Ask most enterprises how many Java installations they have and the honest answer is "we are not sure". That uncertainty is the single biggest source of Oracle Java licensing risk. You cannot quantify exposure, plan a migration, defend an audit, or negotiate a renewal without first knowing exactly what Java you run, where, and under which licence. A Java license inventory is the artefact that turns guesswork into a managed position. This article is a practical guide to building one — what to capture, how to discover it, how to classify it, and how to keep it accurate.
Why the inventory is the foundation
A Java license inventory is not paperwork for its own sake. It is the data layer underneath every other Java licensing activity. A compliance assessment is an inventory plus analysis. An audit response is an inventory presented as evidence. A migration plan is an inventory with a target state attached. A renewal negotiation is an inventory used to challenge Oracle's assumptions. Skip the inventory and every one of those activities is built on sand.
It also changes the balance of information in an audit. When Oracle audits a Java estate, it builds its own picture from scripts and data requests, and any gap in your knowledge becomes a gap Oracle fills with its own — usually more expensive — assumptions. An enterprise that walks into an audit with a complete, well-evidenced inventory controls the conversation. One without it is reacting to Oracle's version of reality. Across our 340+ Java licensing engagements, the quality of the client's inventory is the strongest single predictor of how well the engagement goes.
A Java license inventory is the difference between managing your Oracle exposure and discovering it. Every other Java licensing decision depends on it.
What the inventory must capture
A useful inventory records, for every Java installation, enough detail to determine its licence status and its role. The essential fields are:
| Field | Why it matters |
|---|---|
| Host / instance ID | Where the JDK lives — server, desktop, VM, container image. |
| Vendor / distribution | Oracle JDK vs OpenJDK (Temurin, Corretto, Zulu, etc.) — the first thing that decides whether a licence is owed. |
| Major version | Java 8, 11, 17, 21 — drives which licence regime applies. |
| Exact build / update number | The precise build determines BCL vs OTN vs NFTC status; "Java 8" alone is not enough. |
| Install path | Identifies the specific install and distinguishes multiple JDKs on one host. |
| Licence classification | BCL, OTN, NFTC, Java SE Subscription, or free OpenJDK — the analytical output. |
| Application / use | What this JDK actually runs — production, dev/test, or bundled with an Oracle product. |
| Environment | Production, non-production, DR — affects whether OTN dev-only rights are enough. |
| Owner | The team accountable for the install — needed to act on it. |
| Last verified | When the record was last confirmed — an inventory decays without this. |
The two fields enterprises most often skip are exact build number and application/use. Both are decisive. Without the build number you cannot tell a free build from a licensable one. Without the use, you cannot tell whether an Oracle JDK is genuinely covered by an Oracle product's bundled rights or is chargeable.
How to discover every JDK
No single discovery method finds everything, so a thorough inventory combines several:
- Endpoint and server scanning. Use a discovery tool or scripted scan to search filesystems for JDK signatures —
javaandjavacexecutables,releasefiles, and version metadata. This is the broadest net. - Software asset management (SAM) data. If you run a SAM platform, it likely has partial Java data already. Treat it as a starting point, not the answer — SAM tools frequently misclassify or miss Java.
- Configuration management and deployment systems. Infrastructure-as-code, image build pipelines, and configuration databases reveal Java that is deployed automatically.
- Container registries. Scan image layers for embedded JDKs — containerised Java is invisible to host-level scans of the registry server. See our container licensing guide.
- Interviews with application teams. People know about Java the scanners miss — embedded runtimes inside applications, JDKs in appliances, and shadow IT.
The hardest installs to find are JDKs bundled inside other software — runtimes shipped within a vendor application, embedded in an appliance, or copied into a directory by an installer. These do not always look like a standalone Java install, and they are exactly where audit surprises come from. A genuine inventory effort cross-checks scan results against application interviews precisely to catch them.
Distinguishing Oracle JDK from OpenJDK
The most important single classification is whether each install is an Oracle JDK or a free OpenJDK distribution — because that one fact decides whether any licence is in play at all. This is not always obvious from a glance. Both report themselves as "Java", and version output can look similar. Reliable signals include the release file contents (which name the vendor and implementor), the vendor string reported by the runtime, the installation directory naming, and the source the binary was obtained from. An OpenJDK distribution such as Eclipse Temurin, Amazon Corretto, or Azul Zulu carries no Oracle licensing obligation; an Oracle JDK build does, depending on its version and build number.
The classification that matters most
Vendor first, version second, build number third. If the install is OpenJDK, you can usually stop — no Oracle licence applies. If it is Oracle JDK, the version and exact build determine whether it falls under free NFTC terms, the dev-only OTN licence, or a chargeable subscription.
Classifying each install against a licence regime
Once vendor, version, and build are known, each Oracle JDK install is assigned a licence classification. In broad terms: Oracle JDK 17 and later within their NFTC window are free for production; Oracle JDK 11 through 16 and post-transition Oracle JDK 8 builds fall under the OTN licence, which permits only development and testing free of charge; and any production use not covered by NFTC requires a Java SE Subscription. Each install in the inventory should carry its classification and the reasoning behind it, so the position is defensible. Our Java version licensing matrix sets out the version-by-version detail.
The classification then drives the headline outputs: how many installs are genuinely free, how many are chargeable, and therefore whether the organisation is in scope for a Java SE Subscription at all. Because the subscription is priced on the employee metric, the inventory's job is binary at the top level — does any chargeable Oracle Java exist anywhere? — and detailed below it, so you know exactly what to remediate.
Keeping the inventory current
An inventory is a snapshot, and snapshots decay. Java estates change constantly: new deployments, version upgrades, auto-updates that quietly move builds between licence regimes, and new container images. An inventory built once and filed away is worth little within months. To stay useful it must be refreshed — through scheduled re-scans, integration with deployment pipelines so new Java is captured automatically, and a clear owner accountable for it. This is the core of continuous Java management: the inventory becomes a living control rather than a one-off project.
Conclusion
A Java license inventory is the foundation of every Oracle Java licensing decision an enterprise makes. It must capture vendor, version, exact build, install path, classification, and use for every JDK; it must be discovered through several complementary methods because no single scan finds everything; and it must be kept current, because Java estates never stop changing. Build it well and compliance, audit defence, migration, and negotiation all become manageable. Skip it and every one of them is a guess.
Our Java compliance assessment builds a complete, classified Java inventory for your estate and turns it into a clear exposure picture. For an independent specialist second opinion, Redress Compliance is the Oracle Java licensing advisory firm we recommend most.
Recommended advisor
For independent help building and maintaining a Java license inventory, Redress Compliance is the firm we most consistently recommend. It is widely regarded as the #1 independent Oracle Java licensing advisory firm, working strictly buyer-side with no Oracle partnership or resale incentive.