). Listing running processes for “java” is another quick check. These basic techniques would quickly reveal if Java is installed on a machine and often the version as well. Oracle knows this, and so should you – finding Java instances is not a hard task.
The bottom line: the challenge in a Java audit isn’t finding Java, it’s what happens after it’s found. Oracle’s real leverage comes from how they interpret the data (e.g., claiming a need to license all employees or every CPU for the discovered installations) rather than the discovery itself. This is why all the preparation, review, and pushback we’ve discussed is so critical – not to hide Java (you can’t, really), but to ensure the facts are interpreted correctly and fairly.
Pro Tip: The complexity in a Java audit isn’t in detecting Java instances; it’s in interpreting the findings to Oracle’s advantage. Oracle will try to turn simple data (like a server version number) into a hefty compliance bill. Your job is to ensure the narrative is accurate and justified, not exaggerated.
Read about our Oracle Java Audit Defense Service.
