What happened at Kazakhstan Minerals

A minerals company in Kazakhstan received an Oracle audit notification. Oracle's License Management Services (LMS) team alleged a licensing shortfall of approximately $2 million — primarily driven by Oracle Database deployments on VMware-virtualised servers and Java SE installations across the estate. Oracle's sales team immediately followed up with an offer to resolve the matter by purchasing a large license bundle, claiming it was "cheaper than the penalties."

An independent assessment told a different story. Oracle had misclassified partitioned database hosts as requiring full-cluster licensing, and had counted Java installations on machines where Oracle Java was not the active runtime. After a structured rebuttal backed by technical evidence and contract language, the $2M claim was reduced to near zero — with the company only acquiring a small number of licences to cover genuinely identified gaps.

Claim received: ~$2M
Final payment: ≈$0
Resolution timeline: 6 wks

How to use this checklist: Work through all 20 items before responding to any Oracle audit letter, initiating a ULA certification, or entering renewal negotiations. Each item includes an expert note drawn from our experience across 500+ Oracle engagements. Items marked High Risk are the most common sources of inflated Oracle claims. Items marked Medium Risk frequently go unreviewed. Items marked Verify are often clean but must be confirmed.

Part 1 — Product & Deployment Inventory
01. Complete Oracle product inventory across all environments (High Risk)
Expert Note: Catalogue every Oracle product in use — databases (all editions), middleware (WebLogic, Forms, Reports), applications (E-Business Suite, PeopleSoft, JD Edwards), Java SE, and any third-party software with embedded Oracle components. Include production, development, test, staging, UAT, and disaster recovery environments. Oracle does not distinguish between production and non-production for licensing purposes unless your contract explicitly states otherwise. The Kazakhstan Minerals assessment found three development servers that had been excluded from the company's internal count, each running Oracle Database Enterprise Edition.
02. Identify Oracle Database edition deployed on each server (High Risk)
Expert Note: Standard Edition 2 (SE2) and Enterprise Edition (EE) carry very different price points and licensing rules. SE2 is licensed per socket (maximum 2 sockets per server) and cannot run on virtual machines with more than 16 threads. EE is licensed per processor core, applying the Oracle Core Factor Table multiplier. Confirm which edition is actually installed via Oracle's own inventory scripts (not relying solely on purchase records). Organisations frequently discover SE licences running on hardware that technically requires EE, or EE installed on hardware where SE2 would suffice.
03. Map all Oracle Database Options and Packs in active use (High Risk)
Expert Note: Options such as Diagnostics Pack, Tuning Pack, Partitioning, Real Application Clusters (RAC), and Advanced Security are separate licensed products. They are enabled by default in many Oracle Database installations, and Oracle's audit scripts detect whether they have ever been used — not whether they are currently active. Review the DBA_FEATURE_USAGE_STATISTICS view on every database instance before Oracle does. Disable and document any unused options immediately. This is one of the most common sources of unexpected compliance exposure across all industries, including resources and mining.
04. Inventory all Java SE installations by version and distribution (High Risk)
Expert Note: Since Oracle's 2019 Java licensing change and the 2023 employee-based subscription model, Java SE is a significant compliance risk. Scan every endpoint — servers, desktops, laptops, containers, and cloud instances — to identify each Java installation by version (Java 8, 11, 17, 21), distribution (Oracle JDK vs OpenJDK vs vendor distributions), and whether Oracle's commercial licence applies. Java 8u202 and earlier under BCL is free for commercial use. Java 8u211 onwards under OTN requires a subscription. Under the 2023 model, the licence cost is calculated per employee regardless of actual Java deployments — making scope definition critical. In the Kazakhstan Minerals case, Oracle had counted machines running OpenJDK (free) as Oracle-licensed Java, inflating the claim by approximately $400,000.
05. Confirm Oracle Middleware (WebLogic, Forms, Reports) scope (Medium Risk)
Expert Note: Oracle WebLogic Server is a separate licence from Oracle Database, priced per processor core. Forms and Reports licences are often overlooked in organisations that have run Oracle E-Business Suite for many years. Check whether middleware installations have grown beyond original licence entitlements, particularly in clustered or cloud-hosted environments. Confirm whether your WebLogic licences include the Coherence add-on, which is audited separately. WebLogic installations on VMware are subject to the same soft-partitioning rules as Oracle Database, meaning the entire cluster may need to be licensed.

Part 2 — Virtualisation & Infrastructure
06. Classify all virtualisation technologies against Oracle's Partitioning Policy (High Risk)
Expert Note: Oracle's Partitioning Policy defines two categories: hard partitioning (accepted as licence boundary) and soft partitioning (not accepted — entire physical host or cluster must be licensed). VMware vSphere/ESXi, Microsoft Hyper-V, KVM with live migration, and most commercial hypervisors are classified as soft partitioning. Oracle VM with hard partitioning enabled is the primary accepted virtualisation technology. This is the single most dangerous area for over-billing. In a 10-node VMware cluster where Oracle runs on a single VM using 4 vCPUs, Oracle will claim licences for every physical core across all 10 hosts. Verify whether Oracle database VMs are isolated to dedicated hosts with documented hard partitioning before any audit interaction.
07. Calculate required processor licences using the Oracle Core Factor Table (High Risk)
Expert Note: The formula is: Required Processor Licences = Total Physical Cores × Core Factor (rounded up to the nearest whole number). Intel Xeon processors carry a 0.5 factor; IBM POWER a 1.0 factor; AMD EPYC varies between 0.25 and 0.5 depending on generation. Critically, this calculation applies to physical cores on the hosts in scope — not vCPUs. Obtain the current Oracle Core Factor Table (updated periodically by Oracle) and apply it to each physical host. In Kazakhstan Minerals, Oracle had applied the wrong core factor to a refreshed generation of Intel processors, overstating the requirement by approximately 30 processor licences.
08. Confirm disaster recovery and failover licensing treatment (Medium Risk)
Expert Note: Oracle does not automatically grant free DR licensing. The Active Data Guard option requires a separate licence. However, Oracle's Disaster Recovery Policy provides limited passive DR concessions under specific conditions — the DR system must be cold standby, only brought online in the event of a declared disaster, and not used for testing, reporting, or development. Verify what your contracts explicitly state, and whether your DR system genuinely meets the passive criteria. Many organisations test their DR environments quarterly, which may void any passive concession under Oracle's policy.
09. Assess Oracle licensing impact of any recent hardware refreshes or cloud migrations (Medium Risk)
Expert Note: Hardware refreshes are a common audit trigger. Moving Oracle workloads to higher core-count servers — even if the overall performance is equivalent — can increase your licence requirement significantly. Similarly, migrating Oracle databases to AWS EC2 or Azure VMs does not reduce your licensing obligation unless you move to Oracle Cloud Infrastructure (OCI), where Oracle provides specific licensing concessions. If a hardware refresh has occurred in the past 24 months, model the licence impact before any audit interaction. Document the dates and specifications of all infrastructure changes.
10. Review Oracle Cloud Infrastructure (OCI) licensing concessions if applicable (Verify)
Expert Note: Oracle provides a unique concession for workloads running on OCI: customers can use their existing on-premises processor licences on OCI through the Bring Your Own Licence (BYOL) programme, or access Oracle Database via OCI's included licence model. If your organisation has begun any OCI migration, confirm how these licences have been counted and whether on-premises deployments have been correspondingly reduced. Avoid double-counting, which Oracle's audit team will use against you. OCI concessions do not apply to AWS, Azure, or Google Cloud.

Part 3 — Contract, Entitlements & ULA
11. Compile a complete licence entitlement register from all Oracle contracts (High Risk)
Expert Note: Organisations with long Oracle relationships typically have licences spread across multiple ordering documents, amendments, and legacy agreements. Consolidate every licence entitlement — product name, metric (processor, NUP, socket), quantity, and ordering document reference — into a single register. Cross-reference against Oracle's Customer Support Identifier (CSI) records, which Oracle's audit team will use as their baseline. Discrepancies between your records and Oracle's CSI system are common and must be resolved before an audit response is filed. Never allow Oracle's CSI data to be the sole source of truth for your entitlements.
12. Assess ULA or PULA status, certification readiness, and renewal timeline (High Risk)
Expert Note: If your organisation holds an Oracle Unlimited License Agreement (ULA) or Perpetual ULA (PULA), the certification process defines your post-ULA licence position. A ULA certification locks in your licence count based on deployed quantities at certification date — Oracle will not allow amendments after the fact. Begin preparation 6–12 months before expiry: run deployment counts, clean up inactive installations, reconcile with contract terms, and model the certification quantity independently before engaging Oracle. Failure to certify correctly can result in Oracle forcing a ULA renewal on their terms.
13. Verify Named User Plus (NUP) minimums and actual usage (Medium Risk)
Expert Note: Oracle's NUP metric requires a minimum of 25 NUPs per processor for Oracle Database Enterprise Edition (10 NUPs per processor for Standard Edition 2). If your organisation has a small number of actual users but many processors, the minimum NUP count may be higher than your actual named user count — in which case you are likely already over-licensed on this metric. Conversely, if actual named users exceed the purchased NUP count, you have a compliance gap. Map purchased NUP licences against actual authorised users accessing each database.
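
The scoping and arithmetic from items 06, 07 and 13, worked through on the 10-node VMware scenario from item 06. This is an added example, not code from Redress Compliance or Oracle. Assumptions: the Host record, the sample estate (ten 32-core Xeon hosts), treating a host outside any cluster as the licence boundary, rounding up once per CPU type, and taking the NUP requirement as the larger of actual users and the per-processor minimum.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Core factors as quoted in item 07; confirm against Oracle's current table.
CORE_FACTOR = {"intel_xeon": 0.5, "ibm_power": 1.0}
EE_NUP_MIN_PER_PROCESSOR = 25  # item 13, Database Enterprise Edition


@dataclass(frozen=True)
class Host:                      # hypothetical inventory record
    name: str
    cluster: Optional[str]       # soft-partitioned cluster, None if dedicated
    cpu: str
    physical_cores: int
    runs_oracle: bool


def hosts_in_scope(hosts):
    """Item 06: one Oracle VM pulls its whole soft-partitioned cluster into scope."""
    clusters = {h.cluster for h in hosts if h.runs_oracle and h.cluster}
    return [h for h in hosts if h.runs_oracle or h.cluster in clusters]


def processor_licences(hosts):
    """Item 07: physical cores x core factor, rounded up per CPU type (assumption)."""
    cores = defaultdict(int)
    for h in hosts:
        cores[h.cpu] += h.physical_cores
    return sum(math.ceil(n * CORE_FACTOR[cpu]) for cpu, n in cores.items())


def nup_shortfall(purchased, actual_users, processors):
    """Item 13: compare purchased NUPs with max(actual users, per-processor floor)."""
    required = max(actual_users, EE_NUP_MIN_PER_PROCESSOR * processors)
    return max(0, required - purchased)


def sample_estate(isolated):
    """Constructed data: ten 32-core Xeon hosts, Oracle on one VM on esx01."""
    hosts = [Host(f"esx{i:02d}", "prod-vmw", "intel_xeon", 32, i == 1)
             for i in range(1, 11)]
    if isolated:  # Oracle host taken out of the shared cluster
        hosts[0] = Host("esx01", None, "intel_xeon", 32, True)
    return hosts


if __name__ == "__main__":
    for isolated in (False, True):
        n = processor_licences(hosts_in_scope(sample_estate(isolated)))
        print(f"isolated={isolated}: {n} processor licences, "
              f"NUP floor {EE_NUP_MIN_PER_PROCESSOR * n}")
```

The vCPU count of the Oracle VM never enters the calculation; only the set of physical hosts in scope does, which is why the classification in item 06 dominates the result.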
14. Review Third-Party Support implications on Oracle's audit rights (Medium Risk)
Expert Note: Organisations using third-party support providers (Rimini Street, Spinnaker Support, etc.) retain all licence rights and remain subject to Oracle's audit provisions. However, Oracle has historically increased audit activity against customers who have moved off Oracle Support. Ensure that the move to third-party support did not inadvertently alter your licence metric classifications, and that your licence documentation is in order before any audit interaction. Oracle cannot legally compel you to return to Oracle Support as a condition of audit resolution.

Part 4 — Audit Process & Response
15. Review all Oracle audit scripts before allowing them to run in your environment (High Risk)
Expert Note: Oracle's LMS audit scripts collect extensive data about your Oracle deployments. You have the right to review the scripts before execution and to request that they be run in a controlled manner — typically by your own DBA team, not Oracle's personnel. Review the script output carefully before submitting it to Oracle. Ensure that the scripts do not capture data outside the agreed scope (e.g., instances on servers not covered by the audit notice). In multiple engagements, Redress Compliance has identified Oracle scripts that were configured to capture broader data than the audit notice specified.
16. Conduct an independent shadow audit before responding to Oracle's findings (High Risk)
Expert Note: Never respond to Oracle's audit findings without first producing your own independent position paper. Oracle's preliminary findings frequently contain errors — incorrect core factor application, misclassified virtualisation environments, inflated Java counts, and products listed as in-use that have been decommissioned. In the Kazakhstan Minerals engagement, the independent shadow audit identified four specific errors in Oracle's claim, each worth between $200,000 and $600,000. A structured rebuttal, backed by technical evidence and contract language, is the most effective tool in any audit negotiation.
17. Understand Oracle's contractual audit rights and your response timeline obligations (Medium Risk)
Expert Note: Oracle's standard OMA (Oracle Master Agreement) grants Oracle the right to audit on 45 days' notice, no more than once per year per licence. Your response obligations and timelines vary by contract — some agreements specify a 30-day response window, others 45 days. Read your specific contract terms before agreeing to any audit timeline. You can negotiate the scope, timing, and data collection methodology. Never agree verbally to an expanded audit scope. All audit interactions should be managed in writing with a designated single point of contact.
18. Decommission and document all retired Oracle software before audit data collection (Medium Risk)
Expert Note: Oracle's scripts detect software that has been installed, not necessarily software that is actively running. Systems that were decommissioned but not fully uninstalled will appear in Oracle's inventory data. Before audit data collection, work with your infrastructure team to formally decommission and remove all retired Oracle installations, document the decommission dates, and ensure the relevant servers are no longer reachable. Decommission evidence (change tickets, server disposal records) should be retained for at least five years.

Part 5 — SAM Tools, Remediation & Ongoing Compliance
19. Validate SAM tool coverage and Oracle-specific accuracy (Medium Risk)
Expert Note: Software Asset Management (SAM) tools such as Flexera, Snow License Manager, and ServiceNow SAM Pro can significantly reduce Oracle compliance risk — but only if correctly configured for Oracle's complex licensing rules. Generic SAM deployments frequently mishandle Oracle's virtualisation policy, core factor calculations, and NUP minimums. Validate that your SAM tool's Oracle normalisation rules are current (Oracle updates its Core Factor Table and product definitions periodically) and that the tool's coverage extends to all environments where Oracle software is deployed, including cloud instances and edge locations.
20. Establish a documented Oracle Effective Licence Position (ELP) review process (Verify)
Expert Note: An Effective Licence Position (ELP) is a point-in-time reconciliation of what you own versus what you are deploying. Organisations that maintain a current ELP — typically reviewed quarterly — are materially better positioned in Oracle audit situations than those who construct their position reactively under audit pressure. The ELP should include: all purchased licence entitlements by product and metric; all deployed instances by server, environment type, and virtualisation platform; the reconciled surplus or shortfall; and a remediation action log. Kazakhstan Minerals had no ELP at the time of Oracle's audit notification. Constructing one under pressure, while simultaneously responding to Oracle, created significant additional risk.

"Oracle's initial $2M claim was not a measured assessment of the client's position — it was an opening bid. Every component of that claim was challengeable with the right technical evidence and contract expertise. The final outcome was near zero liability."

— Morten Andersen, Redress Compliance
