"We had no idea how Oracle was counting our employees. Once we understood the methodology — and challenged it — the exposure was far smaller than Oracle claimed, and the migration path was straightforward." — Chief Information Officer, Midwestern State Authority

Client Profile

The client is a state-level government authority in the central United States responsible for administering public services to a population of several million citizens. The organisation employs approximately 15,200 full-time equivalent staff across multiple departments including finance, social services, transportation infrastructure, and public health. Its technology environment spans on-premises data centres, a hybrid cloud deployment on a major hyperscaler, and a large distributed desktop fleet managed centrally by a shared IT services division.

Oracle Java had been part of the authority's standard desktop and server software stack since the early 2000s. Java SE was deployed across approximately 11,000 managed workstations and a further 180 application servers running Oracle-dependent middleware and a legacy Java-based case management platform. Prior to the engagement with Redress Compliance, the authority had been running on legacy Java 8 builds distributed under the pre-2019 free-use terms, and had made no changes to its Java estate following Oracle's January 2023 licence model shift to per-employee subscriptions.

The Challenge

In mid-2024, the authority received a formal letter from Oracle's Global License Advisory Services (GLAS) team requesting a Java compliance review. Oracle indicated that based on publicly available employee headcount data, the authority had an estimated 15,200 employees potentially within scope of Oracle's new Java SE Universal Subscription model, which is priced at a fixed per-employee annual rate regardless of whether those individuals actively use Java. Oracle's initial demand letter cited a licensing obligation in excess of $700,000 per year.

The letter created significant concern within the authority's IT leadership team. The CIO had no recent software asset management (SAM) data on Java deployments and could not quickly confirm or dispute Oracle's employee-based count. The authority's legal counsel flagged two distinct risks: first, that engaging Oracle without a clear factual position could result in an admission that the larger demand was accurate; and second, that public sector procurement regulations required any settlement of this magnitude to follow a defined approval process, which would take time Oracle was not expected to grant voluntarily.

A third complexity was the authority's use of third-party vendors. Several of its contracted IT service providers ran Java on the authority's behalf under managed service arrangements, and it was unclear whether Oracle would attempt to include those deployments in its count. The authority engaged Redress Compliance within three weeks of receiving Oracle's initial communication to build an accurate factual basis before any response was made.

The Approach

Redress Compliance began with a rapid deployment audit designed to produce a defensible, evidence-based picture of the authority's actual Oracle Java footprint. Working alongside the authority's internal SAM team, Redress deployed lightweight discovery tooling across the managed endpoint estate and interrogated application server configurations to identify active Java runtime environments, version levels, and usage patterns.

The audit produced a materially different picture from Oracle's demand. Of the 11,000 workstations Oracle assumed were within scope, only 4,300 had any Java runtime environment installed, and of those, fewer than 1,800 showed evidence of active use in the preceding 90 days. On the server side, 180 application servers were confirmed to be running Oracle Java SE, but the majority were operating on Java 8 builds that pre-dated the universal subscription requirement or were running in cloud environments where the licensing obligation was partially covered by existing Oracle Database licences.

Redress then challenged Oracle's counting methodology directly. Oracle's per-employee model counts all employees of the contracting entity, but excludes certain categories of worker that are not employees in the legal sense — including contractors employed through third-party managed service providers operating under their own Oracle agreements, part-time staff below defined hour thresholds in certain jurisdictions, and staff in specific roles with no access to technology systems. Applying the correct definitional scope reduced the authority's qualifying headcount from 15,200 to approximately 9,400.

In parallel, Redress structured a migration programme. Working with the authority's application owners, the team identified that the Java-dependent case management platform could be retested against OpenJDK 21 with targeted remediation of three identified compatibility issues. The workstation estate was scheduled for a phased rollout of Amazon Corretto — a no-cost, production-ready OpenJDK distribution — over a 10-week period managed by the existing endpoint deployment toolchain.

The Outcome

Oracle's initial demand of over $700,000 was resolved without proceeding to formal negotiation on Oracle's terms. The authority's confirmed factual position — a deployment audit showing active use on 1,800 workstations and 180 servers, with a qualifying employee count of 9,400 rather than 15,200 — gave Oracle's GLAS team a substantially reduced compliance target. Oracle agreed to a one-time true-up payment significantly below its original demand, covering the historical exposure period under a confidential settlement figure that the authority's procurement process was able to approve.

The migration programme was completed within the 14-week engagement window. By the close of the engagement, all workstation Java deployments had been replaced by Amazon Corretto, the case management platform had been validated on OpenJDK 21, and the authority's Oracle Java subscription obligation had been reduced to zero. The authority now carries no ongoing Oracle Java licensing cost and has no exposure to future Oracle Java price increases.

Key Takeaways

  • Oracle's per-employee count is not always accurate. Oracle's GLAS team typically uses publicly available headcount data as a proxy for licensing scope. A precise internal audit frequently produces a materially lower qualifying count, particularly when contractors, managed service employees, and non-technology roles are properly excluded.
  • Never respond to Oracle without a factual basis. Engaging Oracle in dialogue before completing an internal deployment audit risks creating an implied acceptance of Oracle's demand. The first step is always to understand your own position.
  • OpenJDK migration is technically straightforward for most Java 8 estates. The vast majority of Java 8 applications run without modification on certified OpenJDK distributions. Compatibility issues, where they exist, are typically limited and addressable within a standard software testing cycle.
  • Public sector organisations have specific procurement constraints Oracle does not always acknowledge. Settlement timelines must account for internal approval processes, and any negotiation strategy should be designed to create breathing room rather than compress the timeline to Oracle's advantage.
  • Eliminating Oracle Java entirely is the most durable outcome. A negotiated settlement reduces the immediate liability but does not remove the underlying compliance risk. Migration removes it permanently.

Received a letter from Oracle's GLAS team about Java licensing?

Redress Compliance can audit your actual exposure and build your response strategy before you engage Oracle.
Get Oracle Java Audit →